Skip to main content
BlackDuck Connector (new revision)

Learn all about integrating BlackDuck into the Vulcan Platform

Updated over 2 weeks ago

Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.


Overview

About BlackDuck

Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks from using open-source and third-party code in applications and containers.

Why integrate BlackDuck into the Vulcan platform?

The BlackDuck Connector by Vulcan integrates with the BlackDuck platform to pull and ingest assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

BlackDuck Connector Details

Supported products

Category

Application Security - SCA

Ingested asset type(s)

Code Projects

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (API V2024.1.1)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • Your organization's server URL in BlackDuck

  • Black Duck API Token with Global Code Scanner permission/role.

Generating BlackDuck API Token

  1. Go to the BlackDuck Platform and sign in as an Admin User.

  2. Navigate to Admin > User Management

  3. Create or edit a user you want to use for the integration.

  4. Enter the User and add the permission Global Code Scanner Role.

  5. Make sure the user is a member of the intended project or is a part of a group that is a member of the project.

    Example:

  6. Save.

  7. Log out from the Admin User and log in as the integration user.

  8. Click on the User tab, then on Access My Tokens.

  9. Create a New Token and fill in the token details,

  10. Check the Read Access option and click Create.

  11. Save the generated API Token somewhere safe.

Configuring the BlackDuck Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. ClickConnector Connector.

  3. Click on the BlackDuck icon.

  4. Set up the Connector as follows:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your BlackDuck instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  7. Click Create or Save Changes.

  8. Allow some time for the sync to complete. You can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the BlackDuck icon shows Connected, the sync is complete.


BlackDuck in the Vulcan Platform

Viewing BlackDuck vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select BlackDuck from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing BlackDuck assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select BlackDuck from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by BlackDuck

Take Action on vulnerabilities and assets detected by BlackDuck using the relevant filter.

  1. Go to VulnerabConnector Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the BlackDuck option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability/Asset.

  5. Click Take Action.

Automating actions on vulnerabilities detected by BlackDuck

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the BlackDuck Connector.


From BlackDuck to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with BlacDuck through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Code Project Fields Mapping

BlackDuck field

Vulcan field

name

Uniqueness criteria

name

Asset Name

Code Projects

Asset type

componentName

Asset libraries - Name (SCA)

componentVersionName

Asset libraries - Version (SCA)

source

Asset details

name (from tags call)

Asset Tags - Vendor’s tags

versionName (from versions call)

Asset Tags - Additional

active

Asset’s Status

Now

Last report

componentName, componentVersionName, componentVersionOriginName or externalNamespace, componentVersionOriginId or externalId, version_name

Vulnerability instance uniqueness criteria

vulnerabilityWithRemediation.vulnerabilityName
or
vulnerability.vulnerabilityId

Unique Vulnerability uniqueness criteria

vulnerabilityWithRemediation.vulnerabilityName
or
vulnerability.vulnerabilityId

Vulnerability title

vulnerabilityWithRemediation.overallScore

Vulnerability score

description

Vulnerability description

Technical Description - technicalDescription

Title - title

CVSS3 Vector - cvss3.vector

CVSS2 Vector - cvss2.vector

Source - source

Workaround - workaround

Published Date - publishedDate

Vendor Fix Date - vendorFixDate

Disclosure Date - disclosureDate

Vulnerability details

vulnerabilityWithRemediation.overallScore

CVSS

links -> related-vulnerabiltiy

CVE/S

vulnerabilityWithRemediation.cweId

CWE

cvss3.vector

CVSS attack vector

"versionName": "{{ version_name }}", "componentName": "{{ componentName }}", "componentVersion": "{{ componentVersion }}", "componentVersionName": "{{ componentVersionName }}", "componentVersionOriginName": "{{ componentVersionOriginName }}", "componentVersionOriginId": "{{ componentVersionOriginId }}"

Vulnerability instance connection- additional information

BlackDuck Recommendation for {{ name }}

Fix - Title

solution

Fix - Description

Vulnerability status mapping

BlackDuck Status

Vulcan Status

Status is not "ignored"

Vulnerable

VConnector’sy is no longer relevant in black duck and doesn’t return on the connector’s sync.

Fixed

-

Ignored - false positive

Ignored

Ignored risk acknowledged

Vulnerability score mapping

The score is based on the field: vulnerabilityWithRemediation.overallScore

BlackDuck score

Vulcan score

1-10

1-10

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any added).

The table below lists how the status update mechanism works in the BlackDuck connector for the vulnerabilities and assets in the Vulcan Platform.

Update type

Mechanism

Archiving Assets

  • By X days according to last seen - if the Asset hasn’t been seen for X days, it will be archived from Vulcan.

  • If the asset doesn't fetch on the last sync, it will be archived.

Change of vulnerabiliConnectorces status from "Vulnerable" to "Fixed"

  • By status "fixed": If the connector has a relevant vulnerability status which indicates that the Vulnerability is fixed.

  • Non delta: If the vulnerability doesn't fetch again on the next sync, it will be moved to "fixed".

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

API

Use in Vulcan

Permissions required

api/projects

Assets (Code Projects)

Global Code Scanner

api/projects/{{ project_id }}/versions

Assets Tags, sync vulnerabilities per version

Global Code Scanner

api/projects/{{ project_id }}/tags

Assets Tags

Global Code Scanner

/api/projects/{{ project_id }}/versions/{{ version_id }}/vulnerable-bom-components

Unique Vulnerabilities, Vulnerabilities Instances

Global Code Scanner

api/vulnerabilities/{{ vulnerability_name }}

Unique Vulnerabilities, Solutions

Global Code Scanner


Data Validation

Validating and comparing data between BlackDuck and Vulcan Platform.

Assets Count

Goal: Validate the assets count between BlackDuck and Vulcan.

In BlackDuck:

  1. Navigate to the Dashboard.

  2. Click on "Projects" to see the projects injected into Vulcan.

In Vulcan:

  1. Navigate to Assets > Code Projects

  2. Filter by BlackDuck connector. The results should match the project count in BlackDuck.

Unique Vulnerabilities Count

Goal: Compare the count of unique vulnerabilities between BlackDuck and Vulcan.

In BlackDuck:

  1. In the Dashboard, move to the "Security" tab.

  2. To see only active (vulnerable) vulnerabilities, ensure to filter out ignored vulnerabilities.

In Vulcan:

The count of vulnerabilities should match the number of unique vulnerabilities in Vulcan.

Vulnerabilities Instances (Connection) Count

Goal: Match the count of vulnerability instances between BlackDuck and Vulcan.

In BlackDuck:

  1. From the Dashboard, click on the project name.

  2. Click on a specific version. Note: Vulcan ingests all connections for all versions, so sum all instances from all versions.

  3. Move to the "Security" tab and remove any applied filters.

  4. On the left list, observe the vulnerabilities count of each project component. Clicking on each component will display specific vulnerabilities.

In Vulcan:

The BlackDuck vulnerability instances count should match the count in Vulcan.

You can also create a vulnerabilities report and export it:

Did this answer your question?