Update Configuration

Black Duck Binary Analysis should receive two types of maintenance regularly: system updates, and platform (OS) upgrades. These should be performed whenever updates are available.

A system update:

  • Includes the frontend (the UI), all workers, and the vulnerability database.
  • Does not require a direct Internet connection, but you will have to use the Internet to obtain the update files.
  • Can be configured to take place periodically and automatically.

A platform upgrade:

  • Includes updates to the underlying operating system of the virtual machine (similar to running sudo apt-get dist-upgrade).
  • Requires a continuous Internet connection.
  • Cannot be performed automatically.

Note: We've chosen to use "update" when talking about Black Duck Binary Analysis and "upgrade" when talking about the platform (the underlying operating system). This makes it easier to distinguish between the two operations, but there is no other significant difference between the terms.

Automatic System Updates

To activate automatic updates, your appliance must have access to the Internet. Automatic updates require valid Download Arena or Community credentials, which you should have received when you purchased Black Duck Binary Analysis.

Contact Black Duck Support at https://community.blackduck.com/s/my-support-home if you have not received an account e-mail, if you have lost your password, or if you have any other questions concerning your account.

Configure Automatic Downloading of Updates

To enable automatic downloading:

  1. From the Home page, navigate to System settings.
  2. Select Automatic update configuration.
  3. Under the Change Arena or Community Credentials heading, enter your Arena or Community account username and password.
  4. Select Save credentials.

If you no longer wish to use automatic updates, clear the text fields and select Save credentials.

Under the Platform update sources for Debian heading, you can change the default source URLs.

Note: Debian officially does not support HTTPS for repositories; the package signing mechanism provides security instead. Official “ftp.country.debian.org” mirrors are aliases for multiple sites that do not have a certificate matching the alias. To use HTTPS, the real hostname of the mirror supporting HTTPS is required in the URL.

Automatic updates include the following.

  • Your appliance syncs the component metadata with the remote vulnerability database and the remote component database once a day, as long as an internet connection is available and your Arena credentials remain valid.
  • Updates for the frontend and worker are downloaded when they become available.
  • You will be notified that the updates are available, so that you can use them.

Although downloading is automatic, the installation must be started manually.

Component Signature Updates

Component signatures for matching components are updated with each new worker release, but they can also be updated between releases if necessary. Updating component signatures between worker releases requires an internet connection. Downloading and updating component signatures takes place automatically in the background.

Install an Update

To update the system, when an update is available:

  1. Navigate to Home > System settings > Update system. (The details about the new update can be found on this page.)
  2. Select Start upgrade to implement the updates.

Approve Lists

If you limit access to your system by means of an approve list, include in your list the servers providing these updates for Black Duck Binary Analysis. They are:

Frontend & worker update: https://www.codenomicon.com and Black Duck Community.

Database update: protecode-sc.com

Automatic software updates (Appliance and Community in use): protecodesc.s3.us-east-1.amazonaws.com

Automatic signature updates: appcheck-keg-production.s3.eu-west-1.amazonaws.com

Vulnerability updates: https://bdba.blackduck.com

Platform security: http://security.debian.org/debian-security/

Platform: https://www.debian.org/mirror/list

Use the link above to find the nearest mirror repo for Debian. Add the repo (not the link above) to the list.

Manual Updates and Upgrades

You can manually apply both the system update and the platform upgrade.

If system updates are applied manually, two separate steps are required: one to update the vulnerability database and one for the rest of the system.

Note: If you have previously enabled automatic updates, then you need to delete the credentials (username and password) of automatic updates to enable manual updates.

Vulnerability Database Update Frequency

NVD metadata is updated every 24 hours.

BDSA metadata is updated every hour.

Manually Updating the Vulnerability Database

If your appliance is not connected to the Internet, then you will need to manually update the vulnerability database at least weekly.

To manually update the vulnerability database:

  1. Download the database update files in one of the following ways. (Choose only one.)

    For a regular weekly update: Obtain the update by downloading bdba-onprem-data-update-YYYYMMDD-hhmmss.tar.zst from https://bdba.blackduck.com/updates-v2/.

    If you haven't updated in more than a week: Obtain updates from this address: https://bdba.blackduck.com/updates-v2/bootstrap

    For a new appliance, or one you haven't updated in more than a month: Obtain updates from this address: https://bdba.blackduck.com/updates/vulndata/.

    When prompted, enter your Arena credentials or Community credentials (not your Black Duck Binary Analysis user credentials) and then download the file protecode-sc-updates.tar.zst.

  2. In the Black Duck Binary Analysis user interface, navigate to System settings > Update vulnerability database.
  3. In the "Perform a manual update" section, select Choose file OR Browse... (depending on your browser).
  4. Select the file that you downloaded in step 1.
  5. Select Upload and update.
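
For an appliance without Internet access, the choice in step 1 depends on how old the last applied update is. The following is an added example, not part of the product or its documentation: it reads the timestamp from a weekly update file name and returns the download address to use. It assumes "a week" means 7 days, "a month" means 30 days, and that the timestamp in the file name is UTC; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Download addresses as given in step 1 of the procedure above.
WEEKLY = "https://bdba.blackduck.com/updates-v2/"
BOOTSTRAP = "https://bdba.blackduck.com/updates-v2/bootstrap"
FULL = "https://bdba.blackduck.com/updates/vulndata/"

# Weekly file name pattern: bdba-onprem-data-update-YYYYMMDD-hhmmss.tar.zst
NAME_RE = re.compile(r"^bdba-onprem-data-update-(\d{8})-(\d{6})\.tar\.zst$")


def update_timestamp(filename):
    """Return the timestamp encoded in a weekly update file name, or None."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    except ValueError:  # digits are present but do not form a real date/time
        return None
    return ts.replace(tzinfo=timezone.utc)  # assumption: the stamp is UTC


def choose_source(last_applied, now):
    """Pick the download address for the next manual update.

    last_applied is the file name of the last weekly update applied,
    or None for a new appliance.
    """
    ts = update_timestamp(last_applied) if last_applied else None
    if ts is None:
        # New appliance, or a name without a usable timestamp: the age is
        # unknown, so take the full data set rather than risk gaps.
        return FULL
    age = now - ts
    if age < timedelta(0):
        raise ValueError("last update is dated in the future; check the clock")
    if age > timedelta(days=30):  # assumption: "a month" = 30 days
        return FULL
    if age > timedelta(days=7):   # assumption: "a week" = 7 days
        return BOOTSTRAP
    return WEEKLY


if __name__ == "__main__":
    # Constructed sample file name, not a real release.
    sample = "bdba-onprem-data-update-20240102-030405.tar.zst"
    print(choose_source(sample, datetime.now(timezone.utc)))
```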

Synchronizing the Vulnerability Database

If the appliance has been offline for more than 30 days, there may be gaps in the vulnerability data, because the appliance receives only 30 days of updates from the upstream data source. To synchronize the database, go to "Settings -> Update vulnerability database" and click Full Synchronization.

Scanning is disabled while the database synchronizes. This typically takes from 10 to 30 minutes.

In airgapped installations, you can download vulnerability data from https://www.protecode-sc.com/updates/vulndata and update it via manual vulnerability data update.

Applying a System Update

To manually update the system components, you will first have to obtain the system component files from https://www.codenomicon.com/arena or Black Duck Community.

In Arena, the Black Duck Binary Analysis system component files have the following naming conventions:

  • Frontend (code-appcheck-frontend-*.install)
  • Worker (code-appcheck-worker-*.install)

Both should be updated if newer versions are available.

To apply the system update:

  1. Navigate to System settings.
  2. Select Update system.
  3. Select the System tab (as opposed to platform).
  4. Select Choose file OR Browse... (depending on your browser).
  5. Select a file that you downloaded from https://www.codenomicon.com/arena.
  6. Select Update and upload.
  7. If you are updating both the frontend and the worker, then repeat steps 3 and 4 for each file.

When you apply updates, all your distributed workers are updated as well.

Applying a Platform Upgrade

Platform upgrades do not take place automatically, because they call for rebooting the system in certain cases. The platform upgrade process takes several minutes to complete and requires an active Internet connection throughout the process.

If you can connect your appliance to the Internet, then you can apply a platform upgrade.

To apply a platform upgrade:

  1. Navigate to System settings.
  2. Select Update system.
  3. Select the Platform tab.
  4. Select Start platform upgrade.