Capabilities and Limitations

How Black Duck Binary Analysis Works

Black Duck Binary Analysis uses a combination of static binary analysis techniques to X-ray the provided software package to identify third-party software components and their exact versions with a high level of confidence. Methods range from simple string matching to proprietary patent-pending techniques.

Do I need source code?

No. Black Duck Binary Analysis operates on the application binaries or embedded system firmware images you provide. No source code is required for the analysis.

Operating purely on binaries has several advantages. Most importantly, it lets you see what is inside the software you run to support your mission or business, and understand the risk associated with operating a given piece of software. Secondly, if you already use source-code-based software composition analysis, checking the final compiled product against the results of a source code scan shows what your shipping product really contains, including components pulled in at build or packaging time. Thirdly, operating on binaries allows Black Duck Binary Analysis to scan vast volumes of data quickly.

File size limits

There is no size limit when uploading to the API. When using the web UI, uploaded files cannot exceed 8GB.

Memory allocation

A minimal setup of 4 CPUs requires 12 GB of memory. (Below that threshold, scan times can take significantly longer.) Allow 16 GB of memory if you plan to frequently scan files larger than 2 GB.

Hardening

The system is designed to run only the processes it needs, so that no additional applications or processes add risk.

A packet filter / firewall is in place that blocks all traffic on unused ports and protocols. Only ssh, http and https are open in the default configuration; in the distributed scanners setup, amqps is additionally used between the frontend and the worker(s). Lynis ( https://cisofy.com/lynis/ ) has been used to test our service.

You can enable two-factor authentication using Google Authenticator and/or use API tokens instead of passing a username and password. We strongly encourage customers to take advantage of these options to add another layer of security to their servers.

Support for scanning Java applications

Black Duck Binary Analysis supports scanning Java applications.

Detection capability for own software components

It is possible to add detection capability for your own software components.

Recognizing libraries with stripped symbols

It is possible to recognize libraries with stripped symbols.

Handling packed binaries

Black Duck Binary Analysis can handle packed binaries, such as the output of the UPX packer.

Number of supported libraries and software packages

We are constantly adding new software packages and libraries to Black Duck Binary Analysis. To see a complete list, login to Black Duck Binary Analysis and select Supported components from the Shortcuts pane on the home page. Black Duck Binary Analysis includes detection capabilities for both open source and proprietary closed source libraries and software packages.

If a component is known to Black Duck Binary Analysis but your analysis results do not show it, and you believe it is present, please let us know. Furthermore, Black Duck Binary Analysis only sees what you upload. If you upload binary code that dynamically links to OS libraries, Black Duck Binary Analysis will not see those OS libraries unless they are part of the package you uploaded, so their components and vulnerabilities will not appear in the results.

Vulnerability sources used by Black Duck Binary Analysis

Black Duck Binary Analysis uses several vulnerability sources to determine if identified third-party components may be exposed to known and unknown vulnerabilities. In particular, Black Duck Binary Analysis uses the Black Duck Security Advisories (BDSA) and the NIST National Vulnerability Database (NVD) to assign CVE identifiers for identified vulnerabilities.

Black Duck Security Advisories (BDSAs) are a Black Duck-exclusive vulnerability data feed sourced and curated by our Cybersecurity Research Center (CyRC). BDSAs offer deeper coverage for a wide set of vulnerabilities than is available through the National Vulnerability Database (NVD), while providing more timely and detailed vulnerability insights, including severity, impact and exploitability metrics. BDSAs also provide actionable remediation guidance that saves time by giving details on fixed versions, patch information, exploits, and workarounds where available. Validated additional vulnerability references are also provided under the Technical page on BDSA records.

Black Duck Binary Analysis additionally applies corrections and augmentations to the NVD data in cases where the data is wrong or incomplete. Furthermore, Black Duck Binary Analysis uses vulnerability data provided by Linux distributions for NVD augmentations. For information on which Linux distros are supported see Appendix: Supported Software and Applications.

Patched or backported fixes

Some Linux distributions take code fixes for vulnerabilities and apply them to earlier versions of components. This means that a vulnerability that would normally apply to a specific component version may already have been addressed by a backported fix, even though the upstream version string is unchanged. Black Duck Binary Analysis is aware of backports and correctly reports vulnerabilities for components included in the distributions listed in the Appendix: Supported Software and Applications.

Scan time

In general, the bigger the application you upload is, the longer the scan will take. Scan times are usually measured in minutes.

Load handling

Black Duck Binary Analysis has been designed to meet the requirements of top-tier application stores. We designed Black Duck Binary Analysis to be flexible and be able to dynamically scale to provide more scanning power in response to load and activity.

Locating components in Java applications obfuscated with ProGuard or similar tool

In general, an obfuscator does not touch the parts of the code that Black Duck Binary Analysis examines. ProGuard eliminates dead code, so if only a small portion of a component is being used, there might not be enough of it left for Black Duck Binary Analysis to identify it. Results depend heavily on the tool in use and its configuration. The best results will be achieved by analyzing unobfuscated binaries.

Supported binaries for exploit mitigation check

The following operating systems and architectures are currently supported:

  • Windows 32-bit (PE32) and 64-bit (PE32+) executables and libraries
  • Linux 32-bit and 64-bit ELF binaries on Intel, ARM, and PPC
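As an added example (not part of the page or of the Black Duck product), the script below shows what a header-level exploit-mitigation check on the two supported families looks like: for ELF it reads PIE (e_type), NX (PT_GNU_STACK flags) and RELRO (PT_GNU_RELRO) from the ELF and program headers; for PE it reads the ASLR, high-entropy VA, DEP and CFG bits of DllCharacteristics in the optional header. The constructed sample headers at the bottom exist only so the checks can run offline; they are not real binaries. Which flags the product itself reports, and how, is not stated on the page.

```python
"""Exploit-mitigation check over ELF and PE headers (added example, not product code)."""
import struct

# ELF constants (ELF ABI / Linux extensions)
ET_EXEC, ET_DYN = 2, 3        # ET_DYN is a PIE or shared object
PT_GNU_STACK = 0x6474E551     # stack permissions; PF_X set means executable stack
PT_GNU_RELRO = 0x6474E552     # region made read-only after relocation
PF_R, PF_W, PF_X = 4, 2, 1

# PE DllCharacteristics bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040         # ASLR opt-in
NX_COMPAT = 0x0100            # DEP opt-in
GUARD_CF = 0x4000             # Control Flow Guard


def elf_mitigations(data: bytes) -> dict:
    """Return PIE / NX / RELRO flags read from the ELF header and program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx, relro = False, False   # no PT_GNU_STACK header: treat the stack as executable
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def pe_mitigations(data: bytes) -> dict:
    """Return ASLR / DEP / CFG flags from the optional header's DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dllchars, = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32 and PE32+
    return {"aslr": bool(dllchars & DYNAMIC_BASE),
            "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
            "dep": bool(dllchars & NX_COMPAT),
            "cfg": bool(dllchars & GUARD_CF)}


def check(data: bytes) -> dict:
    """Dispatch on the file magic; ELF and PE are the two families in scope here."""
    return elf_mitigations(data) if data[:4] == b"\x7fELF" else pe_mitigations(data)


# --- Constructed sample headers: just enough header to exercise the checks, no code ---
def build_sample_elf64(pie: bool, exec_stack: bool, relro: bool) -> bytes:
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def build_sample_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 112 if pe32plus else 96                        # no data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check(f.read()))
    print("sample PIE/NX/RELRO ELF:", check(build_sample_elf64(True, False, True)))
    print("sample PE without ASLR/DEP:", check(build_sample_pe(0)))
```

Run it with one or more binaries as arguments to see the flags; with no arguments it reports on the two constructed samples. Note that a missing PT_GNU_STACK header is reported as no NX because most loaders then fall back to an executable stack, and that the PE check reads only the DllCharacteristics bits, not whether a load config directory backs the CFG flag.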

Modified open source libraries

In general, Black Duck Binary Analysis will detect a component even if its source code has been lightly modified. However, if the changes made are great enough, Black Duck Binary Analysis will not recognize the modified component. Detection is tuned per component by our team.

Encrypted binaries

You will need to supply unencrypted binaries to enable Black Duck Binary Analysis to do its analysis. If your normal packaging includes encryption, you'll need to send binaries to Black Duck Binary Analysis before the encryption stage.

Compressed binaries

Black Duck Binary Analysis supports a wide range of compression technologies. Try uploading your software to Black Duck Binary Analysis and see if it works. If you think Black Duck Binary Analysis is having trouble unpacking your software, send us a message.

"Will not fix" vulnerability

This information comes from the distribution's security feed and means that the distribution has decided not to fix this vulnerability in that release. You can hover over the "Will not fix" text to find a link to the distribution website providing an explanation.
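Added example for the two distribution-feed topics above, "Patched or backported fixes" and "Will not fix" (this is illustrative code, not Black Duck's matching logic): a naive matcher compares only the upstream version string against the upstream fixed version, so a distro package that still reports upstream 1.0.1e is flagged even after the distro shipped the fix as a new package revision. A backport-aware matcher compares the full distro package version (epoch, upstream version and package revision, using dpkg's ordering rules) against the fixed version published in the distro's own advisory, and reports "will not fix" when the feed says the distro declined to fix it. The upstream fact used is that CVE-2014-0160 (Heartbleed) was fixed in OpenSSL 1.0.1g; the distro feed dictionary is constructed sample data in the shape of a Debian advisory, not a live feed.

```python
"""Naive vs. backport-aware vulnerability matching (added example, constructed data)."""
import itertools
import re


def _order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or a package revision the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_deb_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    if "-" in rest:
        upstream, _, revision = rest.rpartition("-")
    else:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(a: str, b: str) -> int:
    ea, ua, ra = parse_deb_version(a)
    eb, ub, rb = parse_deb_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Upstream fact: Heartbleed was fixed in OpenSSL 1.0.1g.
UPSTREAM_FIXED = {"CVE-2014-0160": {"openssl": "1.0.1g"}}

# Constructed sample feed in the shape of a distro advisory: the distro keeps
# upstream 1.0.1e and ships the fix as package revision 2+deb7u5 (the value mirrors
# Debian's wheezy advisory for this CVE, but it is embedded here only as sample data).
# A value of None stands for an entry the distro marked "will not fix".
DISTRO_FIXED = {("debian-7", "openssl"): {"CVE-2014-0160": "1.0.1e-2+deb7u5"}}


def naive_affected(cve: str, component: str, version: str) -> bool:
    """Upstream-only comparison: blind to backports."""
    _, upstream, _ = parse_deb_version(version)
    return _cmp_fragment(upstream, UPSTREAM_FIXED[cve][component]) < 0


def vuln_status(cve: str, component: str, version: str, distro: str,
                distro_feed: dict = DISTRO_FIXED) -> str:
    """Return 'affected', 'not affected' or 'will not fix' for a distro package."""
    entry = distro_feed.get((distro, component), {})
    if cve in entry:
        fixed = entry[cve]
        if fixed is None:
            return "will not fix"
        return "affected" if deb_version_cmp(version, fixed) < 0 else "not affected"
    return "affected" if naive_affected(cve, component, version) else "not affected"


if __name__ == "__main__":
    for v in ("1.0.1e-2+deb7u4", "1.0.1e-2+deb7u5"):
        print(v, "naive:", naive_affected("CVE-2014-0160", "openssl", v),
              "backport-aware:", vuln_status("CVE-2014-0160", "openssl", v, "debian-7"))
```

The point of the version comparator is that the backport information lives in the package revision (`2+deb7u5`), which an upstream-only match discards; a scanner that does not carry per-distro fix data has no way to tell `1.0.1e-2+deb7u4` from `1.0.1e-2+deb7u5`.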

False positives in binary scans

All binary scans carry a risk of producing false negative or false positive results on component or version matches, irrespective of the binary type, including but not restricted to C++ binaries.

We work to ensure the highest possible quality of results and vet the component and version matching of each taught component to minimize that risk. Any reports of false matches that remain after internal quality assurance are reviewed, and the matching methods are re-evaluated based on the reported findings to further improve the quality and reliability of our results.

We also offer means for users to triage known mismatches or improve results based on known parameters, such as versions or vulnerability fixes, for results that cannot be confirmed from the binary itself.