Appendix: Supported Software and Applications

Supported Architectures and Operating Systems

Black Duck Binary Analysis supports scanning native applications for the following CPU architectures and operating systems:

  • Microsoft Windows 95/98/ME/XP/Vista/7/8 32bit and 64bit binaries (Intel)
  • Linux binaries 32bit and 64bit binaries (Intel, PowerPC, ARM)
  • Apple Mac OS X 32bit and 64bit binaries (Intel, PowerPC)
  • FreeBSD, NetBSD and OpenBSD 32bit and 64bit binaries (Intel, PowerPC, ARM, SPARC, HP-PA-RISC)
  • Solaris 32bit and 64bit binaries (Intel, Sparc)
  • The following real-time operating systems (RTOS): vxWorks, QNX, NucleusOS, and ThreadX
  • Embedded system firmwares based on Intel, ARM, PowerPC, MIPS, PA-RISC, SPARC, and AVR32 architectures
  • Unencrypted Android, iOS, Blackberry

If your operating system or CPU architecture of choice was not listed, please contact us. We have a dedicated team of engineers that are specialized in adding support for various CPU architectures and OSes.

Supported programming languages

Black Duck Binary Analysis works solely on executables or binaries and is therefore language agnostic. However, the programming language support for components can be inferred from supported binary formats:

  • Native binaries
    • C and C++ are the most common languages used to build native applications but there are plenty of other programming languages that are compiled to native code. Black Duck Binary Analysis is agnostic to the source language as it works on the binary code.
  • Java binaries
    • Besides Java, there are many other languages that compile into Java class binary files, such as Clojure, Groovy and Scala to name a few most popular. Black Duck Binary Analysis is agnostic to the source language as it works on the JVM binary class files.
  • .NET binaries
    • Code for the .NET framework is typically written in C# or VB.NET. Like with Java there are many other languages that compile into .NET binaries and Black Duck Binary Analysis is able to scan binaries produced from any of those languages.
  • Go binaries
    • Even though Go programs compile into native binaries, the format is slightly different to the standard native code binaries. Black Duck Binary Analysis supports scanning Go binaries.
  • Python packages
    • Black Duck Binary Analysis supports the detection of installed Wheel and Egg Python packages.
  • Ruby packages
    • Black Duck Binary Analysis supports the detection of installed Ruby packages installed with the RubyGems package manager.
  • Javascript packages
    • Black Duck Binary Analysis supports the detection of JavaScript runtime environment packages installed with the NPM package manager.
  • Other Languages
    • Some interpreted and scripting languages, such as PHP, are not supported
  • Linux distribution packages
    • Black Duck Binary Analysis supports the detection of Linux packages installed on the scanned filesystem.

Supported application types

When scanning an upload, Black Duck Binary Analysis tries to determine the type of the uploaded binary and display it in the upload list. This can be very helpful when scanning unknown applications from the internet. Application type is automatically determined from the characteristics of the binary and due to similarities in them might sometimes get recognized incorrectly. If Black Duck Binary Analysis cannot determine the application type automatically, "Unknown" is shown.

Note that an incorrectly identified application type does not influence the scanner performance or the found components. The following Application types are supported:

  • .Net application
  • Android APK
  • Android sparse filesystem
  • Arris firmware
  • BlackBerry OS application
  • Directory
  • ELF installer
  • ELF binary
  • iOS application
  • ISO 9660 image
  • Install4J installer
  • InstallJammer installer
  • IntelHEX firmware
  • JFFS2 file system
  • Java library/application
  • Juniper firmware
  • Kosmos firmware
  • Linux firmware
  • Linux kernel
  • macOS application
  • macOS executable
  • macOS file system
  • Mach-O installer
  • OpenWRT firmware
  • QNX firmware
  • QtInstaller
  • S-Record firmware
  • Siemens firmware
  • U-Boot image
  • Unix or Windows library
  • Virtual machine image
  • WebAssembly
  • Windows application
  • Windows DLL
  • Windows executable
  • Windows installer
  • Container

Supported compression formats

Executable code is searched from ELF binaries, Windows Executables and DLLs, Mach-O binaries, Java classes, Android DEX files and unrecognized data files. Uploaded software packages can be inside various archive and installer formats. Generally, Black Duck Binary Analysis supports the following (note that we do not rely on the file extension but the file content to recognize the format)

Compression Formats:

  • gzip (.gz)
  • bzip2 (.bz2)
  • lha (.lha)
  • lzma (.lz)
  • lzo
  • lz4 (.lz4)
  • compress (.Z)
  • xz (.xz)
  • pack200 (.jar)
  • upx (.exe)
  • zstandard (.zstd)

Archive formats:

  • ZIP (including .jar, .apk, and other types derived from .zip)
  • Xar (.xar)
  • 7zip (.7z)
  • ARJ (.arj)
  • Tar (.tar)
  • VM Tar (.tar)
  • cpio (.cpio)
  • RAR (.rar)
  • LZH (.lzh)
  • lzip (.lz)
  • Electron archive (.asar)
  • WARC Archive

Installation formats:

  • vSphere Installation Bundle (.vib)
  • Redhat RPM (.rpm)
  • Debian package (.deb)
  • Mac installers (.dmg, .pkg)
  • Unix Shell file installers (.sh, .bin). However, not all installer formats supported.
  • Windows installers (.exe, .msi, .cab). However, not all .exe installer generators supported.
  • PyInstaller
  • Bitrock Installer

Installer generator formats that are supported:

  • 7z, zip, rar self extracting .exe
  • MSI Installer
  • CAB Installer
  • InstallAnywhere
  • Install4J
  • InstallJammer
  • InstallShield
  • InnoSetup
  • QtInstaller
  • Wise Installer
  • Nullsoft Scriptable Install System (NSIS)
  • WiX Installer

However, Windows installer generators tend to randomly change the file format over time so not all versions might be supported.

Filesystems / Disk images:

  • ISO 9660 / UDF (.iso)
  • Windows imaging
  • ext2/3/4
  • JFFS2
  • UBIFS
  • RomFS
  • Microsoft Disk Image
  • Macintosh HFS
  • VMWare VMDK (.vmdk, .ova)
  • QEMU copy-on-write (.qcow2)
  • Virtualbox VDI (.vdi)
  • QNX - EFS, IFS
  • Netboot images (.nbi)

Firmware formats:

  • Intel HEX
  • Cisco firmwares
  • SREC
  • uBoot
  • Arris firmware
  • Juniper firmwares
  • Kosmosx firmwares
  • Android Sparse Filesystem

Other:

  • Various other formats which are effectively tarballs, zips or other archives, like other Linux package formats, containers (for example Docker)
  • Unrecognized data blobs are scavenged for common filesystems, archives and executables

Supported metadata formats

  • .deps.json
    • A .deps.json file is a JSON manifest file containing information on dependencies required by the application at runtime.
    • BDBA parses components from the .deps.json and uses the information to enhance detection. If you have .NET dependency validation turned off in the UI, those finding will be picked to the results.
  • .runtimeconfig.json
    • A .runtimeconfig.json file is used in .NET applications to specify runtime configuration settings.
    • BDBA picks the .NET version that is used from the file
  • .nuspec
    • A .nuspec file is an XML manifest used in the .NET ecosystem to describe a NuGet package
    • BDBA parses the component and version information from the .nuspec file.
  • Directory.Packages.props and Packages.props
    • Directory.Packages.props and Packages.props are MSBuild XML files used in .NET projects to centrally manage NuGet package versions for multiple projects within a solution.
    • BDBA parses component and version information of valid packages from these files
  • kotlin-tooling-metadata.json
    • kotlin-tooling-metadata.json is a metadata file generated by Kotlin projects containing information about the Kotlin toolchain and build environment
    • BDBA parses the kotlin component version from the file
  • .version and .properties - Android
    • Android metadata files included in Jetpack library artifacts
    • BDBA parses the component name and version from these metadata files
  • Java metadata files
    • BDBA uses multiple different Java metadata files to enhance results and to pick correct versions.
  • package.json
    • Manages project metadata and lists the project´s dependencies and the version ranges
    • is used to parse NPM components
  • package-lock.json
    • Ensures that the exact versions of all installed dependencies, including sub-dependencies, are locked down and consistently used across all environments
    • is used to parse NPM components
  • podlock.file, podfile.lock and .podspec.json files
    • Cocoapod metadata files which present what version of a component has been installed

Supported Linux distributions

Black Duck Binary Analysis supports the currently supported versions of the Linux distributions listed below.

For Debian, Rocky, SLES and Ubuntu both x86 and ARM architectures are supported. For the others, the x86 architecture is supported.

  • Alma
  • Alpine
  • Amazon Linux
  • Chainguard
  • Debian
  • openSUSE
  • Oracle
  • Photon
  • RedHat
  • Rocky
  • SUSE Linux Enterprise Server (SLES)
  • Ubuntu
  • Wolfi

Linux distribution codenames

Black Duck Binary Analysis dynamically extracts this value from distro packages, images, and containers.

While it is impossible to list all possible values, here are some of the most common:

  • archlinux
  • alpine
  • centos
  • debian
  • ol
  • opensuse
  • oracle
  • photon
  • poky
  • rhel
  • sles
  • suse
  • ubuntu