Vendor Components
The Vendor Components feature allows you to teach BDBA to recognize components that it would not recognize with the default component signatures it ships with. Examples are a company-internal library, a company-internal fork of an open-source library, or a commercial component used across company products. BDBA currently supports teaching Vendor Components from the following file formats:
- .a - ar archives containing object code. These are generally known as "Unix static libraries".
- .so - ELF shared objects. These are generally known as "Unix shared libraries".
- .dylib - Mach-O shared libraries.
- .dll - PE32 Windows dynamically linked libraries.
- .jar - Java archives.
- ELF executables for any architecture.
- .exe - PE32 executables for Windows.
- Mach-O executables for Mac OS X.
The process requires these steps:
- Choose the right file.
- Upload the component.
- Add metadata.
Note that vendor component signatures are limited to your company in BDBA SaaS and are not shared with anyone else.
Before Uploading, Choose the Right File
For best results, the uploaded file should meet the following conditions.
- Unambiguity: the file should contain only the desired component; no other components should be included. Multiple components cannot be taught at the same time. Doing so teaches a combined component and results in a poor detection rate in other files.
- Uniqueness: to build a reliable fingerprint, the component must have enough unique characteristics to distinguish it from other components. The tool notifies you if the extracted fingerprints are not sufficient; in those cases the component cannot be taught.
- Size and library type: a Vendor Component to teach should be at least 20 kilobytes in size for a working signature to be built. Anything smaller may not work; this depends on the type of library and the amount of string information and other differentiating information found in it. If the library has fewer than 10 functions or contains no unique characteristics, BDBA cannot build a working signature from it.
- Language: BDBA supports only binaries written in C, C++ or Java. Executables written in languages such as Rust and Go are not supported.
Upload the Component
You must upload the code files that are incorporated into your application in order to teach BDBA how to recognize them.
- From the Home page, select Vendor Components (under the Shortcuts section).
- Select Upload New Component.
- To choose a file, select Browse and then navigate to the vendor file you want to upload.
- Select Open. (When the file navigator closes, the name of the file should be visible next to the browse button.)
- Select Upload and Teach Component. (BDBA will take a few seconds to verify the vendor component.)
Add Metadata
After uploading a component, add metadata by selecting Edit Component. Complete the form.
Component information metadata fields:
- Component name — Any name you want to give the vendor component.
- License — Choose the license type from a pull-down menu.
- Tags — Choose keyword tags from the menu. You can select more than one. Tags tell you what type of component this is and what it is used for. Tags are visible in scan results.
- Component Threshold — The component threshold specifies what percentage of the fingerprints present in a taught version of a vendor component must be found in a scanned artifact for the component to be reported. This is also known as matching confidence. BDBA allows tuning this value because the linker sometimes eliminates portions of larger components during the linking phase, and requiring a larger match would cause BDBA to miss the component. Smaller values, however, can yield false positives. The default value is 20%.
Component version metadata fields:
- Component version — Enter the version number of the package scanned. Once the version number is typed in, the system goes through the uploaded file and determines a regular expression that finds the component's version; future versions can then be detected with it. For BDBA to generate regular expressions, version information must be present in the component.
- Regular expression for version matching — You can enter a regular expression for matching future versions of your uploaded component. BDBA performs string matching based on this regular expression, and you can edit it if needed. For more information about the syntax, see the Regular Expression HOWTO. To generate a regular expression for component version matching, select Generate version matching regular expression. A dialog box opens; use the drop-down list to select which regular expression you want to use. The number of options in the list depends on the component. Once you have selected the regular expression, you can modify it if needed.
After entering your metadata, select Update.
Once the component is uploaded and documented, it will be detected in any packages you scan, and any vulnerabilities will be displayed on the group dashboard.
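The Python below is an added illustration, not BDBA's own code or algorithm, of how the component threshold and the version regular expression described above fit together: the regex is derived from the taught string that contains the typed-in version, and a component is reported only when at least the threshold share of its taught strings appears in the scanned artifact. The component name, strings and versions are constructed sample data.

```python
import re

# Constructed sample data (not from a real component): printable strings as
# `strings(1)` would extract them from builds of a hypothetical vendor library.
TAUGHT = [  # the build uploaded and taught, version typed in as "2.4.1"
    "libacme 2.4.1", "acme_init", "acme_parse_packet", "acme_checksum",
    "acme_send", "acme_recv", "acme_close", "ACME_BUFFER_TOO_SMALL",
    "acme internal error %d", "acme_get_version",
]
NEWER_BUILD = [  # a later release, partly dead-stripped by the linker
    "libacme 2.5.0", "acme_init", "acme_parse_packet", "acme_send",
    "acme_close", "ACME_BUFFER_TOO_SMALL", "unrelated_symbol",
]
UNRELATED = [  # a different program that happens to share two strings
    "acme_init", "ACME_BUFFER_TOO_SMALL", "main", "usage: %s [file]",
]

def version_regex(taught, version):
    """Generalise the taught string that contains the typed-in version: the text
    around the version is kept literally, the version itself becomes a
    dotted-number capture group so that future releases match as well."""
    for s in taught:
        if version in s:
            prefix, suffix = s.split(version, 1)
            return re.escape(prefix) + r"(\d+(?:\.\d+)*)" + re.escape(suffix)
    return None  # no version information in the component: nothing to derive

def find_version(strings, regex):
    """String-match the version regex against every string of a scanned artifact."""
    for s in strings:
        m = re.search(regex, s)
        if m:
            return m.group(1)
    return None

def match_confidence(taught, scanned, version):
    """Fraction of taught fingerprints found in the scanned artifact. The version
    string is not a fingerprint, otherwise every new release would lose a match."""
    fingerprints = {s for s in taught if version not in s}
    if not fingerprints:
        return 0.0  # nothing unique to match on: such a component cannot be taught
    return len(fingerprints & set(scanned)) / len(fingerprints)

def detect(taught, scanned, version, threshold=0.20):
    """Return (detected, confidence, detected_version) for one scanned artifact."""
    confidence = match_confidence(taught, scanned, version)
    regex = version_regex(taught, version)
    found = find_version(scanned, regex) if regex else None
    return confidence >= threshold, confidence, found
```

With the default 20% threshold the unrelated program is reported too (2 of 9 fingerprints, about 22%), which is the false-positive risk of a low threshold; raising it to 30% drops that match while the newer build (5 of 9) is still detected.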
Delete a Vendor Component
To delete a vendor component:
- From the Home page, select the Vendor components tile (under the Actions section).
- On the Vendor components page, select the desired vendor component.
- Select Remove component and confirm.
When a component is deleted, it still shows in scan results until you re-scan.