Black Duck Binary Analysis: How to create a Vendor Vulnerability

A Course for Black Duck Binary Analysis Users

About this course

Black Duck Binary Analysis lets you add vulnerabilities to your own proprietary components or to existing open source (OSS) components. This is useful when your code base includes proprietary components whose vulnerabilities you want to track, or when you have found vulnerabilities in open source components that are specific to how you use them. Adding a vendor vulnerability to your organization's Black Duck Binary Analysis database lets you track it across projects and components.

You can add multiple vulnerabilities to the database, each with its own unique vulnerability ID. You can also assign each vulnerability a CVSS-equivalent score. The system uses CVSS 2.0 ratings; for more information on CVSS, see the following links:

https://www.first.org/cvss/v2/guide

https://nvd.nist.gov/vuln-metrics/cvss/

https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator

Adding a vendor vulnerability requires a CPE (Common Platform Enumeration) name that identifies the affected component. To learn more about the CPE standard, visit:

https://csrc.nist.gov/publications/detail/nistir/8085/draft
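As an added example (not code from this course or from Black Duck Binary Analysis, which has its own user interface for this), the following Python prepares the two inputs a vendor vulnerability needs according to the text above: a CPE 2.3 formatted-string name for the affected component, and a CVSS 2.0 base score computed from a vector string with the equations in the FIRST CVSS v2 guide. The vulnerability ID convention, the vendor and product names and the summary are constructed for illustration, and the record it builds is a plain dictionary, not any Black Duck import format.

```python
"""Prepare a vendor (custom) vulnerability record: CPE 2.3 name for the
affected component plus a CVSS 2.0 base score computed from the vector.
Added example; it does not use the Black Duck Binary Analysis API.
Vendor/product names, the ID convention and the summary are constructed."""
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights (FIRST CVSS v2 guide, section 3.2.1).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # AccessVector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact

_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score from a base vector such as
    'AV:N/AC:L/Au:N/C:P/I:P/A:P' (NVD's surrounding parentheses are tolerated)."""
    m = _VECTOR_RE.match(vector.strip("() "))
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - _CIA[c]) * (1 - _CIA[i]) * (1 - _CIA[a]))
    exploitability = 20 * _AV[av] * _AC[ac] * _AU[au]
    if impact == 0:            # f(Impact) = 0 when there is no impact
        return 0.0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    # The guide rounds to one decimal; use half-up rather than float round().
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_severity(score: float) -> str:
    """NVD's v2 qualitative ranges: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


# CPE 2.3 formatted string: every character except alphanumerics, '_',
# '*' and '?' must be escaped with a backslash (NISTIR 7695, section 6.2).
_CPE_ESCAPE = re.compile(r"[^A-Za-z0-9_*?]")


def _cpe_attr(value: str) -> str:
    """Encode one attribute: '*' (ANY) and '-' (NA) pass through; otherwise
    lowercase, turn whitespace into '_' and escape the remaining punctuation."""
    if value in ("*", "-"):
        return value
    if not value:
        raise ValueError("empty CPE attribute; use '*' for ANY or '-' for NA")
    value = re.sub(r"\s+", "_", value.strip().lower())
    return _CPE_ESCAPE.sub(lambda m: "\\" + m.group(0), value)


def cpe23(part: str, vendor: str, product: str, version: str = "*",
          update: str = "*", edition: str = "*", language: str = "*",
          sw_edition: str = "*", target_sw: str = "*", target_hw: str = "*",
          other: str = "*") -> str:
    """Build a CPE 2.3 formatted string; part is 'a' (application),
    'o' (operating system) or 'h' (hardware)."""
    if part not in ("a", "o", "h"):
        raise ValueError(f"invalid CPE part: {part!r}")
    attrs = [part, vendor, product, version, update, edition, language,
             sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(_cpe_attr(v) for v in attrs)


# ID convention chosen for this example (the page only requires uniqueness).
_ID_RE = re.compile(r"[A-Z][A-Z0-9]*-\d{4}-\d{4,}")


def vendor_vulnerability(vuln_id: str, cpe: str, vector: str, summary: str) -> dict:
    """Assemble the record with the score and severity derived from the vector."""
    if not _ID_RE.fullmatch(vuln_id):
        raise ValueError(f"vulnerability ID does not follow PREFIX-YYYY-NNNN: {vuln_id!r}")
    if not cpe.startswith("cpe:2.3:") or cpe.count(":") != 12:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    score = cvss2_base_score(vector)
    return {"id": vuln_id, "cpe": cpe, "cvss2_vector": vector,
            "cvss2_base_score": score, "severity": cvss2_severity(score),
            "summary": summary}


if __name__ == "__main__":
    # Constructed proprietary component and finding.
    component = cpe23("a", "ExampleCorp", "Widget Lib", "1.2.3")
    record = vendor_vulnerability("EXCO-2024-0001", component,
                                  "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                                  "Unauthenticated remote read/write in the widget parser")
    for key, value in record.items():
        print(f"{key}: {value}")
```

The scores agree with the NVD v2 calculator linked above (the vector in the usage block scores 7.5, High). The escaped periods in the version component follow the formatted-string grammar; if you copy the name out of a tool that displays versions unescaped, normalise it before comparing.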


Environment:
Black Duck Binary Analysis 2019.06 or newer
Users: Power user, User, Basic user
Hosted or Appliance


Keywords: Vendor, Vulnerability, CPE, Common Platform Enumeration, Custom