sca-blackducklisted
Install: claude install-skill aiskillstore/marketplace
# Software Composition Analysis with Black Duck
## Overview
Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify
security vulnerabilities, license compliance risks, and supply chain threats in open source
dependencies. This skill provides automated dependency scanning, vulnerability detection with
CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.
## Quick Start
Scan a project for dependency vulnerabilities:
```bash
# Using Black Duck Detect (recommended)
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.project.name="MyProject" \
--detect.project.version.name="1.0.0"
```
Scan with policy violation enforcement:
```bash
# Fail build on policy violations
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
--blackduck.url=$BLACKDUCK_URL \
--blackduck.api.token=$BLACKDUCK_TOKEN \
--detect.policy.check.fail.on.severities=BLOCKER,CRITICAL
```
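A small CI wrapper that ties the two quick-start commands to steps 1 and 2 of Workflow 1 below: it infers the package managers from the manifests in a checkout, builds the Detect property list with policy enforcement, and turns Detect's exit status into a verdict. It is an added illustration, not the skill's `scripts/blackduck_scan.py`; the manifest-to-detector mapping, the pruned directories and the verdict strings are this example's own choices, while `--detect.included.detector.types` and exit code 3 for a policy violation are Detect's.

```python
import os
import subprocess

DETECT_URL = "https://detect.synopsys.com/detect.sh"
POLICY_VIOLATION_EXIT = 3  # Detect's documented exit code for a failed policy check

# Manifest file -> Detect detector type (this example's mapping; Detect itself knows more).
MANIFEST_DETECTORS = {
    "package.json": "NPM", "pom.xml": "MAVEN", "build.gradle": "GRADLE",
    "build.gradle.kts": "GRADLE", "requirements.txt": "PIP", "go.mod": "GO_MOD",
    "Cargo.toml": "CARGO", "packages.config": "NUGET",
}
SKIP_DIRS = {".git", "node_modules", "target", "build", "venv", ".venv"}  # vendored/build copies

def detectors_from_names(names: list[str]) -> list[str]:
    """Map manifest file names to the sorted set of Detect detector types they imply."""
    return sorted({MANIFEST_DETECTORS[n] for n in names if n in MANIFEST_DETECTORS})

def find_detectors(root: str) -> list[str]:
    """Workflow step 1: walk the checkout and infer which package managers are in use."""
    names = []
    for _, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        names.extend(filenames)
    return detectors_from_names(names)

def build_detect_args(url: str, token: str, project: str, version: str,
                      detectors: list[str], fail_on=("BLOCKER", "CRITICAL")) -> list[str]:
    """Assemble the Detect properties used in the quick start, plus a detector restriction."""
    args = [f"--blackduck.url={url}", f"--blackduck.api.token={token}",
            f"--detect.project.name={project}", f"--detect.project.version.name={version}",
            f"--detect.policy.check.fail.on.severities={','.join(fail_on)}"]
    if detectors:  # limit Detect to the ecosystems step 1 actually found
        args.append(f"--detect.included.detector.types={','.join(detectors)}")
    return args

def classify_exit(code: int) -> str:
    """Turn Detect's exit status into a CI verdict; a policy failure is not a broken scan."""
    if code == 0:
        return "clean"
    return "policy-violation" if code == POLICY_VIOLATION_EXIT else "scan-error"

def run_detect(root: str, project: str, version: str) -> str:
    """Run detect.sh as in the quick start, reading credentials from the environment."""
    args = build_detect_args(os.environ["BLACKDUCK_URL"], os.environ["BLACKDUCK_TOKEN"],
                             project, version, find_detectors(root))
    # bash -c '... "$@"' takes $0 ("detect") and then the properties as positional parameters.
    cmd = ["bash", "-c", f'bash <(curl -s -L {DETECT_URL}) "$@"', "detect", *args]
    return classify_exit(subprocess.run(cmd, check=False).returncode)
```

`run_detect` needs network access and a Black Duck server; the other functions run offline and are the part worth unit-testing in a pipeline.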
## Core Workflows
### Workflow 1: Initial Dependency Security Assessment
Progress:
[ ] 1. Identify package managers and dependency manifests in codebase
[ ] 2. Run `scripts/blackduck_scan.py` with project detection
[ ] 3. Analyze vulnerability findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE and OWASP Top 10 categories
[ ] 5. Review license compliance risks and policy violations
[ ] 6. Ge