Onboard (log in to the system, generate API tokens, create projects and versions)
- Getting started - https://docs.blackduck.com/r/blackduck/latest/black-duck-documentation/getting-started-with-black-duck-sca.html
- API token - https://docs.blackduck.com/r/blackduck-tools/latest/black-duck-tools/api-token.html
- Create a project - https://docs.blackduck.com/r/blackduck/latest/black-duck-documentation/creating-a-project.html
- Create a version - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/about-project-versions.html
- About project versions - https://docs.blackduck.com/r/blackduck/2026.4/black-duck-documentation/about-project-versions.html
Identify which scanner(s) they need for their product, based on the languages used and the capabilities required (for example snippet scanning, which virtually all of the products we onboard will need, but for which the documentation is notably weaker)
- Black Duck Detect scanner - https://community.blackduck.com/s/article/Black-Duck-Introduction-to-Scanning
- Snippet scanning - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/about-snippet-matching.html
- Binary scanning with detect - https://docs.blackduck.com/r/detect/latest/black-duck-detect/binary-scanner.html
- C/C++ scanning - https://community.blackduck.com/s/article/Using-the-Black-Duck-C-CPP-Tool
Get data into the platform
- Describe how to configure the scanners (via CLI or YAML) for their particular code base, paths, etc., then how to perform scans and troubleshoot common issues they may run into
- Configuring Detect - https://docs.blackduck.com/r/detect/latest/black-duck-detect/configuring-detect.html
- (not relevant to all products) Describe the process for uploading existing SBOMs and handling those results. Note that we’ve identified bugs related to these workflows while trying to follow your documentation or create our own.
Perform result review, processing the results of scans after they’ve been performed. So far, I’ve identified the following steps that need to be wrapped in a coherent document:
- Confirming Snippets – applicable for all C/C++ projects, the vast majority of our product families
- Viewing/confirming snippets - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/reviewing-snippet-matches.html
- Confirming other unmatched results (Match Review, etc.) – applicable for some projects (such as our embedded Linux systems importing Yocto information, or those projects importing SBOMs that may not have definitive matches)
Groom the BOM
- Workflows for the creation of custom components covering closed source or commercial third party components
- Documentation about how to assign traits like Licenses correctly
- Defining sources, usage types and their implications, etc.
- Creating/managing custom components - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/about-custom-components.html
- Final confirmation of components, versions, and other attributes of the components within the BOM
Triage Risk
- Identification and resolution of KEVs (top priority)
- Vulnerability details information - https://docs.blackduck.com/r/blackduck/latest/black-duck-documentation/viewing-vulnerability-details.html
- How to identify vulnerabilities that are known not affected, etc. (workflow for determining root cause and applicability) – parts of this particular item are understood to be outside your scope as a BOM tool, and we may need to augment the documentation with vulnerability-related decision-making processes, but data entry and workflow processes are expected
- License risk review (low priority)
- Operational risk review (low priority)
- Understanding types of component risk - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/understanding-the-types-of-component-risk.html
Understand and perform vulnerability management over time
- Alerting / reporting – how to set up Alerts. Note that currently, we can’t reasonably give access to Alert to users because the tool doesn’t allow for filtering of user access. All users in Alert will have visibility into all information granted by a superuser admin API token. This violates security requirements, so currently only I have access to the Alert platform.
- Updating processes (how to use remediation recommendations for decision making, etc)
- Component remediation guidance - https://docs.blackduck.com/r/blackduck/2024.7/black-duck-documentation/remediating-security-vulnerabilities.html
Integrate with CI/CD – only once scan requirements and configuration are well understood. We expect teams to first need to perform manual activities as noted above to configure the scanner, at which point it can be added to CI as needed.
- Black Duck Security Scan:
- ADO - https://docs.blackduck.com/r/bridge/latest/bridge-cli-guide/using-the-black-duck-security-scan-extension-with-black-duck-sca.html
- GitHub - https://docs.blackduck.com/r/bridge/latest/bridge-cli-guide/using-the-black-duck-security-scan-action-with-black-duck-sca.html
- GitLab - https://docs.blackduck.com/r/bridge/latest/bridge-cli-guide/using-the-black-duck-security-scan-template-with-black-duck-sca.html
- Bitbucket - https://docs.blackduck.com/r/bridge/latest/bridge-cli-guide/using-the-black-duck-security-scan-pipe-with-black-duck-sca.html
- Jenkins - https://docs.blackduck.com/r/bridge/latest/bridge-cli-guide/using-the-black-duck-security-scan-plugin-with-black-duck-sca.html
Video Courses
- Black Duck SCA Learning Paths - https://blackduck.skilljar.com/page/clone-of-10d0q88hm90dj
- Black Duck SCA Getting Started - https://blackduck.skilljar.com/page/getting-started-black-duck
- Black Duck Courses by Job Roles - https://blackduck.skilljar.com/page/courses-by-job-roles
- Black Duck Courses by Task - https://blackduck.skilljar.com/page/tasks-black-duck