Downloading and Running Synopsys Detect 6.9.0

This page describes downloading and running Synopsys Detect.

Deciding how to use Detect

Before you download and run Detect, you need to make the following decisions:

  • In which directory do you want to run Detect?

  • Do you want to run Detect before you build or after?

  • Do you want to run Detect as a script or as a .jar file? This choice affects which version is run.

  • What tools and detectors do you want to include or exclude?

  • Do you want to run Detect offline, or connected to Black Duck?

Choosing the working directory

You can run Synopsys Detect from any directory. If you are not running Synopsys Detect from the project directory, provide the project directory using the source path property. When that property is not set, Synopsys Detect assumes the current working directory is the project directory.

View Detect Properties

Positioning Synopsys Detect in the build process

Choose a build mode or a buildless mode.

Build mode

In build mode, which is the default, Synopsys Detect should be executed as a post-build step in the build environment of the project. Building your project prior to running Synopsys Detect is often required for the detector to run successfully, and helps ensure that the build artifacts are available for signature scanning.

Buildless mode

In buildless mode, Synopsys Detect makes its best effort to discover dependencies without the benefit of build artifacts or build tools. In buildless mode, there is no requirement that Synopsys Detect must run as a post-build step. Results from buildless mode may be less accurate than results from build mode.

Choosing a run method

There are two ways to run Synopsys Detect:

  • Running the Synopsys Detect script.

  • Running the Synopsys Detect .jar file.

The primary reason to run a Synopsys Detect script is that, by default, the scripts run the latest version of the Synopsys Detect .jar file, downloading it for you if necessary. When run this way, Synopsys Detect automatically updates itself: as soon as a new version becomes available, the new version automatically runs, unless you override this default behavior.

The primary reason to run the Synopsys Detect .jar directly is that this method enables direct control over the Synopsys Detect version; Synopsys Detect does not automatically update in this scenario.

Running the Synopsys Detect script

The primary function of the Synopsys Detect scripts is to download and execute the Synopsys Detect .jar file. Several aspects of script functionality can be configured, including:

  • The Synopsys Detect version to download/run; by default, the latest version.

  • The download location.

  • Where to find Java.

Information about how to configure the scripts is in the Shell script configuration.

Linux or Mac

On Linux or Mac, execute the Synopsys Detect script (detect.sh, which is a Bash script) from Bash.

Use the following command to download and run the latest version of Synopsys Detect:

bash <(curl -s -L https://detect.synopsys.com/detect.sh)


Append any command-line arguments, separated by spaces. For example:

bash <(curl -s -L https://detect.synopsys.com/detect.sh) --blackduck.url=https://blackduck.mydomain.com --blackduck.username=myusername


Windows

On Windows, execute the Synopsys Detect script (detect.ps1, which is a PowerShell script) from the Command Prompt.

Use the following command to download and run the latest version of Synopsys Detect:

powershell "[Net.ServicePointManager]::SecurityProtocol = 'tls12'; irm https://detect.synopsys.com/detect.ps1?$(Get-Random) | iex; detect"

Append any command-line arguments, separated by spaces. For example:

Running a specific version of Synopsys Detect

Linux or Mac (Bash)

To run a specific version of Synopsys Detect:


For example, to run Synopsys Detect version 5.5.0:


Windows (Command prompt)

To run a specific version of Synopsys Detect:

For example, to run Synopsys Detect version 5.5.0:

 

View Detect Properties


Running the Synopsys Detect JAR file

Download recent versions of the Synopsys Detect .jar file from https://sig-repo.synopsys.com/bds-integrations-release/com/synopsys/integration/synopsys-detect

To run Synopsys Detect by invoking the .jar file:

For example:

You can use the Synopsys Detect Bash script (detect.sh) to download the Synopsys Detect .jar file:

For specific types of projects, Synopsys Detect automatically downloads one or more inspectors as needed.
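
Running the .jar directly fixes the version, and a wrapper can also confirm that the file on disk is the one that was reviewed before executing it. The following is an added example, not part of the Synopsys documentation; the function names, the jar path and the pinned SHA-256 value are assumptions supplied by whoever maintains the build.

```shell
#!/usr/bin/env bash
# Added example: run a pinned, checksum-verified Synopsys Detect .jar.
# Assumptions (not from the page): the jar is already downloaded to a local
# path, and its SHA-256 was recorded when that version was approved.

# Print the SHA-256 of a file in lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file exists and its digest equals the pinned value.
# Return codes: 1 = digest mismatch, 2 = jar missing, 3 = unusable pin.
verify_detect_jar() {
  local jar="$1" expected="$2" actual
  [ -f "$jar" ] || { echo "missing jar: $jar" >&2; return 2; }
  # Reject anything that is not a 64-character hex digest (e.g. an empty pin).
  case "$expected" in
    *[!0-9a-fA-F]*|"") echo "invalid pinned digest" >&2; return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "invalid pinned digest" >&2; return 3; }
  actual="$(sha256_of "$jar")"
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $jar: got $actual" >&2
    return 1
  fi
}

# Verify first, then run Detect with the remaining arguments passed through.
run_pinned_detect() {
  local jar="$1" expected="$2"
  shift 2
  verify_detect_jar "$jar" "$expected" || return $?
  java -jar "$jar" "$@"
}

# Usage (constructed path; PINNED_SHA256 is a placeholder for your recorded digest):
#   run_pinned_detect ./synopsys-detect-6.9.0.jar "$PINNED_SHA256" \
#     --blackduck.url=https://blackduck.mydomain.com
```

A non-zero return from run_pinned_detect before Java starts means the jar was missing, the pin was malformed, or the file no longer matches the reviewed version.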

Running with Black Duck

Synopsys Detect can be used with Black Duck to perform Software Composition Analysis (SCA).

Connected to Black Duck

When Black Duck connection details are provided, Synopsys Detect executes the following by default:

  • The detector tool, which runs the appropriate package manager-specific detector: the Maven detector for Maven projects, the Gradle detector for Gradle projects, and so forth.

  • The Black Duck Signature Scanner, which performs a Black Duck signature scan on the project directory.


Synopsys Detect can be configured to perform additional tasks, including the following:

  • Enable any of the supported snippet matching modes in the Black Duck Signature Scanner.

  • Run Black Duck - Binary Analysis on a given binary file.

  • Run the Black Duck Docker Inspector on a given Docker image.

  • Generate a report.

  • Fail on policy violation.

Refer to Black Duck Server properties and Black Duck Signature Scanner properties for details.

Offline mode

If you do not have a Black Duck instance, or if your network is down, you can still run Synopsys Detect in offline mode. In offline mode, Synopsys Detect creates the BDIO content and the dry run Black Duck signature scan output files without attempting to upload them to Black Duck. You can run Synopsys Detect in offline mode using the offline mode property.

BDIO format

Synopsys Detect produces dependency information for Black Duck in Black Duck Input Output (BDIO) format files. Synopsys Detect can produce BDIO files in two formats:

  • BDIO version 1
    Black Duck versions prior to 2018.12.4 accept only BDIO 1. By default, Synopsys Detect produces BDIO 1 files.

  • BDIO version 2
    Black Duck versions 2018.12.4 and later accept either BDIO 1 or BDIO 2. Use the BDIO2 enabled property to select BDIO 2 format.

Using tools and detectors

Click here for information about including and excluding tools and detectors.


