Metrics and Code Verification 6.4.0

Synopsys Detect uses Google Analytics to collect anonymized usage metrics. 

Usage metrics collection

A mechanism called phone home is used to collect metrics. Synopsys uses this data to help set engineering priorities.

In a network where access to outside servers is limited, this mechanism may fail, and those failures may be visible in the log. This is a harmless failure; Synopsys Detect will continue to function normally.

To disable this mechanism, set the SYNOPSYS_SKIP_PHONE_HOME environment variable to true.

Synopsys Detect code verification

Two methods are available to verify that the Synopsys Detect code you run has not been tampered with since it was built by Synopsys: code signature verification and checksum verification. Both methods apply to the Synopsys Detect .jar file, and only offer protection when you run Synopsys Detect by invoking the Synopsys Detect .jar file directly (as opposed to invoking detect.sh or detect.ps1).

Code signature verification

Code signature verification is the most secure method available for verifying Synopsys Detect code. This method relies on Java tools. It involves verifying the Synopsys Detect .jar file that you download from https://sig-repo.synopsys.com using the Java jarsigner tool. In the event that the .jar has been tampered with, verification will fail.

To verify the Synopsys Detect .jar, use the following command:

jarsigner -verify -strict {your Synopsys Detect .jar file}

The output should state "jar verified." with no warnings.

Checksum verification

Checksum verification provides less protection against tampering than code signature verification, because in the unlikely scenario that the binary repository has been compromised, an attacker could alter both the .jar and the checksum. Checksum verification does, however, provide some degree of protection against other attack scenarios.

The binary repository provides SHA-256, SHA-1, and MD5 checksums for each Synopsys Detect .jar file. To find them, navigate to the .jar file in the binary repository, and scroll to the bottom of the page. Various tools (such as md5sum, sha1sum, and sha256sum on Linux, and certutil and Get-FileHash on Windows) are available for calculating checksums of files on your computer. Use one of those tools to get a checksum for your copy of the Synopsys Detect .jar, and compare it to the corresponding checksum on the binary repository page to make sure they match.
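
Both checks described above can be combined into a wrapper that refuses to launch the .jar unless the checksum matches and jarsigner reports a clean result. This is an added example, not Synopsys code; the script name, function names and argument order are assumptions, and the expected SHA-256 is the value you copied from the binary repository page.

```shell
#!/usr/bin/env bash
# Added example (not part of Synopsys Detect): verify the .jar, then run it directly.

# Compare a file's SHA-256 with the value copied from the binary repository page.
checksum_matches() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    # An unreadable file yields an empty digest; never treat that as a match.
    [ -n "$actual" ] || return 1
    # Hex digests are case-insensitive, so normalise both sides before comparing.
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Accept jarsigner output only if one line is exactly "jar verified."
# and no line mentions a warning.
jarsigner_output_clean() {
    local output="$1"
    printf '%s\n' "$output" | grep -qx 'jar verified\.' || return 1
    if printf '%s\n' "$output" | grep -qi 'warning'; then return 1; fi
    return 0
}

# Run both checks; any failure returns non-zero and prints the reason to stderr.
verify_detect_jar() {
    local jar="$1" expected_sha256="$2" output
    checksum_matches "$jar" "$expected_sha256" \
        || { echo "checksum mismatch: $jar" >&2; return 1; }
    output=$(jarsigner -verify -strict "$jar" 2>&1) \
        || { echo "$output" >&2; return 1; }
    jarsigner_output_clean "$output" || { echo "$output" >&2; return 1; }
}

# Usage (assumed): verify-detect.sh <detect.jar> <expected sha256> [detect args...]
if [ "$#" -ge 2 ]; then
    jar="$1"; expected="$2"; shift 2
    verify_detect_jar "$jar" "$expected" || exit 1
    # Invoke the .jar directly; detect.sh / detect.ps1 are not covered by these checks.
    exec java -jar "$jar" "$@"
fi
```

Copy the expected checksum by hand from the repository page rather than fetching it in the same script, so that the comparison value does not travel the same path as the download.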

©2018 Synopsys, Inc. All Rights Reserved