Key Concepts and Terms 6.4.0

This page describes the key concepts and terms that are used with Synopsys Detect. Understanding the basic terms and Synopsys Detect components helps you to explore how to use it to scan and analyze your code more efficiently.

Software Composition Analysis (SCA) 

Detection of the open source software in a code base, giving users visibility into their open source inventory.

Synopsys Detect run

Typically, it consists of the Synopsys Detect detector using the project's package manager to derive the hierarchy of dependencies in a software project, running the Black Duck signature scanner, and uploading the results to Black Duck for analysis.

Detect script

The primary function of the Synopsys Detect scripts is to download and execute the Synopsys Detect JAR file, which enables the scan.

You download and run the latest version of Synopsys Detect using the following commands, and add properties to refine the instruction.

# Windows
powershell "[Net.ServicePointManager]::SecurityProtocol = 'tls12'; irm https://detect.synopsys.com/detect.ps1?$(Get-Random) | iex; detect"

# Linux/MacOS
bash <(curl -s https://detect.synopsys.com/detect.sh)

Detect JAR

By using a specific Synopsys Detect JAR, you have direct control over the Synopsys Detect version that you use, rather than using the script, which automatically runs the latest version.

Detect tools

Detect tools are run to enable the scanning of your code.

The default tools that are run are:

  • Detector (--detect.tools=DETECTOR)
    The detector tool runs the appropriate detectors that are used to find and extract dependencies by using package manager inspection.

  • Black Duck Signature Scanner (--detect.tools=SIGNATURE_SCAN)
    The Black Duck Signature Scanner tool runs by default when Black Duck connection details are provided. A file/folder (Signature) scan is performed on the built project to examine all project files for open-source software.

  • Other Detect tools such as Docker Inspector or Black Duck Binary Analysis are not run by default but you can add them by using properties on the command line.

Detectors

Synopsys Detect uses detectors to find and extract dependencies from all supported package managers. For example, the Maven detector, which is run by default, executes an mvn dependency:tree command against a Maven project and derives dependency information, which can be sent to Black Duck.

By default, all detectors are eligible to run. The set of detectors that actually run depends on the files that exist in your project directory. 

Properties

A property to which you assign a value is like a flag or a parameter on the command line or in a script that provides instructions for the Detect scan task.

When setting a property value, the property name is prefixed with two hyphens (--). 

bash <(curl -s -L https://detect.synopsys.com/detect.sh) <--property=value>

# Example using properties to specify project name and Black Duck URL
bash <(curl -s -L https://detect.synopsys.com/detect.sh) --detect.project.name=MyProject \
  --blackduck.url=https://blackduck.yourdomain.com
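The following wrapper is an added example, not a script shipped by Synopsys, that ties together three points from this page: running a pinned Detect JAR instead of the always-latest script, choosing which Detect tools run via --detect.tools, and passing properties on the command line. The JAR path, project values and Black Duck URL are placeholders; the assumption that Detect reads the API token from the BLACKDUCK_API_TOKEN environment variable (so it never appears on the command line) is noted in the code.

```shell
#!/bin/sh
# Added example wrapper for a Synopsys Detect run (not Synopsys's own code).
# DETECT_JAR: path to a synopsys-detect JAR you downloaded yourself (pinned
# version, see "Detect JAR" above). BLACKDUCK_API_TOKEN: Black Duck API token.
set -eu

# Build the property list for a Detect run, one property per line, so the
# caller can inspect it (dry run) or pass it to java -jar.
#   $1 project name  $2 project version  $3 Black Duck URL
#   $4 comma-separated tool list (default: the two tools Detect runs by default)
detect_props() {
    project="$1"
    version="$2"
    bd_url="$3"
    tools="${4:-DETECTOR,SIGNATURE_SCAN}"
    printf '%s\n' \
        "--detect.project.name=${project}" \
        "--detect.project.version.name=${version}" \
        "--blackduck.url=${bd_url}" \
        "--detect.tools=${tools}"
}

# Run the pinned JAR with the properties above. The API token is deliberately
# not passed as --blackduck.api.token, so it stays out of shell history and
# process listings; this relies on Detect reading BLACKDUCK_API_TOKEN from the
# environment (an assumption of this example, verify against your version).
run_detect() {
    jar="${DETECT_JAR:?set DETECT_JAR to the pinned synopsys-detect JAR path}"
    : "${BLACKDUCK_API_TOKEN:?set BLACKDUCK_API_TOKEN in the environment}"
    props=$(detect_props "$@")
    # Split only on newlines so property values may contain spaces; disable
    # globbing so a value such as "*" is not expanded.
    old_ifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    java -jar "$jar" $props
    set +f
    IFS=$old_ifs
}

# Usage (placeholders):
#   DETECT_JAR=./synopsys-detect-6.4.0.jar BLACKDUCK_API_TOKEN=... \
#     run_detect MyProject 1.0.0 https://blackduck.yourdomain.com
# Detector-only run (skips the signature scanner):
#     run_detect MyProject 1.0.0 https://blackduck.yourdomain.com DETECTOR
```

Printing the property list separately from executing it lets a CI job log exactly which properties reached Detect, which is the first thing to check when a scan maps to the wrong project version or a tool you expected to run did not.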

Inspectors

Inspectors are used by detectors when the package manager requires an integration or embedded plugin to work. For example, Gradle uses an inspector as a plugin that executes a custom task. Most detectors do not require an inspector.

Scans and projects

Each Detect scan is mapped to one project. A project version can have more than one scan mapped to it, which lets you combine scans of multiple separate folders into one aggregated project version.

BDIO 

Synopsys Detect produces dependency information for Black Duck in Black Duck Input Output (BDIO) format files. 

©2018 Synopsys, Inc. All Rights Reserved