How Synopsys Detect Works

This page provides an overview of how Synopsys Detect works.

How Synopsys Detect does its work

Synopsys Detect performs the following basic steps when scanning open source software, assuming you are connected to a Black Duck instance.

  1. Synopsys Detect uses the project's package manager to derive the hierarchy of dependencies known to that package manager. For example, on a Maven project, Synopsys Detect executes an mvn dependency:tree command, and derives dependency information from the output.

  2. Runs the Black Duck signature scanner on the project. This might identify additional dependencies not known to the package manager such as a .jar file copied into the project directory. The signature scanner only runs when there is a connection to Black Duck.

  3. Uploads both sets of results (dependency details) to Black Duck creating the project/version if it does not already exist. Black Duck uses the uploaded dependency information to build the Bill Of Materials (BOM) for the project/version.

In this case, the user has provided Black Duck connection details through property settings to Synopsys Detect, specifying that results (project dependency details) are to be uploaded to Black Duck. By combining all these techniques, Synopsys Detect is capable of scanning a wide range of software projects
utilizing a variety of package managers and programming languages for open source components.