Description

Black Duck by Synopsys identifies open source related vulnerabilities in applications and containers. It tracks the open source components in your code, manages security and license compliance risk, and automates the enforcement of open source policies.

Quick Info

Product
HCL Accelerate
Type
plugin
Compatibility
HCL Accelerate version 2.0.4 or later
Created by
HCL Software
Website
Version | Name
1.0.2 | ucv-ext-blackduck:1.0.2.tar


Summary

The Black Duck plugin provides integration with a Black Duck server. The plugin imports scan result data from a Black Duck server and saves the data as metrics in HCL Accelerate insights.

Compatibility

HCL Accelerate version 2.0.4 and later is required.

Black Duck Server version 2020.6.0 and later is supported.

History

The following table describes the changes made in each plugin version.

Plugin history details
Version | Description
1.0.2 | Minor enhancements

Usage

To use the Black Duck plugin, the plugin must be loaded and an instance created before you can configure the plugin integration. Configuration properties are defined using the product user interface or a JSON file. After the integration is complete, invoke the plugin by sending an HTTP POST request to the plugin endpoint.

Integration type

The Black Duck plugin supports the endpoint integration listed in the following table.

Endpoints
Name | Path | Method
Black Duck Scan Endpoint | blackDuckScan | POST

To import data from the Black Duck server, send an HTTP POST request to your endpoint such as the following sample.


https:///pluginEndpoint//blackDuckScan
{"project": "project_name", "version": "version_name", "buildUrl": "build_url"}

The payload for the POST must have the project and version from the Black Duck server scan.

Name | Description
project_name | The project name on the Black Duck server.
version_name | Version name of a project on the Black Duck server.
build_url | The build URL from Jenkins or any other CI/CD tool. This is an optional field which links the Black Duck scan results with VSM.
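The request described above, as an added example that is not part of the plugin documentation: it builds the endpoint URL and payload from the documented keys, refuses to send when a required field is missing, and keeps TLS verification on. The HCL Accelerate host and the integration id in the URL (the two empty segments of the sample URL above) are assumed placeholders.

```python
"""Trigger a Black Duck scan import through the HCL Accelerate plugin endpoint.

Added example, not the plugin's own code. Assumes the second path segment of
/pluginEndpoint/<id>/blackDuckScan is the integration id; the payload keys
(project, version, buildUrl) come from the documentation table above.
"""
import json
import ssl
import urllib.request
from urllib.parse import quote


def build_scan_request(accelerate_url, integration_id, project, version, build_url=None):
    """Return (url, body) for the blackDuckScan endpoint.

    Raises ValueError when a required field is empty so a CI step fails loudly
    instead of sending an import request the plugin will reject.
    """
    if not project or not version:
        raise ValueError("project and version are required by the blackDuckScan endpoint")
    base = accelerate_url.rstrip("/")
    url = f"{base}/pluginEndpoint/{quote(integration_id, safe='')}/blackDuckScan"
    payload = {"project": project, "version": version}
    if build_url:
        payload["buildUrl"] = build_url  # optional: links the scan results to the CI build in VSM
    return url, json.dumps(payload).encode("utf-8")


def post_scan(accelerate_url, integration_id, project, version, build_url=None, timeout=30):
    """POST the payload and return (status, response body).

    The default SSL context verifies the server certificate; do not disable
    it for a server that holds the HCL Accelerate access key.
    """
    url, body = build_scan_request(accelerate_url, integration_id, project, version, build_url)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed values; replace with your own host, integration id and Black Duck project/version.
    print(post_scan("https://accelerate.example.test", "INTEGRATION_ID_PLACEHOLDER",
                    "my-app", "1.4.0", "https://ci.example.test/job/42"))
```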

Integration

There are two methods to integrate the plugin:

  • Using the user interface
  • Using a JSON file

Using the user interface

  1. From the Plugins page, click Settings > Integrations > Plugins.
  2. Under the Action column for the plugin, click Add Integration.
  3. On the Add Integration page enter values for the fields used to configure the integration and define communication.
  4. Click Save.

Using a JSON file

The JSON file contains the information for creating a value stream and integrating with the Black Duck server. The following steps describe how to add the plugin integration to an HCL Accelerate value stream map.

  1. From a value stream page, download the value stream map. The value stream map is a JSON file used to define integrations.
  2. Edit the JSON file to include the plugin configuration properties.
  3. Save and upload the JSON file. This replaces the current JSON file with the new content.
  4. View the new integration on the Integrations page.

Configuration Properties

The following tables describe the properties used to configure the integration. Each table contains the field name when using the user interface and the property name when using a JSON file.

  • The General Configuration Properties table describes configuration properties used by all plugin integrations.
  • The Black Duck Configuration Properties table describes the Black Duck configuration properties that define the connection and communications with the Black Duck server. When using the JSON method to integrate the plugin these properties are coded within the properties configuration property.

Some properties might not be displayed in the user interface. To see all properties, enable the Show Hidden Properties field.

General Configuration Properties
Name | Description | Required | Property Name
NA | The version of the plugin that you want to use. To view available versions, click the Version History tab. If a value is not specified, the version named latest is used. | No | image
Integration Name | An assigned name to the value stream. | Yes | name
Logging Level | The level of Log4j messages to display in the log file. Valid values are: all, debug, info, warn, error, fatal, off, and trace. | No | loggingLevel
NA | List of plugin configuration properties used to connect and communicate with the Black Duck server. Enclose the properties within braces. | Yes | properties
 | The name of the tenant. | Yes | tenant_id
NA | Unique identifier assigned to the plugin. The value for the Black Duck Server plugin is ucv-ext-blackduck. | Yes | type

Black Duck Configuration Properties
Name | Type | Description | Required | Property Name
Access Token | Secure | The access token to authenticate with the Black Duck server. You can use either this property or a password to authenticate with the server. | Yes | accessToken
Black Duck URL | String | The base URL of the Black Duck server. For example: https://poc79.blackduck.synopsys.com. | Yes | blackDuckUrl
HCL Accelerate User Access Key | Secure | The user access key to authenticate with the HCL Accelerate server. | Yes | ucvAccessKey

JSON code sample

The following sample code can be used as a template to define the integration within the JSON file for a value stream. Copy and paste the template into the JSON file Integration section and make the appropriate changes.


"integrations": [
  {
    "type": "ucv-ext-blackduck",
    "name": "Black Duck",
    "tenant_id": "tenant_id",
    "properties": {
      "blackDuckUrl": "https://poc79.blackduck.synopsys.com",
      "accessToken": "access_token",
      "ucvAccessKey": "user_access_key"
    }
  }
]
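A check to run over the edited value stream JSON before uploading it, added here as an example and not part of the plugin: it verifies the integration entry against the property names in the configuration tables above, flags template placeholders that were never replaced (uploading them would store a useless secret and a wrong tenant), and flags a plain-http Black Duck URL, over which the access token would travel unencrypted. The sample JSON in the block is constructed.

```python
"""Lint the Black Duck integration entries of an HCL Accelerate value stream JSON file.

Added example, not the plugin's own code. Field names follow the configuration
tables in the plugin documentation; the sample document is constructed.
"""
import json

PLUGIN_TYPE = "ucv-ext-blackduck"
REQUIRED_TOP = ("type", "name", "tenant_id", "properties")
REQUIRED_PROPS = ("blackDuckUrl", "accessToken", "ucvAccessKey")
# Values that appear in the documentation template and must be replaced before upload.
PLACEHOLDERS = {"tenant_id", "access_token", "user_access_key"}


def check_integration(entry):
    """Return a list of problems for one entry of the "integrations" array (empty if clean)."""
    problems = []
    for key in REQUIRED_TOP:
        if key not in entry:
            problems.append(f"missing {key}")
    if entry.get("type") != PLUGIN_TYPE:  # trailing spaces or other plugin ids do not match
        problems.append(f"type must be {PLUGIN_TYPE}")
    if entry.get("tenant_id") in PLACEHOLDERS:
        problems.append("tenant_id still set to the template placeholder")
    props = entry.get("properties") or {}
    for key in REQUIRED_PROPS:
        value = props.get(key)
        if not value:
            problems.append(f"properties.{key} is required")
        elif value in PLACEHOLDERS:
            problems.append(f"properties.{key} still set to the template placeholder")
    url = props.get("blackDuckUrl") or ""
    if url and not url.startswith("https://"):
        problems.append("blackDuckUrl should use https so the access token is not sent in the clear")
    return problems


def check_value_stream(text):
    """Map each integration name in the JSON document to its list of problems."""
    doc = json.loads(text)
    return {e.get("name", "<unnamed>"): check_integration(e) for e in doc.get("integrations", [])}


# Constructed sample: placeholders left in place and an http URL, so every check fires.
SAMPLE = json.dumps({"integrations": [
    {"type": "ucv-ext-blackduck", "name": "Black Duck", "tenant_id": "tenant_id",
     "properties": {"blackDuckUrl": "http://poc79.blackduck.synopsys.com",
                    "accessToken": "access_token", "ucvAccessKey": "user_access_key"}}]})

if __name__ == "__main__":
    for name, problems in check_value_stream(SAMPLE).items():
        print(name, "->", problems or "ok")
```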