Date: 2025-09-23

The solution: Black Duck SCA solutions for open source management

Black Duck SCA is a comprehensive software composition analysis solution that helps organizations manage the security, quality, and license compliance risks that come from using open source and third-party code in applications and containers. Black Duck SCA gives organizations like Trend Micro visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.

“We conducted testing on several vendors’ products noted in analysts’ reports as SCA industry leaders,” Arciniegas said. “We found that Black Duck SCA surpassed other vendors in terms of accuracy and support for scanning of various file types. We were impressed by the Black Duck Signature Scanner and its ability to analyze more types of files from different package management ecosystems than other vendors.”

In a typical Black Duck scan, Black Duck Detect scans source code (including archive formats), a Docker image, or a binary artifact. Once the scan is launched, Black Duck Detect utilizes a set of internal tools (Black Duck Signature Scanner, detectors, and inspectors) to discover open source components. These tools also gather metadata about the code, which includes package manager data and code prints. When that process is complete, Detect sends the metadata to Black Duck SCA in the form of a scan file. A Black Duck SCA server communicates with the Black Duck® KnowledgeBase™ and uses the scan file to create a Software Bill of Materials that includes all discovered open source and the associated risk. Black Duck Detect maps the scan file to a project and project version in Black Duck SCA, where the SBOM will be displayed.
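To make the two-stage workflow above concrete, here is an added toy model of it in Python. It is not Black Duck's code and uses none of its APIs: the sample source tree, the `requirements.txt`-style manifest, the SHA-256 file hashes standing in for "code prints", the in-memory knowledge base, and the placeholder vulnerability identifier are all constructed assumptions. A "detector" pass reads declared dependencies from package-manager metadata, a "signature" pass matches file content hashes to catch vendored code that no manifest declares, the merged result plays the role of the scan file, and a server-side step enriches it from the knowledge base and attaches it to a project and version as a bill of materials.

```python
"""Toy model of a scan-to-SBOM pipeline (added illustration, not Black Duck's code).

Assumptions: the manifest format, the hashing scheme used as a stand-in for
"code prints", and the in-memory knowledge base are all constructed here.
"""
import hashlib
import re

# Constructed sample "source tree": path -> file contents.
SAMPLE_TREE = {
    "requirements.txt": "requests==2.25.1\nurllib3==1.26.5\n",
    "vendor/mini_lib.py": "def helper():\n    return 42\n",
}

# Constructed stand-in for a knowledge base: (name, version) -> license and
# known-vulnerability ids. The vulnerability id is a placeholder, not a real one.
SAMPLE_KNOWLEDGEBASE = {
    ("requests", "2.25.1"): {"license": "Apache-2.0", "vulns": ["VULN-PLACEHOLDER-1"]},
    ("urllib3", "1.26.5"): {"license": "MIT", "vulns": []},
    ("mini_lib", "0.1.0"): {"license": "BSD-3-Clause", "vulns": []},
}

# Constructed signature index: SHA-256 of known file content -> component identity.
SAMPLE_SIGNATURES = {
    hashlib.sha256(b"def helper():\n    return 42\n").hexdigest(): ("mini_lib", "0.1.0"),
}

# Pinned "name==version" lines, the only manifest syntax this toy understands.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+-]+)$")


def detector_pass(tree):
    """Detector stage: declared dependencies from package-manager metadata."""
    found = []
    for line in tree.get("requirements.txt", "").splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            found.append({"name": m.group(1), "version": m.group(2),
                          "source": "package-manager"})
    return found


def signature_pass(tree, signatures):
    """Signature stage: hash every file and match against known component content.

    This is what catches copied-in (vendored) code that no manifest declares."""
    found = []
    for path, content in tree.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if digest in signatures:
            name, version = signatures[digest]
            found.append({"name": name, "version": version,
                          "source": "signature:" + path})
    return found


def build_scan_file(tree, signatures):
    """Client-side output: merged component list, the analogue of a scan file."""
    merged = {}
    for c in detector_pass(tree) + signature_pass(tree, signatures):
        # Deduplicate on (name, version); keep the first discovery source.
        merged.setdefault((c["name"], c["version"]), c)
    return {"components": list(merged.values())}


def build_sbom(scan_file, knowledgebase, project, version):
    """Server-side step: enrich the scan file from the knowledge base and map it
    to a project and project version, returning the bill of materials."""
    entries = []
    for c in scan_file["components"]:
        kb = knowledgebase.get((c["name"], c["version"]),
                               {"license": "UNKNOWN", "vulns": []})
        entries.append({**c, "license": kb["license"], "vulns": list(kb["vulns"])})
    return {
        "project": project,
        "version": version,
        "components": entries,
        # Components with no KB entry need manual review rather than silent acceptance.
        "unknown_license_count": sum(1 for e in entries if e["license"] == "UNKNOWN"),
        "vulnerable_count": sum(1 for e in entries if e["vulns"]),
    }


if __name__ == "__main__":
    scan = build_scan_file(SAMPLE_TREE, SAMPLE_SIGNATURES)
    sbom = build_sbom(scan, SAMPLE_KNOWLEDGEBASE, "demo-app", "1.0.0")
    for e in sbom["components"]:
        print(e["name"], e["version"], e["license"], e["vulns"], e["source"])
```

The point worth taking from the toy is the split of responsibilities: the manifest pass only sees what a package manager was told about, while the content-hash pass finds the vendored `mini_lib` file that no manifest mentions, which is why the paragraph stresses signature scanning alongside detectors. Components that the knowledge base does not recognise surface with an `UNKNOWN` license and are counted separately so they are reviewed rather than lost.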