Black Duck Binary Analysis Glossary
The following terms are defined here because they have meanings that are relevant only within the context of using Black Duck Binary Analysis software.
- appliance
-
An instance of Black Duck Binary Analysis running on a private server, as opposed to the generally available cloud version at https://bdba.blackduck.com.
- bill of materials (BOM)
-
A list of the components identified in a scanned binary, together with their known vulnerabilities and license information.
- codetype
-
The programming language of a component, including the development ecosystem that goes along with it. Codetypes include C/C++ and Go (compiled to native code), .NET and Java (compiled to bytecode), and other compiled languages. Interpreted and scripted languages are covered by a different version of Black Duck.
- component
-
Most of the time the term refers to a library rather than an application. (See "Supported components.")
- distributed scanning
-
A way to configure Black Duck Binary Analysis for higher throughput. Distributed scanning requires that the frontend components (the user interface and the database) run on a single machine, and that a number of other machines are dedicated to scanning binaries.
- full-path
-
The path on which the file was discovered. Sometimes also referred to more simply as "path" in the user interface.
- historical vulnerability
-
A vulnerability that has been reported against a previous version of a software component but does not apply to the version of that component found in your scan.
- information leakage
-
The unintentional exposure of potentially sensitive data that is contained in a software package. Leaks may include email addresses, endpoints, and passwords or cryptographic keys.
- latest version
-
The most recent version scanned by Black Duck Binary Analysis. This might not be the most recent version released.
- matching method
-
An algorithm that the scanner uses to identify a component. Several methods can be used when scanning components, some of which apply only to particular programming languages. In the user interface, you can find the matching method that was applied to any file in its component description; JSON results returned by the API carry the same information in the "matching-method" key.
- mitigation (or exploit mitigation)
-
Mitigation techniques are protections added by the compiler and linker (for example stack protection, a non-executable stack, or position-independent code) that make it more difficult for attackers to exploit vulnerabilities. Black Duck Binary Analysis reports binaries that were built without these mitigations.
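The following is an added example, not code from the Black Duck Binary Analysis documentation or product, showing the kind of check that produces a "missing mitigation" finding. It parses ELF64 headers directly and tests for three linker-level mitigations: a non-executable stack (PT_GNU_STACK without the execute flag), a RELRO segment (PT_GNU_RELRO), and PIE (file type ET_DYN). The sample binaries are constructed in memory; the exact set of mitigations the product reports, and how it detects them, are not described on this page.

```python
"""Check an ELF64 binary for common exploit mitigations (added example).

Not part of Black Duck Binary Analysis. Parses the ELF header and program
headers with struct, so it runs offline on any ELF64 file or on the
constructed sample images below. Stack canaries need a symbol-table lookup
and full RELRO needs the dynamic section (DT_BIND_NOW); both are omitted.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3


def check_mitigations(data: bytes) -> dict:
    """Return {"nx": bool, "relro": bool, "pie": bool} for an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    fmt = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize,
     e_phnum) = struct.unpack_from(fmt + "HHIQQQIHHH", data, 16)
    # Without PT_GNU_STACK the Linux loader falls back to an executable
    # stack on common architectures, so treat "absent" as "not NX".
    nx = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(fmt + "II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True   # partial RELRO at least; full RELRO not checked
    return {"nx": nx, "relro": relro, "pie": e_type == ET_DYN}


def missing_mitigations(data: bytes) -> list:
    """Names of mitigations the binary lacks, sorted, as a report would list them."""
    return sorted(name for name, present in check_mitigations(data).items()
                  if not present)


def build_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed test data: a minimal little-endian ELF64 image for x86-64
    with the given (p_type, p_flags) program headers and no sections."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0, ehsize, 0, 0,
        ehsize, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
        for p_type, p_flags in phdrs)
    return header + body


# Constructed samples: a hardened build, a build with every mitigation
# missing, and a build that omits PT_GNU_STACK entirely.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W),
                              (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
NO_STACK_HDR = build_elf(ET_DYN, [(PT_GNU_RELRO, PF_R)])

if __name__ == "__main__":
    # Usage: python check_elf.py /path/to/binary   (defaults to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "missing:", missing_mitigations(fh.read()))
    else:
        for label, img in (("hardened", HARDENED), ("weak", WEAK),
                           ("no-stack-header", NO_STACK_HDR)):
            print(label, "missing:", missing_mitigations(img))
```

Run it against any real ELF64 binary to see which of the three flags its toolchain set; a component with an executable stack and no RELRO or PIE is exactly the kind of result a binary scanner would surface under this term.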
- object
-
Always means a file. When we talk about the number of objects in a scan, we are counting the files.
- path
-
See full-path.
- product
-
In the dictionary-list description of a vendor vulnerability, the "product" field is the name of the affected component. Unlike the "vendor" field, "product" is mandatory.
- rationale
-
The reason for triaging a known vulnerability. (For example: the vendor applied a patch, the feature is disabled, etc.)
- roles
-
The following roles can be assigned: Administrator, Basic scan user, BoM reviewer, Custom pattern search manager, Global project viewer, License reviewer, Power user, Read-only user, Security manager, Security reviewer, Vendor component manager and Vendor vulnerability manager. Each of these is defined in the Administration Guide.
- supported components
-
Black Duck Binary Analysis recognizes thousands of components. If your upload contains proprietary code or third-party libraries that it does not recognize, you can teach them to Black Duck Binary Analysis. (See the User Guide for more information.)
- teach
-
When you upload components created by you or your vendors, Black Duck Binary Analysis learns the binary fingerprint of that component. Black Duck Binary Analysis will recognize the component if it is included in future scans. (See the User Guide for more details.)
- timestamp
-
A timestamp match means that the vulnerability was published after the component in question was compiled. In such a case, Black Duck Binary Analysis assumes that the vulnerability is present in the component and has not been fixed. Timestamp matching is used when the exact version number of a component cannot be determined with certainty, so its results carry less confidence than a version match.
- triage
-
Within Black Duck Binary Analysis, vulnerability triage refers to the ability to exclude specific known vulnerabilities of a third-party component from the analysis score of a scanned application. This is useful when the vulnerability has been adequately addressed.
- triage scope
-
When you apply a triage, you must choose application, group or company level. When applied to the application, the triage affects all instances of the same component within that application. When applied to a group it affects all the applications in that group. Applied at the account level (the company level) the triage affects every group, and all the applications within each group.
- vendor
-
The term "vendor" can refer to someone who provided a library to you, or it can mean another third party who provided code that was included in that library. The important thing is that in Black Duck Binary Analysis, vendor code usually means a library that is not scanned into the full database and might never be. The private libraries and proprietary code that you upload yourself are never seen by other users, and when you log vulnerabilities, Black Duck Binary Analysis refers to them as vendor vulnerabilities to distinguish between these and the vulnerabilities that appear in the database and are available to all users.
- vulnerability
-
A vulnerability is any weakness that can be exploited. Black Duck Binary Analysis searches for known vulnerabilities that have been discovered and shared, but cannot detect any vulnerabilities that haven't been incorporated into the database. Throughout this documentation, when we say "vulnerability" we're talking about the search for known vulnerabilities in code that you scan.
- worker
-
An instance of Black Duck Binary Analysis on a virtual machine that functions only as a remote scanner, typically when Black Duck Binary Analysis is configured for distributed scanning. Worker machines analyze binary files and create a bill of materials.
