Appendix: Supported Software and Applications

Supported Architectures and Operating Systems

Black Duck Binary Analysis supports scanning native applications for the following CPU architectures and operating systems:

  • Microsoft Windows 95/98/ME/XP/Vista/7/8 32bit and 64bit binaries (Intel)
  • Linux 32bit and 64bit binaries (Intel, PowerPC, ARM)
  • Apple Mac OS X 32bit and 64bit binaries (Intel, PowerPC)
  • FreeBSD, NetBSD and OpenBSD 32bit and 64bit binaries (Intel, PowerPC, ARM, SPARC, HP-PA-RISC)
  • Solaris 32bit and 64bit binaries (Intel, SPARC)
  • The following real-time operating systems (RTOS): VxWorks, QNX, NucleusOS, and ThreadX
  • Embedded system firmware based on Intel, ARM, PowerPC, MIPS, PA-RISC, SPARC, and AVR32 architectures
  • Unencrypted Android, iOS and BlackBerry binaries

If your operating system or CPU architecture is not listed, please contact us. We have a dedicated team of engineers specialized in adding support for additional CPU architectures and operating systems.

Supported programming languages

Black Duck Binary Analysis works solely on executables and binaries and is therefore language agnostic. However, the programming languages for which components can be detected can be inferred from the supported binary formats:

  • Native binaries
    • C and C++ are the most common languages used to build native applications, but many other programming languages are also compiled to native code. Black Duck Binary Analysis is agnostic to the source language because it works on the binary code.
  • Java binaries
    • Besides Java, many other languages compile to Java class files, such as Clojure, Groovy and Scala, to name a few of the most popular. Black Duck Binary Analysis is agnostic to the source language because it works on the JVM class files.
  • .NET binaries
    • Code for the .NET framework is typically written in C# or VB.NET. As with Java, many other languages compile to .NET binaries, and Black Duck Binary Analysis can scan binaries produced from any of them.
  • Go binaries
    • Although Go programs compile to native binaries, their format differs slightly from standard native code binaries. Black Duck Binary Analysis supports scanning Go binaries.
  • Python packages
    • Black Duck Binary Analysis supports the detection of installed Wheel and Egg Python packages.
  • Ruby packages
    • Black Duck Binary Analysis supports the detection of Ruby packages installed with the RubyGems package manager.
  • JavaScript packages
    • Black Duck Binary Analysis supports the detection of JavaScript runtime environment packages installed with the NPM package manager.
  • Other Languages
    • Some interpreted and scripting languages, such as PHP, are not supported.
  • Linux distribution packages
    • Black Duck Binary Analysis supports the detection of Linux packages installed on the scanned filesystem.

Supported application types

When scanning an upload, Black Duck Binary Analysis tries to determine the type of the uploaded binary and displays it in the upload list. This can be very helpful when scanning unknown applications from the internet. The application type is determined automatically from the characteristics of the binary, and because different types can share characteristics it is sometimes recognized incorrectly. If Black Duck Binary Analysis cannot determine the application type automatically, "Unknown" is shown.

Note that an incorrectly identified application type does not affect scanner performance or the components found. The following application types are supported:

  • .Net application
  • Android APK
  • Android sparse filesystem
  • Arris firmware
  • BlackBerry OS application
  • Directory
  • ELF installer
  • ELF binary
  • iOS application
  • ISO 9660 image
  • Install4J installer
  • InstallJammer installer
  • IntelHEX firmware
  • JFFS2 file system
  • Java library/application
  • Juniper firmware
  • Kosmos firmware
  • Linux firmware
  • Linux kernel
  • macOS application
  • macOS executable
  • macOS file system
  • Mach-O installer
  • OpenWRT firmware
  • QNX firmware
  • QtInstaller
  • S-Record firmware
  • Siemens firmware
  • U-Boot image
  • Unix or Windows library
  • Virtual machine image
  • WebAssembly
  • Windows application
  • Windows DLL
  • Windows executable
  • Windows installer
  • Container

Supported compression formats

Executable code is searched for in ELF binaries, Windows executables and DLLs, Mach-O binaries, Java classes, Android DEX files and unrecognized data files. Uploaded software packages can be inside various archive and installer formats. In general, Black Duck Binary Analysis supports the following formats (note that the format is recognized from the file content, not from the file extension):

Compression formats:

  • gzip (.gz)
  • bzip2 (.bz2)
  • lzma (.lz)
  • lz4 (.lz4)
  • compress (.Z)
  • xz (.xz)
  • pack200 (.jar)
  • upx (.exe)

Archive formats:

  • ZIP (including .jar, .apk, and other types derived from .zip)
  • Xar (.xar)
  • 7zip (.7z)
  • ARJ (.arj)
  • Tar (.tar)
  • VM Tar (.tar)
  • cpio (.cpio)
  • RAR (.rar)
  • LZH (.lzh)
  • Electron archive (.asar)

Installation formats:

  • vSphere Installation Bundle (.vib)
  • Redhat RPM (.rpm)
  • Debian package (.deb)
  • Mac installers (.dmg, .pkg)
  • Unix shell file installers (.sh, .bin). However, not all installer formats are supported.
  • Windows installers (.exe, .msi, .cab). However, not all .exe installer generators are supported.

Installer generator formats that are supported:

  • 7z, ZIP and RAR self-extracting .exe
  • MSI Installer
  • CAB Installer
  • InstallAnywhere
  • Install4J
  • InstallJammer
  • InstallShield
  • InnoSetup
  • QtInstaller
  • Wise Installer
  • Nullsoft Scriptable Install System (NSIS)
  • WiX Installer

However, Windows installer generators tend to change their file format between versions, so not all versions may be supported.

Filesystems / Disk images:

  • ISO 9660 / UDF (.iso)
  • Windows imaging
  • ext2/3/4
  • JFFS2
  • UBIFS
  • RomFS
  • Microsoft Disk Image
  • Macintosh HFS
  • VMware VMDK (.vmdk, .ova)
  • QEMU copy-on-write (.qcow2)
  • VirtualBox VDI (.vdi)
  • QNX - EFS, IFS
  • Netboot images (.nbi)

Firmware formats:

  • Intel HEX
  • Cisco firmware
  • SREC
  • U-Boot
  • Arris firmware
  • Juniper firmware
  • Kosmosx firmware
  • Android Sparse Filesystem

Other:

  • Various other formats that are effectively tarballs, ZIPs or other archives, such as other Linux package formats and containers (for example Docker)
  • Unrecognized data blobs are scavenged for common filesystems, archives and executables.
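As an added example (not Black Duck Binary Analysis code, and not a description of how BDBA identifies files internally), the following Python sketch shows the two ideas in this section: recognizing a format from its bytes rather than its extension, and carving an unrecognized blob for embedded archives and executables. The signature values are the public magic numbers of each format; the sample inputs are constructed inline, with deliberately misleading file names. It also shows one of the similarity cases the application-type section warns about: 0xCAFEBABE begins both Java class files and Mach-O universal binaries, and "MZ" alone is only a DOS stub until the PE header is checked.

```python
"""Content-based format sniffing and blob carving (illustrative example, not
Black Duck Binary Analysis code). Signatures are the public magic bytes of each
format; all sample inputs below are constructed for the example."""
import struct
from typing import List, Tuple

# (name, offset, magic): the magic must appear at `offset` within the file.
# Most formats sign at offset 0; tar and ISO 9660 sign deeper in the file.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("gzip",          0,      b"\x1f\x8b\x08"),          # ID1 ID2 CM=8 (deflate)
    ("bzip2",         0,      b"BZh"),
    ("xz",            0,      b"\xfd7zXZ\x00"),
    ("lz4 frame",     0,      b"\x04\x22\x4d\x18"),
    ("compress (.Z)", 0,      b"\x1f\x9d"),
    ("7zip",          0,      b"7z\xbc\xaf\x27\x1c"),
    ("RAR",           0,      b"Rar!\x1a\x07"),
    ("ZIP",           0,      b"PK\x03\x04"),
    ("xar",           0,      b"xar!"),
    ("cpio (newc)",   0,      b"070701"),
    ("ELF",           0,      b"\x7fELF"),
    ("Android DEX",   0,      b"dex\n"),
    ("Mach-O 64-bit", 0,      b"\xcf\xfa\xed\xfe"),      # MH_MAGIC_64, little-endian
    ("tar (ustar)",   257,    b"ustar"),
    ("ISO 9660",      0x8001, b"CD001"),
]


def _pe_signature_ok(data: bytes) -> bool:
    """'MZ' alone is a DOS stub; a PE image has 'PE\\0\\0' at e_lfanew (u32 at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _cafebabe(data: bytes) -> str:
    """0xCAFEBABE is shared by Java class files and Mach-O universal (fat) binaries.
    Disambiguate on the big-endian u32 at offset 4: a fat header stores nfat_arch
    (a small count), a class file stores minor/major version with major >= 45."""
    if len(data) < 8:
        return "unknown"
    word = struct.unpack_from(">I", data, 4)[0]
    return "Mach-O universal (fat)" if word < 45 else "Java class"


def detect_format(data: bytes) -> str:
    """Identify a file by its bytes only; the file name and extension are never consulted."""
    if data[:4] == b"\xca\xfe\xba\xbe":
        return _cafebabe(data)
    if data[:2] == b"MZ":
        return "Windows PE" if _pe_signature_ok(data) else "DOS MZ stub (no PE header)"
    for name, off, magic in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            return name
    return "unknown"


def carve(blob: bytes) -> List[Tuple[int, str]]:
    """Scan an unrecognized blob for embedded objects; return sorted (start, format) pairs.
    Hits are anchored at the object's start, so a 'ustar' found at i maps to i - 257."""
    hits: List[Tuple[int, str]] = []
    for name, off, magic in SIGNATURES:
        i = blob.find(magic)
        while i >= 0:
            if i - off >= 0:
                hits.append((i - off, name))
            i = blob.find(magic, i + 1)
    i = blob.find(b"MZ")                      # PE needs its structural check
    while i >= 0:
        if _pe_signature_ok(blob[i:]):
            hits.append((i, "Windows PE"))
        i = blob.find(b"MZ", i + 1)
    return sorted(hits)


def _pe_stub() -> bytes:
    """Constructed minimal PE: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    return bytes(pe)


# Constructed inputs: the names are deliberately misleading, the bytes decide.
SAMPLE_FILES = {
    "report.txt": _pe_stub(),                                         # PE behind .txt
    "backup.gz":  b"PK\x03\x04" + b"\x00" * 26,                       # really a ZIP
    "Foo.class":  b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8,  # Java 8 class
    "tool.bin":   b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 8,  # fat Mach-O, 2 arches
}


def build_sample_blob() -> bytes:
    """Constructed blob: filler, gzip header at 16, ustar header at 58, ZIP at 571, PE at 609."""
    gz = b"\x1f\x8b\x08" + b"\x00" * 7
    tar = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 250
    zip_lfh = b"PK\x03\x04" + b"\x00" * 26
    return b"\xaa" * 16 + gz + b"\xbb" * 32 + tar + zip_lfh + b"\xcc" * 8 + _pe_stub()


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} -> {detect_format(data)}")
    for start, fmt in carve(build_sample_blob()):
        print(f"blob offset {start:5d}: {fmt}")
```

Short magics such as the two-byte compress (.Z) signature will match by chance inside random data; a production carver validates the header structure that follows the magic, as the PE and 0xCAFEBABE checks here do, before reporting a hit.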

Supported Linux distributions and versions

  • Alpine 3.3 and later
  • Amazon Linux 2
  • CentOS 5 and later
  • Debian 6.0 (Squeeze) and later
  • openSUSE 13.1 and later
  • Oracle 7
  • Photon OS
  • Red Hat 8
  • Rocky 8 and 9
  • SUSE Linux Enterprise Server (SLES) 11 and later
  • Ubuntu 10.04 LTS and later

Linux distribution codenames

Black Duck Binary Analysis extracts this value dynamically from distribution packages, images, and containers.

While it is impossible to list all possible values, these are some of the most common:

  • archlinux
  • alpine
  • centos
  • debian
  • ol
  • opensuse
  • oracle
  • photon
  • poky
  • rhel
  • sles
  • suse
  • ubuntu

Environment variables

Common BDBA environment variables

APPCHECK_LOG_LEVEL - logging level ("DEBUG", "INFO", "WARNING", "CRITICAL"). Defaults to INFO.

DATA_UPDATE_UPSTREAM - Upstream source for data updates (default https://bdba.blackduck.com/)

API_PAGINATION_LIMIT - maximum number of entries per page in API responses (default 1000).

USE_NVD_VALUES - use values from NVD instead of BDSA (versions, scores, etc.). Default false.

METRICS_STATISTICS_INTERVAL - default interval, in hours, for collecting statistics. Default 24.

SLOW_SCAN_THRESHOLD - "slow scan" trigger threshold for metrics, in seconds. Default 7200.

RESULT_UPDATE_DAYS - update window for old results, in days; vulnerability updates are applied only to results newer than this. Default 730.

VACUUM_DAYS - days on which to run PostgreSQL vacuum (default Sunday).

MEMCACHED_LOCATION - location of memcached (default "127.0.0.1:11211").

Appliance-specific environment variables

POSTGRES_DBNAME - PostgreSQL database name

POSTGRES_USER - user for PostgreSQL

POSTGRES_PASSWORD - password for PostgreSQL

CONCURRENT_RESULT_UPDATES - number of concurrent result updates, that is, additional background processing tasks that update results after vulnerability updates, version updates, etc. (default 0, disabled).

VACUUM_DAYS - days on which to run PostgreSQL vacuum (default Sunday).

MEMCACHED_LOCATION - location of memcached (default "127.0.0.1:11211").

METRICS_STATISTICS_INTERVAL - default interval, in hours, for collecting statistics. Default 24.

SLOW_SCAN_THRESHOLD - "slow scan" trigger threshold for metrics, in seconds. Default 7200.

RESULT_UPDATE_DAYS - update window for old results, in days; vulnerability updates are applied only to results newer than this. Default 730.

FRONTEND_WORKER_CONCURRENCY - number of concurrent result post-processors. Default 3.