Using Black Duck Detect (Desktop)

Black Duck Detect (Desktop) provides a new interface to make it easier to scan code.

With Black Duck Detect (Desktop), you can:

To use Black Duck Detect (Desktop):

  1. Download and install Black Duck Detect (Desktop).

  2. Configure Black Duck Detect (Desktop) with your Black Duck server settings and complete the installation process.

  3. Use Black Duck Detect (Desktop) to scan and/or upload your files.

Note: An error message appears if you exceed the scan size limit, which is 5 GB (6 GB for Black Duck Binary Analysis). Contact Customer Support if you receive this message.

Be sure that your system meets the system requirements of Black Duck Detect.

  • Click here for the system requirements for the latest version of Black Duck Detect.

  • Click here for the documentation for previous versions of Black Duck Detect. Use this page to find the Black Duck Detect version and view the system requirements.

Downloading and installing Black Duck Detect (Desktop)

  1. Log in to Black Duck.

  2. Navigate to the drop-down menu under your username and select Tools.

  3. Select the operating system you wish to use in the Downloads Black Duck Detect (Desktop) section to download the executable from Google Cloud Storage.

  4. Run the executable to install Black Duck Detect (Desktop).

    If you are upgrading from a previous version of Black Duck Detect (Desktop), an option appears to migrate data from the previous version.

Note: As the application installs into a directory related to its name, Black Duck Detect (Desktop) will not uninstall previous versions of Black Duck Detect Desktop. It also will not uninstall versions of Black Duck Detect (Desktop) that were installed in a non-default directory. You must manually uninstall all previous versions of Black Duck Detect Desktop, versions of Black Duck Detect (Desktop) installed in the non-default directory, and fix or delete any shortcuts.

If Black Duck Detect (Desktop) does not open after installation and the following error message appears:

The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Black Duck Detect/chrome-sandbox is owned by root and has mode 4755.

your operating system does not support the Sandbox at the kernel layer. To run Black Duck Detect (Desktop) with the Sandbox disabled, enter the following at the command line:

blackduck-detect --no-sandbox

Command line options for Windows

  • Unattended (silent) install for Black Duck Detect

    ./blackduck-detect-latest.exe /S
  • Installing to a specific directory

    ./blackduck-detect-latest.exe /D=C:\directory

Installing the Linux version of Black Duck Detect (Desktop)

  1. Download the executable from your Black Duck server, as described in the previous section.

  2. Install Black Duck Detect (Desktop):

    cd Downloads

    To install on CentOS/RedHat:

    sudo yum localinstall blackduck-detect-latest.rpm

    To install on Ubuntu/Debian:

    sudo apt install ./blackduck-detect-latest.deb
  3. Change the permission of chrome-sandbox:

    cd "/opt/Black Duck Detect"
    sudo chmod 4755 chrome-sandbox
  4. Run Black Duck Detect (Desktop):

    ./blackduck-detect --no-sandbox
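The error message quoted earlier requires chrome-sandbox to be owned by root and to have mode 4755, while step 3 sets only the mode. The check below is an added example, not part of the Black Duck documentation; it assumes GNU stat, and the function name check_sandbox_helper is hypothetical.

```shell
#!/bin/sh
# Added example, not Black Duck code. The path comes from the error message on this page.
HELPER="/opt/Black Duck Detect/chrome-sandbox"

# check_sandbox_helper PATH [EXPECTED_UID]   (hypothetical helper name)
# Returns 0 if PATH is a regular file (not a symlink) owned by EXPECTED_UID
# (default 0 = root) with mode exactly 4755; 1 if misconfigured;
# 2 if absent or not a regular file.
check_sandbox_helper() {
    path=$1
    want_uid=${2:-0}
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2
        return 2
    fi
    # GNU stat: %u = numeric owner id, %a = octal mode including the setuid digit
    owner=$(stat -c '%u' -- "$path") || return 2
    mode=$(stat -c '%a' -- "$path") || return 2
    rc=0
    if [ "$owner" != "$want_uid" ]; then
        echo "owner uid is $owner, expected $want_uid (fix: sudo chown root \"$path\")" >&2
        rc=1
    fi
    if [ "$mode" != "4755" ]; then
        echo "mode is $mode, expected 4755 (fix: sudo chmod 4755 \"$path\")" >&2
        rc=1
    fi
    # When both fixes are needed, run chown first: on Linux, chown clears the setuid bit.
    return "$rc"
}

# Usage: check_sandbox_helper "$HELPER" && echo "chrome-sandbox matches the required owner and mode"
```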

Configuring Black Duck Detect (Desktop)

After installing Black Duck Detect (Desktop), continue the installation process by configuring your Black Duck settings.

  1. After installing or upgrading to Black Duck Detect (Desktop), the Welcome page appears.

  2. Click the Configure icon, located in the upper right corner, to display the Settings page.

  3. As described below, select one of the following tabs and complete the installation and configuration process:
    • Server Configuration

    • Proxy Settings

    • Black Duck Detect

    • Updates

Black Duck server configuration

To add a server:

  1. Select the Server Configuration tab and click Add Server.

  2. Specify the Black Duck Server URL. Enter the URL to the Black Duck server as you would type it in the browser, for example https://servername:8443/

    If required, enter context information, for example, if the X-Forwarded-Prefix header is being specified in a proxy server/load balancer configuration.

  3. Generate or enter an API key (user access token).

    • To generate a new API key:
      1. Enter a key name, your username, and password.

      2. Click Create.

    • To enter an API key:
      1. Select Already have a key?.

      2. Enter the API key in the field.

      3. Click Create.

  4. Click Save. Black Duck Detect (Desktop) connects to the Black Duck server and displays the version of Black Duck you are connected to.

To remove an API key:

Removing the API key does not delete the key in Black Duck. It only removes it locally.

  1. Select the Server Configuration tab.

  2. Click the File options icon in the row of the server and select Remove API Key.

    The Remove API Key dialog box appears.

  3. Click OK to confirm.

To delete a configuration

  1. Click the File options icon in the row of the server and select Delete Configuration.

    The Delete Server Configuration dialog box appears.

  2. Click OK to confirm.

Proxy settings

Accessing Black Duck Detect (Desktop) through a proxy is supported. Black Duck Detect (Desktop) automatically uses your local system proxy setup.

If you are required to manually enter your proxy settings or you do not require a proxy, you can modify these default settings.

To modify the default proxy settings:

  1. Select the Proxy Settings tab.

  2. Select either No Proxy or Manual Proxy Configuration.

  3. If you select a manual proxy configuration:

    1. Enter the following information:
      • Your proxy host name.

      • Port number.

      • Whether authentication is required.

      • Your username and password.

      If a proxy is enabled and authentication is required, you may have to re-enter your username and password.

    2. Click Save.

  4. Restart the application.

Configuring Black Duck Detect settings

Optionally, select Synopsys Detect and, if necessary, define any Black Duck Detect settings, clear any build tools you do not want to use, or manually configure the path to the build tools.

Checking for updates

You can check whether there are updates to Black Duck Detect (Desktop) by selecting the Updates tab. The page lists the last time you checked for updates. Click Check for updates to see whether newer versions are available. This option is only available for Windows and macOS systems.

Certificates

When connecting to Black Duck, you can ignore invalid or insecure SSL certificates.

  1. Click the Configure icon, located in the upper right corner, to display the Settings page.

  2. Select the Server Configuration tab.

  3. Check the Ignore invalid or insecure SSL Certificates checkbox.

  4. Restart the application.

CAUTION: This is a potentially unsafe operation. It should only be used if you must connect to a system with an insecure or self-signed certificate.

Alternatively, if you want to import a self-signed certificate, you can do so by following the standard keytool import process for your JRE.

Identify the location of the JRE being used by Black Duck Detect:

  1. Click the Configure icon, located in the upper right corner, to display the Settings page.

  2. Select the Black Duck Detect tab.

  3. Select paths from the Properties menu. Alternatively, type paths in the Search Properties search field to narrow the options displayed.

  4. If the Java Executable field has no value, Black Duck Detect will use the JRE installed under $JAVA_HOME set in your system environment variables.

Now that the location of the JRE that Black Duck Detect is using is known, the certificate should be imported to the relevant cacerts file (typically found in the lib\security folder).

  1. Within a terminal session, run the following command (changing the paths to suit):
    keytool -import -trustcacerts -keystore <path_to_keystore> -file <path_to_certificate> -alias <alias_for_cert>
  2. You will be prompted for a password. Provide it and press enter.

  3. You will be prompted whether or not to trust the certificate. Inspect the contents and accept as appropriate.
Note: It may be necessary to also import any intermediary certificates associated with a chain. If you encounter any issues with the import process, please contact your IT department.
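One way to carry out the "inspect the contents" step before running the keytool command, as an added example that is not part of the Black Duck documentation: compare the certificate file's SHA-256 fingerprint with a value obtained out of band from whoever administers the server. The function names are hypothetical, and the code assumes a PEM file and GNU coreutils (base64, sha256sum).

```shell
#!/bin/sh
# Added example, not Black Duck code: pin a self-signed certificate by its
# SHA-256 fingerprint before importing it with keytool.

# cert_sha256 FILE: print the SHA-256 fingerprint (uppercase hex, no colons)
# of the first certificate in a PEM file. The fingerprint is the SHA-256 of
# the certificate's DER bytes, which are the base64-decoded PEM body.
cert_sha256() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
                /-----END CERTIFICATE-----/   {exit}
                on {print}' "$1" | tr -d ' \r\n')
    # No certificate block found: fail instead of hashing empty input.
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# normalize_fp STRING: accept "AB:CD:..." or "abcd..." and print uppercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprint_matches FILE EXPECTED: return 0 only if the file's fingerprint
# equals EXPECTED; 2 if FILE holds no certificate; 1 on mismatch.
fingerprint_matches() {
    actual=$(cert_sha256 "$1") || return 2
    [ "$actual" = "$(normalize_fp "$2")" ]
}

# import_pinned KEYSTORE CERT ALIAS EXPECTED_FP: run the keytool command from
# this page only when the fingerprint check passes.
import_pinned() {
    if fingerprint_matches "$2" "$4"; then
        keytool -import -trustcacerts -keystore "$1" -file "$2" -alias "$3"
    else
        echo "fingerprint mismatch for $2; not importing" >&2
        return 1
    fi
}
```

keytool still asks for the keystore password and for confirmation that the certificate should be trusted; the check only ensures that the file being confirmed is the expected one.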

Scanning options

The Black Duck Detect (Desktop) makes it easier to scan:

  • Source directories

  • Binaries or executables

  • Docker images or distributions

By default, all scans are uploaded to the Black Duck server and mapped to a project version. However, you can create a scan file, as described in Creating a scan file, to output the scan to a file which you can later upload to Black Duck.

To specify project and/or version names:

  1. Click ADD located next to Project Settings.

  2. Select Project Name and/or Version Name. The fields appear in the UI.

  3. Specify the values for the field(s).

Scanning Source Directory

To scan a source directory:

  1. Click New Scan.

  2. From the What type of scan? list, select Source Directory.

  3. Click the Folder icon to select the directory you would like to scan.

  4. Optionally, modify or configure any project or scan settings by clicking ADD and selecting the setting.

    If you have purchased a snippet scanning license and want to enable snippet scanning, select Snippet Matching from the Scan Settings options and enable it.

  5. Click Scan.

    The status of the scan appears along with an option to cancel the scan.

  6. When the scan is complete, select the Local Scan History tab to view information on the completed scan. From this tab, you can manage your scan. You can also view the uploaded scan using the Scans tab.

Scanning binary/executable

To scan a single binary or executable:

  1. Click New Scan.

  2. From the What type of scan? list, select Binary/Executable.

  3. Click the Folder icon to select the binary or executable you would like to scan.

  4. Optionally, modify or configure any project settings by clicking ADD and selecting the setting.

  5. Click Scan.

    The status of the scan appears along with an option to cancel the scan.

  6. When the scan is complete, select the Local Scan History tab to view information on the completed scan. From this tab, you can manage your scan. You can also view the uploaded scan using the Scans tab.

Scanning a Docker image or distribution

To scan a Docker image or distribution (.tar file):

  1. Click New Scan.

  2. From the What type of scan? list, select Docker.

  3. Do one of the following:
    • Enter the Docker image name.

    • Select Choose Docker archive (.tar) and click the Folder icon to select the directory you would like to scan.

  4. Optionally, modify or configure any project settings by clicking ADD and selecting the setting.

  5. Click Scan.

    The status of the scan appears along with an option to cancel the scan.

  6. When the scan is complete, select the Local Scan History tab to view information on the completed scan. From this tab, you can manage your scan. You can also view the uploaded scan using the Scans tab.

Creating a scan file

You can use Black Duck Detect (Desktop) to output the scan to a file which you can later upload to Black Duck by using Black Duck Detect (Desktop), as described below, the command line, or by using the Black Duck UI.

Note: Snippet scanning cannot be completed offline as it requires communication with the Black Duck server.

To create a scan file:

  1. Click New Scan.

  2. Select the type of scan (Source Directory, Binary/Executable, or Docker).

  3. Optionally, modify or configure any project or, for source directory scanning, scan settings by clicking ADD and selecting the setting.

  4. Select Offline Mode.

  5. Click Scan.

    The status of the scan appears along with an option to cancel the scan.

  6. When the scan is complete, select the Local Scan History tab to view information on the completed scan.

Managing scans

Use the Local Scan History tab to manage your scans.

  1. Click Local Scan History.

    A list of scans on your local system appears in the left column of the tab.

    Drag and drop scans from your local machine to this tab to manage them.

    From this tab, select a scan and:

    • View information on the contents of the scan.

    • View the location of the file on your system by clicking and selecting Show Files.

    • Upload the file, as described in the next section.

    • Delete the scan by hovering over the scan name in the left column and clicking Delete. Click Yes to confirm.

Uploading scan files to Black Duck

You can use Black Duck Detect (Desktop) to upload scan files to Black Duck.

  1. Click Local Scan History.

  2. If the file is on your local system, you can drag and drop the scan file from your local machine to the Scan History tab.

  3. Select the file to upload and click the File options icon in the upper right corner to display the file options.

  4. Click Upload Scan File to Black Duck. The Upload Progress window appears showing you the status of the upload. Close the window when the process is complete.

    You can confirm that the scan has been uploaded by clicking Scans and viewing the uploaded file.

Viewing uploaded scans

You can view the scans that have been uploaded to Black Duck's UI by clicking Scans on Black Duck.

This tab displays the following information:

  • The left side of the tab shows uploaded scans by status (in progress, completed, or error).

    Use the search field to find a scan or limit the scans shown.

  • The right side of the page lists the scans and shows the following information for each scan:
    • Name

    • Project and project version the scan is mapped to, or an indication that the scan is not mapped to a project.

    • Date the scan was uploaded to Black Duck.

Select a scan to open the Scan Name page in Black Duck for the selected scan.

Note: The number of scanned bytes displayed in Black Duck Detect (Desktop) may differ from the number of scanned bytes shown in Black Duck. This is because of how Black Duck calculates and counts the number of bytes used. This is normal and is expected to occur in some scans.