About correlated scanning

Correlated scanning is a scanning method that lets different matching technologies scan the same application target and correlate their results, giving more accurate component and component-version matching.

Black Duck currently supports correlation only between a single signature scan and one or more package manager scan results. Each correlated scan still gets its own unique scan ID, but the scans share a UUID called the correlation ID.

Prerequisites for correlated scanning

Match as a Service must be enabled on your account for correlated scans to be successfully executed.

Performing a correlated scan

Correlated scans are run by passing Detect the additional flag:

--detect.blackduck.correlated.scanning.enabled=true

Once the command runs, Detect executes one signature scan and one package manager scan. This produces two code locations (one per scan) mapped to the target project version. BOM results in that project version are presented the same way as for non-correlated scans, where the signature and package manager scans are mapped to the same project version.

Note that snippet scanning, i.e. using the following Detect option, is currently not supported for correlated scanning:

--detect.blackduck.signature.scanner.snippet.matching=SNIPPET_MATCHING

Warning: The correlated scan flag is supported only for a single Signature scan and one/many Package Manager scan results. Using it with other scan types is not recommended.
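A pre-flight check a CI pipeline can run before invoking Detect, added here as an example (it is not part of the Black Duck documentation or Detect itself): it refuses the unsupported combination of the correlated-scanning flag and snippet matching, and otherwise prints the Detect command that would run. The launcher path in DETECT_CMD and the treatment of NONE as "no snippet matching" are assumptions.

```shell
# Added example, not Detect's own tooling. Checks the intended Detect options
# for the unsupported combination described on this page: correlated scanning
# together with snippet matching.
# DETECT_CMD is an assumed variable holding the path to the Detect launcher.
detect_preflight() {
  correlated=0
  snippet=0
  for arg in "$@"; do
    case "$arg" in
      --detect.blackduck.correlated.scanning.enabled=true)
        correlated=1 ;;
      # Assumption: a value of NONE means snippet matching is off; any other
      # value (e.g. SNIPPET_MATCHING) enables snippet scanning.
      --detect.blackduck.signature.scanner.snippet.matching=NONE)
        ;;
      --detect.blackduck.signature.scanner.snippet.matching=*)
        snippet=1 ;;
    esac
  done
  if [ "$correlated" -eq 1 ] && [ "$snippet" -eq 1 ]; then
    echo "error: snippet matching is not supported with correlated scanning" >&2
    return 1
  fi
  # Safe combination: show the command that would be run (not executed here).
  printf '%s' "${DETECT_CMD:-detect.sh}"
  for arg in "$@"; do
    printf ' %s' "$arg"
  done
  echo
  return 0
}

# Example invocation with constructed project values:
detect_preflight \
  --detect.blackduck.correlated.scanning.enabled=true \
  --detect.project.name=example-app \
  --detect.project.version.name=1.0.0
```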