Detecting Common Open Source Libraries in Build Pipeline for Licensing Compliance | Exam AZ-400 Solution

Automated Process to Detect Common Open Source Libraries

Question

Your company is concerned that when developers introduce open source libraries, it creates licensing compliance issues.

You need to add an automated process to the build pipeline to detect when common open source libraries are added to the code base.

What should you use?

Answers

A. Microsoft Visual SourceSafe
B. Code Style
C. Black Duck
D. Jenkins

Explanations

Correct answer: C

Secure and Manage Open Source Software

Black Duck helps organizations identify and mitigate open source security, license compliance and code-quality risks across application and container portfolios.

Black Duck Hub and its plugin for Team Foundation Server (TFS) allow you to automatically find and fix open source security vulnerabilities during the build process, so you can proactively manage risk. The integration can raise alerts and fail the build whenever a Black Duck Hub policy (for example, a license the organization does not permit) is violated.
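To make the build-gate behaviour described above concrete, here is an added example (not Black Duck's or Microsoft's code) of a pipeline step that detects libraries newly added to a Python requirements manifest and fails the build when one carries a license the policy denies or a license that cannot be determined. The component-to-license table and both manifests are constructed samples standing in for a real component knowledge base and for the baseline and proposed commits.

```python
# Added illustration of a build gate that flags newly added open source
# libraries and fails on license policy violations. Not Black Duck's code:
# the component database and manifests below are constructed samples.
import re
# Constructed stand-in for a component/license knowledge base.
COMPONENT_LICENSES = {"requests": "Apache-2.0", "flask": "BSD-3-Clause",
                      "pyyaml": "MIT", "mysqlclient": "GPL-2.0-only"}
# Policy: licenses forbidden in shipped code; unknown licenses also fail.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
FAIL_ON_UNKNOWN = True
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def parse_requirements(text):
    """Package names in a requirements.txt body (comments, blank lines, pip options and version specifiers ignored)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME.match(line)
        if m:
            names.add(m.group(1).lower())
    return names

def new_libraries(base_manifest, head_manifest):
    """Libraries declared in the proposed manifest but not in the baseline."""
    return sorted(parse_requirements(head_manifest) - parse_requirements(base_manifest))

def policy_violations(added):
    """Map each newly added library to the reason it violates policy."""
    violations = {}
    for name in added:
        lic = COMPONENT_LICENSES.get(name, "unknown")
        if lic in DENIED_LICENSES:
            violations[name] = f"license {lic} is denied by policy"
        elif lic == "unknown" and FAIL_ON_UNKNOWN:
            violations[name] = "license could not be determined"
    return violations

def gate(base_manifest, head_manifest):
    """Return (exit_code, violations); a non-zero exit fails the build step."""
    violations = policy_violations(new_libraries(base_manifest, head_manifest))
    for name, reason in violations.items():
        # Azure Pipelines logging command: surfaces the issue as a build error.
        print(f"##vso[task.logissue type=error]{name}: {reason}")
    return (1 if violations else 0), violations

# Constructed sample manifests: baseline commit and the proposed change.
BASE = "requests==2.31.0\nflask>=2.0  # web framework\n"
HEAD = BASE + "pyyaml==6.0\nmysqlclient==2.2.0\nsomepkg\n"
```

In a pipeline the step would read the two manifests from the baseline and the current commit and exit with `gate(...)[0]`, so a denied or unidentified license stops the build the same way a Black Duck Hub policy violation does.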

Note:

There are several versions of this question in the exam. The question has two possible correct answers:

-> Black Duck

-> WhiteSource Bolt

Other incorrect answer options you may see on the exam include the following:

-> OWASP ZAP

-> PDM

-> SourceGear (SourceGear Vault)

Black Duck Hub plugin for TFS on the Visual Studio Marketplace: https://marketplace.visualstudio.com/items?itemName=black-duck-software.hub-tfs

The correct answer to this question is C. Black Duck.

Black Duck is a tool that can be integrated into your build pipeline to detect open source software used in your codebase and identify any potential licensing compliance issues. It provides a comprehensive database of open source components, as well as their licensing information and associated risks.

Option A, Microsoft Visual SourceSafe, is a version control system that can help you manage changes to your codebase, but it does not include any specific functionality for detecting open source components or monitoring licensing compliance.

Option B, Code Style, is a tool that can help you enforce coding standards and best practices, but it does not have any specific functionality for identifying open source components or monitoring licensing compliance.

Option D, Jenkins, is a popular open source automation server that can be used to automate various stages of the build pipeline. While it can be integrated with other tools to help with code quality and compliance, it does not have any built-in functionality for detecting open source components or monitoring licensing compliance.

In summary, Black Duck is the most appropriate tool for detecting open source components and monitoring licensing compliance in your build pipeline.