# License and Intellectual Property Scanner
The License and Intellectual Property Scanner extension uploads SBoMs to BlackDuck instances and retrieves findings (including vulnerability and intellectual property findings) for tracked components.
## Configuration Example

```yaml
blackduck:
  interval: 86400 # 24 hours
  label_rules:
    - name: gpl-license
      selector:
        license_name: 'GPL.*' # regex pattern
        host: null
        policy_violation_id: null
    - name: critical-policy
      selector:
        policy_violation_id: 'VULN_.*'
        host: 'blackduck.prod.example.com'
        license_name: null
  mappings:
    - prefix: 'acme.org/product-a'
      targets:
        - group_id: "1234"
          host: "blackduck.prod.example.com"
          distribution_mode_overwrite: INTERNAL
        - group_id: "5678"
          host: "blackduck.compliance.example.com"
          distribution_mode_overwrite: null
      deduplicate_across_component_versions: true
      cleanup_deprecated_project_versions: false
      aws_secret_name: aws-account-prod
    - prefix: '' # catch-all
      targets:
        - group_id: "9999"
          host: "blackduck.example.com"
      deduplicate_across_component_versions: true
      cleanup_deprecated_project_versions: true
      aws_secret_name: aws-account-default
```
## Top-Level Options

| Option | Type | Default | Description |
|---|---|---|---|
| `interval` | int (seconds) | | Maximum time before a component is re-processed. |
| `label_rules` | list | | Label rules for categorizing findings. See label rule fields below. |
| `mappings` | list | | Per-prefix component mappings. See mapping fields below. |
## Mapping Fields

Each entry in the `mappings` list supports the following fields:

| Option | Type | Required | Description |
|---|---|---|---|
| `prefix` | string | yes | Component name prefix. Use `''` (the empty string) as a catch-all that matches every component. |
| `targets` | list | yes | List of BlackDuck instances to upload results to. See target fields below. |
| `deduplicate_across_component_versions` | bool | | If true, deduplicate scans of the same artefact across component versions. |
| `cleanup_deprecated_project_versions` | bool | | If true, delete BlackDuck project versions for artefacts no longer tracked. |
| `aws_secret_name` | string | no | Name of the AWS secret to use for S3 artefacts. |
## Label Rule Fields

Each entry in the `label_rules` list supports the following fields:

| Option | Type | Required | Description |
|---|---|---|---|
| `name` | string | yes | Descriptive name for this labeling rule. |
| `selector` | object | yes | Selector criteria for matching findings. See selector fields below. |
## Label Rule Selector Fields

Each `selector` object supports the following fields (all optional; each accepts a regex pattern):

| Option | Type | Required | Description |
|---|---|---|---|
| `host` | string | no | Regex pattern to match against the BlackDuck host. |
| `policy_violation_id` | string | no | Regex pattern to match against policy violation IDs. |
| `license_name` | string | no | Regex pattern to match against license names. |
## Target Fields

Each entry in the `targets` list supports:

| Option | Type | Required | Description |
|---|---|---|---|
| `group_id` | string | yes | The BlackDuck group ID. |
| `host` | string | yes | The hostname of the BlackDuck instance. |
| `distribution_mode_overwrite` | string | no | Override the distribution mode: `EXTERNAL`, `INTERNAL`, `OPENSOURCE` or `SAAS`. See Distribution Mode below. |
## Configuration Details

### Selector Matching
All selector fields support regex patterns and use null as a wildcard (matches anything).
A finding matches a rule when ALL non-null selector fields match their patterns.
Examples:

- `license_name: 'GPL.*'` matches `GPL-2.0`, `GPL-3.0` and `LGPL`
- `host: 'blackduck\\.prod\\..*'` matches any production BlackDuck instance
- All fields `null` creates a catch-all rule
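To make the matching semantics concrete, here is an added example (not code from the extension itself) that evaluates label rules the way the rules above are described: every non-null selector field must match, and `null` is a wildcard. The rules mirror the configuration example on this page; the findings, the extra catch-all rule named `any-finding`, and the `labels_for` helper are constructed for illustration. It assumes patterns are applied unanchored (`re.search`), which is what makes `'GPL.*'` match `LGPL` as stated above; anchor a pattern with `^` if you want it to match only at the start of the value.

```python
import re

# Constructed label rules mirroring the configuration example on this page,
# plus an all-null catch-all rule (hypothetical name "any-finding").
LABEL_RULES = [
    {"name": "gpl-license",
     "selector": {"license_name": "GPL.*", "host": None, "policy_violation_id": None}},
    {"name": "critical-policy",
     "selector": {"policy_violation_id": "VULN_.*",
                  "host": "blackduck.prod.example.com",
                  "license_name": None}},
    {"name": "any-finding", "selector": {}},  # every field null: matches everything
]

SELECTOR_FIELDS = ("host", "policy_violation_id", "license_name")


def selector_matches(selector: dict, finding: dict) -> bool:
    """True when ALL non-null selector fields match the finding's values."""
    for field in SELECTOR_FIELDS:
        pattern = selector.get(field)
        if pattern is None:
            continue  # null acts as a wildcard for this field
        value = finding.get(field)
        # Assumption: unanchored search, so 'GPL.*' also matches 'LGPL-2.1'.
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def labels_for(finding: dict, rules: list = LABEL_RULES) -> list:
    """Names of every rule the finding matches, in rule order (assumption:
    a finding may carry several labels rather than only the first match)."""
    return [rule["name"] for rule in rules
            if selector_matches(rule.get("selector") or {}, finding)]


# Constructed findings, shaped like what the extension retrieves from BlackDuck.
FINDINGS = {
    "prod-policy": {"host": "blackduck.prod.example.com",
                    "policy_violation_id": "VULN_HIGH_SEVERITY",
                    "license_name": "Apache-2.0"},
    "lgpl": {"host": "blackduck.example.com",
             "policy_violation_id": None,
             "license_name": "LGPL-2.1"},
    "non-prod-policy": {"host": "blackduck.example.com",
                        "policy_violation_id": "VULN_LOW_SEVERITY",
                        "license_name": "MIT"},
}

if __name__ == "__main__":
    for key, finding in FINDINGS.items():
        print(f"{key}: {labels_for(finding)}")
```

Note that `non-prod-policy` gets no `critical-policy` label even though its policy violation ID matches, because the rule's `host` field does not match; all non-null fields must agree.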
### `mappings`
Allows routing different components to different BlackDuck instances and applying different processing policies.
#### Prefix Matching

The `prefix` field uses simple string prefix matching:

- `prefix: 'acme.org'` matches `acme.org/product` and `acme.org/another-product`
- `prefix: ''` (empty string) matches all components (use as a catch-all)
#### `targets`

A single component can be uploaded to multiple BlackDuck instances. This is useful for:

- Uploading to both production and compliance BlackDuck instances
- Cross-regional compliance reporting
- Multi-tenant scenarios
### Distribution Mode

The `distribution_mode_overwrite` field controls the BlackDuck project version's distribution mode:

- `EXTERNAL`: Software distributed to external parties
- `INTERNAL`: Software for internal use only
- `OPENSOURCE`: Open source software
- `SAAS`: Software-as-a-Service offerings
- `null` (default): Don't override the distribution mode
This metadata helps BlackDuck apply appropriate policy rules and compliance requirements.
### `deduplicate_across_component_versions`
When true, if the same artefact version appears in multiple component versions,
BlackDuck scans are deduplicated. This reduces redundant processing and API calls.
Example:

- Component v1.0.0 includes artefact `library:1.2.3`
- Component v1.1.0 also includes artefact `library:1.2.3`
- With deduplication enabled: only one BlackDuck scan for `library:1.2.3`
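The following added example (not the extension's own code) ties together the Prefix Matching section and the deduplication behaviour just described: it resolves each component version to a mapping by prefix, fans the artefacts out to every target of that mapping, and skips an artefact that is already scheduled for the same target when `deduplicate_across_component_versions` is enabled. The mappings mirror the configuration example on this page; the component versions, their artefact lists, and the `mapping_for` / `plan_scans` helpers are constructed for illustration. It assumes that the first mapping in list order whose prefix matches wins (so the catch-all belongs last) and that the deduplication key is the target plus the artefact.

```python
# Constructed mappings mirroring the configuration example on this page.
MAPPINGS = [
    {"prefix": "acme.org/product-a",
     "targets": [
         {"group_id": "1234", "host": "blackduck.prod.example.com",
          "distribution_mode_overwrite": "INTERNAL"},
         {"group_id": "5678", "host": "blackduck.compliance.example.com",
          "distribution_mode_overwrite": None},
     ],
     "deduplicate_across_component_versions": True},
    {"prefix": "",  # catch-all, kept last on purpose
     "targets": [{"group_id": "9999", "host": "blackduck.example.com",
                  "distribution_mode_overwrite": None}],
     "deduplicate_across_component_versions": True},
]

# The same mappings with deduplication switched off, for comparison.
MAPPINGS_NO_DEDUP = [dict(m, deduplicate_across_component_versions=False)
                     for m in MAPPINGS]

# Constructed component versions and the artefacts each one references.
COMPONENT_VERSIONS = [
    {"name": "acme.org/product-a", "version": "1.0.0",
     "artefacts": ["library:1.2.3", "ui:2.0.0"]},
    {"name": "acme.org/product-a", "version": "1.1.0",
     "artefacts": ["library:1.2.3", "ui:2.1.0"]},
    {"name": "other.org/tool", "version": "0.9.0",
     "artefacts": ["library:1.2.3"]},
]


def mapping_for(component_name: str, mappings: list = MAPPINGS):
    """First mapping (in list order) whose prefix the component name starts with.
    Assumption: first match wins, so a catch-all prefix '' must come last."""
    for mapping in mappings:
        if component_name.startswith(mapping["prefix"]):
            return mapping
    return None


def plan_scans(component_versions: list = COMPONENT_VERSIONS,
               mappings: list = MAPPINGS) -> list:
    """Return (host, group_id, component, version, artefact) tuples to upload.

    When the mapping has deduplication enabled, an artefact that is already
    scheduled for a target is not scheduled again for a later component
    version (assumption: the dedup key is host + group_id + artefact)."""
    scans = []
    already_scheduled = set()
    for cv in component_versions:
        mapping = mapping_for(cv["name"], mappings)
        if mapping is None:
            continue  # no mapping covers this component: nothing to upload
        dedup = mapping.get("deduplicate_across_component_versions", False)
        for target in mapping["targets"]:
            for artefact in cv["artefacts"]:
                key = (target["host"], target["group_id"], artefact)
                if dedup and key in already_scheduled:
                    continue
                already_scheduled.add(key)
                scans.append((target["host"], target["group_id"],
                              cv["name"], cv["version"], artefact))
    return scans


if __name__ == "__main__":
    for scan in plan_scans():
        print(scan)
    print(len(plan_scans()), "scans with deduplication,",
          len(plan_scans(COMPONENT_VERSIONS, MAPPINGS_NO_DEDUP)), "without")
```

With the constructed input, `library:1.2.3` for `acme.org/product-a` v1.1.0 is dropped on both targets because v1.0.0 already scheduled it, while `other.org/tool` still gets its own scan on the catch-all target since that is a different target.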
### `cleanup_deprecated_project_versions`
When true, the extension will delete BlackDuck project versions for artefacts that
are no longer referenced by any tracked component versions. This keeps BlackDuck clean
and reduces clutter.
**Use with caution:** Only enable this if you're confident that the artefact enumerator is tracking all component versions you care about.
### `aws_secret_name`
When scanning artefacts stored in AWS S3, specify which AWS secret to use for authentication.