Technology Blog Posts by SAP
SarahLendle
Product and Topic Expert

In today's software development landscape, integrating security scans into your continuous integration and delivery (CI/CD) pipelines is a best practice. An automated scan surfaces known vulnerabilities on every build, before they reach production, instead of relying on a manual review at release time. One widely used tool for this is Black Duck. It scans your codebase and its open-source dependencies (software composition analysis) and reports known security vulnerabilities, license compliance issues, and code quality problems.

In this blog, I'll walk you through the process of integrating Black Duck scans into your SAP Continuous Integration and Delivery jobs. By creating a custom command for Black Duck scans, you can actively detect and address risks before they compromise your software, ensuring a more secure and reliable product. Let's dive into the steps required to achieve this integration and enhance your CI/CD pipeline with robust security measures.

Prerequisites

  1. SAP BTP Access:
    Ensure that you have access to SAP BTP and verify that you have the necessary entitlements for the SAP Continuous Integration and Delivery service. See Initial Setup.
  2. Black Duck Access:
    Make sure you have access to a Black Duck server and have your API token available.
  3. Git Repository:
    You need a Git repository connected to SAP Continuous Integration and Delivery. See Add a Repository.

Procedure

1. Prepare Your Script

We'll use a bash script to run a Black Duck scan. The script downloads a Java Runtime Environment (JRE) into the job's working directory, downloads the Black Duck Detect script, and then executes the scan. Both downloads are fetched from the internet on every run, so the job's build environment must allow outbound HTTPS to GitHub and to the Detect download host.

Here’s the script we'll use:

#!/bin/bash
# Abort on any error, on unset variables, and on a failure anywhere in a
# pipeline (without pipefail, a failed wget in "wget ... | tar" would go unnoticed).
set -euo pipefail

# Runs a Black Duck scan in the current directory after downloading a Java
# runtime and the Synopsys Detect script.

JRE_VERSION="21.0.5"
JRE_TAR="sapmachine-jre-${JRE_VERSION}_linux-x64_bin.tar.gz"
JRE_URL="https://github.com/SAP/SapMachine/releases/download/sapmachine-${JRE_VERSION}/${JRE_TAR}"

DETECT_URL="https://detect.synopsys.com/detect10.sh"

install_jre() {
  echo "Downloading and installing SapMachine from ${JRE_URL}"

  # Unpack into the working directory; the archive contains sapmachine-jre-<version>/
  wget --quiet "${JRE_URL}" -O - | tar -xzf -

  # detect.sh picks up the runtime from JAVA_HOME
  export JAVA_HOME="$(pwd)/sapmachine-jre-${JRE_VERSION}"
  "${JAVA_HOME}/bin/java" -version

  echo "Java installation complete."
}

download_detect_tool() {
  echo "Downloading Black Duck Detect tool from ${DETECT_URL}"

  wget --quiet "${DETECT_URL}" -O detect.sh
  chmod +x detect.sh

  echo "Black Duck Detect tool download complete."
}

run_blackduck_scan() {
  echo "Running Black Duck scan..."

  # BD_SERVER, BD_PROJECT_NAME and BD_PROJECT_VERSION come from the job's
  # Additional Variables, BD_API_TOKEN from its Additional Credentials.
  # With "set -u" the script stops with a clear message if any of them is missing.
  ./detect.sh \
    --blackduck.url="${BD_SERVER}" \
    --blackduck.api.token="${BD_API_TOKEN}" \
    --detect.project.name="${BD_PROJECT_NAME}" \
    --detect.project.version.name="${BD_PROJECT_VERSION}"
  echo "Black Duck scan completed."
}

# Main script execution
install_jre
download_detect_tool
run_blackduck_scan

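
The script above fetches the JRE and detect.sh over HTTPS and runs whatever it receives. The following is an added example, not part of the original post and not SAP's or Black Duck's own tooling: it shows how to pin an expected SHA-256 for each download and refuse to unpack or execute anything that does not match, which is the minimal supply-chain control for a download-and-run step in a pipeline. The function names (verify_sha256, fetch_verified, install_verified_tools), the BD_VERIFIED_INSTALL switch and the placeholder hash values are the example's own; real checksums must be taken from the publishers' release pages.

```shell
#!/bin/bash
# Added example: integrity-checked downloads for the Black Duck job script.
# Not from the original post. The *_SHA256 placeholders are NOT real checksums;
# replace them with the values published for the exact release you pin.
set -euo pipefail

JRE_VERSION="21.0.5"
JRE_TAR="sapmachine-jre-${JRE_VERSION}_linux-x64_bin.tar.gz"
JRE_URL="https://github.com/SAP/SapMachine/releases/download/sapmachine-${JRE_VERSION}/${JRE_TAR}"
DETECT_URL="https://detect.synopsys.com/detect10.sh"

# Expected digests (assumed placeholders; override via the environment).
JRE_SHA256="${JRE_SHA256:-replace-with-the-published-sha256-of-the-jre-archive}"
DETECT_SHA256="${DETECT_SHA256:-replace-with-the-published-sha256-of-detect.sh}"

# sha256_of FILE -> hex digest; uses coreutils sha256sum, falls back to shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for ${file}: expected ${expected}, got ${actual}" >&2
    return 1
  fi
  return 0
}

# fetch_verified URL DEST EXPECTED_HEX: download to DEST; on mismatch delete
# the file so a later step can never accidentally run or unpack it.
fetch_verified() {
  local url="$1" dest="$2" expected="$3"
  wget --quiet "$url" -O "$dest"
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}

# Replacement for install_jre + download_detect_tool: nothing is unpacked or
# made executable until its digest has been checked. Needs network access.
install_verified_tools() {
  fetch_verified "${JRE_URL}" "${JRE_TAR}" "${JRE_SHA256}"
  fetch_verified "${DETECT_URL}" "detect.sh" "${DETECT_SHA256}"
  tar -xzf "${JRE_TAR}"
  chmod +x detect.sh
  export JAVA_HOME="$(pwd)/sapmachine-jre-${JRE_VERSION}"
}

# self_check: offline exercise of verify_sha256 on a constructed file.
# Returns 0 when a matching digest passes and a wrong digest is rejected.
self_check() {
  local tmp good bad
  tmp="$(mktemp)"
  printf 'constructed sample artifact\n' > "$tmp"
  good="$(sha256_of "$tmp")"
  bad="0000000000000000000000000000000000000000000000000000000000000000"
  verify_sha256 "$tmp" "$good" || { rm -f "$tmp"; return 1; }
  if verify_sha256 "$tmp" "$bad" 2>/dev/null; then rm -f "$tmp"; return 1; fi
  rm -f "$tmp"
  return 0
}

# Only perform the real downloads when explicitly requested, e.g.
#   BD_VERIFIED_INSTALL=1 JRE_SHA256=... DETECT_SHA256=... bash verified_install.sh
if [ "${BD_VERIFIED_INSTALL:-0}" = "1" ]; then
  install_verified_tools
fi
```

Pinning detect10.sh this way means a new Detect release changes the digest and fails the job until you update DETECT_SHA256; that is the intended trade-off, since it turns an unnoticed upstream change into a visible pipeline failure.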
2. Upload the Script to Your Repository

Add your script to the repository containing your project source code.

3. Add Additional Commands to Your Job
  1. In SAP Continuous Integration and Delivery, either create a new job or navigate to the job to which you want to add additional commands and choose Edit.

  2. In the Compliance stage section of your job, choose + next to Additional Commands. This allows you to introduce a custom script.

  3. Choose either Run First in Stage or Run Last in Stage to execute the scan in relation to other tasks.

  4. In the Command text field, enter the following command to execute your script:

    bash path/to/your/blackduck_script.sh
  5. Replace path/to/your/blackduck_script.sh with the actual path to your script in the repository.

  6. Confirm your changes.

4. Add Additional Variables to Your Job

The script reads three values from the environment, so you don't need to adjust the script for each job. Instead, we set these values using the Additional Variables feature.

  1. In the Compliance stage section of your job, choose + next to Additional Variables. This opens the Add Variables pop-up.

  2. Add the following variables one after the other:

    • BD_SERVER: Your Black Duck server URL.
    • BD_PROJECT_NAME: The name of your project in Black Duck.
    • BD_PROJECT_VERSION: The version of the project you are scanning.

These variables will be used as parameters for the detect.sh script.

5. Add Additional Credentials to Your Job

In the Compliance stage section of your job, choose + next to Additional Credentials and add the following credential to access your Black Duck server:

BD_API_TOKEN: Your Black Duck API token.

6. Test Your Configuration

Once the setup is complete, trigger your pipeline either manually or by committing new code to your repository. Monitor the pipeline to ensure the Black Duck scan executes properly and review the logs for any errors or output from the scan. Because the script runs with set -e, a failed download or a non-zero exit code from detect.sh aborts the additional command rather than letting the stage continue silently, so check the command's result as well as its log output.

Conclusion

With these steps, you've successfully integrated Black Duck scans into your SAP Continuous Integration and Delivery pipeline. You've empowered your development process with a robust security mechanism that proactively identifies vulnerabilities and maintains code quality. By automating these scans, you can focus on delivering secure, reliable software faster. Stay ahead of potential threats and ensure your software meets the highest security standards with this seamless integration. Happy secure coding!