Hosting location for Black Duck Detect
Managing and updating the versions of Detect across various pipeline jobs in Black Duck can be a challenge. When incompatible versions of Detect and Black Duck are used, it can take a lot of time and effort to update all jobs. Additionally, it's not always clear which version of Detect is being used or which versions are available for a given Black Duck version.
Black Duck offers two ways to connect with Black Duck Detect to better suit your needs: Internally Hosted and Black Duck Hosted.
How does it work?
When Detect is invoked to scan source files, it first determines the configuration set in Black Duck (see below) and then validates the version set in Black Duck. This information is then communicated to Detect on the client side.
If there is a difference between the client Detect version and the configuration set in Black Duck, Detect will pull the proper Detect version as configured in Black Duck and scan the source with the newly pulled "blackduck-detect-x.x.x.jar" instead.
- Enabling the Internally Hosted setting lets you host the Detect binary JAR file on your own Artifactory, so that all users pull the specific version you specify. If set to Internally Hosted, Detect will pull and use the version dictated in the Detect URL field.
  Using this option allows integration with Code Sight and Detect, but internally hosting the Detect JAR file does not provide a complete Detect installation; it does not include the inspector scripts or inspector tools that a full air-gap mode installation has, and it is not meant as an alternative to deploying Detect via air-gap mode.
  Additionally, scan host machines still require access to the Internet for full functionality.
  Warning: Black Duck does not validate the JAR file obtained from the provided internally hosted URL. Ensure that a valid version of the Detect JAR is available for download in the hosting location.
- The Black Duck Hosted setting uses our Black Duck "sig-repo" to download the Detect version configured in the system settings. If set to Black Duck Hosted, Detect pulls from our repository directly from the client side.
Internally hosted Black Duck Detect
Users with limited external connectivity can define the internal hosting location of Black Duck Detect. Using this information, these users can leverage Code Sight for deployment across their developer base to run on-demand Software Composition Analysis (SCA) scans.
To specify the hosting location of Black Duck Detect:
- Log in to Black Duck with the System Administrator role.
- Click .
- Select System Settings.
- Click Black Duck Detect in the left-hand menu.
- Click the Internally Hosted box.
- In the Hosting location for Black Duck Detect section, enter the valid URI for your internal instance of Black Duck Detect.
- Click Save.
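Because Black Duck does not validate the JAR served from the internally hosted URL, a check like the following can run before a JAR is published to the hosting location. This is an added example, not code from Black Duck: the function names and the pinned SHA-256 digest (recorded when you vetted the JAR) are assumptions, while the file name pattern and the 8.9.0 threshold come from this page.

```python
import hashlib
import re
import zipfile
from pathlib import Path

# File name pattern taken from the page: blackduck-detect-x.x.x.jar
JAR_NAME = re.compile(r"^blackduck-detect-(\d+)\.(\d+)\.(\d+)\.jar$")
# The page notes that Detect versions prior to 8.9.0 lose the ability to self-update.
MIN_SELF_UPDATE = (8, 9, 0)


def sha256_of(path: Path) -> str:
    """Stream the file so a large JAR is not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_detect_jar(path: Path, pinned_sha256: str) -> list:
    """Return a list of problems; an empty list means the JAR may be published."""
    problems = []
    match = JAR_NAME.match(path.name)
    if not match:
        problems.append(f"unexpected file name: {path.name}")
    elif tuple(map(int, match.groups())) < MIN_SELF_UPDATE:
        problems.append("version predates 8.9.0 and cannot self-update")
    if not path.is_file():
        return problems + ["file does not exist"]
    # Assumption: a digest was recorded when the JAR was vetted; the page
    # does not describe such a record.
    if sha256_of(path) != pinned_sha256.strip().lower():
        problems.append("SHA-256 does not match the pinned digest")
    # A truncated or substituted download usually fails basic archive checks.
    if not zipfile.is_zipfile(path):
        problems.append("not a readable ZIP/JAR archive")
    else:
        with zipfile.ZipFile(path) as jar:
            if jar.testzip() is not None:
                problems.append("archive contains a corrupt member")
            if "META-INF/MANIFEST.MF" not in jar.namelist():
                problems.append("META-INF/MANIFEST.MF is missing")
    return problems
```

Running the same check on a schedule against the file already in the hosting location detects a JAR that was replaced after publication.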
Black Duck hosted Detect
Non-airgapped users who want Black Duck to manage the version of Detect to use can select the Black Duck Hosted option:
- Log in to Black Duck with the System Administrator role.
- Click .
- Select System Settings.
- Click Black Duck Detect in the left-hand menu.
- Click the Black Duck Hosted box.
- Select the desired version of Black Duck Detect from the Black Duck Detect Version dropdown menu.
  Optionally, check the Force newer versions of Detect to downgrade box if you want to ensure users cannot perform scans with newer versions of Detect. If enabled, Black Duck Detect will downgrade to the selected version.
  Note: Black Duck Detect does not support downgrading itself to versions prior to 8.9.0 because such a downgrade will lose the ability to self-update again.
- Click Save.