Academy Course Catalog - Synopsys Software Integrity ...

Academy Catalog Version 2022.01


synopsys.com | 1 | Synopsys Academy Catalog | February 2021

General disclaimer

This document presents details about the training offerings from Synopsys at the time of its creation. Synopsys has used reasonable efforts to ensure that the information provided in this document is accurate and up to date, but details and offerings are subject to change.

This document contains confidential information about Synopsys and its businesses. Copies of this document may only be provided, and disclosure of the information contained in it may only be made, with written prior agreement from Synopsys.

Ownership and Disposal

The information contained in this document is owned by Synopsys. The recipient shall dispose of the data as confidential waste and/or return the document to Synopsys upon request.

Synopsys Academy

Master your Synopsys security analysis tools with product education through the Academy. Synopsys Academy offers complimentary product training to help you unlock all the features and functionality of your application security tools (Coverity, Black Duck®, Seeker, Defensics®, etc.). Whether you’re onboarding a new Synopsys tool or calibrating one, our on-demand training, interactive training tutorials, and webinars guide you step by step to make setup and configuration a breeze.


Table of contents

General disclaimer (p. 1)
Ownership and Disposal (p. 1)
Synopsys Academy (p. 1)

Black Duck (p. 5)
  Self-Guided Onboarding Part 1—Getting Started and Configuration (p. 6)
  Self-Guided Onboarding Part 3—Scan Results and Reporting (p. 6)
  Self-Guided Onboarding Part 2—Scanning With Detect (p. 6)
  Installing an On-Premises Black Duck KnowledgeBase (p. 6)
  Custom System Announcements (p. 6)
  Vulnerability Impact Analysis (p. 6)
  Managing Users and Roles (p. 6)
  Introduction to Black Duck Solutions (p. 6)
  Working With Scan Results (p. 6)
  Configuring LDAP Integration (p. 6)
  A Technical Introduction (p. 7)
  Architecture (p. 7)
  Artifactory Integration (p. 7)
  Importing Your Protex BOM Into Black Duck (p. 7)
  Connecting to the Report Database (p. 7)
  Creating Projects (p. 7)
  Setting Global Remediation Status (p. 7)
  Discovering Open Source Snippets (p. 7)
  Installing Synopsys Detect (p. 7)
  Attributing OSS in Your Applications (p. 7)
  Generating Reports (p. 8)
  Copyright Statements (p. 8)
  Configuring Policy Management (p. 8)
  Hosted System Login (p. 8)
  Black Duck SAML Integration (p. 8)
  Black Duck Installation Using Docker Swarm (p. 8)
  Snippet Scanning and New Triage Workflow (p. 8)
  Artifactory Plugin Installation (p. 8)
  Managing Deep License Data (p. 8)
  Artifactory Plugin Introduction and Usage (p. 8)
  Scanning Docker Images (p. 8)
  Watching Projects and Saving Searches (p. 9)
  Cloning Versions and Projects (p. 9)
  Configurable Individual File Matching (p. 9)
  Scanning Best Practices (p. 9)
  Using Custom Scan Signatures (p. 9)
  Custom Fields (p. 9)
  Navigating the Interface (p. 9)
  Configure Security Risk Ranking (p. 9)
  Detectors Introduction (p. 9)
  Managing Open Source Licenses (p. 9)
  Advanced License Management (p. 9)
  Introduction to Scanning Open Source Software With Black Duck (p. 9)
  Black Duck Rapid Scan (p. 10)
  Integrating Black Duck Findings into Code Dx (p. 10)

Black Duck Binary Analysis (p. 11)
  Introduction to Black Duck Binary Analysis BDBA (formerly Protecode SC) (p. 12)
  Black Duck Binary Analysis Essentials (p. 12)
  Black Duck Binary Analysis Advanced (p. 12)
  How to Create a Vendor Vulnerability (p. 12)
  Kubernetes Deployment (p. 12)
  How to Create a Vendor Component (p. 12)
  API Fetch for Docker Registry and Custom Data (p. 13)
  Troubleshooting and Optimizing (p. 13)
  How to Enable API Key Authentication (p. 13)
  How to Set Up Server Monitoring (p. 13)
  User Management and Default Roles (p. 13)

Coverity (p. 14)
  Self-Guided Onboarding Part 1—Getting Started (p. 15)
  Self-Guided Onboarding Part 2—Server Installation and Initial Setup (p. 15)
  Self-Guided Onboarding Part 3—Analysis, Install, Setup, and Use (p. 15)
  Creating Custom Coverity Checkers With CodeXM (p. 15)
  Coverity for Managers (p. 15)
  Getting Started Analysis Install, Setup, and Use (p. 15)
  Using Models to Improve Analysis (p. 15)
  Coverity With Code Sight Plugin Quick Start (p. 15)
  Code Sight for Developers (p. 15)
  Coverity for Developers (End Users) (p. 15)
  Introduction to Coverity (p. 16)
  Baselining Analysis Results (p. 16)
  Point and Scan Quick Start for Coverity Connect Users (p. 16)
  Getting Started Server Installation and Initial Setup (p. 16)
  Rolling Out Quick Start Guide (p. 16)
  Getting Started Projects and Streams (p. 16)
  How to Replace Your License (p. 16)
  Rehosting Your License and Upgrading to a New Coverity Server (p. 16)
  Coverity Connect: SAML SSO Authentication (p. 16)
  The Coverity CLI for Security and Compliance Teams (p. 17)
  Concepts for Developers (p. 17)
  Desktop Analysis Options (p. 17)
  Examining and Triaging Issues (p. 17)
  Views, Filters, and Notifications (p. 17)
  Classic Fast Desktop for Your IDE (p. 17)
  Classic Fast Desktop CLI (p. 17)
  Using Sigma Rapid Scan Static in GitHub (p. 17)
  Getting Started with Sigma Rapid Scan Static Standalone (p. 18)
  Checking Connect Status and Diagnostics (p. 18)
  License Activation and Software Download (p. 18)
  Committing Analysis Results (p. 18)
  Capturing Source Code (p. 18)
  Downloading the Analysis License and Software (p. 18)
  Running Analysis (p. 18)
  Installing the Analysis Software (p. 18)
  Users, Groups, and Roles (p. 18)
  Backups and Data Purging (p. 19)
  Installing the Connect Server (p. 19)

Code Sight (p. 20)
  Code Sight for Developers (p. 21)
  Configuration for Coverity and Polaris Users (p. 21)
  Introduction to Code Sight (p. 21)
  Code Sight Installation (p. 21)
  Reviewing Coverity Results (p. 21)

Polaris (p. 22)
  How to Create Reports (p. 23)
  Polaris Seeker Reporting (p. 23)
  Polaris for DevOps (p. 23)
  Polaris for Security Professionals (p. 23)
  Polaris for Developers (p. 23)
  Viewing and Downloading Reports (p. 23)
  Coverity on Polaris Quick Start (p. 23)
  Combining Projects into an Application (p. 23)

Defensics (p. 24)
  Introduction to Defensics (p. 25)
  Defensics Essentials (p. 25)
  How to Download Defensics From the Synopsys Community (p. 25)
  How to Access Arena and Download Defensics (p. 25)
  How to Download a License from Community (p. 25)
  How to Get Your Flex Server Running (p. 25)
  Installing the GUI (p. 25)
  Defensics Tutorials (p. 25)
  Setting Up Agent Instrumentation (p. 25)
  Defensics FuzzBox: Getting Started (p. 26)
  Defensics SDK: Environment Setup (p. 26)
  Interpreting Results (p. 26)
  Instrumentation Overview (p. 26)
  When to Use Valid Case Instrumentation (p. 26)
  Testplans (p. 26)
  Rerun Test Cases (p. 26)
  Command Line Execution (p. 26)
  Remediation Package (p. 26)

Seeker (p. 27)
  Seeker for End Users (p. 28)
  Seeker for DevOps (p. 28)
  Integrating Seeker Findings into Code Dx (p. 28)

Code Dx (p. 29)
  How to Analyze a Project and Review Results (p. 30)
  Results Review and Reporting (p. 30)
  UI Dashboard (p. 30)
  Integrating Black Duck Findings into Code Dx (p. 30)
  Integrating Seeker Findings into Code Dx (p. 30)
  Integrating Coverity Findings into Code Dx (p. 30)
  Headless Server Installation in Linux Systems (p. 30)
  Server Installation in Windows (p. 30)


Self-Guided Onboarding Part 1—Getting Started and Configuration

In this course, you will complete the configuration tasks necessary to ensure that the Black Duck GUI is ready to use, including:

• Accessing your SaaS hosted Black Duck instance
• (Optional) Security/user authentication: integrating with LDAP or SAML
• Managing users and roles
• Creating projects

Self-Guided Onboarding Part 3—Scan Results and Reporting

In this course, you will complete the tasks necessary to review and work with your scan results, including:

• Managing your BOM
• Reviewing and triaging the components in your BOM
• Generating reports

Self-Guided Onboarding Part 2—Scanning With Detect

In this course, you will complete the installation and configuration tasks necessary to start scanning your target codebase, including:

• Installing Detect
• Scanning your codebase with Detect
• Scanning best practices

Installing an On-Premises Black Duck KnowledgeBase

This course will show you how to download Black Duck KnowledgeBase OnPrem artifacts, set up your KnowledgeBase server, and set up a Black Duck instance connected to the KnowledgeBase on premises.

Custom System Announcements

This course covers how to create custom sign-on and post sign-on messages that will appear to your Black Duck users.

Vulnerability Impact Analysis

This course covers how to scan for vulnerability impact using Detect CLI and Detect Desktop. You will also learn how to view reachable vulnerabilities in Black Duck.

Managing Users and Roles

Learn how to manage users, roles, and groups within Black Duck. You will also learn how to assign users and groups to projects, and how to assign roles to users and groups.

Introduction to Black Duck Solutions

Learn the benefits and risks of using open source software and see how Black Duck solutions can help organizations manage the security, licensing, and operational risk that comes with using it.

Working With Scan Results

This interactive tutorial will familiarize you with the Bill of Materials (BOM) and walk you through the process of removing, adding, and adjusting BOM components. It also covers how to track remediation of security vulnerabilities that were discovered.

Configuring LDAP Integration

Learn the prerequisites and configuration steps necessary to integrate your Black Duck server with your LDAP environment to facilitate LDAP-based authentication, user, and group management.


A Technical Introduction

Learn the technical fundamentals of Black Duck, from the overall function of the product to the relationship between it and the Black Duck KnowledgeBase. You’ll understand the code printing process and see how the code prints are leveraged with the Black Duck KnowledgeBase to assess your code’s security risk. Interactive tutorials walk through a basic scan and viewing risk in Black Duck.

Architecture

Learn the architectural elements that comprise the Black Duck system. You’ll see the function of the various components, their relationship with one another, and how those components are invoked during the scan process.

Artifactory Integration

Learn how to install, configure, and use the Black Duck Artifactory plugin to scan and inspect artifacts in your binary repository, and discover the open source components that they contain.

Importing Your Protex BOM Into Black Duck

Learn how to use the new BOM (Bill of Materials) tool, which allows you to export your Protex Bill of Materials and import it into Black Duck to discover security vulnerabilities in your projects.

Connecting to the Report Database

This course will show you how to leverage the Black Duck report database to extract data and create your own customized reports.

Creating Projects

This course will show you how to create projects in the Black Duck UI, change project settings, and map a scan to a project. You will also learn how to add subprojects and manage access to projects in Black Duck.

Setting Global Remediation Status

This course will show you how to set a global remediation status for security vulnerabilities that appear frequently in your open source components.

Discovering Open Source Snippets

This course covers how open source snippets enter your code, and walks you through the process of detecting and managing them with Black Duck.

Installing Synopsys Detect

This course will show you how to install Synopsys Detect and run your first scans.

Attributing OSS in Your Applications

This course will outline the typical parameters of an open source license, contrast popular license types, and demonstrate how to meet your attribution requirements for any open source you’re using.


Generating Reports

Learn how to leverage the available reports in Black Duck to get insight into the open source components you’re using and their associated risk. We’ll highlight both the standard vulnerability reports and customized notices reports that comply with the attribution requirement of virtually all open source licenses.

Copyright Statements

This course will teach you how to manage copyright statements in the Black Duck UI. You will learn how to view, create, edit, activate, and deactivate copyright statements.

Configuring Policy Management

This short course will teach you to create policy rules, take advantage of Black Duck’s default policy rules, and override policy violations as needed.

Hosted System Login

This course will walk you through registration and the first login on your hosted Black Duck instance.

Black Duck SAML Integration

This tutorial will show you how to configure single sign-on (SSO) via SAML for Black Duck.

Black Duck Installation Using Docker Swarm

This course will show you how to install Black Duck using Docker Swarm. You will learn how to install Docker CE, and how to install and run Black Duck. You will also learn where to find Black Duck’s configuration files and scripts.

Snippet Scanning and New Triage Workflow

Snippet scanning and the triage workflow have been improved in the new version of Black Duck. This mini course gives a brief overview of the new features and gives you the option to go through an interactive tutorial on the subject.

Artifactory Plugin Installation

The Black Duck plugin for Artifactory gives you the ability to scan your artifacts for open source components and vulnerabilities within your local and remote repositories. This course covers the installation and configuration of the plugin.

Managing Deep License Data

This course will show you how to enable deep license data tracking in your BOM, and how to scan for embedded licenses using Synopsys Detect.

Artifactory Plugin Introduction and Usage

The Black Duck plugin for Artifactory gives you the ability to scan your artifacts for open source components and vulnerabilities within your local and remote repositories. This course covers the introduction and usage of the plugin.

Scanning Docker Images

This course will show you how to scan Docker images with Synopsys Detect.


Watching Projects and Saving Searches

This course will show you how to use the Black Duck dashboards to watch projects, and how to create focused groups of project versions by using saved searches.

Cloning Versions and Projects

This course will show you how to clone versions and projects, and how to map a scan to a clone.

Configurable Individual File Matching

This interactive tutorial will show you how to enable individual file matching using Synopsys Detect.

Scanning Best Practices

This course will show you how to use best practices when running scans in Black Duck.

Using Custom Scan Signatures

An introduction to custom scan signatures.

Custom Fields

This course will show you how to create and view custom fields in Black Duck.

Navigating the Interface

This course will show you how to navigate the Black Duck user interface.

Configure Security Risk Ranking

This course will show you how to set the security risk configuration ranking in Black Duck.

Black Duck displays multiple vulnerability scores for a given vulnerability. As of version 2019.06, Black Duck displays NVD CVSS 2.0, NVD CVSS 3.0, BDSA CVSS 2.0, and BDSA CVSS 3.0 scores for most vulnerabilities. If your company has a corporate policy that aligns with one of these security risk frameworks, you can now set the default risk scoring in Black Duck to match the risk profile used by your company.

Detectors Introduction

This course will introduce you to the scan configurations that are possible with Synopsys Detect. We walk through two examples using the npm and Maven detectors.

Managing Open Source Licenses

This course will show you how to view open source licenses in your projects. Additionally, you will learn to create and edit custom licenses, and edit and restore Black Duck KnowledgeBase licenses.

Advanced License Management

Black Duck has several features involved in license management. This course addresses three new features: custom license families, custom license terms, and license terms fulfillment.

Introduction to Scanning Open Source Software With Black Duck

Learn how to scan open source software with Black Duck.


Black Duck Rapid Scan

Learn how to set up and run Black Duck Rapid Scan with Synopsys Detect. This course also covers the function and use case for rapid scanning on Black Duck. An interactive tutorial will walk you through your first rapid scan.

Integrating Black Duck Findings into Code Dx

Integrating Black Duck with the Code Dx server is simple, but it is almost always easier to see a process rather than just attempting it on your own. This course walks you through how to integrate Black Duck with Code Dx. This process is similar to the process used by most tools Code Dx supports out of the box, so it may be helpful for many other tools as well.

BLACK DUCK BINARY ANALYSIS


Introduction to Black Duck Binary Analysis BDBA (formerly Protecode SC)

BDBA (Protecode SC) is an automated software composition analysis tool that enables organizations to audit open source software compliance and vulnerabilities in third-party code, and achieve governance over open source. This course covers the features and capabilities of the product, and why you should be using binary analysis to detect vulnerabilities and components in applications. This introduction is for those using BDBA as a standalone, not integrated with Black Duck.

Black Duck Binary Analysis Essentials

This course offers a holistic overview of core product features, functionality, and common use cases when BDBA is used outside of Black Duck. The course covers the product’s conceptual framework, followed by a functional walkthrough. The course consists of theory in text format and interactive tutorials that will take you through the product.

Black Duck Binary Analysis Advanced

This course offers a holistic overview of the more advanced product features, functionality, and administrative use cases of BDBA when used outside of Black Duck. The course covers administrative functions, BDBA Appliance setup options, and other advanced topics. The course consists of theory in text format and interactive tutorials that will take you through the product features.

How to Create a Vendor Vulnerability

Black Duck Binary Analysis offers the ability to add vulnerabilities to either your own proprietary components or existing OSS components. This feature is especially useful when your organization has proprietary components in the codebase and you wish to keep track of the vulnerabilities in them, or when you have detected vulnerabilities in open source components that are specific to your usage. Adding the vendor vulnerability to your company’s Black Duck Binary Analysis database helps you keep track of the vulnerabilities in different projects and components.

You can add vulnerabilities to the database and give each vulnerability a unique vulnerability ID. You can also assign a CVSS-equivalent score to the vulnerability. The system uses CVSS 2.0 ratings.

Kubernetes Deployment

This course covers the BDBA Kubernetes deployment process and provides an interactive tutorial that walks you through the steps.

How to Create a Vendor Component

Black Duck Binary Analysis offers the ability to add fingerprints for your own components. This feature is useful when your organization has proprietary components in your codebase. Adding the vendor component to your company’s Black Duck Binary Analysis database helps you keep track of the versions and component usage in different projects. When you are uploading a component, make sure the uploaded file contains only the desired component and nothing else. The uploaded component must also be detectable during analysis.

You can add different components to the database, and define the regular expression by which the component version is recognized during an analysis.

For more information on the supported regular expression syntax, visit: https://docs.python.org/3/library/re.html

This course will introduce this feature to you, show you how to upload a vendor component, and demonstrate how the process of modifying the component properties works. It will also show you an example of how the vendor component is detected during an analysis.


API Fetch for Docker Registry and Custom Data

When using Black Duck Binary Analysis (BDBA) in your organization, you can use the API to download and scan remote files. One of the newest additions is the API Fetch for Docker Registry. With the correct syntax, you can specify the BDBA instance to use, your group, your username, and the image from Docker Registry without opening your browser. By default, the Docker Registry API Fetch downloads the latest release, but you can use Docker tags to select other versions as well. It is easy to automate container scanning by using the API.

Another improved feature is the custom data you can add to the scan results. This feature has existed for API usage, but now you can use the custom data in the UI as well. You can define a key and value, which can be used to group scanned binaries together in BDBA.

Troubleshooting and Optimizing

When running the BDBA appliance in your organization, it is good to know where to find log files and how to optimize appliance performance. If you’re having issues with the appliance, log files can be downloaded quite easily. You can study the log files yourself to find the source of your issue, but it is usually best to send the log files to Synopsys Support for inspection to avoid any misunderstanding.

Optimizing the appliance performance can be done when you have additional hardware to use. You can distribute the scan load over multiple appliances by attaching more scanner instances to your appliance. Other optimization settings give you the option to leave out certain scan details from the results, thus increasing the scan speed. It is completely up to your organization’s scan standards to identify what you need, so leaving certain portions out may or may not be feasible.

This course walks through these features and gives you the opportunity to see them in an interactive tutorial.

How to Enable API Key Authentication

Black Duck Binary Analysis (BDBA) will be deprecating the basic authentication option for API access in the 2020.09 release on the hosted platform. This tutorial covers the API key authentication process that replaces the less secure basic authentication option when using the BDBA API.

How to Set Up Server Monitoring

When running the BDBA appliance in your organization, it can be helpful to establish a monitoring environment to see how the appliance is doing. The monitoring tools enable you to see a lot of details about the state of the appliance. For example, you can monitor the number of scans, usage over time, CPU usage, memory consumption, and disk space. In this course’s example, the monitoring environment is set up using InfluxDB/Grafana Docker containers.

User Management and Default Roles

Defining roles for a new user in Black Duck Binary Analysis is now easier due to new default role options in the User Management section. This course walks you through how the new options work, and how you can modify the user profile after creating it.

View Course

COVERITY

Self-Guided Onboarding Part 1—Getting Started

This course introduces the Coverity onboarding process and provides a quick overview of what Coverity is. It also covers what hardware you will need to get started with Coverity and shows you how to download your license and software.

View Course

Self-Guided Onboarding Part 2—Server Installation and Initial Setup

This course will show you how to get started with installing and configuring a Coverity Connect server.

View Course

Self-Guided Onboarding Part 3—Analysis, Install, Setup, and Use

This course covers how to install and use the Coverity Analysis tool.

View Course

Creating Custom Coverity Checkers With CodeXM

This hands-on course takes you through the basics of writing custom Coverity checkers and integrating them in your Coverity analysis.

View Course

Coverity for Managers

This course provides an overview of the common Coverity deployment models and how they fit into the SDLC ecosystem and processes. It covers the best practices to successfully introduce Coverity into existing teams and projects, the Coverity adoption maturity path, and ways to evolve the initial deployment and maximize your investment. It also outlines how to measure and track the integrity of your software.

View Course

Getting Started Analysis Install, Setup, and Use

This course will show you how to install and use the Coverity Analysis tool.

View Course

Using Models to Improve Analysis

In this course, you will learn how you can use models to give more information to Coverity and improve your analysis results, helping to eliminate false positives and false negatives.

View Course

Coverity With Code Sight Plugin Quick Start

This course will help you get started using the Synopsys Code Sight™ plugin with Coverity. It will walk you through the process of installing and using the plugin to begin finding issues in your code.

View Course

Code Sight for Developers

This course will help you get started using the Synopsys Code Sight plugin with Coverity. It will walk you through the process of installing and using the plugin to begin finding issues in your code.

View Course

Coverity for Developers (End Users)

This course covers how to quickly navigate, inspect, and remediate issues found by Coverity. It outlines ways to slice and dice the source to home in on issues in specific files and instantly analyze a piece of code you’ve just written or modified, either within your IDE or on the command line.

View Course

Introduction to Coverity

This is a high-level overview of Coverity. The content provided is also included in most of our role- and mission-based courses, but if you are not planning to take any other course and just want a quick Coverity overview, this one is what you need.

View Course

Baselining Analysis Results

In this course, you will learn what to do when bringing an existing project with lots of Coverity findings into Coverity for the first time. Learn how to avoid overwhelming developers with issues, and how properly baselining your code in Coverity is key to avoiding that.

View Course

Point and Scan Quick Start for Coverity Connect Users

This interactive microcourse will show you how you can use the Point and Scan UI tool to easily capture and analyze code.

View Course

Getting Started Server Installation and Initial Setup

This course will show you how to get started installing and configuring your Coverity Connect server.

View Course

Rolling Out Quick Start Guide

This course provides important resources to help you install and configure Coverity in your initial deployment. Synopsys offers onboarding services for those customers that require tailored assistance.

This course identifies important installation, configuration, and early deployment steps, tips, tutorials, and references to selected user documentation. The documentation covered is the most relevant, but not necessarily an exhaustive listing of all available documentation.

The primary configuration described in this course should be undertaken as the Coverity admin user. Adoption of the practices will deliver seamless integration into your SDLC. Optional items are specifically noted as such. All customers are invited to contact [email protected] for further assistance.

View Course

Getting Started Projects and Streams

This course covers how to get started with understanding and creating Coverity projects and streams.

View Course

How to Replace Your License

This course will show you how to update your Coverity license.

View Course

Rehosting Your License and Upgrading to a New Coverity Server

This course will show you how to update your Coverity license so it will work on a new server in preparation for moving to new server hardware. It also covers the best method to move or upgrade Coverity onto that new server.

View Course

Coverity Connect: SAML SSO Authentication

Coverity Connect supports SAML 2.0 single sign-on (SSO) authentication. This course covers how to configure Connect as a SAML service provider (SP) with a SAML identity provider (IdP), such as Okta.

View Course

The Coverity CLI for Security and Compliance Teams

This micro course will show you how to use the new simplified Coverity CLI to autocapture and analyze code. The new Coverity CLI enables teams to easily generate analysis results, often without needing to understand or set up a special build environment for each codebase. This course will walk you through using the new Coverity CLI so you know exactly what to expect before you start. Please note that as of Coverity 2021.06, this process supports Java, C#, JavaScript, Python, PHP, and Ruby code.

View Course

Concepts for Developers

This micro course covers important Coverity terms and concepts for developers. Learn how projects, streams, and snapshots map to more familiar source control concepts such as branches and releases. You will also learn about issue merging, and how components can be used to logically partition source code.

View Course

Desktop Analysis Options

Coverity offers two options for running a desktop analysis: Code Sight and Classic Fast Desktop. This micro course will help you decide if desktop analysis makes sense for you and, if so, which approach to take.

View Course

Examining and Triaging Issues

This micro course will show you how to examine and triage issues using the Coverity web interface. It covers how to navigate different projects, how to look at defect details, and some of the available options. It also covers how to classify issues, set severity levels, and define required actions.

View Course

Views, Filters, and Notifications

Being able to quickly focus on the issues that matter the most to you is very important, especially if Coverity finds a large number of issues. This micro course covers when to use the various view types, how to create custom views, and how to create a notification based on a view. This will enable you to easily focus on the issues that are the most critical to you.

View Course

Classic Fast Desktop for Your IDE

This micro course will help you get started with Coverity Classic Fast Desktop within the comfort and convenience of your IDE. It will show you how to configure and use the plugin/extension in your IDE.

View Course

Classic Fast Desktop CLI

This micro course will help you get started with the Coverity Classic Fast Desktop CLI. It will show you how to configure and use the CLI, and how you can use it in VI and Emacs.

View Course

Using Sigma Rapid Scan Static in GitHub

This micro course will show you how you can set up automatic runs of Rapid Scan Static on pushes to GitHub. Standalone Rapid Scan Static is a fast and easy-to-use headless SAST scanner that fits seamlessly into the early stages of the modern development life cycle, and it’s free for use by Coverity customers. This course will walk you through the exact steps needed to set up a GitHub Action, including the use of GitHub secrets to protect your security. Both GitHub experts and beginners should find the included example main.yml file helpful in getting started with Rapid Scan Static.

View Course

Getting Started with Sigma Rapid Scan Static Standalone

Rapid Scan Static using the Sigma engine is a fast and easy-to-use headless SAST scanner that fits seamlessly into the early stages of the modern development life cycle, and it’s free for use by Coverity customers. This micro course will walk you through running a standalone Rapid Scan Static analysis using the CLI and show you how you can use a configuration file to set custom default options. The micro course will also cover how you can easily use a policy file to break builds when integrating Rapid Scan Static into a pipeline like Jenkins.

View Course

Checking Connect Status and Diagnostics

This micro course will show you how to start and check diagnostics on your Connect server. It will walk you through the available system diagnostics found under the help menu and demonstrate how to download the available log files. In addition, it also covers the commands needed to manually start and shut down the Coverity server.

View Course

License Activation and Software Download

This micro course will show you how to activate your Coverity license and download the software. This course can be a good starting point if your company has just purchased Coverity software.

View Course

Committing Analysis Results

This micro course will walk you through how to send analysis results to a Coverity Connect server. It includes information on how to use keyfiles for added security and optional information on how SCM integration can be set up in the commit step.

View Course

Capturing Source Code

This course will walk you through how to capture your source code in preparation for running analysis. It will help you determine whether build or buildless capture is the correct approach for your codebase. The course also covers how to use cov-build and cov-capture.

View Course

Downloading the Analysis License and Software

This micro course will walk you through how to download the Coverity analysis license and software. The course will take you step by step from logging into the community to downloading exactly what you need.

View Course

Running Analysis

This micro course will walk you through how to run a Coverity analysis. It will first show you the basic process and then detail some commonly used options. The course wraps up with some advanced options that users may find helpful.

View Course

Installing the Analysis Software

This micro course will walk you through how to install the Coverity analysis software. It provides step-by-step guidance for the complete process.

View Course

Users, Groups, and Roles

Managing users, groups, and roles is a critical part of administering a Coverity Connect server. This micro course will show you how to add users and groups to your system and how to use roles to correctly assign permissions.

View Course

Backups and Data Purging

Running backups and managing database size are important aspects of any system that contains a database. This micro course will show you how to set up automatic backups of your Coverity Connect server. The course will also cover how to configure issue detail purging and snapshot summary purging, which will greatly assist in keeping the size of the Coverity Connect database manageable.

View Course

Installing the Connect Server

This micro course will show you how to install the Coverity Connect platform server. It will walk you through the complete installation process so you know exactly what to expect before you start the process yourself.

View Course

CODESIGHT

Code Sight for Developers

This course will help you get started using the Synopsys Code Sight plug-in with Coverity. It will walk you through the process of installing and using the plug-in to begin finding issues in your code.

View Course

Configuration for Coverity and Polaris Users

This course will help you configure Code Sight so you can access advanced features and use the tool in nondefault configurations. It is recommended that one member of each team using Code Sight or someone from DevOps take this course so they can distribute customized configuration files. In addition, as an optional lesson, this course provides some basic troubleshooting information.

View Course

Introduction to Code Sight

This course will help Black Duck, Coverity, and Polaris users get started using the Synopsys Code Sight IDE plug-in. The Code Sight plug-in/extension provides developers with an interface to Synopsys tools right in their IDE. After taking this micro course you will understand the basics of how Code Sight works.

View Course

Code Sight Installation

This course will walk you through how to download and install the Code Sight plug-in/extension into your IDE so you can get Black Duck or Coverity results on your desktop. A Black Duck license is required to get Black Duck results. A Coverity or Polaris license is required for Coverity results.

View Course

Reviewing Coverity Results

This micro course will help developers understand and use the information provided by the Code Sight plug-in/extension. Code Sight is a plug-in/extension that provides developers an interface to Synopsys tools directly in their IDE. This micro course is intended for developers who plan to start using Coverity tools on their desktop.

View Course

POLARIS

How to Create Reports

This course will introduce you to the process of creating reporting agents in the Polaris Software Integrity Platform.

View Course

Polaris Seeker Reporting

This course will show you how to set up Seeker reporting in Polaris.

View Course

Polaris for DevOps

This course will introduce you to the Polaris Software Integrity Platform and help you integrate static and software composition analysis into your software development life cycle.

View Course

Polaris for Security Professionals

This course will introduce you to the Polaris Software Integrity Platform and help you understand how to execute buildless capture analysis, review and interpret your analysis results, and generate the necessary reports out of the system.

View Course

Polaris for Developers

This course will introduce you to the Polaris Software Integrity Platform and help you get started using it to analyze and view potential security issues within your code.

View Course

Viewing and Downloading Reports

This course covers how to work with the Polaris reporting platform and use agents to sync the results from your tools. This course is geared toward people already familiar with the Polaris reporting platform, agents, and applications.

View Course

Coverity on Polaris Quick Start

This course provides an overview of the Polaris Software Integrity Platform. It will also demonstrate how to install and configure the Polaris CLI analysis tool, and how to interact with the Polaris user interface for viewing and triaging analysis results.

View Course

Combining Projects into an Application

Applications allow you to view multiple projects in a single view. This can be especially helpful if multiple microservices need to be looked at together. Applications can also be very helpful for managers who need to get an overall view of several separate projects. This micro course will give you a good idea of exactly what setting up an application will provide and show you how to create one.

View Course

DEFENSICS

Introduction to Defensics

In this course, you will learn what Defensics fuzzing is all about. Fuzzing is a method of software testing that uncovers failure modes and unknown vulnerabilities by deliberately sending malformed inputs to a target. Because it’s a common technique utilized by hackers, Defensics employs dynamic, black-box testing (meaning it requires no source code) to simulate real-life scenarios. The course covers the features and capabilities of the product, and why you should be using fuzz testing to eliminate bugs and vulnerabilities in your products.

View Course

Defensics Essentials

This course provides everything you need to know about Defensics, including vulnerabilities, fuzzing techniques, core product features, functionality, and common use cases. To provide hands-on experience, lectures are augmented by lab exercises to be performed on a cloud-based virtual machine.

View Course

How to Download Defensics From the Synopsys Community

This course provides an interactive tutorial to walk you through the process of downloading Defensics from the Synopsys community.

View Course

How to Access Arena and Download Defensics

This course provides an interactive tutorial to walk through the steps of downloading Defensics.

View Course

How to Download a License from Community

This course covers the steps for downloading a Defensics license from the community.

View Course

How to Get Your Flex Server Running

Flex server is the license server for Defensics. This interactive tutorial walks through the process of setting it up.

View Course

Installing the GUI

Once you have downloaded Defensics, you need to install it on your local machine with appropriate administrative privileges. The installation procedure is quite straightforward, and this interactive tutorial covers how to do it in Windows. The process is very similar in a Linux environment.

View Course

Defensics Tutorials

This course consists of short tutorial videos for Defensics. With the tutorials, you can learn various topics without investing a lot of time in a full course.

View Course

Setting Up Agent Instrumentation

Agent instrumentation is an effective way of detecting more issues in your tested system. This course walks you through how to configure both Defensics and your SUT for agent instrumentation.

View Course

Defensics FuzzBox: Getting Started

Defensics FuzzBox is an operating system with customized libraries and configurations to enable negative testing for IEEE 802.11 protocol layers. Testing with FuzzBox 802.11 requires the FuzzBox OS installed on a computer (x86 64-bit hardware) with injector hardware (WLAN adapter) and another computer (real or virtualized) running Defensics Monitor.

This course consists of four lessons:

1. How to create a FuzzBox installation USB key
2. Installing the FuzzBox OS
3. Authorize a new monitor
4. How to use a WLAN test suite

After finishing these lessons, you will be able to install and use the Defensics FuzzBox solution in your own production environment.

View Course

Defensics SDK: Environment Setup

Defensics SDK is a fuzzing framework that enables organizations to develop their own test suites for uncommon, custom, or proprietary protocols and file format parsers. This course walks through setting up the Defensics SDK environment.

View Course

Interpreting Results

When running tests with Defensics, it is important to understand what the results mean. The results tell you if you have configured the test environment properly, and if the tested system failed due to fuzz testing. This course walks through results interpretation in Defensics.

View Course

Instrumentation Overview

Defensics determines the pass/fail verdict for each test case based on instrumentation results. Instrumentation essentially means checking the health of the tested system. This course is an overview of the different instrumentation methods in Defensics.

View Course

When to Use Valid Case Instrumentation

When running server-side testing, valid case instrumentation is usually quick and easy to set up. Valid case instrumentation gives you quick results, but it is recommended to use more in-depth instrumentation methods for more detailed results.

View Course

Testplans

When you run the same test against the same test target multiple times with Defensics, using testplans is an excellent way to automate it and lessen the workload of configuring the test suite every time.

View Course

Rerun Test Cases

When doing fuzz testing with Defensics, it is essential to weed out the actual failures by rerunning test cases. This course walks you through how to rerun test cases based on a previous test run.

View Course

Command Line Execution

Using command line execution is the best way of automating your fuzz testing. This course walks through command line execution in Defensics for Windows and Linux, which use identical syntax.

View Course

Remediation Package

Reproducing and fixing the found vulnerabilities is the main goal of Defensics testing. With the help of remediation packages, developers can easily reproduce the found issues on their own computer, and make sure the issues are properly fixed.

View Course

SEEKER

Seeker for End Users

This course covers how to quickly check the status of a project, check its bill of materials, or look at its vulnerabilities. It also covers how to either triage the vulnerabilities Seeker finds or send them to an external bug tracking system for others to examine, and how to confirm that things are running correctly before testing is started.

View Course

Seeker for DevOps

This course covers how to set up a new project in Seeker to check its bill of materials or look at its vulnerabilities. It also covers how to integrate Seeker with tools like Jira or Jenkins, and how to confirm that things are running correctly before testing is started.

View Course

Integrating Seeker Findings into Code Dx

Integrating Seeker with the Code Dx server is quite simple, but it is almost always easier to see a process rather than just attempting it on your own. This course walks you through how to integrate Seeker with Code Dx. This process is similar to the process used by most tools Code Dx supports out of the box, so it may be helpful for many other tools as well.

View Course

CODE DX

How to Analyze a Project and Review Results

This course provides a step-by-step overview of how to analyze a new project with the built-in Code Dx tools. Learn how to create a new project, associate it with a codebase, select source types to analyze, and select which built-in analysis tools to use. The course also covers how to review results, including how to filter and sort results, inspect vulnerabilities and details, export results, and generate assessment reports.

View Course

Results Review and Reporting

Results in Code Dx are available in the Findings view. You can generate reports of your findings by using filters to get more focused reports. This course walks you through the results and reporting options.

View Course

UI Dashboard

The Code Dx UI dashboard is quite simple, and it contains a lot of useful settings for administrators. This course walks you through the different sections in the UI dashboard.

View Course

Integrating Black Duck Findings into Code Dx

Integrating Black Duck with the Code Dx server is quite simple, but it is almost always easier to see a process rather than just attempting it on your own. This course walks you through how to integrate Black Duck with Code Dx. This process is similar to the process used by most tools Code Dx supports out of the box, so it may be helpful for many other tools as well.

View Course

Integrating Seeker Findings into Code Dx

Integrating Seeker with the Code Dx server is quite simple, but it is almost always easier to see a process rather than just attempting it on your own. This course walks you through how to integrate Seeker with Code Dx. This process is similar to the process used by most tools Code Dx supports out of the box, so it may be helpful for many other tools as well.

View Course

Integrating Coverity Findings into Code Dx

Code Dx comes with a broad set of connectors for popular open source and third-party products, including Synopsys tools. Integrating Coverity with Code Dx is simple, but it is almost always easier to see the process in action first. This interactive module walks you through how to integrate and import Coverity findings into Code Dx.

View Course

Headless Server Installation in Linux Systems

A Code Dx server can be installed without the use of a graphical UI. This course walks you through how to do a headless installation in a Linux environment.

View Course

Server Installation in Windows

Installing the Code Dx server in Windows is quite straightforward, but there are a few important steps you need to consider. This course walks you through how to install a Code Dx server in a Windows 10 environment.

View Course