Before you run the Vulnerability Response Integration with Black Duck on your instance, you must complete the installation and configuration steps so that the Black Duck Software Composition Analysis (SCA) tool properly integrates with the Application Vulnerability Response application.

Before you begin

Role required: sn_vul_blackduck.configure_integration, App-Sec Manager user group

About this task

The Vulnerability Response Integration with Black Duck is available as a separate subscription.

Procedure

  1. Navigate to All > Blackduck Vulnerability Integration > Configuration.
  2. Select the Basic Authentication type.
    Basic Authentication requires a MID Server for instances that are on-premises. You can generate the API token that is required for basic authentication from your Black Duck account.
  3. On the form, fill in the fields.
    Basic Authentication
    Table 1.
    FieldDescription
    API URL Black Duck API URL for instances that are enterprise or on-premises. The on-premises instance is your Black Duck endpoint URL.
    API Token Token that you generated from your Black Duck console.
    MID Server MID Server that is required for instances that are on-premises for Basic Authentication.
    Include SCA Vulnerabilities from Software Composition Analysis (SCA) scans that are included by default. SCA scans identify the vulnerabilities in open-source components.
    Select the option to manage False positives in ServiceNow ServiceNow Option to Manage false positives. Leave this option activated if you want to triage the imported application vulnerable items (AVIs) with the Source states that are marked as False Positive or Potential False Positive.

    AVIs with these Source states that normally are mapped to a Closed state in your instance are mapped to Open.

    You can request a False positive from the AVI record.
    • Deactivate one or both options if you want to preserve the Source states that were imported from your scanner.
    • If deactivated, the Request exception and False Positive actions aren’t visible on the AVIs.
    Integration Instance Instance that you’re using to import the data.
  4. Select Save and Test credentials.
  5. Run the Black Duck Project List Integration before you run other integrations.
    The other Black Duck integrations, such as the Black Duck Application List Integration and Black Duck Application Vulnerable Item Integration, depend on the current project and application data that you imported from the Project List Integration.