# Black Duck (Synopsys) MCP for AI Agents

> Black Duck (Synopsys) MCP allows your AI agent to manage open source security compliance directly against your code inventory. You can list projects, find known vulnerabilities, check Bill of Materials (BOM) status, and audit security policies simply by asking natural language questions.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** open-source-security, vulnerability-scanning, license-compliance, software-supply-chain, cve-tracking, risk-management

## Description

Connect Black Duck (Synopsys) through this MCP to turn complex security auditing into a simple conversation with your AI agent. Instead of jumping between dashboards or running manual exports, you talk to the system about your code dependencies. The platform lets you locate all software projects and their versions across multiple repositories. You can ask for details on specific project components, check if the Bill of Materials (BOM) is current, or find out which users have access to sensitive data.

If a dependency has known vulnerabilities, you just ask, and your agent retrieves those CVEs along with severity levels. Furthermore, you can audit the entire organization's security posture by listing defined policy rules or checking who manages user accounts. It’s about getting immediate answers on compliance status and risk assessment right where you work. By connecting this MCP via Vinkius, you give any compatible AI client a single pane of glass for your entire open source supply chain.

## Tools

### get_bom_status
Checks if the Bill of Materials (BOM) calculation for a given project version is up to date.

### get_project
Retrieves specific metadata and details about a targeted software project.

### list_vulnerabilities
Generates a list of known vulnerabilities associated with a particular project version.

### get_vulnerability_details
Pulls deep technical details for a specific CVE or vulnerability ID.

### list_code_locations
Lists the exact locations within code where components were scanned.

### list_policy_rules
Provides a comprehensive list of all security policy rules defined for your organization.

### list_project_versions
Lists every version available for a specific software project, defining the scope of the audit.

### list_projects
Retrieves an exhaustive list of all projects managed within Black Duck.

### list_users
Lists every user account and profile within the platform for access auditing.

### search_projects
Searches across all tracked projects using keywords or partial names.

## Prompt Examples

**Prompt:** 
```
What are the critical security risks found in our 'Client Portal' service?
```

**Response:** 
```
**Project: Client Portal**

We identified 3 high-risk CVEs linked to outdated libraries:

*   **CVE-2024-1234:** Medium severity (Dependency X v1.0).
*   **CVE-2023-5678:** Critical severity (OpenSSL component). Requires immediate patching.
*   **CVE-2024-9012:** High severity (Logging library Y). Check user access controls for this dependency.

Action recommended: Update OpenSSL and review policy rules.
```

**Prompt:** 
```
Check the compliance status and list all versions for 'Core API' project.
```

**Response:** 
```
*Project:* Core API
*Versions Found:* 4 total (v1.0, v1.1-beta, latest)

**BOM Status:** ✅ UP_TO_DATE. The Bill of Materials is fully synchronized with the current compliance policy guidelines.

*Vulnerability Snapshot (latest):* No critical CVEs detected right now.
```

**Prompt:** 
```
Who has admin access and what policies govern them?
```

**Response:** 
```
Here’s a summary of user permissions and governing rules:

**Users with Admin Rights:** John Doe, Jane Smith (2 accounts)
**Governing Policies Found:**
1.  *Data Access Policy:* Limits read/write based on department.
2.  *Audit Scope Policy:* Requires all changes to be logged via user profile tracking.
3.  *BOM Integrity Policy:* Enforces get_bom_status before deployment.
```

## Capabilities

### Identify all software projects
Retrieve a list and detailed metadata for every project tracked in Black Duck.

### Track specific versions and components
List all available versions for a given project or retrieve the full details of a target component.

### Audit known vulnerabilities (CVEs)
Query projects and versions to find listed Common Vulnerabilities and Exposures, along with their severity levels.

### Check compliance status
Verify the calculation status of the Bill of Materials (BOM) to confirm data freshness for regulatory reports.

### Review security policies and users
List all defined organizational security policy rules or retrieve profiles detailing platform user access controls.

## Use Cases

### Auditing a new service dependency
A developer needs to know the risk profile of a newly added library. They ask their agent, which then uses list_vulnerabilities and get_vulnerability_details to summarize all critical CVEs linked to that specific project version.

### Preparing for quarterly compliance review
A Compliance Officer needs a report proving BOM data is current across all major applications. They use the agent to list projects, then check get_bom_status for each one before submitting their documentation.

### Investigating unauthorized user access
The security team suspects an account has excessive privileges. They use the agent to run list_users and cross-reference the results with the platform's defined policy rules via list_policy_rules.

### Determining project scope for a new audit
A lead engineer doesn't know all the applications in use. They ask the agent to list all projects, followed by search_projects to narrow down the targets before beginning the vulnerability scan.

## Benefits

- Immediate vulnerability assessment: Stop manually exporting reports. Your agent can list vulnerabilities or retrieve detailed CVEs instantly.
- Compliance visibility: Use the MCP to check BOM status via get_bom_status, giving Compliance Officers real-time proof of data synchronization for audits.
- Full project scope control: Need to know what you're auditing? List all projects and run a search_projects query to build your audit list quickly.
- Policy enforcement checks: List policy rules (list_policy_rules) or review user access (list_users) directly through conversation, eliminating dashboard navigation time.
- Pinpoint risk locations: Track security coverage by listing code locations (list_code_locations) and getting detailed project info via get_project.

## How It Works

You talk to your AI client as you would to a colleague; it does the API work behind the scenes.

1. Subscribe to the MCP, providing your Black Duck Instance URL and API Token.
2. Your AI client authenticates with Vinkius and gains read-only access to your defined security scope.
3. You ask a question in natural language (e.g., 'What are the critical vulnerabilities for Project X?'), and the agent executes the necessary tool calls.

## Frequently Asked Questions

**How does the Black Duck (Synopsys) MCP help me audit my code dependencies?**
This MCP allows you to talk directly to your security tool. You can ask it to list all projects, then request vulnerabilities for a specific version, getting immediate reports on CVEs without using any manual dashboard exports.

**Can I use the Black Duck (Synopsys) MCP to check compliance?**
Yes. You can run checks like verifying the Bill of Materials status and listing organizational policy rules, which is critical for proving regulatory adherence during audits.

**What kind of information does this Black Duck (Synopsys) MCP provide about users?**
It allows you to list all user profiles within the platform. This helps compliance officers review who has access and what policies govern their activity across different projects.

**Is the Black Duck (Synopsys) MCP better than running reports manually?**
Absolutely. Instead of spending hours navigating multiple menus, you ask your agent a single question—like 'What's wrong with Project X?'—and it consolidates the data from all necessary tools into one answer.

**Does this MCP only look at open source code?**
No. It gives you visibility across your entire software supply chain, allowing you to check project metadata and dependency risks regardless of where they originate in the codebase.