Add "Black Duck" as advisor for known security vulnerabilities

[fviernau]

Black Duck amongst others is a data source for security vulnerabilities.
Goal of this ticket is to make that data source available by integrating Black Duck as a so called advisor into ORT.

Out of scope: Any other capability Black Duck has besides the security vulnerabilities,
such as scanning, e.g. for code snippets.

There is no public Black Duck instance, and the REST API docs seem to be available only via the actual instance, see also 1.

[fviernau]

There is parties interested in having this, I'll potentially work on this soon.

[sschuberth]

Ping @porsche-rishisaxena and @porsche-rbieniek as you might be interested in this work. We should talk about our respective experiences here, esp. having @porsche-rbieniek's "client layer" work in mind that has been mentioned here.

[porsche-rishisaxena]

@sschuberth: we already have Blackduck as vulnerability provider integrated with "Advisor Stage" in our Porsche Version where we transform the analyzer-result.yml into bdio format of Blackduck to look-up for the dependency and version. If found, we get the vulnerability information as per CVSS 3.x standard.
This solution is LIVE since 3 months now in Porsche Eco-System.

[sschuberth]

This solution is LIVE since 3 months now in Porsche Eco-System.

Thanks for sharing this achievement! This could be of interest to a client that @fviernau is working for, I believe. I'm trying to bring together the community here in order to exchange knowledge / experience and not reinvent the wheel.