Frequently Asked Questions
General Questions
What is Black Duck CoPilot?

CoPilot is a free tool that connects with your GitHub repositories to provide security risk information on your open source projects. It is powered by Black Duck Hub.

How often will CoPilot analyze my project?

CoPilot runs analysis on Git branches. It will analyze a branch any time a CI build runs on that branch, typically whenever a commit is pushed to that branch on GitHub.

Setup Questions
What platforms does CoPilot support?

Black Duck CoPilot currently supports the following platforms:

Source Repositories
  • GitHub
Build Tools
  • Gradle
  • Maven
  • Maven Wrapper
  • Scala Build Tool
  • NuGet
  • pip
CI Systems
  • Travis CI
  • Circle CI
  • AppVeyor
What GitHub OAuth permissions does CoPilot use, and what does it do with them?

When logging into CoPilot with your GitHub account, it will request the following permissions:

Usage and Remediation Questions
Why do I see components in my results that aren't in my declared dependencies?

Components can be used by other components - these are called "transitive dependencies". Your application may be indirectly using components you didn't explicitly declare if a component you did declare has transitive dependencies. A transitive component still ends up on your classpath and ships with your application, so a vulnerability in it affects you exactly as one in a directly declared component would.

How do I determine which component is bringing in a transitive dependency?

Gradle

Use the DependencyInsightReportTask - add a task to your top-level Gradle file (every Gradle project also ships a built-in task of this type named dependencyInsight, which you can run instead of declaring your own):

task dependencyInsightReport(type: DependencyInsightReportTask)

And then find the occurrence of the dependency (replace ${groupId:artifactId:version} with the external ID of the transitive dependency in question; the match is partial, so the artifactId alone is usually enough):

./gradlew dependencyInsightReport --configuration testRuntime --dependency ${groupId:artifactId:version}

This will output a tree showing the path from the target dependency to your project. The "configuration" argument determines what configuration is searched - testRuntime is used above, as this encompasses the standard compile, runtime, testCompile, and testRuntime configurations. On Gradle 7 and later those legacy configurations no longer exist; use testRuntimeClasspath instead, or runtimeClasspath to look only at what ships to production.

Maven

Use the tree command of the Maven Dependency plugin (replace ${groupId:artifactId} with the group and artifact IDs of the transitive dependency in question):

mvn dependency:tree -Dincludes=${groupId:artifactId}

This will output a tree showing the path from your project down to the target dependency. Add -Dverbose=true to also list the copies Maven dropped during version mediation (shown in parentheses as "omitted for conflict with ..."), which matters when the version you are tracking down is not the one that ended up in the build.

How do I override the version of a transitive dependency?

Gradle

To override the version of a transitive dependency in Gradle, exclude it from the declared dependency that pulls it in, and then explicitly declare the version that you prefer to use in your build.gradle. The exclude matters: Gradle's default conflict resolution picks the highest version requested anywhere in the graph, so a plain direct declaration only wins when it is newer than the transitive one. Excluding the transitive copy leaves your declaration as the only request for that module, so it wins even when you are pinning to an older version.

dependencies {
    // Gradle 7 and later: implementation replaces the removed compile configuration
    implementation("my:declared:dependency") {
        // drop the transitive copy so only the version declared below is requested
        exclude group: 'transitive.group.id', module: 'artifactId'
    }
    implementation "transitive.group.id:artifactId:your.preferred.version"
}

The exclude applies only to that one declared dependency. If several of your dependencies pull in the same module, exclude it from each of them, or pin it once for the whole build with resolutionStrategy.force inside configurations.all. Re-run the dependencyInsight report afterwards to confirm that only your version appears.

Maven

To override the version of a transitive dependency in Maven, just explicitly declare the version of the component that you prefer to use in your pom.xml. Maven's mediation rule is "nearest wins": a dependency declared directly in your POM is one step from the root and so beats any version requested deeper in the tree, whether that version is higher or lower than yours.

<dependency>
    <groupId>transitive.group.id</groupId>
    <artifactId>artifact-id</artifactId>
    <version>your.preferred.version</version>
</dependency>

In a multi-module build, put the same declaration under <dependencyManagement> in the parent POM instead; a managed version applies to that component wherever it appears in the tree, including transitively, without making it a direct dependency of every module. After either change, confirm the override took effect with mvn dependency:tree -Dverbose=true -Dincludes=transitive.group.id:artifact-id, which shows the old copy as "omitted for conflict with your.preferred.version".
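Both of the Maven answers above (finding which declared component brings in a transitive dependency, and checking that a version override actually took effect) come down to reading the indented output of mvn dependency:tree. The script below is an added example, not part of the original FAQ or of Black Duck's tooling: it parses that output, reports every chain from the project root down to a given group:artifact, and tells you which copy Maven selected and which it omitted for conflict. The sample tree and all coordinates in it are constructed for the example; the verbose line format assumed is the "(... - omitted for conflict with X)" form printed by the Maven Dependency plugin's verbose mode.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample of `mvn dependency:tree -Dverbose=true` output; every coordinate is
# hypothetical. json-parser arrives transitively at 1.0.0 and is overridden by a direct
# declaration of 1.2.0, so Maven reports the transitive copy as "omitted for conflict".
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.example.lib:web-client:jar:2.4.0:compile
[INFO] |  +- com.example.lib:http-core:jar:1.1.0:compile
[INFO] |  |  \- (com.example.lib:json-parser:jar:1.0.0:compile - omitted for conflict with 1.2.0)
[INFO] |  \- com.example.lib:logging:jar:3.0.1:compile
[INFO] +- com.example.lib:json-parser:jar:1.2.0:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# One tree line: optional "[INFO] " log prefix, indentation in 3-character units
# ("|  " or "   "), an optional branch marker ("+- " or "\- "), then the node text.
LINE_RE = re.compile(r"^(?:\[INFO\] )?(?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<node>.*)$")
# Node text: "group:artifact:type[:classifier]:version[:scope]"; verbose mode wraps an
# omitted node in parentheses and appends " - <reason>".
NODE_RE = re.compile(r"^\(?(?P<coords>[^\s()]+)(?: - (?P<note>[^)]*))?\)?$")


@dataclass
class Occurrence:
    path: List[str]          # group:artifact:version from the project root down to this node
    version: str
    scope: Optional[str]
    omitted: Optional[str]   # e.g. "omitted for conflict with 1.2.0"; None if this copy was selected

    @property
    def group_artifact(self) -> str:
        return self.path[-1].rsplit(":", 1)[0]


def _parse_node(raw: str) -> Optional[tuple]:
    """Return (group, artifact, version, scope, note), or None for lines that are not tree nodes."""
    m = NODE_RE.match(raw)
    if not m:
        return None
    parts = m["coords"].split(":")
    if len(parts) == 4:        # root project: group:artifact:type:version
        version, scope = parts[3], None
    elif len(parts) == 5:      # group:artifact:type:version:scope
        version, scope = parts[3], parts[4]
    elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
        version, scope = parts[4], parts[5]
    else:
        return None            # banner, separator line, or other non-coordinate text
    return parts[0], parts[1], version, scope, m["note"]


def iter_occurrences(tree_text: str) -> Iterator[Occurrence]:
    """Walk the indented tree, keeping the chain of ancestors for every node."""
    stack: List[tuple] = []    # (depth, label) for the current ancestor chain
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        parsed = _parse_node(m["node"]) if m else None
        if parsed is None:
            continue
        group, artifact, version, scope, note = parsed
        depth = len(m["indent"]) // 3 + (1 if m["marker"] else 0)
        while stack and stack[-1][0] >= depth:
            stack.pop()        # climb back up to this node's parent
        label = f"{group}:{artifact}:{version}"
        path = [lbl for _, lbl in stack] + [label]
        stack.append((depth, label))
        yield Occurrence(path=path, version=version, scope=scope, omitted=note)


def paths_to(tree_text: str, group_artifact: str) -> List[Occurrence]:
    """Every place group:artifact appears, each with the chain of dependencies that brings it in."""
    return [o for o in iter_occurrences(tree_text) if o.group_artifact == group_artifact]


def resolved_version(tree_text: str, group_artifact: str) -> Optional[str]:
    """The version Maven actually selected: the occurrence not marked as omitted."""
    for occ in paths_to(tree_text, group_artifact):
        if occ.omitted is None:
            return occ.version
    return None


if __name__ == "__main__":
    target = "com.example.lib:json-parser"
    for occ in paths_to(SAMPLE_TREE, target):
        print(" -> ".join(occ.path), f"[{occ.omitted or 'selected'}]")
    print("resolved:", resolved_version(SAMPLE_TREE, target))
```

Pipe the real output in with something like mvn dependency:tree -Dverbose=true | python3 find_dep.py and change target to the coordinates Black Duck flagged. The first element of each path after the root is the dependency you declared, which is the one to exclude from or override; a result whose selected version differs from the one you declared means the override did not take effect. Gradle's dependencyInsight prints a differently shaped report, so this parser does not cover it.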