Knowledge Base Updates & Vulnerability Propagation

Black Duck SCA automatically keeps your project vulnerability data current through Knowledge Base (KB) update jobs — background processes that continuously propagate newly published vulnerabilities, score changes, and component metadata into your project versions. This page explains how these updates work, what to expect from notifications and audit logging, and how to get the most out of Active and LTS project versions.

Automatic Vulnerability Propagation

When new vulnerability data is published in the Black Duck Knowledge Base, background jobs automatically propagate that data into Active project versions. This means:

  • New CVEs and BDSAs are applied to all relevant Active project BOMs automatically.

  • No rescan is required — the system matches new vulnerability data against the existing BOM.

  • Processing is asynchronous; the time to full propagation depends on the volume of project versions and the health of the job runner.

Component Data Quality Updates

Occasionally, the Knowledge Base team makes structural improvements to component data to ensure accuracy:

  • Component migrations improve the accuracy of component metadata and matching.

  • Component deprecations remove invalid or fraudulent components (e.g. fake open-source packages identified on software forges).

  • Component merges and splits consolidate or separate component records for better data quality.

These changes are applied automatically and may update BOM entries in both Active and LTS project versions to reflect the corrected component data.

Notifications & Audit Logging

Black Duck SCA generates notifications and audit log entries for key vulnerability changes. The following table summarises current notification behaviour:

Change Type                                       Notification Generated   Audit Log Entry
New vulnerability added to a component            Yes                      Yes
Vulnerability removed from a component            Yes                      Yes
CVE <-> BDSA mapping update                       Yes                      Yes
CVSS / severity score change                      No                       No
Metadata-only update (description, references)    No                       No

Score and metadata changes are applied to your project data but do not currently generate notifications or audit log entries. This is an intentional design decision to minimise notification noise while a next-generation notification system is under development. We plan to revisit score-change notifications as part of that work.

Tip: To verify the most current vulnerability data at any time, refer to the dedicated BDSA or CVE detail page in Black Duck SCA — this always reflects the latest information from the Knowledge Base.

Understanding Remediation Status

When you review and remediate vulnerabilities in your project, Black Duck retains your remediation status and comments. However, there are specific scenarios where a vulnerability may appear as "new" and remediation status is reset:

  • Identifier transitions: When a vulnerability transitions between a BDSA and CVE identifier (or vice versa), the system creates a new record. Your previous remediation data is preserved in the system but is associated with the original identifier.

  • Component migrations: If a component is migrated to a new record in the Knowledge Base, vulnerabilities on the updated component are treated as new entries.

We are actively working on improvements to preserve remediation context across identifier transitions — this is a priority item on our product roadmap.
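The identifier-transition scenario above can be reconciled locally while the product-side improvement is pending. The following is an added example, not Black Duck's own code or API: it models vulnerable-BOM rows as simple records (an assumed shape, not the product's data model), takes a list of CVE <-> BDSA mapping pairs, and reports which entries that now show as "new" previously carried a remediation status under a related identifier, so they can be reviewed against that context instead of being triaged from scratch. All identifiers and component names in the sample data are constructed placeholders. Component migrations, which change the component record itself, are not handled here.

```python
"""Carry remediation context across CVE <-> BDSA identifier transitions.

Added illustration; the record shape, the sample data and the mapping
format are assumptions made for this example, not Black Duck's own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class VulnEntry:
    """One vulnerable-BOM row as this example models it (assumed shape)."""
    component: str   # component version the vulnerability is attached to
    vuln_id: str     # "CVE-..." or "BDSA-..." identifier
    status: str      # remediation status, e.g. NEW, NEEDS_REVIEW, REMEDIATION_COMPLETE, IGNORED
    comment: str = ""


def build_alias_groups(pairs: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each identifier to the set of identifiers that refer to the same issue.

    A single BDSA may map to several CVEs, so groups are merged transitively.
    """
    groups: Dict[str, Set[str]] = {}
    for a, b in pairs:
        merged = groups.get(a, {a}) | groups.get(b, {b})
        for ident in merged:          # every member points at the merged group
            groups[ident] = merged
    return groups


def reconcile(previous: List[VulnEntry], current: List[VulnEntry],
              mapping: Iterable[Tuple[str, str]]) -> Dict[str, list]:
    """Compare two snapshots of a project version's vulnerable BOM.

    Returns entries that are genuinely new, unchanged, removed, and those
    that appear as NEW now but had remediation context on the same component
    under the same or a related identifier ("carried").
    """
    groups = build_alias_groups(mapping)
    prev_index = {(e.component, e.vuln_id): e for e in previous}
    result: Dict[str, list] = {"carried": [], "unchanged": [], "new": [], "removed": []}
    matched_prev = set()

    for cur in current:
        aliases = groups.get(cur.vuln_id, {cur.vuln_id})
        match = None
        for ident in sorted(aliases):   # sorted for deterministic lookup order
            match = prev_index.get((cur.component, ident))
            if match is not None:
                break
        if match is None:
            result["new"].append(cur)
            continue
        matched_prev.add((match.component, match.vuln_id))
        if cur.status == "NEW" and match.status != "NEW":
            result["carried"].append((cur, match))   # reset triage worth reviewing
        else:
            result["unchanged"].append(cur)

    result["removed"] = [e for key, e in prev_index.items() if key not in matched_prev]
    return result


# Constructed sample data with placeholder identifiers (not real CVEs/BDSAs).
PREVIOUS = [
    VulnEntry("org.example:parser:2.1.0", "CVE-0000-0001", "REMEDIATION_COMPLETE", "fixed via config"),
    VulnEntry("org.example:parser:2.1.0", "CVE-0000-0002", "NEEDS_REVIEW"),
    VulnEntry("org.example:netlib:1.0.0", "BDSA-0000-0100", "IGNORED", "code path not reachable"),
]
MAPPING = [
    ("CVE-0000-0001", "BDSA-0000-0001"),
    ("CVE-0000-0004", "BDSA-0000-0001"),   # one BDSA covering two CVEs
    ("CVE-0000-0002", "BDSA-0000-0002"),
]
CURRENT = [
    VulnEntry("org.example:parser:2.1.0", "BDSA-0000-0001", "NEW"),           # CVE -> BDSA transition
    VulnEntry("org.example:parser:2.1.0", "CVE-0000-0002", "NEEDS_REVIEW"),   # unchanged
    VulnEntry("org.example:parser:2.1.0", "CVE-0000-0003", "NEW"),            # genuinely new
]


def run_example() -> Dict[str, list]:
    """Reconcile the constructed snapshots and return the result."""
    return reconcile(PREVIOUS, CURRENT, MAPPING)


if __name__ == "__main__":
    out = run_example()
    for cur, prev in out["carried"]:
        print(f"{cur.vuln_id} on {cur.component} is NEW but {prev.vuln_id} was "
              f"{prev.status}: {prev.comment!r}")
    print("new:", [e.vuln_id for e in out["new"]])
    print("removed:", [e.vuln_id for e in out["removed"]])
```

The "carried" list is the one to act on: each pair names the entry that now shows as NEW and the earlier record whose status and comment should be reviewed before the vulnerability is re-triaged. Entries in "removed" correspond to vulnerabilities that left the BOM, which the product does notify on, so they are listed only for completeness.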

Resolving Data Discrepancies Across Views

Different views in Black Duck refresh at different intervals. If you notice temporary inconsistencies between views:

  1. The BDSA/CVE detail page is always the authoritative source — it reflects the most current Knowledge Base data.

  2. BOM vulnerability pages, dashboards, and reports may take slightly longer to update.

  3. The "Where used" view on a component version can help confirm which projects are affected when the "Affected projects" view has not yet fully refreshed.

These timing differences are expected and typically resolve within a short period as background processing completes.

Best Practices

  • Check the BDSA/CVE detail page when you need the most up-to-date vulnerability information.

  • Re-scan a project version if you suspect KB update data has not yet propagated — this forces a full refresh against the latest Knowledge Base.