Using the Black Duck Hub Service Broker for PCF

This topic describes how to use the Black Duck Hub Service Broker for Pivotal Cloud Foundry (PCF).

The Black Duck Hub Service Broker for PCF requires that you are logged in to a PCF environment and have selected your organization and space.

  1. If this is the first time you are pushing a particular app, you must let PCF know about it before you can start binding other apps and services to it. To do this, run the command:

    $ cf push APP-NAME --no-start

    Where APP-NAME is replaced with the name of your app.

  2. Verify that the black-duck-scan service displays in the Marketplace using the command:

    $ cf marketplace

  3. Create a service instance of the black-duck-scan service using the command:

    $ cf create-service black-duck-scan standard INSTANCE-NAME

  4. Bind the service instance of the scan service to the app using the command:

    $ cf bind-service APP-NAME INSTANCE-NAME -c '{"project_name": "PROJECT-NAME", "code_location": "CODE-LOCATION-NAME"}'

    Where:
    • PROJECT-NAME: (optional) Name of the project displayed in the Black Duck Hub.
    • CODE-LOCATION-NAME: (optional) Hub code location alias. If not specified, the default code location is in the format API-ENDPOINT/SPACE-ID/SPACE-NAME/APP-NAME.

      Note: As an alternative to specifying the JSON string inline with the bind-service command, the JSON can be placed in a file and specified with the -c option, or the project name and code location parameters can be specified in the manifest.yml file as shown in the next step.

  5. Edit the project manifest.yml file, and in the env property of the app being scanned, add:

    • BLACK_DUCK_PROJECT_VERSION: (optional) This refers to the version of the project displayed in the Black Duck Hub. Black Duck strongly recommends that you use this parameter.
    • BLACK_DUCK_CODE_LOCATION: (optional) Hub code location alias.
    • BLACK_DUCK_PROJECT_NAME: (optional) Name of the project displayed in the Black Duck Hub.

    The following is an example of the manifest.yml file with the Black Duck changes:

    applications:
       - name: spring-music
         memory: 1G
         random-route: true
         path: build/libs/spring-music.jar
         env:
            BLACK_DUCK_PROJECT_VERSION: "1.0"
            BLACK_DUCK_PROJECT_NAME: "My CF Project"
            BLACK_DUCK_CODE_LOCATION: "my/cf/code/location"

    Note: Enclose the parameter values in single or double quotes so that they are always interpreted as strings.
    Also, if the parameters are specified both in the bind command and in the manifest.yml file, the bind command takes precedence.

  6. To initiate the push with a Black Duck scan, use the command:

    $ cf push -m 4G APP-NAME

    Memory of 4 GB or more is required because the Black Duck scan client reserves 4 GB of heap space. The -m 4G parameter overrides the memory attribute in the manifest.yml file and is not necessary if the value in the file is equal to or greater than 4 GB.

  7. Navigate to Black Duck Hub to view the results.
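
The quoting note in step 5 and the memory requirement in step 6 can be checked before pushing. The following script is an added example, not part of the original page or of Black Duck's tooling; the function names and the sample manifest (the page's manifest with the version deliberately left unquoted) are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the manifest.yml edited in step 5.
# Function names and the sample manifest are constructed for illustration.

# Print the first "memory:" value of a manifest read on stdin, in megabytes.
# Handles unquoted values such as 1G, 4096M or 4096MB.
manifest_memory_mb() {
  sed -n 's/^[[:space:]-]*memory:[[:space:]]*\([0-9][0-9]*\)\([MmGg]\)[Bb]\{0,1\}[[:space:]]*$/\1 \2/p' |
    head -n 1 |
    while read -r n unit; do
      case "$unit" in
        G|g) echo $((n * 1024)) ;;
        *)   echo "$n" ;;
      esac
    done
}

# Succeed when the push needs "-m 4G": memory is missing or below 4 GB.
needs_memory_override() {
  mb=$(manifest_memory_mb)
  [ -z "$mb" ] || [ "$mb" -lt 4096 ]
}

# Print each BLACK_DUCK_* key whose value is not in single or double quotes.
unquoted_black_duck_vars() {
  grep -E '^[[:space:]]*BLACK_DUCK_[A-Z_]+:' |
    grep -Ev ":[[:space:]]*(\"[^\"]*\"|'[^']*')[[:space:]]*\$" |
    sed 's/^[[:space:]]*\(BLACK_DUCK_[A-Z_]*\):.*/\1/'
}

# Constructed sample: the page's manifest with the version left unquoted.
SAMPLE_MANIFEST='applications:
   - name: spring-music
     memory: 1G
     path: build/libs/spring-music.jar
     env:
        BLACK_DUCK_PROJECT_VERSION: 1.0
        BLACK_DUCK_PROJECT_NAME: "My CF Project"
        BLACK_DUCK_CODE_LOCATION: "my/cf/code/location"'

for key in $(printf '%s\n' "$SAMPLE_MANIFEST" | unquoted_black_duck_vars); do
  echo "quote the value of $key so it is read as a string"
done
if printf '%s\n' "$SAMPLE_MANIFEST" | needs_memory_override; then
  echo "manifest memory is below 4 GB: push with cf push -m 4G APP-NAME"
fi
```

To check a real manifest, pipe the file into the same functions, for example `unquoted_black_duck_vars < manifest.yml`.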
