Black Duck Detect 11.5.0: More Reliable SBOM Evidence Across Builds
Black Duck Detect 11.5.0 strengthens software composition analysis evidence by correcting dependency parsing and build-tool edge cases that could produce incomplete or inaccurate BOMs. The release moves Quack Patch output into the Detect scan output directory, includes it in diagnostic archives, and adds operational guidance for renamed download domains, SCASS network access, CentOS deprecation, and the planned Java 8 support sunset. Enterprise teams should validate scan-success policies where empty BOMs are now an expected outcome for projects with no dependencies or no matching binaries.
Black Duck Detect 11.5.0 moves Quack Patch output into the Detect scan output directory, giving release owners a predictable location for scan evidence and diagnostic collection.
That operational change arrives with detector fixes that improve the quality of BOM data across several enterprise build estates. For organizations using scan results in release gates, vulnerability triage, license review, or audit evidence, the practical value is fewer incorrect dependency outcomes and clearer handling of exceptional build conditions.
More dependable dependency and BOM results
The release addresses parsing and reporting issues that could omit dependencies, include dependencies that should not be reported, or generate misleading versions in the BOM.
Notable corrections include:
Python requirements.txt files now support extras syntax such as kopf[dev]>=1.3.
PIP Native Inspector now parses PEP 508 environment markers correctly.
PEP 440 direct references in the form name @ url are included in Python dependency trees.
Cargo dependency declarations using the caret (^) syntax no longer fail parsing.
sbt evictions now report the replacement version rather than the evicted requested version.
UV optional-dependency exclusions now correctly exclude named extras alongside development dependencies.
BitBake layer detection resolves colliding project and layer names more deterministically.
These fixes matter because a BOM is often treated as a control record, not merely scan output. If a direct-reference package is omitted, an evicted version is reported, or a dependency group exclusion is applied incorrectly, security and legal review decisions can be based on incomplete evidence.
July 13, 2026By Chris CarpenterBlack DuckDetectCI CD
Better build-tool behavior in complex repositories
Detect 11.5.0 also addresses cases common in large build environments, particularly Gradle and Bazel estates with generated modules, plugins, deferred configuration, or partial query output.
For Gradle, the updated init script prevents plugin-injected tools from phantom projects from entering dependency reports. Phantom projects are container modules that lack a build.gradle file; previously, tools introduced by plugins such as Detekt and Ktlint could appear as dependencies. Detect now also waits until Gradle project evaluation callbacks have completed before enumerating configurations, improving compatibility with the Android Gradle Plugin and other deferred configuration patterns.
For Bazel, exit code 3 from query or cquery is now treated as partial success. Detect processes any available output and logs a warning that dependency results may be incomplete. This preserves useful scan evidence while making the coverage limitation visible to pipeline owners.
Release governance should treat that warning as a policy event. A partial result may be acceptable for an informational branch scan, but it may require review or a failed gate for a production release candidate.
Empty BOMs now require explicit coverage policy
Two behaviors reduce avoidable scan failures:
A Python Setuptools project with no dependencies now completes and generates an empty BOM.
A scan with no files matching configured binary patterns, such as .jar, .war, or .zip, now completes successfully.
This is appropriate when the project genuinely has no dependencies or no in-scope binaries. It also changes the meaning of a successful job: success alone no longer proves expected package-manager or binary coverage was found.
Teams should add controls around expected scan content, including:
Require known manifests or expected detector output for governed applications.
Alert when a production application produces an empty BOM unexpectedly.
Record whether an empty BOM was approved as valid for that component.
Review binary-pattern configuration after pipeline or repository layout changes.
This makes audit collection more predictable, especially where scans runs in ephemeral agents.
Quack Patch evidence is easier to retain and diagnose
Quack Patch output now defaults to the Detect scan output directory instead of the current working directory. When Quack Patch is enabled, that output directory is also included in the diagnostic ZIP.
The change improves traceability for CI/CD jobs because scan logs, generated artifacts, and diagnostics can be collected from a single defined location. Teams should update any artifact publication, cleanup, support bundle, or incident-runbook references that assume Quack Patch files are written to the workspace root.
Platform and connectivity actions to schedule
Several notices require operational planning beyond the detector fixes.
Updated Detect name and download domains
Synopsys Detect has been renamed Black Duck Detect. Documentation links and URLs have changed accordingly. Supported download locations are repo.blackduck.com and detect.blackduck.com; Detect scripts should be downloaded only through detect.blackduck.com.
Detect 10.0.0 and later requires repo.blackduck.com. Organizations still operating Detect 8 or 9 should update to 8.11.2 or 9.10.1 respectively while they prepare a broader upgrade path.
SCASS firewall and allow-list requirements
Black Duck SCA Scan Service users must allow the published SCASS addresses so scan data can reach the processing service. This should be handled through standard network-change governance, with validation from CI runners and any segregated build networks.
Review the current required endpoints and IP addresses in the release notice, including regional SCASS and store hosts. Do not assume existing allow lists cover newly published service addresses.
CentOS and Java 8 migration planning
CentOS support in Detect Docker Inspector is deprecated in 11.5.0 and will be removed in Detect 12.0.0. The imageinspector.service.port.centos property is also deprecated and scheduled for removal in that release.
Java 8 support is planned for deprecation in the anticipated 2026 Q3 Detect 12.0.0 release, aligned to EU Cyber Resilience Act compliance timelines. Inventory self-hosted agents, container images, shared build templates, and wrapper scripts now, rather than making the migration a release-blocking event later.
Recommended rollout controls
A controlled upgrade should focus on both scan correctness and operational behavior.
Test representative Python, Gradle, Bazel, sbt, UV, Cargo, and BitBake repositories.
Compare BOM component counts and version selections against the prior release.
Update artifact collection for the new Quack Patch output path.
Define handling for partial Bazel results and unexpected empty BOMs.
Verify download domains, SCASS connectivity, and firewall rules from build environments.
Create remediation owners and dates for CentOS Docker Inspector and Java 8 dependencies.
The Project Inspector update to version 2026.6.0 also supports continued security compliance, so this release should be assessed as part of the organization’s regular scanner currency process.
How Merito helps
Merito helps enterprises introduce Black Duck Detect updates without weakening release controls. We assess affected pipelines, validate BOM deltas, update artifact and network configurations, and define policy rules for partial or empty scan outcomes.
For teams facing the CentOS and Java 8 changes, Merito can build an inventory-led migration plan that assigns ownership across platform engineering, application teams, security, and audit stakeholders.
Merito is a Black Duck partner. Our Black Duck Detect team can scope licensing, sizing, and rollout for 11.5.0, and our enterprise upgrade services help you plan and validate the upgrade with minimal disruption to release schedules.
Frequently Asked Questions
The release primarily improves the accuracy and completeness of BOM generation for common build ecosystems, including Python, Gradle, Bazel, sbt, UV, BitBake, and Cargo. It also makes Quack Patch artifacts easier to collect and diagnose by placing them under the Detect scan output directory. Merito can help teams prioritize regression testing for affected repositories and define evidence-retention practices for release audits.
Yes. Quack Patch output now defaults to the Detect scan output directory rather than the current working directory, and the output directory is included in the diagnostic ZIP when the feature is enabled. Pipeline jobs, artifact collectors, and retention rules that reference the former working-directory location should be reviewed before rollout.
Detect now completes successfully with an empty BOM when a Setuptools project has no dependencies or when no configured binary file patterns are found. This prevents unnecessary pipeline failures, but a successful empty BOM can also indicate an unintended coverage gap. Teams should add policy checks that distinguish an expected empty result from a missing manifest, incorrect scan path, or excluded binary pattern.
Teams should use repo.blackduck.com and detect.blackduck.com for supported downloads, and SCASS users must ensure the published service IP addresses are permitted by firewalls or allow lists. CentOS support in Detect Docker Inspector is deprecated and will be removed in Detect 12.0.0, while Java 8 support is planned for deprecation in the anticipated 2026 Q3 Detect 12.0.0 release. Merito can assess build-agent exposure, update network controls, and create a phased migration plan.
Keep Reading
Related Product Release Updates
Explore a few more Merito release updates that align with the themes in this article.