
AI coding tools created 107% more vulnerabilities this year. EU CRA gives you 24 hours to report the ones being exploited.
Black Duck detects what AI wrote. Siemens Polarion proves it was governed. X-DLM™ makes the 24h window operational.
The attack surface AI development created is real. EU CRA makes it a legal reporting obligation.
581: mean open-source vulnerabilities per codebase in 2026, more than doubled year over year. Every actively exploited one triggers a CRA 24-hour Early Warning obligation. Source: 2026 OSSRA Report.
Share of commercial codebases that contain at least one high or critical open-source vulnerability, up from 86% in 2025. AI-assisted development is accelerating exposure, not reducing it.
Vulnerabilities in Black Duck's KnowledgeBase, including 63,000+ exclusive BDSA advisories not in NVD. BDSA alerts arrive up to 3 weeks ahead of public disclosure.
Manual handoffs in the X-DLM™ workflow: Black Duck findings route automatically into Polarion work items with owners, timelines, CRA practice mapping, and approval chains.
Sources: 2026 OSSRA Report. Black Duck BDSA product documentation.
Detection at AI speed requires governance at the same speed. Manual processes cannot cover 581 vulnerabilities per codebase.
- 01 Detect AI-specific threats — not just traditional CVEs
  Black Duck identifies vulnerabilities in AI model packages, malicious packages injected via dependency confusion attacks, compromised open-source packages, AI-generated code snippets with known CVEs, and license-laundered GPL code that creates both security and legal exposure.
- 02 Operationalize CRA's 24h/72h/14-day reporting windows
  When Black Duck surfaces an actively exploited vulnerability, X-DLM™ creates a Polarion work item that triggers the CRA three-stage cascade automatically: Early Warning at 24h, Vulnerability Notification at 72h, Final Report at 14 days. Every step is tracked, owned, and timestamped for ENISA/CSIRT submission.
- 03 Govern the AI model supply chain
  AI model dependencies — PyTorch, TensorFlow, HuggingFace models, LangChain, vector database packages — carry the same vulnerability risk as any open-source library, with less mature patching ecosystems. Black Duck tracks them. X-DLM™ governs the response.
- 04 VDR and VEX records — on demand, not on deadline
  EU CRA requires manufacturers to maintain Vulnerability Disclosure Records and produce Vulnerability Exploitability Exchange statements. X-DLM™ generates both from Polarion workflow history, available for customer requests, enterprise procurement reviews, and regulatory inquiry in minutes.
See how Siemens Polarion and Black Duck become one governed software risk workflow.
X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.
Brand authority buyers recognize
Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM
Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

Black Duck Software Composition Analysis
Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.
What X-DLM™ changes for your business
Security runs itself. Your teams focus on product innovation.
Before: Security as a release bottleneck. Manual triage, fragmented tools, late-cycle surprises. Security gates slow delivery and drain engineering bandwidth.
After X-DLM™: Automated vulnerability handling from detection to remediation. Engineers stay focused on building; security runs in parallel, not as a checkpoint.

Before: Security bolted on at the end. Reactive posture. Vulnerabilities discovered late. Costly rework. Customers and auditors see through it.
After X-DLM™: Secure by design from day one. Black Duck SCA monitors every component continuously (source, binaries, firmware, and AI-generated code) before it ships.

Before: Compliance as recurring overhead. Engineers pulled into audit prep. Legal scrambling for evidence. Weeks of work per assessment. Repeatable cost with no revenue return.
After X-DLM™: Evidence generated and timestamped continuously via Polarion LiveDocs. Audit prep drops 60–80%. What took weeks takes hours, without touching engineering.

Before: Security as a cost story in sales. Enterprise buyers in regulated markets want proof of security maturity. Without it, deals stall, diligence cycles extend, and contracts go to competitors who have it.
After X-DLM™: 100% traceable, audit-ready cybersecurity proof, with Siemens and Black Duck behind it. Your sales team closes faster. Your brand commands a premium.
AI software companies face two EU frameworks simultaneously — and most are unprepared for either.
EU CRA requires SBOM, vulnerability governance, and secure-by-design evidence for every software product with digital elements. The EU AI Act layers conformity obligations on top for any AI system deployed in high-risk categories. Neither waits for the other.
Make the 24-hour CRA window operational. Before the first exploited vulnerability triggers it.
X-DLM™ connects Black Duck's vulnerability and SBOM intelligence to Siemens Polarion's governed workflows — so your security team can execute EU CRA reporting timelines, produce VDR/VEX records, and govern AI-generated code risk on demand.