@black-duck/coverity-mcp-server
v2026.6.1
Published
Coverity MCP Server - Coverity Static Analysis integration for AI coding agents
Downloads
336
Readme
Coverity MCP Server
A Model Context Protocol (MCP) server that provides Coverity Static Analysis integration for Claude Code, GitHub Copilot, Cursor, Windsurf, Cline, OpenCode, and other MCP-compatible AI coding agents.
Coverity MCP Connector — Disclaimer and Use Terms (“Disclaimer”)
See the Legal section for more details.
Table of Contents
- Supported Platforms
- Prerequisites
- Installation
- MCP Server Tools Overview
- Agent Configuration
- Coverity Skill Guide
- Your First Scan
- Troubleshooting Guide
- Data Storage and Privacy
Supported Platforms
| Platform | Architecture | |---|---| | macOS | Apple Silicon (ARM64) | | macOS | Intel (AMD64) | | Windows | AMD64 | | Linux | AMD64 | | Linux | ARM64 |
Prerequisites
Coverity Static Analysis
- Coverity Static Analysis 2026.3.0 or later must be installed on the same machine where the MCP server runs.
- The Coverity command-line tools must be accessible, either via a known installation directory or via your system
PATH. - A valid Coverity license is required.
To verify your Coverity installation:
# Check that the coverity CLI tool is accessible
/path/to/coverity/bin/coverity --version
# Or, if coverity is on your PATH
coverity --versionNode.js
Node.js 18 or later is required to run the MCP server via npx.
An MCP-Compatible AI Coding Agent
You need at least one of the agents listed in the Agent Configuration section below, or any code agent that supports MCP servers. If your coding agent is not listed here, refer to your agent's documentation for how to configure an MCP server.
Installation
Running with npx (recommended)
No installation is required. Use npx in your agent configuration and the package will be downloaded and cached automatically on first use:
npx -y @black-duck/coverity-mcp-serverTo verify the server starts correctly:
npx -y @black-duck/coverity-mcp-server -versionYou should see output like:
coverity-mcp-server version 2026.3.0Global Installation
Install globally if you want the binary always available on your PATH or to access the bundled skill files directly:
npm install -g @black-duck/coverity-mcp-serverAfter global installation, the binary is on your PATH:
coverity-mcp-server -versionThe bundled skill files are located at:
# macOS / Linux
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.md
# Windows (PowerShell)
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdMCP Server Tools Overview
The Coverity MCP Server exposes five tools to your AI coding agent. The agent calls these tools automatically when you ask it to scan your code or check for issues.
create_project
Purpose: Initializes the workspace for a project. Must be run once before any scan.
The agent will ask you for:
- The path to your Coverity installation (or confirm it is on your
PATH) - Clean and build commands (required for C, C++, Objective-C/C++, Kotlin, and Visual Basic; recommended but not required for Java, C#, and Go; not needed for JavaScript, Python, TypeScript, Ruby, PHP, Swift, and other interpreted languages)
- Optional Coverity Connect server URL and stream name (speeds up
HFIincremental scans if you have a Connect server)
run_scan
Purpose: Executes a Coverity static analysis scan on a project directory.
Scan types:
auto(default) — the server automatically chooses full or incremental based on prior scan historyfull— analyzes the entire codebase; use for a comprehensive baselineincremental— analyzes only changed files; much faster for everyday development
Scan modes (incremental only):
pfi(Perfect Fidelity Incremental) — highest accuracy, recommended before merging codehfi(High Fidelity Incremental) — fastest, ideal for pre-commit checks
Supported languages:
| Category | Languages | |---|---| | Requires build command | C, C++, Objective-C/C++, Kotlin, Visual Basic | | Build command recommended (not required) | Java, C#, Go | | No build command needed | JavaScript, TypeScript, Python, PHP, Ruby, Swift, Apex, Terraform/CloudFormation (Infra-as-code) |
Platform notes: C# and Visual Basic are only supported on Linux AMD64 and Windows AMD64. Objective-C/C++ and Kotlin are not supported on Linux ARM64.
get_issues
Purpose: Retrieves issues found by a previous scan with rich filtering options.
Key filters:
severities—High,Medium,Low,Auditkinds—SECURITY,QUALITYcwe_categories— filter by CWE number (e.g."79"for XSS,"89"for SQL injection)only_modified— show only issues in files changed since the last git commitgroup_by_file— organize results by file for targeted fixing
get_issue_details
Purpose: Returns the full diagnostic information for a specific issue, including the complete execution path of events leading to the defect. Use this after get_issues to understand and fix a particular problem.
list_scans
Purpose: Lists all previous scans for a project in reverse chronological order. Use this to review scan history or to retrieve results from an earlier scan.
Agent Configuration
All agents below communicate with the MCP server over standard input/output (stdio). The npx command handles downloading and caching the server automatically.
GitHub Copilot
GitHub Copilot in Visual Studio Code supports MCP servers through VS Code's built-in MCP host (VS Code 1.99 or later required).
Option A — Workspace configuration (applies only to the current project)
Create or edit .vscode/mcp.json in your project root:
{
"servers": {
"coverity": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}Option B — User configuration (applies to all projects)
Open VS Code User Settings (JSON) (Ctrl+Shift+P → Preferences: Open User Settings (JSON)) and add:
"mcp": {
"servers": {
"coverity": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}After saving, open the GitHub Copilot Chat panel and you should see the Coverity tools listed as available. Enable them when prompted.
Skill Installation:
Install the Coverity skill for your current project or all projects according to how the MCP server was configured.
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-serverGlobal configuration (applies to all projects):
- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.github/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.github\skills\coverity\SKILL.md
Workspace configuration (applies only to the current project):
Copy the skill file to .github/skills/coverity/SKILL.md in your project directory.
Claude Code
Option A — CLI (recommended)
claude mcp add --transport stdio coverity --scope user -- npx -y @black-duck/coverity-mcp-serverThe --scope user flag makes the server available across all your Claude Code sessions.
Option B — Configuration file
Add the following to ~/.claude.json:
{
"mcpServers": {
"coverity": {
"type": "stdio",
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}Restart Claude Code after making changes.
Skill Installation:
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-server- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.claude/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.claude\skills\coverity\SKILL.md
Cursor
Global configuration (applies to all projects):
- macOS / Linux:
$HOME/.cursor/mcp.json - Windows:
%USERPROFILE%\.cursor\mcp.json
Workspace configuration (applies only to the current project):
Create .cursor/mcp.json in your project root.
In both cases use:
{
"mcpServers": {
"coverity": {
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}After saving, open Cursor Settings → MCP to confirm the server is listed and active.
Skill Installation:
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-serverGlobal configuration (applies to all projects):
- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.cursor/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.cursor\skills\coverity\SKILL.md
Workspace configuration (applies only to the current project):
Copy the skill file to .cursor/skills/coverity/SKILL.md in your project directory.
Windsurf
Note that Windsurf does not support project-specific MCP server configuration. You must configure the MCP server at the user level.
Global configuration (applies to all projects):
Edit the Windsurf MCP configuration file:
- macOS / Linux:
$HOME/.codeium/windsurf/mcp_config.json - Windows:
%USERPROFILE%\.codeium\windsurf\mcp_config.json
Then use:
{
"mcpServers": {
"coverity": {
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}Restart Windsurf after saving. The Coverity tools will appear in the Cascade AI panel.
Skill Installation:
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-server- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.codeium/windsurf/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.codeium\windsurf\skills\coverity\SKILL.md
Cline
Global configuration (applies to all projects):
- macOS / Linux:
$HOME/.cline/mcp.json - Windows:
%USERPROFILE%\.cline\mcp.json
Workspace configuration (applies only to the current project):
Create .cline/mcp.json in your project root.
In both cases use:
{
"mcpServers": {
"coverity": {
"command": "npx",
"args": ["-y", "@black-duck/coverity-mcp-server"]
}
}
}Skill Installation:
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-serverGlobal configuration (applies to all projects):
- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.cline/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.cline\skills\coverity\SKILL.md
Workspace configuration (applies only to the current project):
Copy the skill file to .cline/skills/coverity/SKILL.md in your project directory.
OpenCode
Global configuration (applies to all projects):
OpenCode reads MCP server configuration from its config file:
- macOS / Linux:
$HOME/.config/opencode/opencode.json - Windows:
%USERPROFILE%\.config\opencode\opencode.json
Workspace configuration (applies only to the current project):
Create opencode.json in your project root.
In both cases add an mcp section to the file:
{
"mcp": {
"coverity": {
"type": "local",
"command": ["npx", "-y", "@black-duck/coverity-mcp-server"]
}
}
}Skill Installation:
First, install the package globally to access the skill file:
npm install -g @black-duck/coverity-mcp-serverGlobal configuration (applies to all projects):
- macOS / Linux: Copy
$(npm root -g)/@black-duck/coverity-mcp-server/skills/coverity/SKILL.mdto$HOME/.config/opencode/skills/coverity/SKILL.md - Windows: Copy
$(npm root -g)\@black-duck\coverity-mcp-server\skills\coverity\SKILL.mdto%USERPROFILE%\.config\opencode\skills\coverity\SKILL.md
Workspace configuration (applies only to the current project):
Copy the skill file to .opencode/skills/coverity/SKILL.md in your project directory.
Coverity Skill Guide
The Coverity skill is a set of instructions that tells your AI agent exactly when and how to invoke the Coverity MCP tools — for example, automatically triggering a scan whenever you modify more than ten lines of code.
Using the Skill Manually
With the skill installed, you can trigger a scan by simply asking:
Scan my code for security issues
Check my recent changes for defects
Run a Coverity analysis on this projectYour First Scan
Once the MCP server is configured and (optionally) the skill is installed, follow these steps to run your first scan.
1. Open a Project
In your AI coding agent, open or navigate to the project you want to analyze.
2. Ask the Agent to Scan
Type a natural-language request such as:
Scan this project for security vulnerabilities.
My Coverity installation is at /opt/coverity/2026.3.0The agent will:
- Call
create_projectto initialize the Coverity workspace for your project (first time only). - Call
run_scanto analyze your code. - Call
get_issuesto retrieve and summarize the findings. - Offer to investigate specific issues in detail using
get_issue_details.
3. Review the Results
The agent will present a summary of the number of issues found organized by various characteristics such as severity, category, checker, and language. The results will also highlight issues in files you have changed (if using Git) and the most important files ranked by the severity of the issues found in them.
You can ask follow-up questions such as:
Show me only high-severity security issues
What issues are in the files I changed today?
Tell me more about the null pointer issue in auth.c4. Verify Fixes
After fixing reported issues, ask the agent to verify:
I fixed the issues in auth.c — can you re-scan just those files?The agent will run a quick (HFI) incremental scan on the modified files and confirm whether the issues are resolved. If you have configured the project with a Coverity Connect server URL and stream name, the HFI scan will be significantly faster, as it can reuse scan summary data from the server.
Troubleshooting Guide
MCP Server Does Not Start
Symptom: The agent reports it cannot connect to the Coverity MCP server.
Steps:
- Verify Node.js 18 or later is installed:
node --version - Verify
npxis available:npx --version - Test the server manually:
npx -y @black-duck/coverity-mcp-server -version - Check that npm can reach the registry. If behind a proxy or firewall, configure npm's proxy settings.
- On macOS, if the underlying binary is blocked by Gatekeeper, run the server once from the terminal to trigger the security prompt, then allow it in System Settings → Privacy & Security.
Coverity Installation Not Found
Symptom: The agent reports that Coverity cannot be found during project setup.
Steps:
- Confirm your Coverity installation directory. Look for a
bin/coverity(orbin/coverity.exe) executable inside it. - When prompted by the agent for the Coverity installation path, provide the full path to the installation directory (not the binary itself):
/opt/coverity/2026.3.0 - Alternatively, add the Coverity
bin/directory to your systemPATHand provide an empty string for the installation directory.
Build Capture Fails (Compiled Languages)
Symptom: The scan fails or produces no results for C, C++, Go, or similar compiled projects.
Steps:
- Test your build command in isolation before configuring it in the MCP server:
cd /path/to/project make clean && make - Build commands must be a single command — do not use shell operators like
&&. Use a Makefile target or shell script that combines steps:- Wrong:
make clean && make - Right (clean command):
make clean - Right (build command):
make
- Wrong:
- Ensure the build command compiles all source files (not just incremental artifacts).
- For CMake projects, run CMake's configure step before using the MCP server and provide the build command for the generated Makefiles.
Scans Are Very Slow
Symptom: Scans take a long time.
Recommendations:
- Use HFI incremental scans (
scan_type=incremental,scan_mode=hfi) for everyday development — these scan only changed files and are significantly faster. - Use PFI incremental scans for pre-merge validation.
- Reserve full scans for establishing a baseline on a new project or after major refactoring.
- If you have a Coverity Connect server, configure the
stream_nameandconnect_urlparameters duringcreate_project— this speeds up HFI scans by reusing server-side data.
No Issues Found When Issues Are Expected
Symptom: Scan completes but reports zero issues.
Steps:
- Confirm the scan type was appropriate. Incremental scans analyze only modified files; run a full scan for a comprehensive baseline.
- For compiled languages, ensure the build command was run and captured all source files.
- Check the log file for warnings or errors (see Log Files below).
- Confirm you are analyzing the correct project directory.
- On Windows, try enabling long path support OR using the environment variable
COVERITY_COV_USER_DIRto change the location of the directory used to store Coverity MCP server data. The default location of the intermediate directory can cause Coverity to exceed theMAX_PATHlimit which can result in no files being captured.
Skill Does Not Trigger Automatically
Symptom: The Coverity skill is not invoked when code changes are made.
Steps:
- Confirm the skill file is in the correct location for your agent.
- Restart your coding agent completely.
- Confirm the Coverity MCP server is configured and connected.
- Try manually invoking the skill: type
"scan my code"in the chat.
Permission Denied Accessing Data Directory
Symptom: The server cannot write to its data directory.
Resolution:
# macOS / Linux
mkdir -p ~/.coverity/agent
chmod 755 ~/.coverity/agentOn Windows, ensure your user account has write access to %APPDATA%\Coverity\agent\.
You can override the default data directory by setting the COVERITY_COV_USER_DIR environment variable to a path where you have write access.
Log Files
The MCP server writes diagnostic logs to:
| Platform | Log Directory |
|---|---|
| macOS / Linux | $HOME/.coverity/agent/logs/ |
| Windows | %APPDATA%\Coverity\agent\logs\ |
Log files are named with a timestamp and user identity information, for example:
coverity-mcp-server-2026-05-14T143022-UID-501-GID-20-PID-12345.logReview the most recent log file when diagnosing unexpected behavior. To enable verbose logging, pass -debug on the MCP server command line:
"args": ["-y", "@black-duck/coverity-mcp-server", "-debug"]Testing the MCP Connection Manually
You can verify the MCP server responds correctly by sending it a test message from the command line:
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' \
| npx -y @black-duck/coverity-mcp-serverYou should receive a JSON response containing "result" and the server's capabilities. If you see an error or no output, check the log directory and verify prerequisites.
Data Storage and Privacy
- All analysis is performed locally on your machine. No source code or scan results are sent to any external service.
- Scan results are stored as JSON files in:
- macOS / Linux:
$HOME/.coverity/agent/<project-hash>/ - Windows:
%APPDATA%\Coverity\agent\<project-hash>\
- macOS / Linux:
- The MCP server does not modify your source code or project directories.
- To remove all data collected by the MCP server, delete the agent data directory:
rm -rf ~/.coverity/agent/ # macOS / LinuxRemove-Item -Recurse -Force "$env:APPDATA\Coverity\agent\" # Windows
Getting Help
- Review log files in
$HOME/.coverity/agent/logs/(macOS/Linux) or%APPDATA%\Coverity\agent\logs\(Windows). - Contact your Coverity support representative for product-specific issues. Inquiries should be directed to [email protected].
- Refer to the Model Context Protocol documentation for general MCP concepts.
Legal
Coverity MCP Connector — Disclaimer and Use Terms (“Disclaimer”)
Designation as a Plug-In; Relationship to the Agreement
The parties agree that the Connector is a plug-in. If a plug-in or similar term (“Plug-In”) is referenced in the Agreement, the Agreement’s terms for Plug-Ins apply to the Connector. Without limiting any other restrictions or disclaimers in the Agreement regarding Plug-Ins, Black Duck disclaims all express, implied, or statutory warranties with respect to the Connector, and Black Duck, its affiliates, and its licensors, partners, suppliers, and distributors (collectively, the “Black Duck Supply Chain”) disclaim all liability with respect to the Connector. Additionally, and notwithstanding anything to the contrary, the indemnification provisions, support service levels, security commitments, and any other commitments of the Agreement regarding the Service do not apply to the Connector. For the avoidance of doubt, whether or not the Agreement contains any Plug-In terms, the disclaimers, restrictions, and limitations in this Disclaimer apply on their own terms to Customer’s use of the Connector. If additional or stronger restrictions or disclaimers apply to Plug-Ins in the Agreement, such terms apply in addition to the disclaimers, restrictions, and limitations in this Disclaimer.
Subscription Concurrency
Customer’s license to use the Connector is valid only during, and is concurrent with, Customer's active subscription to the Service. The Connector does not grant Customer any right to the Service, and Customer must maintain a valid active subscription to the Service to use the Connector. If Customer’s active subscription to the Service expires or lapses, Customer’s license to use the Connector is suspended during the gap; Customer may retain dormant copies solely to reinstate its Service subscription or uninstall the Connector, but Customer may not use the Connector unless and until the Service subscription is reinstated. If Customer’s Service subscription is not reinstated within ninety (90) days, or if Black Duck terminates the license for breach, Customer must cease all use and delete or destroy copies of the Connector upon Black Duck’s request.
License Grant/Restrictions
Subject to Customer’s compliance with this Disclaimer and the Agreement, Black Duck grants Customer a limited, revocable, non-exclusive, non-transferable, non-sublicensable, license during Customer’s active subscription to the Service to download, install, and use the Connector solely to connect the Service to Customer's separately licensed AI system for Customer's internal business purposes in accordance with the Connector documentation. No other right is granted. Customer shall not, and shall not permit any affiliate, user, AI system, contractor, agent, or third party to: (a) sell, lease, loan, assign, sublicense, distribute, host, outsource, timeshare, operate as a service bureau, or otherwise make the Connector available for the benefit of any third party; (b) modify, adapt, translate, create derivative works of, decompile, disassemble, reverse engineer, or attempt to discover the source code, protocols, algorithms, underlying ideas, or non-public interfaces of the Connector, except to the extent such restriction is prohibited by applicable law; (c) remove proprietary, copyright, or other notices; (d) use the Connector to build, train, fine-tune, benchmark, evaluate, or improve a competing product, AI model, AI system, or service; (e) use the Connector for bulk extraction, scraping, circumvention of technical controls, unauthorized access, security testing, vulnerability testing, load testing, or stress testing without Black Duck’s prior written authorization; (f) use the Connector with credentials, permissions, data, or systems Customer is not authorized to use; or (g) use the Connector except as expressly permitted by this Disclaimer.
Unique Aspects of Using AI
The Connector is designed to enable certain Customer-selected AI systems as specified in the documentation to interact with Customer's active subscription to the Service using Customer credentials. AI output may be inaccurate, incomplete, misleading, unreliable, unsafe, destructive, noncompliant, or unsuitable for Customer's intended use, and Customer must review, test, validate, and approve AI output itself before relying on it in any manner, including using such output in the Service or allowing it to affect the Service. AI agents may make decisions or take actions regarding the Connector, the Service, or Customer’s instance, including access, query, instruction, command, write-back, upload, deletion, modification, transmission, export, configuration change, or other actions (collectively, “AI Agent Actions” and each, an “Agent Action”). Customer is responsible for all AI Agent Actions from such AI systems, and such actions and decisions are considered to have been performed by Customer. For the avoidance of doubt, Customer chooses and engages with the AI system. Black Duck does not recommend or take responsibility for Customer’s use of any AI system. Black Duck does not provide such AI system and, despite any statements in the Connector documentation or otherwise about interoperability, Customer is responsible for determining whether the Connector can be safely, securely, lawfully, and appropriately used with the AI system. Black Duck does not provide, control, supervise, or warrant, and Black Duck disclaims all liability for, any AI system or its provider. All Agent Actions submitted through the Connector using Customer's credentials or authorization are deemed Customer's instructions and Customer's actions, for which Customer is solely responsible, including, without limitation, any creation, modification, overwriting, deletion, corruption, suppression, loss, disclosure, export, transmission, misclassification, or other effect on data in Customer's instance. The Connector may enable AI Agent Actions, AI output, and data or other materials processed through the Connector (“Connector Data”) to access, create, change, overwrite, delete, corrupt, suppress, expose, export, transmit, misclassify, or otherwise affect data, outputs, configurations, records, workflows, and other materials within the Service or Customer’s instance, including effects that impact the operation, availability, accuracy, integrity, configuration, records, workflows, data, outputs, or results of the Service or Customer's instance. As between Customer and Black Duck, such effects are the result of Customer's use of the Connector, its AI system, its credentials, its configurations, and its Agent Actions, and not Black Duck's operation of the Service. Accordingly, even where an Agent Action is initiated by Customer's AI agent rather than a human, it remains Customer's instruction and Customer's responsibility, and Black Duck disclaims all liability for any AI output, AI Agent Action, Agent Action, Connector Data, or effect on the Service or Customer's instance caused by Customer's use of the Connector.
Customer Environment and Security
Customer is solely responsible for installing, enabling, operating, securing, monitoring, disabling, and removing the Connector in Customer’s environment. Customer must not modify the Connector except as expressly permitted in the documentation or in writing by Black Duck. Customer is solely responsible for securing and managing Customer’s systems, AI systems, credentials, tokens, permissions, configurations, network connections, logs, backups, disaster recovery, and other infrastructure used with the Connector, and for limiting the Connector and any AI system to the minimum permissions Customer determines are appropriate. Black Duck has no responsibility for Customer’s environment, credentials, AI systems, configurations, backups, monitoring, or security controls, or for any loss, corruption, unauthorized access, disclosure, export, transmission, or Service effect resulting from them or from Customer’s use of the Connector.
Disclaimer of All Other Warranties
Not limiting any other disclaimers that apply: THE CONNECTOR IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. BLACK DUCK DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMITY TO DOCUMENTATION, AND NON-INFRINGEMENT, AND DOES NOT WARRANT THAT THE CONNECTOR, ANY AI SYSTEM, ANY AI OUTPUT, ANY AI AGENT ACTION, ANY AGENT ACTION, OR ANY CONNECTOR DATA WILL BE ACCURATE, COMPLETE, SECURE, ERROR-FREE, OR UNINTERRUPTED. THIS DISCLAIMER APPLIES ON ITS OWN TERMS, REGARDLESS OF AND IN ADDITION TO ANY DISCLAIMER IN THE AGREEMENT. Customer Indemnity Customer will defend, indemnify, and hold harmless the Black Duck Supply Chain from and against any claims, losses, liabilities, damages, fines, penalties, costs, and expenses, including reasonable attorneys’ fees, arising out of or relating to: (a) Customer’s download, installation, enablement, operation, configuration, or use of the Connector; (b) any AI system, AI output, AI Agent Action, Agent Action, Connector Data, Customer credentials, Customer environment, or Customer’s instance; (c) any data, code, content, prompt, output, instruction, or other material provided, accessed, processed, transmitted, exported, modified, uploaded, or written by or for Customer through the Connector; (d) any alleged or actual infringement, misappropriation, privacy violation, security incident, data loss, data corruption, unauthorized access, regulatory violation, or violation of law caused by or relating to Customer’s use of the Connector; or (e) Customer’s breach of this Disclaimer.
No Liability; Black Duck Affiliates and Supply Chain
TO THE MAXIMUM EXTENT PERMITTED BY LAW, AND EXCEPT FOR LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW, THE BLACK DUCK SUPPLY CHAIN WILL HAVE NO LIABILITY ARISING OUT OF OR RELATING TO CUSTOMER'S DOWNLOAD, INSTALLATION, ENABLEMENT, OPERATION, CONFIGURATION, OR USE OF THE CONNECTOR, ON ANY SYSTEM INCLUDING ANY AI SYSTEM, THE SERVICE, ANY OTHER SYSTEM, ANY AI OUTPUT OR OTHER DATA, ANY AI AGENT ACTION OR AGENT ACTION, ANY CONNECTOR DATA, ANY CUSTOMER DECISION, ANY CUSTOMER CREDENTIAL, PERMISSION, OR CONFIGURATION, ANY SECURITY ISSUE, ANY EFFECT WITHIN OR ON THE SERVICE OR CUSTOMER'S INSTANCE, OR ANY OTHER LOSS, LIABILITY, OR DAMAGE RELATED TO THE CONNECTOR. CUSTOMER RELEASES AND WAIVES, TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL CLAIMS AGAINST THE BLACK DUCK SUPPLY CHAIN ARISING OUT OF OR RELATING TO THE FOREGOING. THE BLACK DUCK SUPPLY CHAIN WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, EXEMPLARY, ENHANCED, OR SIMILAR DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, LOST SAVINGS, LOSS OF BUSINESS, LOSS OF GOODWILL, LOSS OR CORRUPTION OF DATA, LOSS OF USE, SECURITY INCIDENT COSTS, REPLACEMENT SERVICES, OR BUSINESS INTERRUPTION, WHETHER BASED IN CONTRACT, WARRANTY, INDEMNITY, TORT, NEGLIGENCE, STRICT LIABILITY, STATUTE, OR ANY OTHER THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE CONNECTOR IS PROVIDED WITHOUT SEPARATE CHARGE; IF ANY LIABILITY NONETHELESS ARISES, THE BLACK DUCK SUPPLY CHAIN’S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE CONNECTOR WILL NOT EXCEED US $50. THE FOREGOING DISCLAIMERS, EXCLUSIONS, RELEASES, AND LIMITATIONS APPLY ON THEIR OWN TERMS AND ARE IN ADDITION TO, AND NOT LIMITED BY, ANY DISCLAIMER, EXCLUSION, LIMITATION, OR REMEDY IN THE AGREEMENT.
