Black Duck is a software composition analysis tool acquired and now supported by Synopsys since 2017.
N/A
Jenkins
Score 8.4 out of 10
N/A
Jenkins is an open source automation server. Jenkins provides hundreds of plugins to support building, deploying and automating any project. As an extensible automation server, Jenkins can be used as a simple CI server or turned into a continuous delivery hub for any project.
N/A
Pricing
Black Duck Software Composition Analysis (SCA)
Jenkins
Editions & Modules
No answers on this topic
No answers on this topic
Offerings
Pricing Offerings
Black Duck Software Composition Analysis (SCA)
Jenkins
Free Trial
No
No
Free/Freemium Version
No
Yes
Premium Consulting/Integration Services
Yes
No
Entry-level Setup Fee
Optional
No setup fee
Additional Details
Contact the Synopsys Software Integrity Group (SIG) Sales team at https://www.synopsys.com/software-integrity/contact-sales.html for more detailed pricing information.
Chose Black Duck Software Composition Analysis (SCA)
Black Duck had similar capabilities to other vendors in the industry but where they come out on top is their extensive catalog of known open source in their knowledge base.
Jenkins is a highly customizable CI/CD tool with excellent community support. One can use Jenkins to build and deploy monolith services to microservices with ease. It can handle multiple "builds" per agent simultaneously, but the process can be resource hungry, and you need some impressive specs server for that. With Jenkins, you can automate almost any task. Also, as it is an open source, we can save a load of money by not spending on enterprise CI/CD tools.
Quick inventory scan: Black Duck helps us scan the code repositories in no time. And quickly list the components and I now really know what is in my code.
Security and License risk management: Black Duck being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
Integration for automatic scanning: Black Duck is part of devops which provides us automatic scanning. Black Duck is not just for devops but also SecOps.
Automated Builds: Jenkins is configured to monitor the version control system for new pull requests. Once a pull request is created, Jenkins automatically triggers a build process. It checks out the code, compiles it, and performs any necessary build steps specified in the configuration.
Unit Testing: Jenkins runs the suite of unit tests defined for the project. These tests verify the functionality of individual components and catch any regressions or errors. If any unit tests fail, Jenkins marks the build as unsuccessful, and the developer is notified to fix the issues.
Code Analysis: Jenkins integrates with code analysis tools like SonarQube or Checkstyle. It analyzes the code for quality, adherence to coding standards, and potential bugs or vulnerabilities. The results are reported back to the developer and the product review team for further inspection.
We have a certain buy-in as we have made a lot of integrations and useful tools around jenkins, so it would cost us quite some time to change to another tool. Besides that, it is very versatile, and once you have things set up, it feels unnecessary to change tool. It is also a plus that it is open source.
Jenkins streamlines development and provides end to end automated integration and deployment. It even supports Docker and Kubernetes using which container instances can be managed effectively. It is easy to add documentation and apply role based access to files and services using Jenkins giving full control to the users. Any deviation can be easily tracked using the audit logs.
No, when we integrated this with GitHub, it becomes more easy and smart to manage and control our workforce. Our distributed workforce is now streamlined to a single bucket. All of our codes and production outputs are now automatically synced with all the workers. There are many cases when our in-house team makes changes in the release, our remote workers make another release with other environment variables. So it is better to get all of the work in control.
As with all open source solutions, the support can be minimal and the information that you can find online can at times be misleading. Support may be one of the only real downsides to the overall software package. The user community can be helpful and is needed as the product is not the most user-friendly thing we have used.
It is worth well the time to setup Jenkins in a docker container. It is also well worth to take the time to move any "Jenkins configuration" into Jenkinsfiles and not take shortcuts.
Black Duck is an obvious choice, with its versatility, integration, best enterprise support and on top of the list the knowledge base Black Duck has. Vega or Grabber also scans the application and tells about vulnerabilities. But it can never be compared with the feature set of Black Duck. Black Duck can also generate reports.
Overall, Jenkins is the easiest platform for someone who has no experience to come in and use effectively. We can get a junior engineer into Jenkins, give them access, and point them in the right direction with minimal hand-holding. The competing products I have used (TravisCI/GitLab/Azure) provide other options but can obfuscate the process due to the lack of straightforward simplicity. In other areas (capability, power, customization), Jenkins keeps up with the competition and, in some areas, like customization, exceeds others.
