Black Duck Software Composition Analysis (SCA)


What is Black Duck Software Composition Analysis (SCA)?

Black Duck is a software composition analysis (SCA) tool that Synopsys acquired in 2017 and has supported since.


Product Details

Black Duck® by Synopsys software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.

Black Duck gives users visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.

Black Duck Software Composition Analysis (SCA) Features

  • Supported: Find and fix security vulnerabilities at each stage in the SDLC, with detailed, vulnerability-specific remediation guidance and technical insight.
  • Supported: Address the risk of open source license noncompliance and safeguard your intellectual property by using the industry’s largest open source knowledge base to identify the license obligations imposed by the open source in your applications (including partial components and snippets of code copied into applications).
  • Supported: Avoid development cost overruns and combat code decay with operational risk metrics associated with poor open source code quality.
  • Supported: Scan virtually any software, firmware, source code, and binary files to generate a comprehensive bill of materials (BOM).
  • Supported: Automatically monitor for new vulnerabilities that affect your BOM, with custom policies and workflow triggers to accelerate remediation and reduce your risk exposure.

Black Duck Software Composition Analysis (SCA) Screenshots

  • Screenshot: Black Duck helps you find and fix your highest-priority vulnerabilities
  • Screenshot: Use Black Duck to comply with open source license obligations and to verify compliance with all open source license terms
  • Screenshot: Black Duck automatically creates tickets in your activity tracking applications like Jira for both policy violations and vulnerabilities
  • Screenshot: Black Duck's vulnerability Impact Analysis indicates whether a vulnerability is actually being called by your application
  • Screenshot: The Black Duck security advisory gives the information you need to address security risks and make the fix
  • Screenshot: Black Duck generates a Bill of Materials which gives you a complete and detailed inventory of all open source identified in your codebase
  • Screenshot: Configure and customize to your company's specific security and license policies
  • Screenshot: Black Duck integrates with other tools to find and scan your codebase

Black Duck Software Composition Analysis (SCA) Technical Details

Deployment Types: On-premise, Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Windows, Linux, Mac
Mobile Application: No
Reviews and Ratings


Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

Black Duck is a software tool that proves to be invaluable for businesses in various industries. According to user experiences, the product offers a wide range of use cases, ensuring timely and accurate code analysis through its dedicated support team. This means that any problems encountered can be resolved promptly, minimizing downtime and improving overall efficiency.

One of the major use cases of Black Duck is auditing source code to protect against license and open source compliance issues. The software has proven itself by quickly comparing identified inventory to its extensive knowledge base, highlighting any vulnerabilities and license concerns within the code. What sets Black Duck apart is its ability to efficiently identify vulnerabilities even in small-sized code from random sources.

Over time, Black Duck has been instrumental in reducing rework for businesses by detecting vulnerabilities before leveraging open source code. It seamlessly integrates into the CI/CD pipeline, allowing for the detection of vulnerabilities and efficient creation of Jira issues. As a result, it aids in keeping systems secure and compliant while saving valuable time and resources.

Black Duck's utility extends beyond security concerns. It assists in managing software licenses and ensures that open source components are being used responsibly. By generating an inventory of open source components, it mitigates legal risks and safeguards intellectual property.

In addition to code security audits and quality analysis, Black Duck also aids in encryption audits, saving both time and money for organizations. It facilitates open source usage governance by monitoring legal, security, and operational risks associated with open source components.

Overall, Black Duck provides users with a sense of security by ensuring enterprise products are free from unauthorized code. Its comprehensive functionalities make it an indispensable tool for businesses seeking to manage their software effectively while maintaining compliance with licensing requirements and minimizing security risks.

Impressive Compliance Features: Users have been impressed with the wide range of features offered by Black Duck for ensuring legal and security compliance with third-party software. They have mentioned that it efficiently analyzes code in a timely and accurate manner, helping to identify any potential issues.

User-Friendly Interface: Reviewers have praised the intuitive and easy-to-navigate user interface of Black Duck, stating that it enhances their ability to effectively navigate and utilize the software. This streamlined interface makes it easier for users to find the information they need quickly.

Thorough Analysis Capabilities: Users appreciate the comprehensive analysis capabilities provided by Black Duck, as it excels at identifying various vulnerabilities, bugs, and licensing issues associated with open-source code. The software's extensive knowledge base helps ensure a thorough examination of all components, providing users with confidence in its findings.

Slow and Outdated Performance: Several users have mentioned that the software is slow, outdated in design, and does not meet their expectations. They feel that the user experience is bad due to the sluggish performance of Black Duck Hub.

Expensive Cost: Many users find the cost of the software relatively higher compared to other solutions in the market. This makes it a difficult choice for organizations, especially considering the software's perceived shortcomings.

Inadequate Reporting Functionality: Users express dissatisfaction with the reporting capabilities of Black Duck Hub. They mention that there are no comprehensive reports or a nice user interface. The software expects users to manually analyze raw information and create their own reports without providing any recommendations or insights from third-party vendors.

Users commonly recommend the following when it comes to Black Duck:

  • Try Black Duck, starting from a trial version, because it is well-developed and suited for managing open source components in terms of license and security. (The user)
  • Thoroughly test the trial version of Black Duck to ensure it meets your needs. (The user)
  • Be clear on how well Black Duck operates in your environment, as some users are unsure if issues were caused by Black Duck or a combination with their specific environment. (The user)

Score 9 out of 10
Vetted Review
Verified User
It's being used for dependency analysis to find out if there are any known CVEs existing by integrating them in the DevOps tooling. It's very useful to figure out vulnerabilities in the various open-source libraries. This ensures overall security, compliance, and risk management.
  • Application and Container Scan
  • Source Code Dependency Analysis
  • Severity Prioritization
  • Improvements in Documentation
  • Live video examples
If you are using a lot of open-source libraries, which is most likely, this is a must-have to ensure no known vulnerabilities slip into production.
  • Application or Library Scans
  • Container scans
  • Dependency analysis
  • Increased efficiency of the teams
  • Rapid identification of security issues
Score 5 out of 10
Vetted Review
Verified User
Black Duck is used for security and vulnerability scanning at my organization. It is being used across the entire organization. We scan all the projects' languages, binaries, source code, etc., and ensure that no high security or license risk libraries, dependencies, or sub-dependencies are pushed into production. It does solve that business problem very well.
  • Security scanning very accurate.
  • License scanning is fantastic.
  • Very slow.
  • Bad UX.
  • Outdated design.
  • Too expensive.
I do not love the software. A lot of other solutions exist that have much more robust integration into CI/CDs, without complex configurations.
  • Too expensive and time-consuming to use/add in the CI/CD.
Support seems very responsive.
December 12, 2017

SecOps made easy!!!

Rajiv Aradhyula | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Black Duck provides our complete organization an easy way to manage our open source components used in our code repositories. It promisingly keeps track of the security vulnerabilities or license management, where I do not have to worry where to check for the vulnerabilities and open source components license issues which can be devastating. And with Black Duck, I now stay on top in managing my open source code. Black Duck orchestrates and allows us the visibility and control we need to manage and control open source components.
  • Quick inventory scan: Black Duck helps us scan the code repositories in no time. And quickly list the components and I now really know what is in my code.
  • Security and License risk management: Black Duck being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
  • Integration for automatic scanning: Black Duck is part of devops which provides us automatic scanning. Black Duck is not just for devops but also SecOps.
  • Governance: I am expecting better governance of teams. I have various teams using the capacity. And I am quite unsure or have to spend more time in figuring out which team is using how much.
  • Tenancy: Black Duck can come up with something called tenancy. Like team A, a separate hyperlink for them. A kind of a zone where the admins or users have complete view of team A.
Well Suited:
1. Easily come out of the pain of managing open source components. No worries, Black Duck is to the rescue; it takes care of your open source components in terms of license and security.
2. SecOps eased with the super Black Duck

Less Suited:
I can't really come up with a scenario, where it can be less suited. Until you stop using open source components in your code. Which is quite impossible.
  • Increased time to market
  • Dwells well with devops
  • Significantly negates the speck of a chance of security risks in a software release
  • Orchestrates the policies
  • Vega
Black Duck is an obvious choice, with its versatility, integration, best enterprise support and on top of the list the knowledge base Black Duck has.

Vega or Grabber also scans the application and tells about vulnerabilities. But it can never be compared with the feature set of Black Duck. Black Duck can also generate reports.
VMware ESXi, VMware NSX, VMware Service Manager, VMware Business Continuity & Disaster Recovery, Cisco Unified Computing System Manager, Cisco UCS B-Series, Cisco UCS C-Series, EMC Clariion CX4 Series, Dell EMC Unity, EMC Documentum, Data Domain, JIRA Software, Jenkins, Atlassian Confluence, Bitbucket, Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service, AWS Elastic Beanstalk, AWS Lambda, Microsoft Azure, Microsoft Access, Azure SQL Database, Azure API Management
I have a very strong reason for the very best rating. Usually, Black Duck support is quick enough and they continuously keep me updated about the status if some issue is taking time for them to resolve. Overall, I am happy with the response I get from the customer care.

I was planning an upgrade and I ran into an issue as the migrated Postgres database does not get identified by the new version of the hub. And all the projects, scans and the huge amount of work we put in comments under version are all lost. I immediately opened a case in the Black Duck customer portal. And in no time, I get a message back from the support for a quick WebEx session. And support was able to help me and my weekend was saved. Thank you for the quick support Black Duck. Appreciate it. I also have some questions on using Black Duck in an optimal way. I get helpful replies quick enough.
Emmanuel Canaan | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Black Duck Hub is being used across our organization to enforce a robust open source software usage policy. It helps us ensure that we are protecting our intellectual property from open source license risk.
  • Black Duck Hub performs scans very quickly
  • Black Duck Hub is easy to use
  • Black Duck Hub has a robust set of integrations available for CI tools such as Jenkins and Bamboo
  • Black Duck has the most extensive open source KB in the industry
  • License model based on usage is costly.
  • Documentation is extensive, but often confusing.
  • Black Duck Hub could use some feature improvements for more robust governance capabilities
This tool is well-suited as part of a continuous integration cycle and offers very good information about license, security and operational risks.
  • It is hard to measure ROI since Black Duck Hub saves us from costly legal battles that have thankfully never had to happen.
Black Duck had similar capabilities to other vendors in the industry but where they come out on top is their extensive catalog of known open source in their knowledge base.