Black Duck provides our complete organization an easy way to manage our open source components used in our code repositories. It promisingly keeps track of the security vulnerabilities or license management, where I do not have to worry where to check for the vulnerabilities and open source components license issues which can be devastating. And with Black Duck, I now stay on top in managing my open source code. Black Duck orchestrates and allows us the visibility and control we need to manage and control open source components.

Pros and Cons

Quick inventory scan: Black Duck helps us scan the code repositories in no time. And quickly list the components and I now really know what is in my code.
Security and License risk management: Black Duck being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
Integration for automatic scanning: Black Duck is part of devops which provides us automatic scanning. Black Duck is not just for devops but also SecOps.

Governance: I am expecting better governance of teams. I have various teams using the capacity. And I am quite unsure or have to spend more time in figuring out which team is using how much.
Tenancy: Black Duck can come up with something called tenancy. Like team A, a separate hyperlink for them. A kind of a zone where the admins or users have complete view of team A.

Likelihood to Recommend

Well Suited:
1. Easily come out of pain to manage open source components. No worries, Black Duck is to the rescue, it takes care of your open source components in terms of license and security
2. SecOps eased with the super Black Duck

Less Suited:
I can't really come up with a scenario, where it can be less suited. Until you stop using open source components in your code. Which is quite impossible.

Support Rating

I have a very strong reason for the very best rating. Usually, Black Duck support is quick enough and they continuously keep me updated about the status if some issue is taking time for them to resolve. Overall, I am happy with the response I get from t customer care.

I was planning an upgrade and I ran into an issue as the migrated Postgres database does not get identified by the new version of the hub. And all the projects, scans and the huge amount of work we put in comments under version are all lost. I immediately opened a case in the Black Duck customer portal. And in no time, I get a message back from the support for a quick WebEx session. And support was able to help me and my weekend was saved. Thank you for the quick support Black Duck. Appreciate it. I also have some questions on using Black Duck in an optimal way. I get helpful replies quick enough.

December 05, 2017

Great open source governance tool that protects our IP!

Emmanuel Canaan

Project Manager, Technology Operations

Thomson Reuters (Legal Services, 10,001+ employees)

Score 9 out of 10

Vetted Review

Verified User

Review Source

Use Cases and Deployment Scope

Black Duck Hub is being used across our organization to enforce a robust open source software usage policy. It helps us ensure that we are protecting our intellectual property from open source license risk.

Pros and Cons

Black Duck Hub performs scans very quickly
Black Duck Hub is easy to use
Black Duck Hub has a robust set of integrations available for CI tools such as Jenkins and Bamboo
Black Duck has the most extensive open source KB in the industry

License model based on usage is costly.
Documentation is extensive, but often confusing.
Black Duck Hub could use some feature improvements for more robust governance capabilities

Likelihood to Recommend

This tool is well-suited as part of a continuous integration cycle and offers very good information about license, security and operational risks.

September 16, 2019

Black Duck's use in an Enterprise Software company

Verified User

Engineer in Product Management

Computer Software Company, 1-10 employees

Score 5 out of 10

Vetted Review

Verified User

Review Source

Use Cases and Deployment Scope

Black Duck is used for security and vulnerability scanning at my organization. It is being used across the entire organization. We scan all the projects' languages, binaries, source code, etc and ensure that no high security or license risk libraries, dependencies, or sub-dependencies are pushed into production. It does solve that business problem very well.

Pros and Cons

Security scanning very accurate.
License scanning is fantastic.

Very slow.
Bad UX.
Outdated design.
Too expensive.

Likelihood to Recommend

I do not love the software. A lot of other solutions exist that have must more robust integration into CI/CDs, without complex configurations.

Support Rating

Support seems very responsive.

Black Duck Software Composition Analysis (SCA) Scorecard Summary

Likelihood to Recommend (3): 46%
4.6
Support Rating (4): 82%
8.2

What is Black Duck Software Composition Analysis (SCA)?

Black Duck® by Synopsys software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.

Black Duck gives users visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.

Black Duck Software Composition Analysis (SCA) Features

Supported: Find and fix security vulnerabilities at each stage in the SDLC, with detailed, vulnerability-specific remediation guidance and technical insight.
Supported: Address the risk of open source license noncompliance and safeguard your intellectual property by using the industry’s largest open source knowledge base to identify the license obligations obligated by the open source in your applications (including partial, snippets of code copied into applications).
Supported: Avoid development cost overruns and combat code decay with operational risk metrics associated with poor open source code quality.
Supported: Scan virtually any software, firmware, source code, and binary files to generate a comprehensive bill of materials (BOM).
Supported: Automatically monitor for new vulnerabilities that affect your BOM, with custom policies and workflow triggers to accelerate remediation and reduce your risk exposure.

Black Duck Software Composition Analysis (SCA) Screenshots

Black Duck helps you find and fix your highest-priority vulnerabilities

Use Black Duck to comply with open source license obligations and to verify compliance with all open source license terms

Black Duck automatically creates tickets in your activity tracking applications like Jira for both policy violations and vulnerabilities

Black Duck's vulnerability ImpactAnalysis indicates whether a vulnerability is actually being called by your application

The Black Duck security advisory gives the information you need to address security risks and make the fix

Black Duck generates a Bill of Materials which gives you a complete and detailed inventory of all open source identified in your codebase

Configure and customize to your company's specific security and license policies

Black Duck integrates with other tools to find and scan your codebase

Black Duck Software Composition Analysis (SCA) Video

Watch See how Black Duck works.

Black Duck Software Composition Analysis (SCA) Competitors

Black Duck Software Composition Analysis (SCA) Pricing

More Pricing Information

Black Duck Software Composition Analysis (SCA) Technical Details

Deployment Types	On-premise, SaaS
Operating Systems	Windows, Linux, Mac
Mobile Application	No

Frequently Asked Questions

What is Black Duck Software Composition Analysis (SCA)?

Black Duck is a software composition analysis tool acquired and now supported by Synopsys since 2017.

What are Black Duck Software Composition Analysis (SCA)'s top competitors?

Checkmarx, Snyk, and Veracode are common alternatives for Black Duck Software Composition Analysis (SCA).

What is Black Duck Software Composition Analysis (SCA)'s best feature?

Reviewers rate Support Rating highest, with a score of 8.2.

Who uses Black Duck Software Composition Analysis (SCA)?

The most common users of Black Duck Software Composition Analysis (SCA) are from Enterprises and the Computer Software industry.