Black Duck Software Composition Analysis (SCA)


TrustRadius Score: 9.1 out of 10



What is Black Duck Software Composition Analysis (SCA)?

Black Duck is a software composition analysis tool acquired and now supported by Synopsys since 2017.

Entry-level setup fee: optional


  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services

Would you like us to let the vendor know that you want pricing?

27 people want pricing too
Return to navigation


Product Details

What is Black Duck Software Composition Analysis (SCA)?

Black Duck® by Synopsys software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.

Black Duck gives users visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.

Black Duck Software Composition Analysis (SCA) Features

  • Supported: Find and fix security vulnerabilities at each stage in the SDLC, with detailed, vulnerability-specific remediation guidance and technical insight.
  • Supported: Address the risk of open source license noncompliance and safeguard your intellectual property by using the industry's largest open source knowledge base to identify the license obligations imposed by the open source in your applications (including partial code and snippets copied into applications).
  • Supported: Avoid development cost overruns and combat code decay with operational risk metrics associated with poor open source code quality.
  • Supported: Scan virtually any software, firmware, source code, and binary files to generate a comprehensive bill of materials (BOM).
  • Supported: Automatically monitor for new vulnerabilities that affect your BOM, with custom policies and workflow triggers to accelerate remediation and reduce your risk exposure.
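The last two features describe a mechanism: a bill of materials is built from the scan, and policy is then evaluated against it, both at scan time and again whenever the vulnerability knowledge base changes. The script below is an added illustration of that BOM-driven policy gate written for this page; it is not Black Duck's own code, API or data model. The component names, versions, licenses, advisory identifiers (deliberately prefixed EXAMPLE- rather than CVE-) and the policy thresholds are all constructed assumptions chosen to show the two kinds of violation, a severity threshold and a denied license, on both direct and transitive dependencies.

```python
"""Policy gate over a software bill of materials (SBOM).

Added example, not Black Duck code. It matches BOM components against a
vulnerability feed, flags denied licenses, and fails the build when policy
is crossed. All data below is constructed sample input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str      # SPDX identifier, as an SCA tool would report it
    direct: bool      # False for transitive (sub-)dependencies


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    component: str
    affected: tuple   # (lowest affected version, first fixed version)
    severity: str


@dataclass(frozen=True)
class Policy:
    fail_at_severity: str = "HIGH"          # HIGH and above fail the build
    denied_licenses: frozenset = frozenset({"GPL-3.0-only", "AGPL-3.0-only"})


SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, vuln: Vulnerability) -> bool:
    """True if the component falls inside the advisory's [lo, hi) version range."""
    if comp.name != vuln.component:
        return False
    lo, hi = vuln.affected
    return parse_version(lo) <= parse_version(comp.version) < parse_version(hi)


def evaluate(bom, feed, policy: Policy) -> list:
    """Return human-readable policy violations for a BOM against a feed.

    Transitive dependencies are checked exactly like direct ones: a
    sub-dependency is just as much part of the shipped artifact.
    """
    violations = []
    threshold = SEVERITY_RANK[policy.fail_at_severity]
    for comp in bom:
        scope = "direct" if comp.direct else "transitive"
        for vuln in feed:
            if is_affected(comp, vuln) and SEVERITY_RANK[vuln.severity] >= threshold:
                violations.append(
                    f"{vuln.vuln_id}: {comp.name} {comp.version} ({scope}) "
                    f"severity {vuln.severity}"
                )
        if comp.license in policy.denied_licenses:
            violations.append(
                f"LICENSE: {comp.name} {comp.version} ({scope}) "
                f"uses denied license {comp.license}"
            )
    return violations


def gate(bom, feed, policy: Policy) -> bool:
    """CI gate: True means the build may proceed, False means block it."""
    return not evaluate(bom, feed, policy)


# Constructed sample BOM (hypothetical library names and versions).
SAMPLE_BOM = [
    Component("libfoo", "1.2.3", "MIT", direct=True),
    Component("libbar", "2.0.1", "Apache-2.0", direct=True),
    Component("libbaz", "0.9.5", "GPL-3.0-only", direct=False),
    Component("libqux", "3.1.0", "BSD-3-Clause", direct=False),
]

# Constructed vulnerability feed (hypothetical advisory identifiers).
SAMPLE_FEED = [
    Vulnerability("EXAMPLE-2024-0001", "libfoo", ("1.0.0", "1.3.0"), "CRITICAL"),
    Vulnerability("EXAMPLE-2024-0002", "libbar", ("1.0.0", "2.0.0"), "HIGH"),
    Vulnerability("EXAMPLE-2024-0003", "libqux", ("3.0.0", "3.2.0"), "MEDIUM"),
]

# A later feed update: the stored BOM is re-evaluated without rescanning.
LATER_ADVISORY = Vulnerability("EXAMPLE-2024-0004", "libqux", ("3.1.0", "3.1.1"), "HIGH")


if __name__ == "__main__":
    for line in evaluate(SAMPLE_BOM, SAMPLE_FEED, Policy()):
        print(line)
    print("build allowed:", gate(SAMPLE_BOM, SAMPLE_FEED, Policy()))
    print("after feed update:", gate(SAMPLE_BOM, SAMPLE_FEED + [LATER_ADVISORY], Policy()))
```

Two design points are worth noting. Version ranges are compared as integer tuples, because string comparison would rank "1.10.0" below "1.9.0" and silently miss affected components. And the BOM is kept as data separate from the feed, which is what makes the "monitor for new vulnerabilities" feature possible: when the feed gains the later advisory, the same stored BOM fails the gate without a fresh scan.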

Black Duck Software Composition Analysis (SCA) Screenshots

  • Black Duck helps you find and fix your highest-priority vulnerabilities
  • Use Black Duck to comply with open source license obligations and to verify compliance with all open source license terms
  • Black Duck automatically creates tickets in your activity tracking applications like Jira for both policy violations and vulnerabilities
  • Black Duck's vulnerability Impact Analysis indicates whether a vulnerability is actually being called by your application
  • The Black Duck security advisory gives the information you need to address security risks and make the fix
  • Black Duck generates a Bill of Materials which gives you a complete and detailed inventory of all open source identified in your codebase
  • Configure and customize to your company's specific security and license policies
  • Black Duck integrates with other tools to find and scan your codebase


Black Duck Software Composition Analysis (SCA) Technical Details

Deployment Types: On-premise, SaaS
Operating Systems: Windows, Linux, Mac
Mobile Application: No

Frequently Asked Questions

Checkmarx, Snyk, and Veracode are common alternatives for Black Duck Software Composition Analysis (SCA).

Reviewers rate Support Rating highest, with a score of 8.2.

The most common users of Black Duck Software Composition Analysis (SCA) are from Enterprises (1,001+ employees) and the Computer Software industry.


Reviews and Ratings

Score 9 out of 10
It's being used for dependency analysis to find out if there are any known CVEs existing by integrating them in the DevOps tooling. It's very useful to figure out vulnerabilities in the various open-source libraries. This ensures overall security, compliance, and risk management.
  • Application and Container Scan
  • Source Code Dependency Analysis
  • Severity Prioritization
  • Improvements in Documentation
  • Live video examples
If you are using a lot of open-source libraries, which is most likely, this is a must-have to ensure no known vulnerabilities slip into production.
Score 5 out of 10
Black Duck is used for security and vulnerability scanning at my organization. It is being used across the entire organization. We scan all the projects' languages, binaries, source code, etc and ensure that no high security or license risk libraries, dependencies, or sub-dependencies are pushed into production. It does solve that business problem very well.
  • Security scanning very accurate.
  • License scanning is fantastic.
  • Very slow.
  • Bad UX.
  • Outdated design.
  • Too expensive.
I do not love the software. A lot of other solutions exist that have much more robust integration into CI/CDs, without complex configurations.
Support seems very responsive.
December 12, 2017

SecOps made easy!!!

Rajiv Aradhyula | TrustRadius Reviewer
Score 10 out of 10
Black Duck provides our complete organization an easy way to manage our open source components used in our code repositories. It promisingly keeps track of the security vulnerabilities or license management, where I do not have to worry where to check for the vulnerabilities and open source components license issues which can be devastating. And with Black Duck, I now stay on top in managing my open source code. Black Duck orchestrates and allows us the visibility and control we need to manage and control open source components.
  • Quick inventory scan: Black Duck helps us scan the code repositories in no time. And quickly list the components and I now really know what is in my code.
  • Security and License risk management: Black Duck being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
  • Integration for automatic scanning: Black Duck is part of devops which provides us automatic scanning. Black Duck is not just for devops but also SecOps.
  • Governance: I am expecting better governance of teams. I have various teams using the capacity. And I am quite unsure or have to spend more time in figuring out which team is using how much.
  • Tenancy: Black Duck can come up with something called tenancy. Like team A, a separate hyperlink for them. A kind of a zone where the admins or users have complete view of team A.
Well Suited:
1. Easily come out of pain to manage open source components. No worries, Black Duck is to the rescue, it takes care of your open source components in terms of license and security
2. SecOps eased with the super Black Duck

Less Suited:
I can't really come up with a scenario, where it can be less suited. Until you stop using open source components in your code. Which is quite impossible.
I have a very strong reason for the very best rating. Usually, Black Duck support is quick enough and they continuously keep me updated about the status if some issue is taking time for them to resolve. Overall, I am happy with the response I get from the customer care.

I was planning an upgrade and I ran into an issue as the migrated Postgres database does not get identified by the new version of the hub. And all the projects, scans and the huge amount of work we put in comments under version are all lost. I immediately opened a case in the Black Duck customer portal. And in no time, I get a message back from the support for a quick WebEx session. And support was able to help me and my weekend was saved. Thank you for the quick support Black Duck. Appreciate it. I also have some questions on using Black Duck in an optimal way. I get helpful replies quick enough.
Emmanuel Canaan | TrustRadius Reviewer
Score 9 out of 10
Black Duck Hub is being used across our organization to enforce a robust open source software usage policy. It helps us ensure that we are protecting our intellectual property from open source license risk.
  • Black Duck Hub performs scans very quickly
  • Black Duck Hub is easy to use
  • Black Duck Hub has a robust set of integrations available for CI tools such as Jenkins and Bamboo
  • Black Duck has the most extensive open source KB in the industry
  • License model based on usage is costly.
  • Documentation is extensive, but often confusing.
  • Black Duck Hub could use some feature improvements for more robust governance capabilities
This tool is well-suited as part of a continuous integration cycle and offers very good information about license, security and operational risks.