Black Duck Software Composition Analysis (SCA) Reviews and Ratings
Rating: 9.9 out of 10
Community insights
TrustRadius Insights for Black Duck Software Composition Analysis (SCA) are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.
Pros
Impressive Compliance Features: Users have been impressed with the wide range of features offered by Black Duck for ensuring legal and security compliance with third-party software. They have mentioned that it efficiently analyzes code in a timely and accurate manner, helping to identify any potential issues.
User-Friendly Interface: Reviewers have praised the intuitive and easy-to-navigate user interface of Black Duck, stating that it enhances their ability to effectively navigate and utilize the software. This streamlined interface makes it easier for users to find the information they need quickly.
Thorough Analysis Capabilities: Users appreciate the comprehensive analysis capabilities provided by Black Duck, as it excels at identifying various vulnerabilities, bugs, and licensing issues associated with open-source code. The software's extensive knowledge base helps ensure a thorough examination of all components, providing users with confidence in its findings.
This software checks code for possible vulnerabilities and allows us to “shift left”. This allows a potential issue to be seen and addressed in the early stages, before the cost to fix it is too high.
Pros
Vulnerability scans
Tracking of the problem
Alerting
Cons
Have a scheduled alerting process for items in triage
I would like it if problems could be “rolled up”, to see how many issues throughout the company need to be triaged
Export to csv
Likelihood to Recommend
The UI of the scan is quite nice to use. It can be set up so that only a particular group can see the results (nice for NIST).
It's being used for dependency analysis to find out if there are any known CVEs, by integrating it into the DevOps tooling. It's very useful for figuring out vulnerabilities in the various open-source libraries. This ensures overall security, compliance, and risk management.
Pros
Application and Container Scan
Source Code Dependency Analysis
Severity Prioritization
Cons
Improvements in Documentation
Live video examples
Likelihood to Recommend
If you are using a lot of open-source libraries, which is most likely, this is a must-have to ensure no known vulnerabilities slip into production.
Verified User
Engineer in Information Technology (5001-10,000 employees)
Black Duck is used for security and vulnerability scanning at my organization. It is being used across the entire organization. We scan all the projects' languages, binaries, source code, etc., and ensure that no high security or license risk libraries, dependencies, or sub-dependencies are pushed into production. It does solve that business problem very well.
Pros
Security scanning very accurate.
License scanning is fantastic.
Cons
Very slow.
Bad UX.
Outdated design.
Too expensive.
Likelihood to Recommend
I do not love the software. A lot of other solutions exist that have much more robust integration into CI/CD pipelines, without complex configurations.
Black Duck provides our complete organization an easy way to manage the open source components used in our code repositories. It reliably keeps track of security vulnerabilities and license management, so I do not have to worry about where to check for vulnerabilities and open source component license issues, which can be devastating. With Black Duck, I now stay on top of managing my open source code. Black Duck orchestrates and allows us the visibility and control we need to manage and control open source components.
Pros
Quick inventory scan: Black Duck helps us scan the code repositories in no time. It quickly lists the components, and I now really know what is in my code.
Security and License risk management: Black Duck, being rich in its knowledge base about the vulnerabilities and license issues of open source components, quickly compares the identified inventory to the Black Duck knowledge base and lists all the vulnerabilities and license issues in the code.
Integration for automatic scanning: Black Duck is part of DevOps, which provides us with automatic scanning. Black Duck is not just for DevOps but also SecOps.
Cons
Governance: I am expecting better governance of teams. I have various teams using the capacity, and I am quite unsure, or have to spend more time figuring out, which team is using how much.
Tenancy: Black Duck can come up with something called tenancy: for example, a separate hyperlink for team A, a kind of zone where the admins or users have a complete view of team A.
Likelihood to Recommend
Well Suited:
1. Easily come out of the pain of managing open source components. No worries, Black Duck is to the rescue; it takes care of your open source components in terms of license and security
2. SecOps eased with the super Black Duck
Less Suited:
I can't really come up with a scenario where it can be less suited, until you stop using open source components in your code, which is quite impossible.
Black Duck Hub is being used across our organization to enforce a robust open source software usage policy. It helps us ensure that we are protecting our intellectual property from open source license risk.
Pros
Black Duck Hub performs scans very quickly
Black Duck Hub is easy to use
Black Duck Hub has a robust set of integrations available for CI tools such as Jenkins and Bamboo
Black Duck has the most extensive open source KB in the industry
Cons
License model based on usage is costly.
Documentation is extensive, but often confusing.
Black Duck Hub could use some feature improvements for more robust governance capabilities
Likelihood to Recommend
This tool is well-suited as part of a continuous integration cycle and offers very good information about license, security and operational risks.