We performed a comparison between Black Duck and Mend (formerly WhiteSource) based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Mend is the clear winner in this comparison. Compared with Black Duck, it is easier to set up and has better reporting and analysis features and superior customer support. Mend also has a proven ROI.
"The product enables other applications to be secure."
"The most valuable feature for me in Black Duck is its ability to scan binary files effectively."
"The solution works well on Mac products."
"The cloud option of the product is always available and a positive aspect of the solution."
"It is able to drill down to the source level."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"The installation is very easy."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"The results and the dashboard they provide are good."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"The scanner client is limited by the size of software it can handle."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The tool's documentation and support are areas of concern where improvements are required."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster."
"The solution must provide more open APIs."
"I would like to see improvements in Black Duck's reporting capabilities."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"The UI is not that friendly and you need to learn how to navigate easily."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."
"Make the product available in a very stable way for other web browsers."
"The initial setup could be simplified."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Black Duck is rated 7.8, while Mend.io is rated 8.4. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, FOSSA and Sonatype Lifecycle, whereas Mend.io is most compared with SonarQube, Snyk, Veracode, Checkmarx One and JFrog Xray. See our Black Duck vs. Mend.io report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.