We performed a comparison between Black Duck and Mend (formerly WhiteSource) based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Mend is the clear winner in this comparison. Compared with Black Duck, it is easier to set up and has better reporting and analysis features and superior customer support. Mend also has a proven ROI.
"The solution is stable."
"The solution works well on Mac products."
"It is able to drill down to the source level."
"The cloud option of the product is always available and a positive aspect of the solution."
"The installation is very easy."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"The dashboard view and the management view are most valuable."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"The documentation is quite scattered."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"The solution's pricing model and documentation areas of concern where improvement is needed."
"The scanner client is limited by the size of software it can handle."
"I would like to see improvements in Black Duck's reporting capabilities."
"Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"The UI is not that friendly and you need to learn how to navigate easily."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"The initial setup could be simplified."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Black Duck is rated 7.8, while Mend.io is rated 8.4. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, FOSSA and Sonatype Lifecycle, whereas Mend.io is most compared with SonarQube, Snyk, Veracode, Checkmarx One and JFrog Xray. See our Black Duck vs. Mend.io report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.