Black Duck Review

Good knowledge base and management system and helpful for discovering commercial and open-source licenses

What is our primary use case?

We use Black Duck Hub to discover commercial and open-source licenses and the licensed software used by a company. Whenever a company enters the M&A process, a preliminary step called due diligence is done. A part of it is the technical discovery that includes finding out what software the company is using and whether the software is linked with any open-source software or commercial product for which you have to pay a license.

Our main use case is to discover the license and find out if there is an obligation for the paid license. We also check the exposure of the software to open-source libraries. Open source is great, and it is a preferred solution for many companies. Around 90% of the software is now open source, but it is also exposed to vulnerabilities. So, through the dependencies that we were discovering, we were also working on the security exposure of the software product. For this purpose, we use Black Duck Hub.

What is most valuable?

The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach. 

What needs improvement?

It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code.

It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.

For how long have I used the solution?

I have been using this solution for two and a half years. I was serving as vice president of engineering and integration in a company in Austin, Texas. I was assigned to acquisitions of companies, more specifically to the technical due diligence that takes place during acquisition. So, we used Black Duck Hub very extensively. We had the biggest ever contract with Synopsys for almost $1 million per year, and we used Black Duck Hub to scan the license for each acquired company. We had a very aggressive acquisition plan of almost one acquisition every 15 days. So, I have accumulated quite a big experience with the Black Duck Hub tool.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

From the company side, it's super scalable, but from the client's side, it's not that scalable. The issue with scalability is that if you have reserved 100 megabytes on Black Duck Hub, and eventually, you like to use 200 or 300 megabytes, the pricing policy requires extending your product permanently. This is really painful because you just need instant access to the higher, bigger space, but you don't want to buy it permanently. They should give the possibility to extend instantly by 50% or 80% more for a week or two weeks. This is quite common, and I have seen many cloud providers that let you pay instantly for a limited time, and you have the possibility to use a little bit more.

I have a team of six users who use Black Duck for the discovery, but the results are forwarded to many more things.

How are customer service and technical support?

In some cases, we have faced delays. We had reported issues, and we got the reply in 15 days or 20 days. Being a big organization, their support is rather slow. They prioritize these issues based on some logic unknown to me. If we have a big problem, we should get priority.

How was the initial setup?

The initial setup is super simple for the user because it is set up on the cloud. You just get an account and upload the code. You don't have to install it. There is no deployment. You just access the service from the cloud.

What's my experience with pricing, setup cost, and licensing?

Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations.

Which other solutions did I evaluate?

I'm also currently testing WhiteSource, Black Duck Hub, FOSSA, Snyk, and a few more solutions. My assignment is to provide an evaluation for a blockchain platform.

What other advice do I have?

I would advise others to be careful with the provisioning of the space that you need. Black Duck has been the key player in the market for many years. It is totally in conjunction with Coverity and forms a suite of security and quality. It is frequently used in M&A or mergers and acquisition cases. It is the top product in the market.

I would rate Black Duck a nine out of ten. 

Which deployment model are you using for this solution?

Private Cloud
**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More Black Duck reviews from users
...who compared it with WhiteSource
Learn what your peers think about Black Duck. Get advice and tips from experienced pros sharing their opinions. Updated: February 2021.
464,655 professionals have used our research since 2012.
Add a Comment
1 Comment

author avatarFranklin Davis

Black Duck can be installed in-house. It only communicates with their servers to fetch updated its Knowledge Base, which is used to identify open source components and vulnerabilities. We sometimes send the can results to Synopsys/Black Duck support, but that does not contain any of our code, just the analysis of the scanned files, which we judged to not be a security risk for us.