We just raised a $30M Series A: Read our story

Black Duck OverviewUNIXBusinessApplication

Black Duck is the #6 ranked solution in our list of top Software Composition Analysis (SCA) tools. It is most often compared to WhiteSource: Black Duck vs WhiteSource

What is Black Duck?

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Black Duck is also known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.

Black Duck Buyer's Guide

Download the Black Duck Buyer's Guide including reviews and more. Updated: October 2021

Black Duck Customers

Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf

Black Duck Video

Pricing Advice

What users are saying about Black Duck pricing:
  • "Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
  • "The price is quite high because the behavior of the software during the scan is similar to competing products."
  • "The price is low. It's not an expensive solution."

Black Duck Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Zvika-Ronen
Chief Technology Officer (CTO) at FOSSAWARE
Real User
Top 5
Auto analyzes components and supports a range of scales

Pros and Cons

  • "I like the fact that the product auto analyzes components."
  • "The scanner client is limited by the size of software it can handle."

What is our primary use case?

I'm a technology leader and an open source compliant and risk expert. I lead two domains, both are open source compliant. We use Black Duck in order to make internal audits on software during development, for license compliance, open source compliance, and open source vulnerability. We have an open source audit team, which has some administration rights on the tool and can make changes to the reports based on feedback from business units. Remaining users have permission via tokens to view reports. We would have around 300 users. Up to 20 users can access the system at any one time. The product is used on a daily basis. 

What is most valuable?

I like the fact that the product auto analyzes components. In comparison to Protecode where you're given a suggestion and you have to manually choose the correct one, Black Duck analyzes automatically. However, there is a degree of error, possibly around 5%. 

What needs improvement?

In terms of improvement, there are several areas. The scanner client is limited by the size of software it can handle. If you're scanning software larger than five gigs, it needs to be split and is separated into sub-scans. If you want the status on a certain scan, you can't get it automatically and it can sometimes take a couple of hours. If you want to attach the scan into a CI process and then get an actual result it cannot provide an accurate status.

We are running a Proscan developed in-house and this manipulates the result. It doesn't change the result but it adds some attributes to it. For instance, it gets an alter source and it gives you a link for the domain where you can read more about it. Or if the GUI suggests the conversion, and provides an excel report, you do not really need to go to the GUI, it can be accessed by email after the scan. These attributes and manipulations are done by the API developed in-house for the GUI.

For additional features, I'd like to be able to see SQL on demand, side by side. I'd like to be able to change a room with managed components inside the project, and still have it affect other projects. There is currently no internal database for manual changes which would be a good addition. Also, it would be helpful to include isolation of parts from the doctor image, for instance.

For how long have I used the solution?

We've been using Black Duck for three years.

What do I think about the stability of the solution?

Stability is quite good. 

What do I think about the scalability of the solution?

Scalability is quite good, because they manage to support a range of scales, but it's not unlimited. We can scan six in a row with no problem, but there might be some delay. This is the threshold that we set, we don't scan more than six at once. It's a good product for enterprise companies and smaller ones too, although it is quite expensive for a small company. 

How are customer service and technical support?

There are some very professional support people. No one tool is perfect, but if you're comparing to the rest of the tools on the market, Black Duck comes out on top. They have some really unique features, especially from the perspective of seeing a wide range of open source versions. It's something that is not available in other tools.

I am happy with the support, although I work in Israel and the work week is from Sunday to Thursday - they work Monday to Friday. It means there are only four days in the week when we overlap. If I need something on a Sunday I have to wait. It's challenging. They do have some good training videos.

How was the initial setup?

The complexity of setup depends on the scale. If it's an out-of-the-box scan, it's basically scaled for the port, but once we started to utilize it, we wanted a system that automatically scaled up, so we moved to Upper Shift. It was challenging and required some support from their R&D. Then we applied integration, which required consulting with experts. You can use their documentation and set up your own software, it works smoothly. but depends on the size of the setup.

The product requires someone familiar with the tool. It's not that complicated, but it's not intuitive to find your way through the tool easily. There are two kinds of setup that I am aware of in Black Duck. One is a complete SAS solution where you upload your software to the cloud. Alternatively, you have your on-premise hub, which is attached to the knowledge base. This is a secure solution and can be compared with the knowledge base. The way this hub communicates outside is very important because it needs a stable and wide metro connection.

What about the implementation team?

Deployment was with external support but the integration had some challenges and took some extra days. We had a very professional expert on site, we pay for premium support.

What's my experience with pricing, setup cost, and licensing?

There are some features that cost extra but we don't use them because I'm not sure there's added value. The product is not cheap. There are several methods of payment - by product, by scale, or by code-based size. I suggest those buying Black Duck know their code size in relation to the code size that the system registers. This gives a good estimation of how to negotiate the pricing model. If you're buying extremely high capacity, it costs a lot.

What other advice do I have?

The set up is on-premises but the knowledge base is through the cloud. As mentioned, it's a hybrid solution.

The main difference between Black Duck and other solutions is the way the software identifies the open source. If it's being used out of the box and there's no need for any changes or modification or integration, probably a software based on SHA-1 would be good enough. If the company's customizing its software based on a customer requirements, changes will be needed. Software that works on a single match point probably will miss that. And that's the advantage of Black Duck.

I would rate this product an eight out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CV
CTO at a computer software company with 11-50 employees
Real User
Top 5Leaderboard
Good knowledge base and management system and helpful for discovering commercial and open-source licenses

Pros and Cons

  • "The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."
  • "It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."

What is our primary use case?

We use Black Duck Hub to discover commercial and open-source licenses and the licensed software used by a company. Whenever a company enters the M&A process, a preliminary step called due diligence is done. A part of it is the technical discovery that includes finding out what software the company is using and whether the software is linked with any open-source software or commercial product for which you have to pay a license.

Our main use case is to discover the license and find out if there is an obligation for the paid license. We also check the exposure of the software to open-source libraries. Open source is great, and it is a preferred solution for many companies. Around 90% of the software is now open source, but it is also exposed to vulnerabilities. So, through the dependencies that we were discovering, we were also working on the security exposure of the software product. For this purpose, we use Black Duck Hub.

What is most valuable?

The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach. 

What needs improvement?

It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code.

It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.

For how long have I used the solution?

I have been using this solution for two and a half years. I was serving as vice president of engineering and integration in a company in Austin, Texas. I was assigned to acquisitions of companies, more specifically to the technical due diligence that takes place during acquisition. So, we used Black Duck Hub very extensively. We had the biggest ever contract with Synopsys for almost $1 million per year, and we used Black Duck Hub to scan the license for each acquired company. We had a very aggressive acquisition plan of almost one acquisition every 15 days. So, I have accumulated quite a big experience with the Black Duck Hub tool.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

From the company side, it's super scalable, but from the client's side, it's not that scalable. The issue with scalability is that if you have reserved 100 megabytes on Black Duck Hub, and eventually, you like to use 200 or 300 megabytes, the pricing policy requires extending your product permanently. This is really painful because you just need instant access to the higher, bigger space, but you don't want to buy it permanently. They should give the possibility to extend instantly by 50% or 80% more for a week or two weeks. This is quite common, and I have seen many cloud providers that let you pay instantly for a limited time, and you have the possibility to use a little bit more.

I have a team of six users who use Black Duck for the discovery, but the results are forwarded to many more things.

How are customer service and technical support?

In some cases, we have faced delays. We had reported issues, and we got the reply in 15 days or 20 days. Being a big organization, their support is rather slow. They prioritize these issues based on some logic unknown to me. If we have a big problem, we should get priority.

How was the initial setup?

The initial setup is super simple for the user because it is set up on the cloud. You just get an account and upload the code. You don't have to install it. There is no deployment. You just access the service from the cloud.

What's my experience with pricing, setup cost, and licensing?

Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations.

Which other solutions did I evaluate?

I'm also currently testing WhiteSource, Black Duck Hub, FOSSA, Snyk, and a few more solutions. My assignment is to provide an evaluation for a blockchain platform.

What other advice do I have?

I would advise others to be careful with the provisioning of the space that you need. Black Duck has been the key player in the market for many years. It is totally in conjunction with Coverity and forms a suite of security and quality. It is frequently used in M&A or mergers and acquisition cases. It is the top product in the market.

I would rate Black Duck a nine out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Black Duck. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
542,721 professionals have used our research since 2012.
SK
Former SVP at a manufacturing company with 5,001-10,000 employees
Real User
Top 20
Good security, but creates a lot of manual work and needs better scanning capabilities

Pros and Cons

  • "The solution works well on Mac products."
  • "We're not too sure about the extension of the firewall. It never shows up in the Hub."

What is our primary use case?

We're primarily using the solution for compliance. It's part of an audit process.

What is most valuable?

The solution has some pretty good features on offer.

It helps protect our information. It has good security.

The solution works well on Mac products.

What needs improvement?

The solution requires us to manually identify codes and other forms of identification, and this takes up a lot of time. The patterns the solution uses for identification need to be constantly reviewed by our team. There's also no time stamps. Everything needs to be reviewed. It takes double the time to identify things. Features just don't come up in the Hub.

We'd like to be able to authenticate through our two companies.

We're not too sure about the extension of the firewall. It never shows up in the Hub.

The Hub doesn't like that we have binary sides, so, once again, we need to check everything, meaning we get double the work.

The scanning aspect of the resolution needs to be improved. Right now, as it is, it's not okay.

It would be ideal if the solution offered features to add one or more components to a file.

For how long have I used the solution?

We've been using the solution for three years at this point. It's been a while.

What do I think about the stability of the solution?

The solution is stable. We find it pretty reliable in that sense. It doesn't crash or freeze. It doesn't have bugs or glitches.

That said, if a company is moving from any other tool to the Hub, it's not a good idea to move the Hub itself as there are a few bugs in that scenario.

What do I think about the scalability of the solution?

I can't comment on the scalability. I've never personally tried to scale the solution.

Currently, we have 300-400 people using it in our organization.

How are customer service and technical support?

The technical support has been fine. They help us a lot and we actually find them to be quite helpful. They will alert us when items become available or when new features are coming. We may not know how long it will take, however, we will know they are on the way.

Which solution did I use previously and why did I switch?

We didn't previously work with a different solution. Black Duck has been our first technology for these types of tasks. As we are using it for an audit, I basically just learned the tool and started applying it to the process. I don't know how to use any other tool for this purpose.

However, the company is currently migrating from another Hub to Black Duck Hub.

How was the initial setup?

The initial setup is unique. We're actually migrating from our current Hub to Black Duck Hub. It has its own specific challenges.

What's my experience with pricing, setup cost, and licensing?

I'm not sure of what the exact pricing is for the solution. That's not something I handle. My company deals with those aspects of the solution.

What other advice do I have?

We're just a customer. We don't have a business relationship with Black Duck.

I'm not sure how the solution is deployed within our organization (whether it's cloud or on-premises).

We've had to migrate our current Hub to Black Duck Hub, which is not efficient for the identification process. We do projects. Due to our identification process, it's not as accurate as we'd like. 

Overall, I'd rate the solution six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SK
Project Lead at a manufacturing company with 10,001+ employees
Real User
Top 20
Stable, but the process is very manual and the price should be reduced

Pros and Cons

  • "The stability is okay."
  • "It needs to be more user-friendly for developers and in general, to ensure compliance."

What is our primary use case?

We use Black Duck to examine our source code for compliance issues.

What needs improvement?

The older version that we are using is very primitive. You have to do every step, right from setting up an application to the user. The code has to sit in a particular folder and all of the open-source dependencies have to be there. With everything in one folder, it starts to scan. As we are using Code Center, we need to ensure that all of the components are there. However, there are thousands of components and for each submission, the components have to be there. There are no bulk submissions or bulk transfers. Essentially, you need to write your own scripts with the APIs to do it more efficiently.

It needs to be more user-friendly for developers and in general, to ensure compliance. The scanning should be quick and easy to use, rather than complex.

The pricing for this solution should definitely be lower.

For how long have I used the solution?

We have been using Black Duck for between five and six years.

What do I think about the stability of the solution?

The stability is okay. We need to keep cleaning up and archiving, which is the standard care by an administrator.

What do I think about the scalability of the solution?

The number of people we have using Black Duck at any time is on a project-by-project basis. We probably have around 500 users, although they do not use it on a continuous basis. The usage is based on the number of requests. For some projects, it will be used just one time, and that's it. 

How are customer service and technical support?

We have just started to contact technical support, so it is too early to evaluate them.

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to Black Duck.

How was the initial setup?

The initial setup is complex. It is installed and configured on a Linux-based system, and the on-premises database needs to be updated.

Upgrading our version of Black Duck to the most recent is a tedious process. It is very step-by-step and very manual.

What's my experience with pricing, setup cost, and licensing?

The price is quite high because the behavior of the software during the scan is similar to competing products. 

Which other solutions did I evaluate?

We are currently evaluating whether we should continue to work with Black Duck, upgrading to the most recent version, or change to another solution. We are looking at several tools that also include WhiteSource and Checkmarx Composition Software Analysis. Ideally, we want to find a solution that suits our everyday needs.

One thing that we have found is that the price of Black Duck is quite high, compared to other products.

What other advice do I have?

As we are using an older version, and have not yet completed a PoC with the most recent one, I am not sure whether there are newer features that we need or will use. Things that we would like to see may have already been implemented.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jyotiprasad RATH
Head: Open Source Program Office at a financial services firm with 10,001+ employees
Real User
Top 20
Feature-rich, with good security compliance

Pros and Cons

  • "Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
  • "We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."

What is our primary use case?

I am not working with Black Duck. I manage a team that works with Black Duck.

What is most valuable?

We are happy with this solution.

We have not yet explored all of the functionalities of Black Duck.

Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.

What needs improvement?

We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck. I feel that it is just a matter of time and it should be fine.

For how long have I used the solution?

We have been working with Black Duck for a little more than one year.

What do I think about the scalability of the solution?

It is a very small group of people who are using this solution in our organization.

My team is the open-source program office and we have three people who are using Black Duck and the other teams would be in the range of fewer than 20 people.

How are customer service and technical support?

We contacted technical support as we were not able to fix this issue ourselves. We are not the primary contact who has procured the product, they are based out of Paris. We are using the license but we have to go through them to contact Black Duck to get their help.

I am not able to share an opinion on the support because we raised the issue only a few weeks back, and this being the summer vacation period, a lot of people were unavailable. I don't know whether that delay is being caused by our counterparts in Paris or if it is really caused by Black Duck.

Which solution did I use previously and why did I switch?

We have been using other tools, but our IT division acquired Black Duck and we wanted to use it across the organization.

As far as security is concerned, it has always been a priority in our organization. We had different tools that we were using for security, but when it comes to operational risk and compliance and licensing, we didn't have any specific approach before Black Duck.

What's my experience with pricing, setup cost, and licensing?

We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing.

We are only using a few of the licenses because they had acquired several licenses, but I'm not involved in the pricing and the contract negotiations.

What other advice do I have?

I would rate Black Duck an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
MC
Engineer at a manufacturing company with 10,001+ employees
Real User
Top 5Leaderboard
Easy to use with a simple installation process and good stability

Pros and Cons

  • "The installation is very easy."
  • "Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."

What is most valuable?

It's a well-recognized tool in our industry. We have a lot of requests for the product from clients. 

The solution is very easy to use. 

The stability has been good over the years.

The installation is very easy.

What needs improvement?

Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive.

For how long have I used the solution?

We've used the solution for about three or four years at this point. 

What do I think about the stability of the solution?

The stability is very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

Not everyone uses the solution at our company. Mainly, just developers use it, and we have about 60 people on it. 

Which solution did I use previously and why did I switch?

Right now, we are considering changing to WhiteSource, however, we still might just keep Black Duck.

How was the initial setup?

The initial setup isn't too difficult. It's a pretty straightforward, simple process. We have only installed it once, and I cannot recall how long the deployment actually took. It was a long time ago.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution is very high. We'd prefer if the product offered a monthly subscription.

What other advice do I have?

We are a customer and an end-user.

We are using Black Duck Hub.

I'd rate the solution at an eight out of ten. We're mostly quite happy with the capabilities. 

Black Duck is a good, but not an inexpensive tool. If others want stability or a well-respected tool, I would recommend it. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
RaviShankar
Lead Product Enginner at Harman International Industries, Incorporated
Vendor
Top 20
Stable, with good vulnerability scanning, and it's priced well

What is our primary use case?

We are using this solution for software analysis and vulnerability scanning.

What is most valuable?

The most valuable feature is the vulnerability scanning, and that it's easy to use.

What needs improvement?

The initial setup could be simplified. It was somewhat complex. In the next release, I would like to see packet analysis and binary analysis included as features.

For how long have I used the solution?

We have been using Black Duck for approximately four years.

What do I think about the stability of the solution?

We have not had any issues with stability. It's a stable solution.

What do I think about the scalability of the solution?

The number of users on the project depends on the license and the project.

How are customer service

What is our primary use case?

We are using this solution for software analysis and vulnerability scanning.

What is most valuable?

The most valuable feature is the vulnerability scanning, and that it's easy to use.

What needs improvement?

The initial setup could be simplified. It was somewhat complex.

In the next release, I would like to see packet analysis and binary analysis included as features.

For how long have I used the solution?

We have been using Black Duck for approximately four years.

What do I think about the stability of the solution?

We have not had any issues with stability.

It's a stable solution.

What do I think about the scalability of the solution?

The number of users on the project depends on the license and the project.

How are customer service and technical support?

I am from the DevOps team and have not had any contact with technical support. It's not an area that I am a part of.

If I have any issues, I escalate them to our team and they reach out to technical support.

Which solution did I use previously and why did I switch?

Previously, we did not use any other solution.

How was the initial setup?

The initial setup is complex.

We had some issues finding the report.

The length of deployment is different, it varies on the requirements.

What about the implementation team?

The implementation was done by someone in our company.

The maintenance is done through the vendor.

What's my experience with pricing, setup cost, and licensing?

The price is low. It's not an expensive solution.

What other advice do I have?

This is a product that I would recommend to others.

I would rate Black Duck an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.