What is our primary use case?
I'm a technology leader and an open source compliant and risk expert. I lead two domains, both are open source compliant. We use Black Duck in order to make internal audits on software during development, for license compliance, open source compliance, and open source vulnerability. We have an open source audit team, which has some administration rights on the tool and can make changes to the reports based on feedback from business units. Remaining users have permission via tokens to view reports. We would have around 300 users. Up to 20 users can access the system at any one time. The product is used on a daily basis.
What is most valuable?
I like the fact that the product auto analyzes components. In comparison to Protecode where you're given a suggestion and you have to manually choose the correct one, Black Duck analyzes automatically. However, there is a degree of error, possibly around 5%.
What needs improvement?
In terms of improvement, there are several areas. The scanner client is limited by the size of software it can handle. If you're scanning software larger than five gigs, it needs to be split and is separated into sub-scans. If you want the status on a certain scan, you can't get it automatically and it can sometimes take a couple of hours. If you want to attach the scan into a CI process and then get an actual result it cannot provide an accurate status.
We are running a Proscan developed in-house and this manipulates the result. It doesn't change the result but it adds some attributes to it. For instance, it gets an alter source and it gives you a link for the domain where you can read more about it. Or if the GUI suggests the conversion, and provides an excel report, you do not really need to go to the GUI, it can be accessed by email after the scan. These attributes and manipulations are done by the API developed in-house for the GUI.
For additional features, I'd like to be able to see SQL on demand, side by side. I'd like to be able to change a room with managed components inside the project, and still have it affect other projects. There is currently no internal database for manual changes which would be a good addition. Also, it would be helpful to include isolation of parts from the doctor image, for instance.
For how long have I used the solution?
We've been using Black Duck for three years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
Scalability is quite good, because they manage to support a range of scales, but it's not unlimited. We can scan six in a row with no problem, but there might be some delay. This is the threshold that we set, we don't scan more than six at once. It's a good product for enterprise companies and smaller ones too, although it is quite expensive for a small company.
How are customer service and technical support?
There are some very professional support people. No one tool is perfect, but if you're comparing to the rest of the tools on the market, Black Duck comes out on top. They have some really unique features, especially from the perspective of seeing a wide range of open source versions. It's something that is not available in other tools.
I am happy with the support, although I work in Israel and the work week is from Sunday to Thursday - they work Monday to Friday. It means there are only four days in the week when we overlap. If I need something on a Sunday I have to wait. It's challenging. They do have some good training videos.
How was the initial setup?
The complexity of setup depends on the scale. If it's an out-of-the-box scan, it's basically scaled for the port, but once we started to utilize it, we wanted a system that automatically scaled up, so we moved to Upper Shift. It was challenging and required some support from their R&D. Then we applied integration, which required consulting with experts. You can use their documentation and set up your own software, it works smoothly. but depends on the size of the setup.
The product requires someone familiar with the tool. It's not that complicated, but it's not intuitive to find your way through the tool easily. There are two kinds of setup that I am aware of in Black Duck. One is a complete SAS solution where you upload your software to the cloud. Alternatively, you have your on-premise hub, which is attached to the knowledge base. This is a secure solution and can be compared with the knowledge base. The way this hub communicates outside is very important because it needs a stable and wide metro connection.
What about the implementation team?
Deployment was with external support but the integration had some challenges and took some extra days. We had a very professional expert on site, we pay for premium support.
What's my experience with pricing, setup cost, and licensing?
There are some features that cost extra but we don't use them because I'm not sure there's added value. The product is not cheap. There are several methods of payment - by product, by scale, or by code-based size. I suggest those buying Black Duck know their code size in relation to the code size that the system registers. This gives a good estimation of how to negotiate the pricing model. If you're buying extremely high capacity, it costs a lot.
What other advice do I have?
The set up is on-premises but the knowledge base is through the cloud. As mentioned, it's a hybrid solution.
The main difference between Black Duck and other solutions is the way the software identifies the open source. If it's being used out of the box and there's no need for any changes or modification or integration, probably a software based on SHA-1 would be good enough. If the company's customizing its software based on a customer requirements, changes will be needed. Software that works on a single match point probably will miss that. And that's the advantage of Black Duck.
I would rate this product an eight out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Black Duck can be installed in-house. It only communicates with their servers to fetch updated its Knowledge Base, which is used to identify open source components and vulnerabilities. We sometimes send the can results to Synopsys/Black Duck support, but that does not contain any of our code, just the analysis of the scanned files, which we judged to not be a security risk for us.