Black Duck Overview

Black Duck is the #4 ranked solution in our list of top Software Composition Analysis (SCA) tools. It is most often compared to WhiteSource: Black Duck vs WhiteSource

What is Black Duck?

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Black Duck is also known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.

Black Duck Buyer's Guide

Download the Black Duck Buyer's Guide including reviews and more. Updated: January 2021

Black Duck Customers

Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf

Pricing Advice

What users are saying about Black Duck pricing:
  • "Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
  • "Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
  • "The price is quite high because the behavior of the software during the scan is similar to competing products."
  • "The price is low. It's not an expensive solution."

Black Duck Reviews

Consulting Partner, Cyber Security Delivery - Africa at DeltaGRiC Consulting
Top 5
May 30, 2019
Useful for determining the health of applications that contain open source components

What is our primary use case?

We have been using this solution for between two and three years. We frequently use this solution for software composition analysis. We also use it for vulnerability assessment and operational risk assessment. This is usually for customers who want to do one-off assessments, trying to check open source components they are using in their build.

Pros and Cons

  • "It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
  • "I would like to see more integration with other solutions, such as IntelliJ IDEA."

What other advice do I have?

This is a good solution. My advice to anybody interested in implementing it is to be clear in their mind whether they want to go on a user-based model, or they want to do a code-based model. It can get tricky if your development team is growing rapidly. Maybe you started off with five developers and then the next year you are growing to ten. Then, in another year, there are fourteen or twenty. As you grow, a user-based model may not work for you so you might consider going with the code-based model. However, if you are working on multiple projects then you may consider the user-based model…
Chief Technology Officer (CTO) at FOSSAWARE
Real User
Jan 19, 2020
Auto analyzes components and supports a range of scales

What is our primary use case?

I'm a technology leader and an open source compliance and risk expert. I lead two domains, both are open source compliant. We use Black Duck in order to make internal audits on software during development, for license compliance, open source compliance, and open source vulnerability. We have an open source audit team, which has some administration rights on the tool and can make changes to the reports based on feedback from business units. Remaining users have permission via tokens to view reports. We would have around 300 users. Up to 20 users can access the system at any one time. The product…

Pros and Cons

  • "I like the fact that the product auto analyzes components."
  • "The scanner client is limited by the size of software it can handle."

What other advice do I have?

The setup is on-premises but the knowledge base is through the cloud. As mentioned, it's a hybrid solution. The main difference between Black Duck and other solutions is the way the software identifies the open source. If it's being used out of the box and there's no need for any changes or modification or integration, probably a software based on SHA-1 would be good enough. If the company's customizing its software based on customer requirements, changes will be needed. Software that works on a single match point probably will miss that. And that's the advantage of Black Duck. I would rate…
Co-Founder CTO/CPO at Source Code Inspection
Real User
Top 5 Leaderboard
Dec 19, 2020
Good knowledge base and management system and helpful for discovering commercial and open-source licenses

What is our primary use case?

We use Black Duck Hub to discover commercial and open-source licenses and the licensed software used by a company. Whenever a company enters the M&A process, a preliminary step called due diligence is done. A part of it is the technical discovery that includes finding out what software the company is using and whether the software is linked with any open-source software or commercial product for which you have to pay a license. Our main use case is to discover the license and find out if there is an obligation for the paid license. We also check the exposure of the software to open-source…

Pros and Cons

  • "The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base built over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."
  • "It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."

What other advice do I have?

I would advise others to be careful with the provisioning of the space that you need. Black Duck has been the key player in the market for many years. It is totally in conjunction with Coverity and forms a suite of security and quality. It is frequently used in M&A or mergers and acquisition cases. It is the top product in the market. I would rate Black Duck a nine out of ten.
Former SVP at a manufacturing company with 5,001-10,000 employees
Real User
Sep 27, 2020
Good security, but creates a lot of manual work and needs better scanning capabilities

What is our primary use case?

We're primarily using the solution for compliance. It's part of an audit process.

Pros and Cons

  • "The solution works well on Mac products."
  • "We're not too sure about the extension of the firewall. It never shows up in the Hub."

What other advice do I have?

We're just a customer. We don't have a business relationship with Black Duck. I'm not sure how the solution is deployed within our organization (whether it's cloud or on-premises). We've had to migrate our current Hub to Black Duck Hub, which is not efficient for the identification process. We do projects. Due to our identification process, it's not as accurate as we'd like. Overall, I'd rate the solution six out of ten.
Project Lead at a manufacturing company with 10,001+ employees
Real User
Jun 9, 2020
Stable, but the process is very manual and the price should be reduced

What is our primary use case?

We use Black Duck to examine our source code for compliance issues.

Pros and Cons

  • "The stability is okay."
  • "It needs to be more user-friendly for developers and in general, to ensure compliance."

What other advice do I have?

As we are using an older version, and have not yet completed a PoC with the most recent one, I am not sure whether there are newer features that we need or will use. Things that we would like to see may have already been implemented. I would rate this solution a six out of ten.
Lead Product Engineer at Harman International Industries, Incorporated
Real User
Top 20
Dec 9, 2020
Stable, with good vulnerability scanning, and it's priced well

What is our primary use case?

We are using this solution for software analysis and vulnerability scanning.

What is most valuable?

The most valuable feature is the vulnerability scanning, and that it's easy to use.

What needs improvement?

The initial setup could be simplified. It was somewhat complex. In the next release, I would like to see packet analysis and binary analysis included as features.

For how long have I used the solution?

We have been using Black Duck for approximately four years.

What do I think about the stability of the solution?

We have not had any issues with stability. It's a stable solution.

What do I think about the scalability of the solution?

The number of users on the project depends on the license and the project.

How are customer service