Black Duck Reviews

Name: Black Duck
Brand: Black Duck
Rating: 3.8 (21 reviews)

Vendor: Black Duck

3.8 out of 5

21 reviews
84% willing to recommend

700 followers

Start review

What is Black Duck?

Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.

Get the Black Duck Buyer's Guide and find out what your peers are saying about Black Duck, GitLab, Snyk and more!

Black Duck is the #1 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Black Duck an average rating of 7.6 out of 10. Black Duck is most commonly compared to GitLab: Black Duck vs GitLab. Black Duck is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 20% of all views.

Helped 849,686 peers since 2012

Featured Black Duck reviews

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.

Read full review

Aaron P

DevOps Engineer at a manufacturing company with 1,001-5,000 employees

The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an open-source platform. One of the other things that I hate about the product stems from my dislike of contacting the support team of Black Duck to know if there are some issues since debugging some issues can be quite difficult. I don't find reliable or feasible documents to help me debug all those issues. The solution's pricing model and documentation areas of concern where improvement is needed. In our company, we get some issues or errors when we run a pipeline, and debugging those errors can be tedious and time-consuming. To minimize the time for debugging errors, I feel that Black Duck needs to add some documentation or something that will make it easy for users to debug the errors instead of seeking help from Black Duck's support team every time. Black Duck can add features, like viewing the vulnerability, to help users figure out the next step if they detect some vulnerability while also providing them some steps to help them follow some remedial steps, along with an explanation of measures to mitigate such issues. Black Duck's UI or server doesn't provide functionality to help users view the vulnerability, which is a process that needs to be automated. The solution's scalability is an area that needs to improve.

Read full review

Sagar Mody

Solutions Architect at a tech services company with 10,001+ employees

It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.

Read full review

Black Duck mindshare

As of May 2025, the mindshare of Black Duck in the Software Composition Analysis (SCA) category stands at 19.3%, down from 22.7% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

PeerResearch reports based on Black Duck reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	May 1, 2025	Download
Product	Reviews, tips, and advice from real users	May 1, 2025	Download
Comparison	Black Duck vs Veracode	May 1, 2025	Download
Comparison	Black Duck vs Snyk	May 1, 2025	Download
Comparison	Black Duck vs Sonatype Lifecycle	May 1, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.3	4.4%	97%	82 interviews Add to research
Snyk	4.0	14.8%	100%	45 interviews Add to research

Valuable Features

Black Duck's auto analysis of components, extensive vulnerability scanning, security features, and easy integration are highly valued. Its knowledge base, license, and policy management, along with seamless integration for scanning Docker files, enhance its robustness. Users appreciate open-source license compliance, binary file scanning, and the capability to pinpoint vulnerabilities in transitive dependencies. Its security risk management, operational insights, and audit readiness reporting are also important. The tool's ease of use and wide industry recognition add to its appeal.

"The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management."
"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."
"The software composition analysis is most effective for security risk management."

Room for Improvement

Black Duck requires better integration with other tools, faster scanning and improved UI, and it should offer more comprehensive documentation and support. The absence of an on-premise component with a mandatory cloud upload and complex initial setup pose issues. There are concerns about inconsistent results and lack of flexibility in the reporting features. Its pricing is considered high for infrequent use and needs to be more aligned with alternatives like Snyk or FOSSA.

"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"There are areas for improvement such as false positives and the scanning of containers."
"There are areas for improvement such as false positives and the scanning of containers."

ROI

Users report that Black Duck significantly improves their software management by identifying vulnerabilities early, ultimately leading to cost savings. They highlight its effectiveness in ensuring license compliance, which prevents potential legal costs and issues. Black Duck also offers a quick integration with existing workflows, further boosting productivity. Its comprehensive reporting capabilities facilitate better decision-making and risk management. Its robust security features and user-friendly interface contribute to increased efficiency and reduced operational risks.

Pricing

Black Duck pricing varies by user number or code size, offering unlimited users for code size specified. Costs range from $10,000 to $70,000. Licensing includes academy access, with free integrations and plug-ins. Some features cost extra. Generally considered expensive, the pricing favors large enterprises needing extensive licensing compliance. Users emphasize knowing code size for negotiation. Subscription models and flexibility in costs are less favorable compared to competitors, making it less suitable for smaller organizations.

"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

Popular Use Cases

Black Duck is primarily used for software composition analysis, including license compliance and open-source vulnerability assessments. Organizations leverage it for auditing software during development and ensuring compliance within their DevSecOps pipelines. It is utilized for security management and scanning Java code and third-party applications for non-compliance. Teams apply Black Duck in due diligence, M&A processes, and operational risk assessments by discovering commercial and open-source licenses and managing open-source security exposure.

Service and Support

Black Duck's customer service generally has varied feedback. Many find the support team helpful and responsive, with quick response times and professional assistance. Some express dissatisfaction with delays and complexity in processes, especially during urgent situations. Response times can sometimes take days, and working hours may not align with users in different countries. There are reports of inconsistencies in technical depth, with some representatives more knowledgeable than others. Despite challenges, Black Duck is often praised for unique features and support efforts.

Deployment

Black Duck's initial setup varies in complexity. Some users find it straightforward, especially with cloud deployments like SaaS versions. The tool is often easy to manage with Linux or cloud services like Azure and Google Cloud. However, others encounter challenges, particularly with on-premise installations and scaling needs, necessitating technical expertise and comprehensive documentation. Overall, deployments can be quick, but certain configurations and version upgrades may require additional time and support.

Scalability

Black Duck is scalable but influenced by licensing and pricing. Organizations varying in size utilize it, with user numbers dependent on project requirements. While some enterprises manage hundreds of users, smaller teams find the cost significant. It supports various environments and integrates with tools like Jira, suitable for diverse needs. Scaling challenges arise with resource limitations, and flexibility in temporary resource expansion is needed. Cloud deployment is favored for flexibility.

Stability

Users report Black Duck's stability as reliable, with few bugs or glitches. Many find it stable, with some suggesting attention is needed for maintenance. Common delays occur when refreshing the web interface using Chrome, but these are viewed as typical. Stability ratings range from seven to ten out of ten, indicating strong reliability. It's recommended not to transition the Hub in organizations switching from other tools due to potential bugs in that scenario.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Black Duck Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

20%

Manufacturing Company

16%

Computer Software Company

14%

Insurance Company

Healthcare Company

Retailer

Real Estate/Law Firm

Government

Educational Organization

University

Energy/Utilities Company

Comms Service Provider

Media Company

Transportation Company

Consumer Goods Company

Construction Company

Non Profit

Legal Firm

Logistics Company

Outsourcing Company

Recreational Facilities/Services Company

Performing Arts

Marketing Services Firm

Hospitality Company

Wholesaler/Distributor

Pharma/Biotech Company

Compare Black Duck with alternative products

Learn more about Black Duck

Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.

What are Black Duck's most important features?

Automatic Component Analysis: Provides automatic identification and analysis of open-source components.
Effective Vulnerability Scanning: Scans for vulnerabilities in both source code and binary files.
Comprehensive Knowledge Base: Offers expansive information on open-source components.
Policy Management: Enables the creation and enforcement of security and compliance policies.
Binary File Scanning: Capable of scanning binary files for in-depth security checks.
Ease of Use: Demonstrates ease of use, particularly on Mac products.
Stability: Known for its stable performance.
Docker Integration: Smooth integration with Docker for enhanced deployment.
Open-source Evaluation: Excellent evaluation capabilities for open-source software.
License Management: Manages open-source licenses effectively.
Easy Installation: Simple installation process.
Secure Onboarding: Ensures secure application onboarding.
API Availability: Provides APIs for custom integrations.
Community Support: Backed by an active community.
Dependency Tree Visualization: Visualizes dependencies for better management.

What benefits or ROI should users look for in reviews?

Improved Compliance: Helps maintain compliance with legal and regulatory requirements.
Risk Mitigation: Reduces risks associated with open-source vulnerabilities.
Enhanced Security: Strengthens software security by identifying and addressing potential issues early.
Time-saving: Automates many aspects of vulnerability scanning and analysis, saving valuable time.
Cost Efficiency: Detects issues early, potentially saving costs related to compliance breaches and security incidents.
Integration Ease: Seamlessly integrates with existing CI/CD pipelines and DevSecOps practices.
Knowledge Resource: Access to comprehensive information aiding better decision-making.

Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.

Black Duck was previously known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.