Senior Technical Architect at IGT Solutions
Helps to scan Java codes and save time
Pros and Cons
- "We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
- "The tool needs to improve its pricing. Its configuration is complex and can be improved."
What is our primary use case?
We use the solution to scan Java code.
What is most valuable?
We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time.
What needs improvement?
The tool needs to improve its pricing. Its configuration is complex and can be improved.
For how long have I used the solution?
I have been using the tool for five years.
Buyer's Guide
Black Duck
August 2025

Learn what your peers think about Black Duck. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
865,384 professionals have used our research since 2012.
What do I think about the stability of the solution?
Black Duck is stable.
How was the initial setup?
I rate the tool's deployment a seven out of ten.
What other advice do I have?
I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner

Project Lead at a manufacturing company with 10,001+ employees
Is able to drill down to the source level, but instead of providing scripts, they should provide functionalities through the UI
Pros and Cons
- "It is able to drill down to the source level."
- "They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
What is most valuable?
It is able to drill down to the source level.
What needs improvement?
We expect a lot more features. They have to improve it a lot in terms of the way they do the analysis. At the analysis level, more depth is required.
They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.
For how long have I used the solution?
We have been using this solution for a year. We are using its latest version.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
Because it is on the cloud, it is scalable. We have quite a significant number of users. Our users might be in the hundreds.
How are customer service and support?
Their support is not so strong. It is fine. It is not bad. If we go a little bit deeper on the technical side, they might not know about it.
How was the initial setup?
We didn't do the setup. They did the setup. My guess is that it is not so easy because it's done in the docker environment. For its maintenance, we need two people.
What's my experience with pricing, setup cost, and licensing?
It is expensive.
What other advice do I have?
I would rate it a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead Product Engineer at Harman International Industries, Incorporated
Stable, with good vulnerability scanning, and it's priced well
Pros and Cons
- "The most valuable feature is the vulnerability scanning, and that it's easy to use."
- "The initial setup could be simplified. It was somewhat complex."
What is our primary use case?
We are using this solution for software analysis and vulnerability scanning.
What is most valuable?
The most valuable feature is the vulnerability scanning, and that it's easy to use.
What needs improvement?
The initial setup could be simplified. It was somewhat complex.
In the next release, I would like to see packet analysis and binary analysis included as features.
For how long have I used the solution?
We have been using Black Duck for approximately four years.
What do I think about the stability of the solution?
We have not had any issues with stability.
It's a stable solution.
What do I think about the scalability of the solution?
The number of users on the project depends on the license and the project.
How are customer service and technical support?
I am from the DevOps team and have not had any contact with technical support. It's not an area that I am a part of.
If I have any issues, I escalate them to our team and they reach out to technical support.
Which solution did I use previously and why did I switch?
Previously, we did not use any other solution.
How was the initial setup?
The initial setup is complex.
We had some issues finding the report.
The length of deployment differs; it varies with the requirements.
What about the implementation team?
The implementation was done by someone in our company.
The maintenance is done through the vendor.
What's my experience with pricing, setup cost, and licensing?
The price is low. It's not an expensive solution.
What other advice do I have?
This is a product that I would recommend to others.
I would rate Black Duck an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Lead at a manufacturing company with 10,001+ employees
Stable, but the process is very manual and the price should be reduced
Pros and Cons
- "The stability is okay."
- "It needs to be more user-friendly for developers and in general, to ensure compliance."
What is our primary use case?
We use Black Duck to examine our source code for compliance issues.
What needs improvement?
The older version that we are using is very primitive. You have to do every step, right from setting up an application to the user. The code has to sit in a particular folder and all of the open-source dependencies have to be there. With everything in one folder, it starts to scan. As we are using Code Center, we need to ensure that all of the components are there. However, there are thousands of components and for each submission, the components have to be there. There are no bulk submissions or bulk transfers. Essentially, you need to write your own scripts with the APIs to do it more efficiently.
It needs to be more user-friendly for developers and in general, to ensure compliance. The scanning should be quick and easy to use, rather than complex.
The pricing for this solution should definitely be lower.
For how long have I used the solution?
We have been using Black Duck for between five and six years.
What do I think about the stability of the solution?
The stability is okay. We need to keep cleaning up and archiving, which is the standard care by an administrator.
What do I think about the scalability of the solution?
The number of people we have using Black Duck at any time is on a project-by-project basis. We probably have around 500 users, although they do not use it on a continuous basis. The usage is based on the number of requests. For some projects, it will be used just one time, and that's it.
How are customer service and technical support?
We have just started to contact technical support, so it is too early to evaluate them.
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to Black Duck.
How was the initial setup?
The initial setup is complex. It is installed and configured on a Linux-based system, and the on-premises database needs to be updated.
Upgrading our version of Black Duck to the most recent is a tedious process. It is very step-by-step and very manual.
What's my experience with pricing, setup cost, and licensing?
The price is quite high because the behavior of the software during the scan is similar to competing products.
Which other solutions did I evaluate?
We are currently evaluating whether we should continue to work with Black Duck, upgrading to the most recent version, or change to another solution. We are looking at several tools that also include WhiteSource and Checkmarx Composition Software Analysis. Ideally, we want to find a solution that suits our everyday needs.
One thing that we have found is that the price of Black Duck is quite high, compared to other products.
What other advice do I have?
As we are using an older version, and have not yet completed a PoC with the most recent one, I am not sure whether there are newer features that we need or will use. Things that we would like to see may have already been implemented.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Consulting Partner, Cyber Security Delivery - Africa at DeltaGRiC Consulting
Useful for determining the health of applications that contain open source components
Pros and Cons
- "It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
- "I would like to see more integration with other solutions, such as IntelliJ IDEA."
What is our primary use case?
We have been using this solution for between two and three years.
We frequently use this solution for software composition analysis. We also use it for vulnerability assessment and operational risk assessment. This is usually for customers who want to do one-off assessments, trying to check open source components they are using in their build.
How has it helped my organization?
This solution helps our customers to understand what really lies in their application. In terms of the open source components, it can show the dependencies that other components are relying on, which you don't see. For example, if your application is packaged with other stuff, it would help to pull up all of the dependencies. It will list all of the open source dependencies in the entire library and show details about what they are using. It highlights what the developers have done, and it shows the impact from an intellectual property point of view.
This can also impact them from a security perspective. For example, it can tell you about the health of an application. What we often see is that developers are using an older version of an open source component, and they don't change it because it works. In cases where a newer version is available, we are able to show them what old components they are using, and the age of those components. This gives them a measure of health for their application in terms of operational risk. If an application were to break tomorrow, the chances that it can be quickly fixed may be dependent on the age of the component.
Largely, this is the kind of value we use Black Duck to provide to customers in this part of the world.
What needs improvement?
I would like to see more integration with other solutions, such as IntelliJ IDEA.
What do I think about the stability of the solution?
This solution is stable. Maybe, depending on the browser that you use, you might have delays in response. If you are using Chrome, for example, and you click refresh on the web GUI, you get delays sometimes. I think that this is normal with most applications.
What do I think about the scalability of the solution?
In terms of scalability, we are a small team so we have never tried with too many users. We only have one user and have used this for two or three customers in South Africa. I think that it is pretty scalable, but the limitation comes from the pricing and licensing agreement.
Beyond the licensing, you might be limited by your hardware capacity. I think that it starts off with 16GB RAM and four cores minimum, but if there are more people on it then you might need to expand the resources.
How are customer service and technical support?
Like with any product, the technical support can be better. They have a feedback system where you raise a ticket, and it usually takes twenty-four hours before they respond. If there is something very urgent then you can escalate it, and I think that the delay is reduced to six hours.
How was the initial setup?
The initial setup for this solution is straightforward. It is Dockerized, and very easy if you use Linux. If you have a server on Azure then you can just go to the Azure marketplace and spin it up straight from there.
If you are using an instance on Google Cloud, for example, we've done deployments where you simply spin up the application and it deploys by itself in about four minutes. If you have to deploy by yourself, you have to wait for Linux to completely finish, etc. But if you're using a cloud service provider then it is automatic. You put in your license and you integrate it with whatever you want to do.
Once it is deployed, it is again straightforward. You can easily take your build, use the Hub Detect to scan it and get a JSON file, then upload it to the server. It will do the analysis and it is usually fast, except sometimes when you want to check code snippets.
It does not require more than one person for deployment and maintenance.
What about the implementation team?
We handle the deployment ourselves.
What was our ROI?
It is difficult to determine ROI when it comes to security because it depends on many things. For example, it may tell you how much knowledge your developers have about licensing, or security, which may ultimately reduce the cost of training.
On the other hand, it may increase the rate at which you find bugs or problems with specific components. This, again, may contribute to the ROI. However, it is difficult to say without a set of predefined metrics.
What's my experience with pricing, setup cost, and licensing?
The pricing works either by the number of users or by code size. In the case of code size, they give you unlimited users. For example, if you have two thousand developers but you want a code size of 20GB, then that is what you get. If, however, you have forty developers and a lot of projects then you can say "We'll use forty developers and then we can scan unlimited applications, even if our applications are going to be 3,000GB."
Depending on the use case, the cost could range from $10,000 USD to $70,000 USD. It depends on what you are doing. There are no costs in addition to the standard licensing fees, including the academy. If you buy the license then they give you access to their academy, where you can get trained. The integrations are free, and the plug-ins are free.
What other advice do I have?
This is a good solution. My advice to anybody interested in implementing it is to be clear in their mind whether they want to go on a user-based model or a code-based model. It can get tricky if your development team is growing rapidly.
Maybe you started off with five developers and then the next year you are growing to ten. Then, in another year, there are fourteen or twenty. As you grow, a user-based model may not work for you so you might consider going with the code-based model.
However, if you are working on multiple projects then you may consider the user-based model, as long as your headcount is relatively stable.
Overall, the deployment is straightforward, uploading code is straightforward, analysis is straightforward, but with integration then it may be slightly lacking.
I would rate this solution a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
Senior Project Manager at TRIVIUM ESOLUTIONS PRIVATE LIMITED
A stable and scalable solution but priced higher than competitors
Pros and Cons
- "The solution is stable."
- "The product's pricing is higher compared to other competitor products."
What needs improvement?
The product's pricing is higher compared to other competitor products.
For how long have I used the solution?
I am using the product for a year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The tool is scalable.
What other advice do I have?
I would rate the product a nine out of ten. We mostly have enterprise customers for the solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.