Black Duck SCA Reviews

In terms of advantages, Black Duck offers a big database.

From a customer satisfaction point of view, I am not satisfied with the product. I am also not satisfied with the documentation part of the product. If you want to use the tool, you will have to indulge in self-learning. In terms of customer interaction, I read the product three out of ten.

If you provide a feature in a product, either you should provide training to customers or provide clear documentation with an example of how to use it. The aforementioned aspect is not covered by the solution. You get no response from Black Duck's end if you ask for support to help you deal with the features provided by the product, which doesn't work even though the documentation claims that its functionalities work. The tool's team provides a reason that doesn't even closely relate to the problems faced by the user. In general, certain features in the product don't work. The tool's documentation and support are areas of concern where improvements are required.

I have been using Black Duck for four years. I am a customer of the product.

I have experience with FossID and FOSSA. There are good products available in the market, and I would only be able to choose them based on my company's decision. From a user perspective, Black Duck is not viable for an organization since you cannot rely on a tool that offers not-so-good support or documentation. In the near future, I believe that my company should switch over from Black Duck.

My company does not take care of the installation part of the tool, as it is something that is taken care of in the cloud. The cloud option of the product is always available and a positive aspect of the solution.

The price charged by Black Duck is exorbitant. For the features provided by the product, I would not want to pay a high price. There are many other products in the market that offer better features and support services compared to Black Duck at a lower cost.

Even though my company is ready to pay extra charges for additional support from Black Duck, if a feature is given in a product and if it needs to be used by a user, then proper training and good documentation should be made available by the solution. If a certain set of users want to purchase a product, I believe that the solution should not charge them extra to teach them how to use the tool. A product can charge for the customization requested by users so that the tool is able to meet their specific needs. If a product offers a feature and somebody wants to use it even though they don't know how to use it, it is not acceptable for the solution to charge such users for training on how to use the tool's functionalities.

If there are other products with a better database, then my company would prefer to move to such tools.

We use the solution to detect non-compliance in third-party applications.

I really like the fact that we can define policies at a group level. Based on the foundation we create on the baseline, we can apply specific policies for specific teams. We can apply the same policy to the entire organization and tailor the policies for different teams. Policy management is a valuable feature.

I also enjoy using the license management feature in which we can add or review the terms of the licenses. The component management feature is also good. Black Duck is quite powerful. It has been in the industry for quite a lot of time, for around 30 years.

The documentation is quite scattered. It's really difficult to identify the documentation we need for a specific need. When I was working for an organization, I had to create my own documentation to establish the service for the group. The solution must make it easy for the users to understand what to do when they are getting started.

I have been familiar with the solution for a year, including the demo period.

The solution was pretty stable. We had some issues here and there.

The product is pretty scalable. It depends on the licensing model. We had negotiated a license model that was fit for our needs. Then, we added more applications as we grew. The tool provides both the on-premise and the cloud solution. We chose the cloud solution. We wanted the tool for internal use within our organization. We had more than 250 business units.

We have had a chance to benefit from expert hours with proper engineers who were able to respond to some questions. Some of them were more competent than the others. I'm satisfied with support on average.

Neutral

The initial setup is moderately hard because the documentation is not available. If someone is gathering the documentation and creating custom documentation for the organization, explaining how to connect to the CI/CD pipeline and create an account and everything in between, then it's not difficult. The initial investment in developing the documentation is quite tedious.

We provide an initial onboarding period of two weeks to the deployment team. The team can deploy the solution at its own pace, provided it follows the documentation. The team also has early life support throughout these two to three weeks, in which the team members also get trained and understand how to make the best of the tool’s features.

The deployment time depends on the organization’s application architecture, where they keep their projects, and how they are organized. These variables can extend or decrease the timeline for implementation. We need one or two technical resources to deploy the product.

We paid for the license on a yearly basis.

I have evaluated several other solutions, including FOSSA, but we didn't go forward with them. We chose Black Duck because it has a very strong knowledge base with a lot of customization around license management, component management, and policy management.

Organizations that enter a contract with Synopsys must be very careful about the expert hours. We would need support even if we do not have a premium contract. The expert hours are quite pricey. Whoever enters a contract with Synopsys should secure some expert hours because they will need it at least initially when they establish the system.

It wasn't that easy for us to onboard. It was a very steep learning curve. I was expecting more support from the vendor during the onboarding. I expected they would drive the onboarding since it was my first time using the solution. Instead, we had to discover a lot on our own as a customer. They provided some onboarding materials and training, but we were not hand-held through the process.

Overall, I rate the tool a nine out of ten.

Our company uses the solution to check open source software that is embedded in our products. 

The solution is very good at scanning and evaluating open source software. In the past, we had misunderstandings about the open source files in our products. 

The solution checks for open source license compliance. You provide the license for a software such as MIT and the solution scans documents, tabs, and files by date. 

It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations and ensure compliance. 

Sometimes the solution produces incorrect or ambiguous results so that needs improvement to ensure there are no misunderstandings. 

I have been using the solution for three years. 

The solution is scalable. We have different departments and it is easy to process change orders or add users. 

The scalability is rated an eight out of ten. 

The technical support is very, very good and their response time is very quick. 

I don't have experience with other solutions. 

The setup and implementation was completed by the supplier. We just waited for them to complete the process and then began using the solution.

The solution is the most popular open software scanning tool. I rate the solution an eight out of ten. 

We use Black Duck mainly for the DevSecOps pipeline. For the microservices-based application, we have to deploy Black Duck into the Kubernetes environment. 

I have worked for multiple clients across the world, such as the US and Europe in the banking, retail, and energy sectors.

The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately.

Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster.

I have been using Black Duck for a few years.

The stability of Black Duck is very good.

Black Duck is scalable.

The technical support from Black Duck is very good.

Black Duck is easy to install. The full implementation took a couple of hours.

I do the implementation of the solution.

We have seen a very high return on investment using Black Duck.

I rate Black Duck a nine out of ten.

We use the solution to scan Java code. 

We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time. 

The tool needs to improve its pricing. Its configuration is complex and can be improved. 

I have been using the tool for five years. 

Black Duck is stable. 

I rate the tool's deployment a seven out of ten. 

I rate the product an eight out of ten. 

It is able to drill down to the source level.

We expect a lot more features. They have to improve it a lot in terms of the way they do the analysis. At the analysis level, more depth is required.

They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.

We have been using this solution for a year. We are using its latest version.

It is stable.

Because it is on the cloud, it is scalable. We have quite a significant number of users. Our users might be in the hundreds.

Their support is not so strong. It is fine. It is not bad. If we go a little bit deeper on the technical side, they might not know about it.

We didn't do the setup. They did the setup. My guess is that it is not so easy because it's done in the docker environment. For its maintenance, we need two people.

It is expensive.

I would rate it a seven out of ten.

I am not working with Black Duck. I manage a team that works with Black Duck.

We are happy with this solution.

We have not yet explored all of the functionalities of Black Duck.

Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.

We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck. I feel that it is just a matter of time and it should be fine.

We have been working with Black Duck for a little more than one year.

It is a very small group of people who are using this solution in our organization.

My team is the open-source program office and we have three people who are using Black Duck and the other teams would be in the range of fewer than 20 people.

We contacted technical support as we were not able to fix this issue ourselves. We are not the primary contact who has procured the product, they are based out of Paris. We are using the license but we have to go through them to contact Black Duck to get their help.

I am not able to share an opinion on the support because we raised the issue only a few weeks back, and this being the summer vacation period, a lot of people were unavailable. I don't know whether that delay is being caused by our counterparts in Paris or if it is really caused by Black Duck.

We have been using other tools, but our IT division acquired Black Duck and we wanted to use it across the organization.

As far as security is concerned, it has always been a priority in our organization. We had different tools that we were using for security, but when it comes to operational risk and compliance and licensing, we didn't have any specific approach before Black Duck.

We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing.

We are only using a few of the licenses because they had acquired several licenses, but I'm not involved in the pricing and the contract negotiations.

I would rate Black Duck an eight out of ten.

It's a well-recognized tool in our industry. We have a lot of requests for the product from clients. 

The solution is very easy to use. 

The stability has been good over the years.

The installation is very easy.

Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive.

We've used the solution for about three or four years at this point. 

The stability is very good. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

Not everyone uses the solution at our company. Mainly, just developers use it, and we have about 60 people on it. 

Right now, we are considering changing to WhiteSource, however, we still might just keep Black Duck.

The initial setup isn't too difficult. It's a pretty straightforward, simple process. We have only installed it once, and I cannot recall how long the deployment actually took. It was a long time ago.

The cost of the solution is very high. We'd prefer if the product offered a monthly subscription.

We are a customer and an end-user.

We are using Black Duck Hub.

I'd rate the solution at an eight out of ten. We're mostly quite happy with the capabilities. 

Black Duck is a good, but not an inexpensive tool. If others want stability or a well-respected tool, I would recommend it.