No more typing reviews! Try our Samantha, our new voice AI agent.

Black Duck SCA vs Software Risk Manager ASPM comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Mar 22, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Black Duck SCA
Ranking in Software Composition Analysis (SCA)
3rd
Average Rating
7.6
Reviews Sentiment
6.2
Number of Reviews
23
Ranking in other categories
No ranking in other categories
Software Risk Manager ASPM
Ranking in Software Composition Analysis (SCA)
24th
Average Rating
0.0
Reviews Sentiment
7.0
Number of Reviews
1
Ranking in other categories
Static Application Security Testing (SAST) (29th), Application Security Posture Management (ASPM) (15th)
 

Mindshare comparison

As of July 2026, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck SCA is 9.1%, down from 17.6% compared to the previous year. The mindshare of Software Risk Manager ASPM is 2.0%, up from 0.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA) Mindshare Distribution
ProductMindshare (%)
Black Duck SCA9.1%
Software Risk Manager ASPM2.0%
Other88.9%
Software Composition Analysis (SCA)
 

Featured Reviews

SS
Project Lead at ABB
Compliance checks have improved while vulnerability coverage and SBOM accuracy still need work
I think Black Duck SCA needs to improve on the overall approach. I assume that the people who developed Black Duck SCA believe that users will use this tool for some time in a full-fledged way with all those features. However, the way it really works with product development or in a software development life cycle is that this is just one of the steps for checking whether something is license compliant, whether it has vulnerabilities, or whether the SBOM is generated. It is just one of those steps in the software development process. The expectation from the tool's perspective is that users have to go into the Black Duck SCA portal, look at each of those items, and if something is not correct, try to find it out and update or configure the right CPEs or PURLs or those kinds of things. In reality, most users would not have time for this because they would have done this as part of the build and would generate an SBOM as part of the build. The tool should be quite usable. If a feature works properly and correctly, then nobody will go back and try to spend time on that. For example, if I generate an SBOM and that SBOM has a particular CPE and there are multiple sources, the tool should produce those CPEs with vulnerabilities, put them into the SBOM, and allow me to move forward. If there are more bugs or more configuration requirements, the usage will come down. It is like a mobile application: if there is too much data that needs to be looked at, configured, and used, then the number of users would come down. The tool should be fast, usable, and accurate. Users should just be able to use it without needing to learn too much. The learning curve should be less when using a tool, and the usage should be easy with basic understanding. They should not need to go through complex processes and can assume that whatever data is given is correct. That is where the whole problem with Black Duck SCA lies. The documentation is not really on the mark. For example, if there is a functionality, such as wanting to see a CPE, the documentation should show how to get this via API or see it and how to configure that with examples. Most of the time the tool says it is all in the community, which is not ideal. The community is different from a conceptual view. The community is for bugs and issues that users want to report. However, people who are looking at the tool fresh and need to see functionality such as scan configuration need clear documentation. If I want to see the scan configurations and how to do it, there are videos, but there should be clear documentation with examples, such as how to configure for Docker using specific commands and methods. This example could be clear documentation and should not be redirected to the community every time. If there is a problem or those kinds of issues, they should go to the community and solutions will be found. However, for basic documentation on features being provided, I do not see that kind of clear documentation with clear examples.
Saravanan_Radhakrishnan - PeerSpot reviewer
Senior Manager at Happiest Minds Technologies
Facilitates continuous assessment of applications, covering both static and dynamic security aspects
Code Dx lacks one aspect, the dynamic security part, known as DAST. It's not an on-premise solution; it's in the cloud now. There are compliance standards and data standards where the customer might need to have the data on-premises for dynamic security testing. So that is one shortfall. An area of improvement could be developing an on-premise DAST solution. The current one is a complete cloud-based solution, and that can be one of the areas of improvement.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks."
"The solution is very good at scanning and evaluating open source software."
"Black Duck has been the key player in the market for many years."
"This solution helps our customers to understand what really lies in their application."
"I like the fact that the product auto analyzes components."
"The software composition analysis is most effective for security risk management."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"The technical support has been fine, they help us a lot and we actually find them to be quite helpful."
"The customers were looking for something around static security and dynamic security, and in all those areas, they were looking for an industry leader with a proven solution. Synopsys is a Gartner leader, so I position this particular technology for the technical pre-sales part of it."
 

Cons

"It's still a bit inconsistent. For example, if I scan today, it might not show the same results tomorrow."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"The solution's pricing model and documentation areas of concern where improvement is needed."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"The initial setup is complex."
"They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility."
"The tool's documentation and support are areas of concern where improvements are required."
"The initial setup is a bit challenging because things are not easy. It needs a lot of technology adaptability plus the customer's environment-specific use cases."
 

Pricing and Cost Advice

"The price is low. It's not an expensive solution."
"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"It is expensive."
"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
"It is more of an enterprise solution for budget-conscious customers. So, it's moderately priced. It's not for everybody."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
903,996 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Manufacturing Company
16%
Financial Services Firm
16%
Computer Software Company
11%
University
5%
Financial Services Firm
15%
Manufacturing Company
13%
University
10%
Construction Company
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business6
Large Enterprise17
No data available
 

Questions from the Community

How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What needs improvement with Black Duck?
I think Black Duck SCA needs to improve on the overall approach. I assume that the people who developed Black Duck SCA believe that users will use this tool for some time in a full-fledged way with...
What is your primary use case for Black Duck?
The primary use cases are compliance and scanning in terms of license compliance and trying to identify snippets, particularly if there are any snippets being identified that are coming from open s...
Ask a question
Earn 20 points
 

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker
Code Dx
 

Overview

 

Sample Customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace
Discover why companies like: CGI said, "Synopsys and Software Risk Manager have provided the results we’re looking for".
Find out what your peers are saying about Veracode, Snyk, Black Duck and others in Software Composition Analysis (SCA). Updated: June 2026.
903,996 professionals have used our research since 2012.