Black Duck vs FOSSA comparison

Read 12 FOSSA reviews

2,750 Views
1,714 Comparison Views

100% willing to recommend

Black Duck

Comparison Buyer's Guide

Download the report

Executive Summary

We performed a comparison between Black Duck and FOSSA based on real PeerSpot user reviews.

Find out in this report how the two Software Composition Analysis (SCA) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI.

To learn more, read our detailed Black Duck vs. FOSSA Report (Updated: July 2024).

Black Duck vs. FOSSA

Download the complete report

Helped 793,295 peers since 2012

Categories and Ranking

Black Duck

Ranking in Software Composition Analysis (SCA)

1st

Average Rating

7.8

Number of Reviews

Ranking in other categories

No ranking in other categories

FOSSA

Ranking in Software Composition Analysis (SCA)

9th

Average Rating

8.6

Number of Reviews

Ranking in other categories

No ranking in other categories

Mindshare comparison

As of July 2024, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck is 26.0%, down from 27.9% compared to the previous year. The mindshare of FOSSA is 5.5%, down from 5.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

Unique Categories:

No other categories found

Featured Reviews

Zhengang Ren

Senior Quality Manager at a financial services firm with 11-50 employees

Feb 13, 2023

Very good at scanning open source software and ensuring compliance

Our company uses the solution to check open source software that is embedded in our products. The solution is very good at scanning and evaluating open source software. In the past, we had misunderstandings about the open source files in our products. The solution checks for open source license…

Read full review

Patrick Lonergan

Associate General Counsel at Circleci

Jul 19, 2020

Provides contextualized, easily actionable intelligence that alerts us to compliance issues

I wish there was a way that you could have a more global rollout of it, instead of having to do it in each repository individually. It's possible that's something that is offered now, or maybe if you were using the CI Jenkins, you'd be able to do that. But with Travis, there wasn't an easy way to do that. At least not that I could find. That was probably the biggest issue. Another thing that is they were super great to work with. I could contact them and the engineers were very responsive to the questions I had or if there was some issue I found they were always helpful working it out. I would say that the documentation would probably be another area that could use some work. If I was doing something that was undocumented but I might know about it because I talked to one of the engineers at FOSSA, then our engineers were always a little worried that it wasn't documented and if they should be using an undocumented feature. I felt like the documentation a lot of times trailed the product functionality a little bit. If you were trying to solve problems on your own, sometimes it wasn't the easiest.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."

"The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."

"The most valuable feature for me in Black Duck is its ability to scan binary files effectively."

"The solution is very good at scanning and evaluating open source software."

"Policy management is a valuable feature."

"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."

"The product enables other applications to be secure."

"The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately."

More Black Duck pros

"I am impressed with the tool’s seamless integration and quick results."

"The scalability is excellent."

"Their CLI tool is very efficient. It does not send your source code over to their servers. It just does fingerprinting. It is also very easy to integrate into software development practices."

"The most valuable feature is its ability to identify all of the components in a build, and then surface the licenses that are associated with it, allowing us to make a decision as to whether or not we allow a team to use the components. That eliminates the risk that comes with running consumer software that contains open source components."

"The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."

"What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."

"Being able to know the licenses of the libraries is most valuable because we sell products, and we need to provide to the customers the licenses that we are using."

"One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may be conflicts with or raises a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward."

More FOSSA pros

Cons

"The tool's documentation and support are areas of concern where improvements are required."

"I would like to see more integration with other solutions, such as IntelliJ IDEA."

"The scanner client is limited by the size of software it can handle."

"The product's pricing is higher compared to other competitor products."

"The solution must provide more open APIs."

"We're not too sure about the extension of the firewall. It never shows up in the Hub."

"The documentation is quite scattered."

"It's still a bit inconsistent. For example, if I scan today, it might not show the same results tomorrow."

More Black Duck cons

"Security scanning is an area for improvement. At this point, our experience is that we're only scanning for license information in components, and we're not scanning for security vulnerability information. We don't have access to that data. We use other tools for that. It would be an improvement for us to use one tool instead of two, so that we just have to go through one process instead of two."

"I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support."

"The technical support has room for improvement."

"On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying."

"The solution provides contextualized, actionable, intelligence that alerts us to compliance issues, but there is still a little bit of work to be done on it. One of the issues that I have raised with FOSSA is that when it identifies an issue that is an error, why is it in error? What detail can they give to me? They've improved, but that still needs some work. They could provide more information that helps me to identify the dependencies and then figure out where they originated from."

"I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scanning and reverse engineering of the boundaries and finding out what is inside."

"One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential."

"For open-source management, FOSSA's out-of-the-box policy engine is easy to use, but the list of licenses is not as complete as we would like it to be. They should add more open-source licenses to the selection."

More FOSSA cons

Pricing and Cost Advice

"The price is low. It's not an expensive solution."

"The pricing is a little high."

"It is expensive."

"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."

"The price is quite high because the behavior of the software during the scan is similar to competing products."

"The price charged by Black Duck is exorbitant."

"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."

"Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market. It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team."

"FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it."

"The solution's cost is a five out of ten."

"FOSSA is not cheap, but their offering is top-notch. It is very much a "you get what you pay for" scenario. Regardless of the price, I highly recommend FOSSA."

See which vendors are best for you

Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.

See recommendations

793,295 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

21%

Manufacturing Company

16%

Computer Software Company

15%

Healthcare Company

Manufacturing Company

26%

Computer Software Company

17%

Financial Services Firm

11%

Healthcare Company

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

How does WhiteSource compare with Black Duck?

We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...

What do you like most about Black Duck?

The cloud option of the product is always available and a positive aspect of the solution.

What is your experience regarding pricing and costs for Black Duck?

The price charged by Black Duck is exorbitant. For the features provided by the product, I would not want to pay a high price. There are many other products in the market that offer better features...

What do you like most about FOSSA?

I am impressed with the tool’s seamless integration and quick results.

What is your experience regarding pricing and costs for FOSSA?

FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it.

What needs improvement with FOSSA?

I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scannin...

Fortify Static Code Analyzer vs Black Duck

Comparisons

Snyk vs Black Duck

Compared 23% of the time

Compared 19% of the time

JFrog Xray vs Black Duck

Compared 12% of the time

Mend.io vs Black Duck

Compared 9% of the time

Sonatype Lifecycle vs Black Duck

Compared 6% of the time

More Black Duck Competitors

Snyk vs FOSSA

Compared 16% of the time

Mend.io vs FOSSA

Compared 9% of the time

JFrog Xray vs FOSSA

Compared 7% of the time

Fortify Static Code Analyzer vs FOSSA

Compared 6% of the time

Sonatype Lifecycle vs FOSSA

Compared 4% of the time

More FOSSA Competitors

Product Reports

Black Duck

Download Black Duck product report

Download FOSSA product report

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker

No data available

Learn More

Synopsys

Video not available

Overview

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for legal teams to maintain license compliance, security to fix vulnerabilities, and engineering to improve code quality across the entire software supply chain. As the only developer-native open source management platform, FOSSA fully integrates with your existing CI/CD pipeline to provide complete visibility and context earlier in the software development lifecycle. For the first time, teams can collaboratively shift left and audit, analyze, control, and remediate license issues and vulnerabilities right in their existing workflows.

Sample Customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace

AppDyanmic, Uber, Twitter, Zendesk, Confluent

Black Duck vs. FOSSA