Comparison Buyer's Guide

Executive SummaryUpdated on May 29, 2022
 

Categories and Ranking

Black Duck
Ranking in Software Composition Analysis (SCA)
1st
Average Rating
7.8
Number of Reviews
19
Ranking in other categories
No ranking in other categories
Mend.io
Ranking in Software Composition Analysis (SCA)
4th
Average Rating
8.4
Number of Reviews
29
Ranking in other categories
Application Security Tools (13th), Static Code Analysis (4th), Software Supply Chain Security (1st)
 

Mindshare comparison

As of June 2024, in the Software Composition Analysis (SCA) category, the mindshare of Black Duck is 28.8%, up from 26.7% compared to the previous year. The mindshare of Mend.io is 7.7%, down from 10.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Software Composition Analysis (SCA)
Unique Categories:
No other categories found
Application Security Tools
3.6%
Static Code Analysis
20.7%
 

Featured Reviews

CV
Dec 15, 2020
Good knowledge base and management system and helpful for discovering commercial and open-source licenses
It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.
SM
Sep 26, 2023
Helps to identify open-source vulnerabilities and eliminate any licensing risks
Using Mend SCA, it is easy to identify open-source vulnerabilities, but it is not easy to remediate because there are multiple moving components or moving parts in a build frame or a small library, so the impact of one component can be different on different products. To identify open-source vulnerabilities, you just run a scan in your pipeline, but to fix them, you need to do multiple regression tests and check whether your application or product is getting affected by that upgrade or not. Mend SCA has helped reduce our mean time to resolution (MTTR). Knowing a risk does not necessarily help us in remediating or fixing that vulnerability, but it helps at least in deploying certain compensatory controls so that we can take on the upgrade part later on. Our protection is deployed at the parameter level, at the system level, or at the network level. It has reduced our MTTR roughly by 20%. Mend SCA has definitely helped us reduce the number of open-source software vulnerabilities running in our production at any given point in time. We have now started to break the build in case there are any high-level or critical vulnerabilities. Certain teams, not all, are now forced to fix them, which is why the vulnerability count is going down. There is about a 20% reduction in vulnerabilities.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The solution is very good at scanning and evaluating open source software."
"The stability is okay."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"I like the fact that the product auto analyzes components."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."
"The product enables other applications to be secure."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"The dashboard view and the management view are most valuable."
"The overall support that we receive is pretty good. ​"
"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"For us, the most valuable tool was open-source licensing analysis."
"The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution."
 

Cons

"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"The documentation is quite scattered."
"The initial setup could be simplified. It was somewhat complex."
"It's still a bit inconsistent. For example, if I scan today, it might not show the same results tomorrow."
"The tool's documentation and support are areas of concern where improvements are required."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"The dashboard UI and UX are problematic."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"Make the product available in a very stable way for other web browsers."
 

Pricing and Cost Advice

"The pricing is a little high."
"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"Depending on the use case, the cost could range from $10,000 USD to $70,000 USD."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."
"The price is low. It's not an expensive solution."
"The price charged by Black Duck is exorbitant."
"It is expensive."
"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"It is fairly priced."
"The solution involves a yearly licensing fee."
"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
"WhiteSource is much more affordable than Veracode."
"Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
"Pricing is competitive."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
report
Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
789,728 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
21%
Manufacturing Company
16%
Computer Software Company
15%
Healthcare Company
4%
Financial Services Firm
17%
Computer Software Company
16%
Manufacturing Company
11%
Insurance Company
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What do you like most about Black Duck?
The cloud option of the product is always available and a positive aspect of the solution.
What is your experience regarding pricing and costs for Black Duck?
The price charged by Black Duck is exorbitant. For the features provided by the product, I would not want to pay a high price. There are many other products in the market that offer better features...
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
 

Comparisons

 

Also Known As

Blackduck Hub, Black Duck Protex, Black Duck Security Checker
WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
 

Learn More

 

Overview

 

Sample Customers

Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Find out what your peers are saying about Black Duck vs. Mend.io and other solutions. Updated: May 2024.
789,728 professionals have used our research since 2012.