Black Duck Reviews

Name: Black Duck
Brand: Black Duck
Rating: 3.8 (22 reviews)

Vendor: Black Duck

3.8 out of 5

22 reviews
85% willing to recommend

637 followers

Start review

What is Black Duck?

Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.

Get the Black Duck Buyer's Guide and find out what your peers are saying about Black Duck, GitLab, Snyk and more!

Black Duck is the #1 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Black Duck an average rating of 7.6 out of 10. Black Duck is most commonly compared to GitLab: Black Duck vs GitLab. Black Duck is popular among the large enterprise segment, accounting for 73% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 20% of all views.

Helped 851,604 peers since 2012

Featured Black Duck reviews

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.

Read full review

Aaron P

DevOps Engineer at a manufacturing company with 1,001-5,000 employees

The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an open-source platform. One of the other things that I hate about the product stems from my dislike of contacting the support team of Black Duck to know if there are some issues since debugging some issues can be quite difficult. I don't find reliable or feasible documents to help me debug all those issues. The solution's pricing model and documentation areas of concern where improvement is needed. In our company, we get some issues or errors when we run a pipeline, and debugging those errors can be tedious and time-consuming. To minimize the time for debugging errors, I feel that Black Duck needs to add some documentation or something that will make it easy for users to debug the errors instead of seeking help from Black Duck's support team every time. Black Duck can add features, like viewing the vulnerability, to help users figure out the next step if they detect some vulnerability while also providing them some steps to help them follow some remedial steps, along with an explanation of measures to mitigate such issues. Black Duck's UI or server doesn't provide functionality to help users view the vulnerability, which is a process that needs to be automated. The solution's scalability is an area that needs to improve.

Read full review

Sagar Mody

Solutions Architect at a tech services company with 10,001+ employees

It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.

Read full review

Black Duck mindshare

As of May 2025, the mindshare of Black Duck in the Software Composition Analysis (SCA) category stands at 19.3%, down from 22.7% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA)

PeerResearch reports based on Black Duck reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	May 20, 2025	Download
Product	Reviews, tips, and advice from real users	May 20, 2025	Download
Comparison	Black Duck vs Veracode	May 20, 2025	Download
Comparison	Black Duck vs Snyk	May 20, 2025	Download
Comparison	Black Duck vs Sonatype Lifecycle	May 20, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.3	4.4%	97%	84 interviews Add to research
Snyk	4.0	14.8%	100%	45 interviews Add to research

Valuable Features

Black Duck offers automated component analysis, effective vulnerability scanning, and seamless integration with Docker binary files. It provides robust dependency identification, comprehensive policy management, and a substantial knowledge base. The user-friendly UI and easy installation enhance its appeal. Black Duck excels in identifying legal and security risks while maintaining audit readiness. Its extensive database and accurate recommendations improve security within applications, offering reliable management features and industry recognition.

"Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks."
"The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management."
"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."

Room for Improvement

Black Duck requires better integration with other tools and needs to simplify its scanning and setup processes. Users have expressed concerns about pricing, complexity, and documentation, which can make debugging difficult. Reporting capabilities should be enhanced for better clarity and functionality. The identification and classification of vulnerabilities are inconsistent and need improvement. Users also desire greater flexibility in the UI and the ability to manage components efficiently. Adding features for an on-prem option would address data privacy concerns.

"The initial setup of Black Duck is complex. It's not very straightforward. You need a lot of support and hand-holding from the Black Duck team itself for it to be deployed successfully across the organization."
"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"There are areas for improvement such as false positives and the scanning of containers."

ROI

Users report that Black Duck significantly improves their software management by identifying vulnerabilities early, ultimately leading to cost savings. They highlight its effectiveness in ensuring license compliance, which prevents potential legal costs and issues. Black Duck also offers a quick integration with existing workflows, further boosting productivity. Its comprehensive reporting capabilities facilitate better decision-making and risk management. Its robust security features and user-friendly interface contribute to increased efficiency and reduced operational risks.

Pricing

Enterprise buyers note that Black Duck pricing depends on user count or code size, ranging from $10,000 to $70,000 annually. While some find the cost high, licenses include access to an academy for training without extra fees, and integrations are free. Despite some negative feedback on pricing relative to features, many suggest knowing code size for better negotiation. Yearly payment options and additional charges for certain features are mentioned. Some organizations find it suitable for extensive licensing compliance.

"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

Popular Use Cases

Black Duck is primarily used for software composition analysis, identifying software components and assessing security and compliance risks. Organizations use it for vulnerability assessment and license compliance in development. It helps with open-source security management, ensures compliance in DevSecOps pipelines, and facilitates audits during the M&A process. Users focus on examining code for compliance, scanning for vulnerabilities, and detecting non-compliance in third-party applications, enhancing software visibility and security management.

Service and Support

Black Duck has a feedback system where some users find technical support professional and helpful. Response times vary, with reports of delays and a complex contact process. While some users rate support highly, others mention challenges due to geographic workweek differences and prioritization issues. Some have experienced very good support and quick responses, but others feel communication could be improved with a chatbot. Training resources are available for better assistance.

Deployment

Black Duck's setup varies in complexity; cloud-based options are simple and quick, while on-premises deployments can be challenging and manual. Many find cloud integration direct and fast, with some using the Azure or Google Cloud marketplaces for rapid deployment. Larger deployments needing scaling may require external expertise. Some enterprises report the process as seamless and appreciate the hassle-free SaaS model, whereas others encounter documentation challenges and need extensive support for successful implementation.

Scalability

Black Duck is considered scalable by various companies, accommodating both small teams and large enterprises. Scalability can be influenced by licensing models and hardware capabilities, with potential cost limitations for smaller firms. Many organizations, ranging from a few dozen to hundreds of users, find Black Duck adaptable to cloud and on-premise setups. Though praised for managing diverse environments, some express concerns about pricing when additional resources are needed temporarily.

Stability

Black Duck is known for its stability, with many noting it as reliable with no major bugs, glitches, crashes, or freezes. Some users mention occasional delays, particularly when using browsers like Chrome, but consider this typical of most applications. While transitioning from other tools might reveal some issues, Black Duck is typically rated between seven and ten for stability, indicating consistent and dependable performance.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Black Duck Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

20%

Manufacturing Company

16%

Computer Software Company

13%

Insurance Company

Healthcare Company

Retailer

Real Estate/Law Firm

Government

Educational Organization

Comms Service Provider

University

Energy/Utilities Company

Media Company

Transportation Company

Construction Company

Consumer Goods Company

Non Profit

Legal Firm

Recreational Facilities/Services Company

Outsourcing Company

Logistics Company

Performing Arts

Hospitality Company

Marketing Services Firm

Wholesaler/Distributor

Pharma/Biotech Company

Compare Black Duck with alternative products

Learn more about Black Duck

Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.

What are Black Duck's most important features?

Automatic Component Analysis: Provides automatic identification and analysis of open-source components.
Effective Vulnerability Scanning: Scans for vulnerabilities in both source code and binary files.
Comprehensive Knowledge Base: Offers expansive information on open-source components.
Policy Management: Enables the creation and enforcement of security and compliance policies.
Binary File Scanning: Capable of scanning binary files for in-depth security checks.
Ease of Use: Demonstrates ease of use, particularly on Mac products.
Stability: Known for its stable performance.
Docker Integration: Smooth integration with Docker for enhanced deployment.
Open-source Evaluation: Excellent evaluation capabilities for open-source software.
License Management: Manages open-source licenses effectively.
Easy Installation: Simple installation process.
Secure Onboarding: Ensures secure application onboarding.
API Availability: Provides APIs for custom integrations.
Community Support: Backed by an active community.
Dependency Tree Visualization: Visualizes dependencies for better management.

What benefits or ROI should users look for in reviews?

Improved Compliance: Helps maintain compliance with legal and regulatory requirements.
Risk Mitigation: Reduces risks associated with open-source vulnerabilities.
Enhanced Security: Strengthens software security by identifying and addressing potential issues early.
Time-saving: Automates many aspects of vulnerability scanning and analysis, saving valuable time.
Cost Efficiency: Detects issues early, potentially saving costs related to compliance breaches and security incidents.
Integration Ease: Seamlessly integrates with existing CI/CD pipelines and DevSecOps practices.
Knowledge Resource: Access to comprehensive information aiding better decision-making.

Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.

Black Duck was previously known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.