Black Duck Reviews

Name: Black Duck
Brand: Black Duck
Rating: 3.8 (22 reviews)

3.8 out of 5

22 reviews
85% willing to recommend

What is Black Duck?

Organizations use Black Duck for compliance, internal audits, license management, and security, scanning software to identify vulnerabilities, non-compliant code, and dependencies in open-source projects.

Get the Black Duck Buyer's Guide and find out what your peers are saying about Black Duck, GitLab, Snyk and more!

Black Duck is the #1 ranked solution in top Software Composition Analysis (SCA) solutions. PeerSpot users give Black Duck an average rating of 7.6 out of 10. Black Duck is most commonly compared to GitLab: Black Duck vs GitLab. Black Duck is popular among the large enterprise segment, accounting for 70% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 18% of all views.

Helped 866,218 peers since 2012

Featured Black Duck reviews

Aaron P

DevOps Engineer at a manufacturing company with 1,001-5,000 employees

The only thing I don't like about the product is that it is quite expensive and it is not very feasible as an open-source platform. One of the other things that I hate about the product stems from my dislike of contacting the support team of Black Duck to know if there are some issues since debugging some issues can be quite difficult. I don't find reliable or feasible documents to help me debug all those issues. The solution's pricing model and documentation areas of concern where improvement is needed. In our company, we get some issues or errors when we run a pipeline, and debugging those errors can be tedious and time-consuming. To minimize the time for debugging errors, I feel that Black Duck needs to add some documentation or something that will make it easy for users to debug the errors instead of seeking help from Black Duck's support team every time. Black Duck can add features, like viewing the vulnerability, to help users figure out the next step if they detect some vulnerability while also providing them some steps to help them follow some remedial steps, along with an explanation of measures to mitigate such issues. Black Duck's UI or server doesn't provide functionality to help users view the vulnerability, which is a process that needs to be automated. The solution's scalability is an area that needs to improve.

Read full review

Saravanan_Radhakrishnan

Senior Manager at Happiest Minds Technologies

The product enables other applications to be secure. We use it to onboard 400 to 500 applications into the DevOps platform, protect them, and have a secure environment. The tool integrates well with different technologies, application stacks, and databases. The APIs are available. We can read the blogs in the community for open-source compliance and security. The community feeds are important. Black Duck is a leader in Gartner. It is a reliable solution.

Read full review

Sagar Mody

Solutions Architect at a tech services company with 10,001+ employees

It's still a bit inconsistent. For example, sometimes a scan might reveal components or vulnerabilities, and the next day they might not show up. There's a lack of consistency at times. Of course, this could sometimes be due to new vulnerabilities being identified in the public domain after a scan. So, consistent inputs and more streamlined dependency management are needed. It doesn’t clearly show whether vulnerabilities are from direct or transitive dependencies. A clear classification between direct and indirect vulnerabilities is crucial. If I'm looking to improve my product, I need to know out of 'x' vulnerabilities, how many are direct dependencies. With direct dependencies, I can take action, like replacing a component. But with transitive dependencies, we are helpless at times. Often, we have to raise exceptions and work around them. A clear classification between direct and indirect dependencies is something I'd like to see improved.

Read full review

Black Duck mindshare

As of August 2025, the mindshare of Black Duck in the Software Composition Analysis (SCA) category stands at 17.8%, down from 22.5% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Software Composition Analysis (SCA) Market Share Distribution
Product	Market Share (%)
Black Duck	17.8%
Snyk	13.7%
JFrog Xray	10.3%
Other	58.2%

Software Composition Analysis (SCA)

PeerResearch reports based on Black Duck reviews

Type	Title	Date
Category	Software Composition Analysis (SCA)	Aug 29, 2025	Download
Product	Reviews, tips, and advice from real users	Aug 29, 2025	Download
Comparison	Black Duck vs Snyk	Aug 29, 2025	Download
Comparison	Black Duck vs Veracode	Aug 29, 2025	Download
Comparison	Black Duck vs Sonatype Lifecycle	Aug 29, 2025	Download

Title	Rating	Mindshare	Recommending
GitLab	4.2	4.1%	97%	85 interviews Add to research
Snyk	4.0	13.7%	100%	48 interviews Add to research

Valuable Features

Black Duck offers automated component analysis, effective vulnerability scanning, and seamless integration with Docker binary files. It provides robust dependency identification, comprehensive policy management, and a substantial knowledge base. The user-friendly UI and easy installation enhance its appeal. Black Duck excels in identifying legal and security risks while maintaining audit readiness. Its extensive database and accurate recommendations improve security within applications, offering reliable management features and industry recognition.

"Black Duck's ability to identify dependencies very accurately has been most valuable in identifying and mitigating risks."
"The most valuable feature of Black Duck is the composition analysis feature, which is effective for security risk management."
"The automated code scanning feature and Black Duck's integration with our development tools have enhanced our software compliance process and overall audit readiness."

Room for Improvement

Black Duck requires better integration with other tools and needs to simplify its scanning and setup processes. Users have expressed concerns about pricing, complexity, and documentation, which can make debugging difficult. Reporting capabilities should be enhanced for better clarity and functionality. The identification and classification of vulnerabilities are inconsistent and need improvement. Users also desire greater flexibility in the UI and the ability to manage components efficiently. Adding features for an on-prem option would address data privacy concerns.

"The initial setup of Black Duck is complex. It's not very straightforward. You need a lot of support and hand-holding from the Black Duck team itself for it to be deployed successfully across the organization."
"Black Duck does not have the SBOM management part. I would like to see this feature added in the future."
"There are areas for improvement such as false positives and the scanning of containers."

ROI

Users report that Black Duck significantly improves their software management by identifying vulnerabilities early, ultimately leading to cost savings. They highlight its effectiveness in ensuring license compliance, which prevents potential legal costs and issues. Black Duck also offers a quick integration with existing workflows, further boosting productivity. Its comprehensive reporting capabilities facilitate better decision-making and risk management. Its robust security features and user-friendly interface contribute to increased efficiency and reduced operational risks.

Pricing

Enterprise buyers note that Black Duck pricing depends on user count or code size, ranging from $10,000 to $70,000 annually. While some find the cost high, licenses include access to an academy for training without extra fees, and integrations are free. Despite some negative feedback on pricing relative to features, many suggest knowing code size for better negotiation. Yearly payment options and additional charges for certain features are mentioned. Some organizations find it suitable for extensive licensing compliance.

"The price charged by Black Duck is exorbitant."
"The pricing is a little high."
"I rate the product's price one on a scale of one to ten, where one is a high price, and ten is a low price."

Popular Use Cases

Black Duck is primarily used for software composition analysis, identifying software components and assessing security and compliance risks. Organizations use it for vulnerability assessment and license compliance in development. It helps with open-source security management, ensures compliance in DevSecOps pipelines, and facilitates audits during the M&A process. Users focus on examining code for compliance, scanning for vulnerabilities, and detecting non-compliance in third-party applications, enhancing software visibility and security management.

Service and Support

Black Duck has a feedback system where some users find technical support professional and helpful. Response times vary, with reports of delays and a complex contact process. While some users rate support highly, others mention challenges due to geographic workweek differences and prioritization issues. Some have experienced very good support and quick responses, but others feel communication could be improved with a chatbot. Training resources are available for better assistance.

Deployment

Black Duck's setup varies in complexity; cloud-based options are simple and quick, while on-premises deployments can be challenging and manual. Many find cloud integration direct and fast, with some using the Azure or Google Cloud marketplaces for rapid deployment. Larger deployments needing scaling may require external expertise. Some enterprises report the process as seamless and appreciate the hassle-free SaaS model, whereas others encounter documentation challenges and need extensive support for successful implementation.

Scalability

Black Duck is considered scalable by various companies, accommodating both small teams and large enterprises. Scalability can be influenced by licensing models and hardware capabilities, with potential cost limitations for smaller firms. Many organizations, ranging from a few dozen to hundreds of users, find Black Duck adaptable to cloud and on-premise setups. Though praised for managing diverse environments, some express concerns about pricing when additional resources are needed temporarily.

Stability

Black Duck is known for its stability, with many noting it as reliable with no major bugs, glitches, crashes, or freezes. Some users mention occasional delays, particularly when using browsers like Chrome, but consider this typical of most applications. While transitioning from other tools might reveal some issues, Black Duck is typically rated between seven and ten for stability, indicating consistent and dependable performance.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Black Duck Buyer's Guide for additional reliable information.

Review data by company size

By reviewers
Company Size	Count
Small Business	6
Large Enterprise	13

By reviewers

By visitors reading reviews
Company Size	Count
Small Business	443
Midsize Enterprise	274
Large Enterprise	1689

By visitors reading reviews

Top industries

By visitors reading reviews

Financial Services Firm

18%

Manufacturing Company

15%

Computer Software Company

13%

Insurance Company

Healthcare Company

Retailer

Educational Organization

Real Estate/Law Firm

University

Comms Service Provider

Energy/Utilities Company

Government

Media Company

Construction Company

Consumer Goods Company

Transportation Company

Non Profit

Performing Arts

Outsourcing Company

Legal Firm

Recreational Facilities/Services Company

Hospitality Company

Marketing Services Firm

Wholesaler/Distributor

Logistics Company

Pharma/Biotech Company

Aerospace/Defense Firm

Compare Black Duck with alternative products

Learn more about Black Duck

Black Duck integrates into CI/CD pipelines and DevSecOps processes, helping multiple industries detect and handle risks associated with open-source usage. Users leverage it for source and binary analysis to ensure security and compliance before software release. Automatic component analysis, effective vulnerability scanning, and a comprehensive knowledge base are some of its valuable features. Despite needing improvements in scanning speed, UI, and documentation, Black Duck remains crucial for ensuring open-source security and compliance.

What are Black Duck's most important features?

Automatic Component Analysis: Provides automatic identification and analysis of open-source components.
Effective Vulnerability Scanning: Scans for vulnerabilities in both source code and binary files.
Comprehensive Knowledge Base: Offers expansive information on open-source components.
Policy Management: Enables the creation and enforcement of security and compliance policies.
Binary File Scanning: Capable of scanning binary files for in-depth security checks.
Ease of Use: Demonstrates ease of use, particularly on Mac products.
Stability: Known for its stable performance.
Docker Integration: Smooth integration with Docker for enhanced deployment.
Open-source Evaluation: Excellent evaluation capabilities for open-source software.
License Management: Manages open-source licenses effectively.
Easy Installation: Simple installation process.
Secure Onboarding: Ensures secure application onboarding.
API Availability: Provides APIs for custom integrations.
Community Support: Backed by an active community.
Dependency Tree Visualization: Visualizes dependencies for better management.

What benefits or ROI should users look for in reviews?

Improved Compliance: Helps maintain compliance with legal and regulatory requirements.
Risk Mitigation: Reduces risks associated with open-source vulnerabilities.
Enhanced Security: Strengthens software security by identifying and addressing potential issues early.
Time-saving: Automates many aspects of vulnerability scanning and analysis, saving valuable time.
Cost Efficiency: Detects issues early, potentially saving costs related to compliance breaches and security incidents.
Integration Ease: Seamlessly integrates with existing CI/CD pipelines and DevSecOps practices.
Knowledge Resource: Access to comprehensive information aiding better decision-making.

Black Duck is implemented by industries ranging from finance to healthcare, addressing security and compliance in open-source usage. Financial institutions employ it to manage license risks and ensure audit readiness. Healthcare organizations use it to comply with stringent data protection regulations, ensuring patient data security and privacy. Tech companies integrate Black Duck within CI/CD pipelines to maintain the security and compliance of software products before release. Its deployment varies, tailored to meet the specific risk management and compliance needs dictated by each sector's regulatory environment.

Black Duck was previously known as Blackduck Hub, Black Duck Protex, Black Duck Security Checker.

Black Duck customers

Samsung, Siemens, ScienceLogic, BryterCX, Dynatrace

Product Categories

Software Composition Analysis (SCA)

Popular Comparisons

GitLab vs Black Duck

Snyk vs Black Duck

Veracode vs Black Duck

Mend.io vs Black Duck

JFrog Xray vs Black Duck

Sonatype Lifecycle vs Black Duck

Semgrep vs Black Duck

Polaris Software Integrity Platform vs Black Duck

FOSSA vs Black Duck

ReversingLabs vs Black Duck

Apiiro vs Black Duck

CAST Highlight vs Black Duck

Cycode vs Black Duck

Checkmarx Software Composition Analysis vs Black Duck

Sonatype Repository Firewall vs Black Duck

See all alternatives

Black Duck Reviews Summary
Author info	Rating	Review Summary
IP Head at a tech services company with 10,001+ employees	3.5	I find Black Duck to be robust and accurate, particularly in identifying dependencies and licenses, but it needs improvement in security vulnerability identification. It's pricier and complex to set up, impacting direct ROI assessment in some cases.
Director at a healthcare company with 10,001+ employees	3.0	I recommend Black Duck for its ability to identify software components and manage security, operational, and license risks effectively. While it excels in risk management, improvements are needed in addressing false positives, reporting, and container scanning.
Director at a healthcare company with 10,001+ employees	4.0	I use Black Duck primarily for software composition analysis. Its composition analysis and automated code scanning features are valuable for managing security risks and audit readiness. However, the absence of SBOM management is a notable drawback for me.
DevOps Engineer at a manufacturing company with 1,001-5,000 employees	3.5	As a DevOps engineer, I integrate Black Duck in our CI/CD pipeline for product vulnerability scans. The UI is valuable for easy integration, but improvements are needed in pricing, documentation, and scalability. Debugging can be challenging without adequate documentation.
Senior Manager at Happiest Minds Technologies	3.5	We use Black Duck for open-source security management in DevOps and DevSecOps, appreciating its integration capabilities and community resources. It effectively secures 400 to 500 applications, although more open APIs would enhance its functionality further.
Solutions Architect at a tech services company with 10,001+ employees	4.0	I use Synopsys Black Duck for security-focused project scans, identifying vulnerabilities through source code and binary analysis. It provides precise fixes and dependency insights, but sometimes lacks consistency, particularly in differentiating between direct and transitive vulnerabilities.
Project Manager at a manufacturing company with 11-50 employees	4.5	I use Black Duck to detect vulnerabilities in open-source software, valuing its effective binary file scanning. However, its reporting capabilities need improvement for clarity and comprehensiveness. Compared to competitors, it's superior in deployment, scalability, and its comprehensive vulnerability database.
Group IT Vendor Management Director at Twoday	4.5	I use Black Duck to detect non-compliance in third-party applications. Its valuable features include policy and license management at a group level. Despite its power, documentation needs improvement. I evaluated other solutions like FOSSA but chose Black Duck for its customization.

Black Duck Reviews

What is Black Duck?

Featured Black Duck reviews

Black Duck mindshare

PeerResearch reports based on Black Duck reviews

Valuable Features

Room for Improvement

ROI

Pricing

Popular Use Cases

Service and Support

Deployment

Scalability

Stability

Review data by company size

Top industries

Compare Black Duck with alternative products

Learn more about Black Duck

Black Duck customers

Related questions

Product Categories

Popular Comparisons