Try our new research platform with insights from 80,000+ expert users
Black Duck SCA Logo

Black Duck SCA pros and cons

Vendor: Black Duck
3.8 out of 5
Badge Leader
Leave a review

Pros & Cons summary

Black Duck SCA offers a robust knowledge base and vulnerability scanning, integrates well with Mac products, and improves audit readiness. It enhances software compliance, supports risk management, and simplifies cloud deployment. However, initial setup is complex, integration with some tools is limited, and the pricing model is considered high. Users report incomplete SBOMs and desire SBOM management features. Despite these concerns, its comprehensive capabilities aid in effective security management.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.
Get the report

Prominent pros & cons

PROS

Black Duck SCA provides a comprehensive knowledge base, management system, and impressive vulnerability scanning capabilities, effectively integrating with Mac products and ensuring up-to-date reference points for all vulnerabilities.
It excels in automated code scanning, integrating seamlessly with development tools, enhancing software compliance processes, and improving audit readiness.
The software's extensive scan reserves and vulnerability exposures, together with its ability to drill down to source levels, greatly support security risk management.
Its sophisticated policy management and automated component analysis significantly aid in identifying and mitigating risks, especially with dependencies.
Installation and cloud availability are both reported as easy and consistently positive, contributing to overall effective security risk management.

CONS

SBOMs generated from Black Duck SCA may be incomplete, and vulnerabilities verified post-generation can be incorrect or missing.
Integration with other tools, such as IntelliJ IDEA, is limited.
The initial setup is complex and requires considerable support from the Black Duck team to deploy successfully across an organization.
There are concerns about the pricing model; it is considered high compared to competitor products.
Black Duck SCA lacks SBOM management capabilities, which users would like to see added.
 

Black Duck SCA Pros review quotes

TO
TundeOgunkoya
Consulting Partner, Cyber Security Delivery - Africa at DeltaGRiC Consulting
May 28, 2019
It highlights what the developers have done, and it shows the impact from an intellectual property point of view.
Read full review
ZR
Zvika-Ronen
Chief Technology Officer (CTO) at FOSSAWARE
Jan 15, 2020
I like the fact that the product auto analyzes components.
Read full review
SS
SanjeevKumar26
Project Lead at ABB
Jun 7, 2020
The stability is okay.
Read full review
Buyer's Guide
Black Duck SCA
March 2026
Free Report: Black Duck SCA Reviews and More
Learn what your peers think about Black Duck SCA. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
DOWNLOAD NOW
884,933 professionals have used our research since 2012.
reviewer1421445 - PeerSpot reviewer
reviewer1421445
Former SVP at a manufacturing company with 5,001-10,000 employees
Sep 27, 2020
The solution works well on Mac products.
Read full review
it_user1435263 - PeerSpot reviewer
it_user1435263
Lead Product Enginner at Harman International Industries, Incorporated
Dec 7, 2020
The most valuable feature is the vulnerability scanning, and that it's easy to use.
Read full review
reviewer1472997 - PeerSpot reviewer
reviewer1472997
CTO at a computer software company with 11-50 employees
Dec 15, 2020
The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach.
Read full review
reviewer1642500 - PeerSpot reviewer
reviewer1642500
Engineer at a manufacturing company with 10,001+ employees
Aug 6, 2021
The installation is very easy.
Read full review
JR
Jyotiprasad RATH
Head: Open Source Program Office at a financial services firm with 10,001+ employees
Aug 26, 2021
Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.
Read full review
SS
SanjeevKumar26
Project Lead at ABB
May 3, 2022
It is able to drill down to the source level.
Read full review
Tarun-Sharma - PeerSpot reviewer
Tarun-Sharma
Cloud Solution Architect at IBM
Jun 8, 2022
The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately.
Read full review
Show 10 more reviews (out of 23)
 

Black Duck SCA Cons review quotes

TO
TundeOgunkoya
Consulting Partner, Cyber Security Delivery - Africa at DeltaGRiC Consulting
May 28, 2019
I would like to see more integration with other solutions, such as IntelliJ IDEA.
Read full review
ZR
Zvika-Ronen
Chief Technology Officer (CTO) at FOSSAWARE
Jan 15, 2020
The scanner client is limited by the size of software it can handle.
Read full review
SS
SanjeevKumar26
Project Lead at ABB
Jun 7, 2020
It needs to be more user-friendly for developers and in general, to ensure compliance.
Read full review
Buyer's Guide
Black Duck SCA
March 2026
Free Report: Black Duck SCA Reviews and More
Learn what your peers think about Black Duck SCA. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
DOWNLOAD NOW
884,933 professionals have used our research since 2012.
reviewer1421445 - PeerSpot reviewer
reviewer1421445
Former SVP at a manufacturing company with 5,001-10,000 employees
Sep 27, 2020
We're not too sure about the extension of the firewall. It never shows up in the Hub.
Read full review
it_user1435263 - PeerSpot reviewer
it_user1435263
Lead Product Enginner at Harman International Industries, Incorporated
Dec 7, 2020
The initial setup could be simplified. It was somewhat complex.
Read full review
reviewer1472997 - PeerSpot reviewer
reviewer1472997
CTO at a computer software company with 11-50 employees
Dec 15, 2020
It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.
Read full review
reviewer1642500 - PeerSpot reviewer
reviewer1642500
Engineer at a manufacturing company with 10,001+ employees
Aug 6, 2021
Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive.
Read full review
JR
Jyotiprasad RATH
Head: Open Source Program Office at a financial services firm with 10,001+ employees
Aug 26, 2021
We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck.
Read full review
SS
SanjeevKumar26
Project Lead at ABB
May 3, 2022
They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.
Read full review
Tarun-Sharma - PeerSpot reviewer
Tarun-Sharma
Cloud Solution Architect at IBM
Jun 8, 2022
Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster.
Read full review
Show 10 more reviews (out of 23)

Product Categories

Product Categories
Software Composition Analysis (SCA)

Popular Comparisons

Popular Comparisons
Snyk vs Black Duck SCA Logo
Snyk vs Black Duck SCA
GitLab vs Black Duck SCA Logo
GitLab vs Black Duck SCA
Veracode vs Black Duck SCA Logo
Veracode vs Black Duck SCA
JFrog Xray vs Black Duck SCA Logo
JFrog Xray vs Black Duck SCA
Mend.io vs Black Duck SCA Logo
Mend.io vs Black Duck SCA
Sonatype Lifecycle vs Black Duck SCA Logo
Sonatype Lifecycle vs Black Duck SCA
Semgrep vs Black Duck SCA Logo
Semgrep vs Black Duck SCA
ReversingLabs vs Black Duck SCA Logo
ReversingLabs vs Black Duck SCA
Aikido Security vs Black Duck SCA Logo
Aikido Security vs Black Duck SCA
Sonatype Repository Firewall vs Black Duck SCA Logo
Sonatype Repository Firewall vs Black Duck SCA
Apiiro vs Black Duck SCA Logo
Apiiro vs Black Duck SCA
Polaris Platform vs Black Duck SCA Logo
Polaris Platform vs Black Duck SCA
Cycode vs Black Duck SCA Logo
Cycode vs Black Duck SCA
FOSSA vs Black Duck SCA Logo
FOSSA vs Black Duck SCA
Checkmarx Software Composition Analysis vs Black Duck SCA Logo
Checkmarx Software Composition Analysis vs Black Duck SCA
See all alternatives

Product Categories

Product Categories
Software Composition Analysis (SCA)

Popular Comparisons

Popular Comparisons
Snyk vs Black Duck SCA Logo
Snyk vs Black Duck SCA
GitLab vs Black Duck SCA Logo
GitLab vs Black Duck SCA
Veracode vs Black Duck SCA Logo
Veracode vs Black Duck SCA
JFrog Xray vs Black Duck SCA Logo
JFrog Xray vs Black Duck SCA
Mend.io vs Black Duck SCA Logo
Mend.io vs Black Duck SCA
Sonatype Lifecycle vs Black Duck SCA Logo
Sonatype Lifecycle vs Black Duck SCA
Semgrep vs Black Duck SCA Logo
Semgrep vs Black Duck SCA
ReversingLabs vs Black Duck SCA Logo
ReversingLabs vs Black Duck SCA
Aikido Security vs Black Duck SCA Logo
Aikido Security vs Black Duck SCA
Sonatype Repository Firewall vs Black Duck SCA Logo
Sonatype Repository Firewall vs Black Duck SCA
Apiiro vs Black Duck SCA Logo
Apiiro vs Black Duck SCA
Polaris Platform vs Black Duck SCA Logo
Polaris Platform vs Black Duck SCA
Cycode vs Black Duck SCA Logo
Cycode vs Black Duck SCA
FOSSA vs Black Duck SCA Logo
FOSSA vs Black Duck SCA
Checkmarx Software Composition Analysis vs Black Duck SCA Logo
Checkmarx Software Composition Analysis vs Black Duck SCA
See all alternatives
Related questions
  • 115
How does WhiteSource compare with Black Duck?
  • 39
What tools do you rely on for building a DevSecOps pipeline?
  • 40
What alternatives are there for Fortify WebInspect and Fortify SCA?
  • 30
What is the best way to track open-source license compatibility?
  • 64
How long does SCA scanning take?
  • 243
Why is Software Composition Analysis (SCA) important for companies?
  • 45
Differences between Black Duck & Veracode
  • 42
What SCA solution do you recommend?
  • 40
Is there an SCA solution that finds and fixes vulnerabilities?
  • 51
Can I get SCA in my IDE?