We performed a comparison between Black Duck and Mend (formerly WhiteSource) based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Mend is the clear winner in this comparison. Compared with Black Duck, it is easier to set up and has better reporting and analysis features and superior customer support. Mend also has a proven ROI.
"The solution is stable."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"Policy management is a valuable feature."
"It is able to drill down to the source level."
"The solution works well on Mac products."
"I like the fact that the product auto analyzes components."
"The product enables other applications to be secure."
"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"The results and the dashboard they provide are good."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"We set the solution up and enabled it and we had everything running pretty quickly."
"For us, the most valuable tool was open-source licensing analysis."
"Its ease of use and good results are the most valuable."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"The solution must provide more open APIs."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"The tool's documentation and support are areas of concern where improvements are required."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"The documentation is quite scattered."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster."
"The only thing that I don't find support for on Mend Prioritize is C++."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"The UI is not that friendly and you need to learn how to navigate easily."
"I would like to see the static analysis included with the open-source version."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Black Duck is rated 7.8, while Mend.io is rated 8.4. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, FOSSA and Sonatype Lifecycle, whereas Mend.io is most compared with SonarQube, Snyk, Veracode, Checkmarx One and JFrog Xray. See our Black Duck vs. Mend.io report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.