Black Duck Reviews

We use the solution to detect non-compliance in third-party applications.

I really like the fact that we can define policies at a group level. Based on the foundation we create on the baseline, we can apply specific policies for specific teams. We can apply the same policy to the entire organization and tailor the policies for different teams. Policy management is a valuable feature.

I also enjoy using the license management feature in which we can add or review the terms of the licenses. The component management feature is also good. Black Duck is quite powerful. It has been in the industry for quite a lot of time, for around 30 years.

The documentation is quite scattered. It's really difficult to identify the documentation we need for a specific need. When I was working for an organization, I had to create my own documentation to establish the service for the group. The solution must make it easy for the users to understand what to do when they are getting started.

I have been familiar with the solution for a year, including the demo period.

The solution was pretty stable. We had some issues here and there.

The product is pretty scalable. It depends on the licensing model. We had negotiated a license model that was fit for our needs. Then, we added more applications as we grew. The tool provides both the on-premise and the cloud solution. We chose the cloud solution. We wanted the tool for internal use within our organization. We had more than 250 business units.

We have had a chance to benefit from expert hours with proper engineers who were able to respond to some questions. Some of them were more competent than the others. I'm satisfied with support on average.

Neutral

The initial setup is moderately hard because the documentation is not available. If someone is gathering the documentation and creating custom documentation for the organization, explaining how to connect to the CI/CD pipeline and create an account and everything in between, then it's not difficult. The initial investment in developing the documentation is quite tedious.

We provide an initial onboarding period of two weeks to the deployment team. The team can deploy the solution at its own pace, provided it follows the documentation. The team also has early life support throughout these two to three weeks, in which the team members also get trained and understand how to make the best of the tool’s features.

The deployment time depends on the organization’s application architecture, where they keep their projects, and how they are organized. These variables can extend or decrease the timeline for implementation. We need one or two technical resources to deploy the product.

We paid for the license on a yearly basis.

I have evaluated several other solutions, including FOSSA, but we didn't go forward with them. We chose Black Duck because it has a very strong knowledge base with a lot of customization around license management, component management, and policy management.

Organizations that enter a contract with Synopsys must be very careful about the expert hours. We would need support even if we do not have a premium contract. The expert hours are quite pricey. Whoever enters a contract with Synopsys should secure some expert hours because they will need it at least initially when they establish the system.

It wasn't that easy for us to onboard. It was a very steep learning curve. I was expecting more support from the vendor during the onboarding. I expected they would drive the onboarding since it was my first time using the solution. Instead, we had to discover a lot on our own as a customer. They provided some onboarding materials and training, but we were not hand-held through the process.

Overall, I rate the tool a nine out of ten.

I'm a technology leader and an open source compliant and risk expert. I lead two domains, both are open source compliant. We use Black Duck in order to make internal audits on software during development, for license compliance, open source compliance, and open source vulnerability. We have an open source audit team, which has some administration rights on the tool and can make changes to the reports based on feedback from business units. Remaining users have permission via tokens to view reports. We would have around 300 users. Up to 20 users can access the system at any one time. The product is used on a daily basis. 

I like the fact that the product auto analyzes components. In comparison to Protecode where you're given a suggestion and you have to manually choose the correct one, Black Duck analyzes automatically. However, there is a degree of error, possibly around 5%. 

In terms of improvement, there are several areas. The scanner client is limited by the size of software it can handle. If you're scanning software larger than five gigs, it needs to be split and is separated into sub-scans. If you want the status on a certain scan, you can't get it automatically and it can sometimes take a couple of hours. If you want to attach the scan into a CI process and then get an actual result it cannot provide an accurate status.

We are running a Proscan developed in-house and this manipulates the result. It doesn't change the result but it adds some attributes to it. For instance, it gets an alter source and it gives you a link for the domain where you can read more about it. Or if the GUI suggests the conversion, and provides an excel report, you do not really need to go to the GUI, it can be accessed by email after the scan. These attributes and manipulations are done by the API developed in-house for the GUI.

For additional features, I'd like to be able to see SQL on demand, side by side. I'd like to be able to change a room with managed components inside the project, and still have it affect other projects. There is currently no internal database for manual changes which would be a good addition. Also, it would be helpful to include isolation of parts from the doctor image, for instance.

We've been using Black Duck for three years.

Stability is quite good. 

Scalability is quite good, because they manage to support a range of scales, but it's not unlimited. We can scan six in a row with no problem, but there might be some delay. This is the threshold that we set, we don't scan more than six at once. It's a good product for enterprise companies and smaller ones too, although it is quite expensive for a small company. 

There are some very professional support people. No one tool is perfect, but if you're comparing to the rest of the tools on the market, Black Duck comes out on top. They have some really unique features, especially from the perspective of seeing a wide range of open source versions. It's something that is not available in other tools.

I am happy with the support, although I work in Israel and the work week is from Sunday to Thursday - they work Monday to Friday. It means there are only four days in the week when we overlap. If I need something on a Sunday I have to wait. It's challenging. They do have some good training videos.

The complexity of setup depends on the scale. If it's an out-of-the-box scan, it's basically scaled for the port, but once we started to utilize it, we wanted a system that automatically scaled up, so we moved to Upper Shift. It was challenging and required some support from their R&D. Then we applied integration, which required consulting with experts. You can use their documentation and set up your own software, it works smoothly. but depends on the size of the setup.

The product requires someone familiar with the tool. It's not that complicated, but it's not intuitive to find your way through the tool easily. There are two kinds of setup that I am aware of in Black Duck. One is a complete SAS solution where you upload your software to the cloud. Alternatively, you have your on-premise hub, which is attached to the knowledge base. This is a secure solution and can be compared with the knowledge base. The way this hub communicates outside is very important because it needs a stable and wide metro connection.

Deployment was with external support but the integration had some challenges and took some extra days. We had a very professional expert on site, we pay for premium support.

There are some features that cost extra but we don't use them because I'm not sure there's added value. The product is not cheap. There are several methods of payment - by product, by scale, or by code-based size. I suggest those buying Black Duck know their code size in relation to the code size that the system registers. This gives a good estimation of how to negotiate the pricing model. If you're buying extremely high capacity, it costs a lot.

The set up is on-premises but the knowledge base is through the cloud. As mentioned, it's a hybrid solution.

The main difference between Black Duck and other solutions is the way the software identifies the open source. If it's being used out of the box and there's no need for any changes or modification or integration, probably a software based on SHA-1 would be good enough. If the company's customizing its software based on a customer requirements, changes will be needed. Software that works on a single match point probably will miss that. And that's the advantage of Black Duck.

I would rate this product an eight out of 10.

We use Black Duck mainly for the DevSecOps pipeline. For the microservices-based application, we have to deploy Black Duck into the Kubernetes environment. 

I have worked for multiple clients across the world, such as the US and Europe in the banking, retail, and energy sectors.

The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately.

Black Duck can improve the time it takes for a scan. Most of the time it's not ideal when integrated with the live DevSecOps pipeline. We have to create a separate job to scan the library because it takes a couple of hours to scan all those libraries. The scanning could be faster.

I have been using Black Duck for a few years.

The stability of Black Duck is very good.

Black Duck is scalable.

The technical support from Black Duck is very good.

Black Duck is easy to install. The full implementation took a couple of hours.

I do the implementation of the solution.

We have seen a very high return on investment using Black Duck.

I rate Black Duck a nine out of ten.

We use Black Duck to examine our source code for compliance issues.

The older version that we are using is very primitive. You have to do every step, right from setting up an application to the user. The code has to sit in a particular folder and all of the open-source dependencies have to be there. With everything in one folder, it starts to scan. As we are using Code Center, we need to ensure that all of the components are there. However, there are thousands of components and for each submission, the components have to be there. There are no bulk submissions or bulk transfers. Essentially, you need to write your own scripts with the APIs to do it more efficiently.

It needs to be more user-friendly for developers and in general, to ensure compliance. The scanning should be quick and easy to use, rather than complex.

The pricing for this solution should definitely be lower.

We have been using Black Duck for between five and six years.

The stability is okay. We need to keep cleaning up and archiving, which is the standard care by an administrator.

The number of people we have using Black Duck at any time is on a project-by-project basis. We probably have around 500 users, although they do not use it on a continuous basis. The usage is based on the number of requests. For some projects, it will be used just one time, and that's it. 

We have just started to contact technical support, so it is too early to evaluate them.

We did not use another similar solution prior to Black Duck.

The initial setup is complex. It is installed and configured on a Linux-based system, and the on-premises database needs to be updated.

Upgrading our version of Black Duck to the most recent is a tedious process. It is very step-by-step and very manual.

The price is quite high because the behavior of the software during the scan is similar to competing products. 

We are currently evaluating whether we should continue to work with Black Duck, upgrading to the most recent version, or change to another solution. We are looking at several tools that also include WhiteSource and Checkmarx Composition Software Analysis. Ideally, we want to find a solution that suits our everyday needs.

One thing that we have found is that the price of Black Duck is quite high, compared to other products.

As we are using an older version, and have not yet completed a PoC with the most recent one, I am not sure whether there are newer features that we need or will use. Things that we would like to see may have already been implemented.

I would rate this solution a six out of ten.

We have been using this solution for between two and three years.

We frequently use this solution for software composition analysis. We also use it for vulnerability assessment and operational risk assessment. This is usually for customers who want to do one-off assessments, trying to check open source components they are using in their build. 

This solution helps our customers to understand what really lies in their application. In terms of the open source components, it can show the dependencies that other components are relying on, which you don't see. For example, if your application is packaged with other stuff, it would help to pull up all of the dependencies. It will list all of the open source dependencies in the entire library and show details about what they are using. It highlights what the developers have done, and it shows the impact from an intellectual property point of view.

This can also impact them from a security perspective. For example, it can tell you about the health of an application. What we often see is that developers are using an older version of an open source component, and they don't change it because it works. In cases where a newer version is available, we are able to show them what old components they are using, and the age of those components. This gives them a measure of health for their application in terms of operational risk. If an application were to break tomorrow, the chances that it can be quickly fixed may be dependent on the age of the component.

Largely, this is the kind of value we use Black Duck to provide to customers in this part of the world.

I would like to see more integration with other solutions, such as IntelliJ IDEA.

This solution is stable. Maybe, depending on the browser that you use, you might have delays in response. If you are using Chrome, for example, and you click refresh on the web GUI, you get delays sometimes. I think that this is normal with most applications. 

In terms of scalability, we are a small team so we have never tried with too many users. We only have one user and have used this for two or three customers in South Africa. I think that it is pretty scalable, but the limitation comes from the pricing and licensing agreement.

Beyond the licensing, you might be limited by your hardware capacity. I think that it starts off with 16GB RAM and four cores minimum, but if there are more people on it then you might need to expand the resources. 

Like with any product, the technical support can be better. They have a feedback system where you raise a ticket, and it usually takes twenty-four hours before they respond. If there is something very urgent then you can escalate it, and I think that the delay is reduced to six hours.

The initial setup for this solution is straightforward. It is Dockerized, and very easy if you use Linux. If you have a server on Azure then you can just go to the Azure marketplace and spin it up straight from there.

If you are using an instance on Google Cloud, for example, we've done deployments where you simply spin up the application and it deploys by itself in about four minutes. If you have to deploy by yourself, you have to wait for Linux to completely finish, etc. But if you're using a cloud service provider then it is automatic. You put in your license and you integrate it with whatever you want to do.

Once it is deployed, it is again straightforward. You can easily take your build, use the Hub Detect to scan it and get a JSON file, then upload it to the server. It will do the analysis and it is usually fast, except sometimes when you want to check code snippets. 

It does not require more than one person for deployment and maintenance.

We handle the deployment ourselves.

It is difficult to determine ROI when it comes to security because it depends on many things.  For example, it may tell you how much knowledge your developers have about licensing, or security, which may ultimately reduce the cost of training.

On the other hand, it may increase the rate at which you find bugs or problems with specific components. This, again, may contribute to the ROI. However, it is difficult to say without a set of predefined metrics.

The pricing works either by the number of users or by code size. In the case of code size, they give you unlimited users. For example, if you have two thousand developers but you want a code size of 20GB, then that is what you get. If, however, you have forty developers and a lot of projects then you can say "We'll use forty developers and then we can scan unlimited applications, even if our applications are going to be 3,000GB."

Depending on the use case, the cost could range from $10,000 USD to $70,000 USD. It depends on what you are doing. There are no costs in addition to the standard licensing fees, including the academy. If you buy the license then they give you access to their academy, where you can get trained. The integrations are free, and the plug-ins are free.

This is a good solution. My advice to anybody interesting in implementing it is to be clear in their mind whether they want to go on a user-based model, or they want to do a code-based model. It can get tricky if your development team is growing rapidly.

Maybe you started off with five developers and then the next year you are growing to ten. Then, in another year, there are fourteen or twenty. As you grow, a user-based model may not work for you so you might consider going with the code-based model.

However, if you are working on multiple projects then you may consider the user-based model, as long as your headcount is relatively stable.

Overall, the deployment is straightforward, uploading code is straightforward, analysis is straightforward, but with integration then it may be slightly lacking.

I would rate this solution a nine out of ten.

It is able to drill down to the source level.

We expect a lot more features. They have to improve it a lot in terms of the way they do the analysis. At the analysis level, more depth is required.

They are giving a lot of APIs and Python scripts for certain functionalities, but instead of using APIs and Python scripts, they should provide these functionalities through the UI. Users should be able to customize and add more fields through the UI. Users should be able to add more fields and generate reports. Currently, they are not giving flexibility in the UI. They're providing a script that simply generates an Excel file or CSV file. There is no flexibility.

We have been using this solution for a year. We are using its latest version.

It is stable.

Because it is on the cloud, it is scalable. We have quite a significant number of users. Our users might be in the hundreds.

Their support is not so strong. It is fine. It is not bad. If we go a little bit deeper on the technical side, they might not know about it.

We didn't do the setup. They did the setup. My guess is that it is not so easy because it's done in the docker environment. For its maintenance, we need two people.

It is expensive.

I would rate it a seven out of ten.

I am not working with Black Duck. I manage a team that works with Black Duck.

We are happy with this solution.

We have not yet explored all of the functionalities of Black Duck.

Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.

We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck. I feel that it is just a matter of time and it should be fine.

We have been working with Black Duck for a little more than one year.

It is a very small group of people who are using this solution in our organization.

My team is the open-source program office and we have three people who are using Black Duck and the other teams would be in the range of fewer than 20 people.

We contacted technical support as we were not able to fix this issue ourselves. We are not the primary contact who has procured the product, they are based out of Paris. We are using the license but we have to go through them to contact Black Duck to get their help.

I am not able to share an opinion on the support because we raised the issue only a few weeks back, and this being the summer vacation period, a lot of people were unavailable. I don't know whether that delay is being caused by our counterparts in Paris or if it is really caused by Black Duck.

We have been using other tools, but our IT division acquired Black Duck and we wanted to use it across the organization.

As far as security is concerned, it has always been a priority in our organization. We had different tools that we were using for security, but when it comes to operational risk and compliance and licensing, we didn't have any specific approach before Black Duck.

We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing.

We are only using a few of the licenses because they had acquired several licenses, but I'm not involved in the pricing and the contract negotiations.

I would rate Black Duck an eight out of ten.

We're primarily using the solution for compliance. It's part of an audit process.

The solution has some pretty good features on offer.

It helps protect our information. It has good security.

The solution works well on Mac products.

The solution requires us to manually identify codes and other forms of identification, and this takes up a lot of time. The patterns the solution uses for identification need to be constantly reviewed by our team. There's also no time stamps. Everything needs to be reviewed. It takes double the time to identify things. Features just don't come up in the Hub.

We'd like to be able to authenticate through our two companies.

We're not too sure about the extension of the firewall. It never shows up in the Hub.

The Hub doesn't like that we have binary sides, so, once again, we need to check everything, meaning we get double the work.

The scanning aspect of the resolution needs to be improved. Right now, as it is, it's not okay.

It would be ideal if the solution offered features to add one or more components to a file.

We've been using the solution for three years at this point. It's been a while.

The solution is stable. We find it pretty reliable in that sense. It doesn't crash or freeze. It doesn't have bugs or glitches.

That said, if a company is moving from any other tool to the Hub, it's not a good idea to move the Hub itself as there are a few bugs in that scenario.

I can't comment on the scalability. I've never personally tried to scale the solution.

Currently, we have 300-400 people using it in our organization.

The technical support has been fine. They help us a lot and we actually find them to be quite helpful. They will alert us when items become available or when new features are coming. We may not know how long it will take, however, we will know they are on the way.

We didn't previously work with a different solution. Black Duck has been our first technology for these types of tasks. As we are using it for an audit, I basically just learned the tool and started applying it to the process. I don't know how to use any other tool for this purpose.

However, the company is currently migrating from another Hub to Black Duck Hub.

The initial setup is unique. We're actually migrating from our current Hub to Black Duck Hub. It has its own specific challenges.

I'm not sure of what the exact pricing is for the solution. That's not something I handle. My company deals with those aspects of the solution.

We're just a customer. We don't have a business relationship with Black Duck.

I'm not sure how the solution is deployed within our organization (whether it's cloud or on-premises).

We've had to migrate our current Hub to Black Duck Hub, which is not efficient for the identification process. We do projects. Due to our identification process, it's not as accurate as we'd like. 

Overall, I'd rate the solution six out of ten.