We performed a comparison between Black Duck and Mend (formerly WhiteSource) based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Mend is the clear winner in this comparison. Compared with Black Duck, it is easier to set up and has better reporting and analysis features and superior customer support. Mend also has a proven ROI.
"We didn't have a central inventory to quickly identify issues or determine how many products were affected. Now under Black Duck, it's all consolidated. You search for a component and immediately see which products use it."
"The cloud option of the product is always available and a positive aspect of the solution."
"We accidentally use third-party library APIs, which may not be secure. Our technical team may not have the end time or expertise to figure it out. Black Duck helps us with that and saves us time."
"The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."
"Policy management is a valuable feature."
"The solution works well on Mac products."
"I like the fact that the product auto analyzes components."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"We set the solution up and enabled it and we had everything running pretty quickly."
"Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"The initial setup could be simplified. It was somewhat complex."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"The documentation is quite scattered."
"The solution must provide more open APIs."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"It can be cumbersome to use or invalidate open source software because there is a hold time to check requirements or common regulations to ensure compliance."
"The solution's pricing model and documentation areas of concern where improvement is needed."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"The solution lacks the code snippet part."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
Black Duck is ranked 1st in Software Composition Analysis (SCA) with 19 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Black Duck is rated 7.8, while Mend.io is rated 8.4. The top reviewer of Black Duck writes "Enables applications to be secure, but it must provide more open APIs". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Black Duck is most compared with Snyk, Fortify Static Code Analyzer, JFrog Xray, FOSSA and Sonatype Lifecycle, whereas Mend.io is most compared with SonarQube, Snyk, Veracode, Checkmarx One and JFrog Xray. See our Black Duck vs. Mend.io report.
See our list of best Software Composition Analysis (SCA) vendors.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.