Black Duck vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

Black Duck vs MergeBase: What’s the Best SCA Tool? (2023)

Ten years ago, Black Duck was the go-to SCA solution—but in today’s rapidly-changing cybersecurity environment, older doesn’t mean better, and it’s important to understand how industry leaders stack up against more recent innovations.

Choosing a software composition analysis tool is an important decision that will affect your cybersecurity for years to come. But since the product category is relatively new, it can be difficult to evaluate your options and understand what sets the best solutions apart. 

This comparison evaluates Black Duck and MergeBase on five capabilities that companies find most important when choosing an SCA tool. (If you’d like to see our analysis of all the major SCA solutions side by side, check out our SCA buyer’s guide.)

Black Duck vs. MergeBase: a side-by-side comparison

Black Duck vs MergeBase: What’s the Best Software Composition Analysis (SCA) Tool?

Black Duck Vs Mergebase

We’ve measured these tools’ competencies in the five most critical areas for SCA tools to perform. This guide is based on our extensive industry experience, conversations with cybersecurity professionals, and our own research. 

The five core areas are: 

1. Developer guidance with compatibility check
2. Comprehensive SBOM support
3. Low false positives output
4. Integration to the DevOps process with runtime protection
5. Total cost of ownership

We’ll unpack these individual competencies in a moment, but here’s how MergeBase and Black Duck stack up against each other at a glance, on a scale of 1–5. These scores are based on each tool’s capabilities as of January 2023.

MergeBase vs Black Duck comparison

At this point, you should be asking, “Isn’t it a bit suspect for MergeBase to give themselves a perfect score?” 

Fair point, but there are a few good reasons for this: 

  1. This scoring system focuses on the five areas that are absolutely vital to choosing a strong SCA solution. We arrived at these factors after countless conversations with IT security and development teams over the years: these are the ones that come up over and over. 
  2. We could score all of these solutions across many more factors—like the size of the company’s internal research team, the number of integrations available, etc. However, getting reliable numbers for these factors is difficult to do, and even if we did get accurate numbers, they could change next week.
  3. MergeBase was specifically built to master these five areas. When companies switch from another solution to MergeBase, it’s because of one (or several) of these factors.  
  4. While MergeBase is strictly an SCA solution, these other SCA tools are parts of much larger software security suites. With breadth of coverage comes a lack of focus. If we were to rate ourselves against everything that Black Duck does, our score would look a lot different—but we’re not playing their game.

Let’s look at how these two stack up against each other in detail.

Black Duck vs. MergeBase on developer guidance

It’s no secret that developers play a crucial role in securing your software supply chain, but most SCA solutions don’t make their jobs any easier. After an SCA identifies a vulnerability, only a handful of solutions provide usable developer guidance on how to patch it. 

Unfortunately, technology organizations have discovered that most developer guidance requires the developer to invest more time to research. An ideal SCA solution gives you advanced developer guidance, a precise compatibility check, and suppression management. This empowers your developers to find the best upgrade path instantly.

Developer Guidance

We graded these tools’ developer guidance capabilities on the following five-point scale:

Score: 1 2 3 4 5
Capabilities: No guidance Refers to current versions Provides versions & risks for each patch Provides compatibility, popularity & data points for each patch AutoPatch: Can patch vulnerabilities automatically

The MergeBase advantage: Not only does our tool provide information on each patch’s risks, compatibility, and popularity, but MergeBase can automatically implement safe patches for you—so your product and security teams can make informed decisions and move on.

Black Duck vs MergeBase on SBOM support

The software bill of materials (SBOM) plays an essential role for both software companies and their enterprise customers. Organizations that deliver software applications face increasing regulatory and compliance pressures to produce a comprehensive SBOM: one that not only shows vulnerabilities and licenses, but also points out technical debt (portions of code that need future cleanup).

For enterprise customers, it’s more common to ask your vendor for an accompanying software bill of materials. But it’s also important to validate the SBOMs that these vendors provide—which an advanced SCA tool can help you do.


We graded these tools’ SBOM support on the following five-point scale:

Score: 1 2 3 4 5
Capabilities: No SBOM support Exports SBOMs in only one format (no import) Exports SBOMs in multiple formats (no import) Supports multiple SBOM formats (import and export) Dependency info incorporated into SBOM

Both tools get a perfect score of 5 in this area. MergeBase allows you to import and export multiple SBOM formats, and it clearly delineates all dependency relationships between the components and subcomponents in your application. (Plus, you can visually navigate your SBOM inside MergeBase, so you can see how your third-party code is nested and where any given vulnerability lies.)

Black Duck vs MergeBase on false positives

SCA false positives are just plain bad for business. In our 2022 report The True Costs of False Positives in Software Security, 62.1% of surveyed technology leaders revealed that decreasing false positives is a higher business priority than increasing true positives. False positives waste valuable time and significantly hamper productivity on both development and security teams—and they can even harm relationships between teams. 

We ran each of these tools against a set of applications with 511 known vulnerabilities to see how many they’d catch, how many they’d miss, and how many false positives they’d flag. Here’s how they stacked up:


We graded these tools’ accuracy on the following five-point scale:

Score: 1 2 3 4 5
Capabilities: False positive rate above 10% False positive rate of 5–10% False positive rate of 2–5% False positive rate of 1–2% False positive rate below 1%

The MergeBase advantage: One of the reasons we built MergeBase was to take on the problem of false positives in the SCA space—without missing true positives. By design, MergeBase is the most accurate SCA tool on the market today. For all of Black Duck’s strengths, its ability to accurately call out vulnerabilities is not one of them. 

Black Duck vs. MergeBase on DevOps integration

Most SCA solutions claim to protect and integrate into your DevOps process. Each of these leading tools integrates with your build pipeline and repository, and supports container scanning, but some integrate more fully than others for example, not every SCA offers binary application scanning and runtime protection. Here’s how these particular tools stack up against each other:

DevOps integration  

We graded these tools’ DevOps integration capabilities on the following five-point scale:

Score: 1 2 3 4 5
Capabilities: No DevOps integration: a standalone product Build pipeline integration Repository integration and container scanning Binary application scanning Runtime protection

The MergeBase advantage: MergeBase is built on a Shift Left Security philosophy. Our SCA tool protects your build pipeline and runtime, integrates with your repository, and allows for both container and binary scanning—so you’re always aware of known vulnerabilities in your third-party code, whether it’s open source or licensed.

Black Duck vs. MergeBase on total cost of ownership

Each SCA tool comes with a cost. This goes beyond the price you pay for the tool, though: you should also consider the cost of labor to use the tool. For example, a tool with a high false positive rate will eat up your developer’s time—and the less developer guidance a tool provides, the more labor you spend figuring out how to respond to vulnerability alerts.

Then there’s the pricing structure itself to consider. Some SCAs are transparent with pricing, others use complex formulas based on variable directional metrics, and others are entirely opaque. So when cross-evaluating SCA options, we looked for two factors:

  1. Competitive pricing: The vendor uses transparent, straightforward pricing.
  2. Labor savings: The tool has robust enough capabilities to reduce software supply chain security supply labor costs.

Here’s how Black Duck and MergeBase stack up:

Cost of ownership

We graded these tools’ total cost of ownership on the following five-point scale:

Score: 1 2 3 4 5
Capabilities: Low labor savings Medium labor savings, high price Medium labor savings, competitive price High labor savings, high price High labor savings, competitive price

The MergeBase advantage: Between the two, Black Duck is far and away the more costly solution. MergeBase’s pricing model is entirely transparent, with no hidden fees or limits—plus we save labor with a low false positive rate, clear developer guidance, automatic patching, prioritization, and other remediation options. If you want an estimate of how much MergeBase will cost (or save) your company, check out our total cost of ownership calculator.

Choose the SCA that’s right for you

Selecting the right SCA is critical to protecting your organization, and these five factors are the strongest indicators of how valuable an SCA tool can be to your organization. 

We built MergeBase so you can rapidly secure your software supply chain without slowing down your business. If you’re considering SCA options, you’re welcome to download our comparison worksheet to build your own SCA benchmark for your organization.

For more information on this guide and to learn more about how MergeBase can help protect your software supply chain, please connect with us at Or if you’d like to see MergeBase in action, we’d love to show you a demo!

Oscar van der Meer

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.