Bob Gobeille recently posted a series of questions on how FOSSology compares to 
Black Duck. Bob called me to let me know the questions were posted, told me 
that he often gets these questions and wanted to put some info online, and that 
he wanted Black Duck's perspective.  I want to thank Bob for reaching out.

While Black Duck has not been very involved with FOSSology, I do want to point 
out that Black Duck is a member of both Linux Foundation and FOSSbazaar, and 
that we (actually Phil Odence) co-chair the FOSSBazaar SPDX (Software Package 
Data Exchange) Working Group which is defining a standard way for companies to 
share license and copyright information about software packages they exchange.

I'll list Bob's questions with our perspective following each one. But first, 
and at a high level, FOSSology and Black Duck by and large don't compete. There 
is some overlap in functionality but from our perspective the differences are 
significant as the Black Duck Suite is a complete OSS management/automation 
solution.
1) Black Duck is proprietary and expensive, FOSSology is open source (GPL) 
and free.

Black Duck is a commercial product sold on an annual subscription basis under a 
commercial license.  It's straightforward to compare licensing between 
FOSSology and Black Duck but simple comparisons on functionality and features 
aren't as easy.  Black Duck sells a Suite of products for open source 
compliance and management.  The design center for Black Duck's Suite is to 
enable multi-source development with open source across the application life 
cycle. We automate and 'design in' compliance in a way that can't be achieved 
manually or with other tools.  And the part of the Suite that overlaps with 
FOSSology employs a fundamentally different technology and approach to 
discovering open source code and the associated license(s), i.e., source code 
pattern matching, while it also supports string search.

2) With Black Duck you get access to their large database of software 
information.  With FOSSology, you have to build your own.

Black Duck maintains a KnowledgeBase of open source project information from 
over 4,600 sites covering 1,900 licenses. It is used both to automate and 
ensure legal compliance but also as a productivity tool in the front-end of the 
development process when developers are searching for open source they can use 
to offset having to write new code. In addition to component information, we 
maintain a database of licenses and license terms that is used in the Suite to 
automatically identify conflicts when incompatible licenses are used in 
combination.  We also track all known security vulnerabilities associated with 
open source components that we provide as additional information to aid 
developers in selecting and maintaining their code.

3) Black Duck has some great resources for helping you with your issues.  
FOSSology is a software project, no services.  We do try to help as much as 
possible on IRC/email but this is hardly the service you would expect from a 
commercial company.

Many customers are quite happy with the support they receive from open source 
communities and FOSSology is in that camp.  Black Duck provides various levels 
of technical support. Many of our customers use the Black Duck Suite in mission 
critical applications and require direct technical support, sometimes including 
24x7.

In addition to technical support services, Black Duck offers a range of 
professional services that span the gamut of needs from helping create an open 
source policy, to assessing an organization's capabilities and readiness, to 
integrating a company's open source policy with an associated workflow and 
approval process, to implementing the Suite with existing development tools and 
business processes.

4) FOSSology scans every file looking for licenses.  This degree of license 
analysis is not in the Black Duck database.  Note: My information on this may 
be out of date.  If you know this to be correct or incorrect, please reply.

As mentioned earlier, while we support string search, Black Duck additionally 
employs a fundamentally different technology and approach to discovering open 
source code and the associated licenses.  Black Duck does scan every file but 
is primarily looking for source code matches.  If license text is missing, code 
pattern matching will still identify the open source code.

A feature of Black Duck's that many customers value is the ability to 
automatically produce a software Bill of Materials (BoM) for each 
application/project, showing what FOSS components are in use with their 
associated licenses.  The BoM is also useful to developers for knowing when new 
component versions are released, if a security vulnerability exists and in what 
component it's used, etc.
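To make the contrast in point 4 concrete (license-text search versus code pattern matching, and the per-file BoM that comes out of it), here is an added example written for this page; it is not code from FOSSology or Black Duck. The component name, version, code snippet, license markers and sample files are all constructed for the demonstration, and the fingerprinting method (hashing windows of whitespace-normalised lines) is one simple stand-in for whatever a real scanner does.

```python
import hashlib
import re

# Constructed reference component standing in for one entry of a knowledge base
# (hypothetical name and version; the snippet is made up for this example).
REFERENCE_COMPONENT = {
    "name": "example-lib",
    "version": "1.2.0",
    "license": "GPL-2.0-only",
    "source": """
int example_checksum(const unsigned char *buf, size_t len)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (sum << 3) ^ buf[i];
    }
    return sum & 0xffff;
}
""",
}

# A tiny subset of license-text markers; a real scanner carries hundreds of rules.
LICENSE_PATTERNS = {
    "GPL-2.0-only": re.compile(r"GNU General Public License.*?version 2", re.I | re.S),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
}

WINDOW = 3  # consecutive normalised lines per fingerprint


def _normalised_lines(text):
    """Collapse whitespace and drop blank lines so re-indented copies still match."""
    lines = (re.sub(r"\s+", " ", line).strip() for line in text.splitlines())
    return [line for line in lines if line]


def fingerprints(text, window=WINDOW):
    """Hash every run of `window` normalised lines; the set is the file's fingerprint."""
    lines = _normalised_lines(text)
    return {
        hashlib.sha256("\n".join(lines[i:i + window]).encode()).hexdigest()
        for i in range(len(lines) - window + 1)
    }


# Knowledge base: fragment hash -> component, built here from the one reference file.
KNOWLEDGE_BASE = {h: REFERENCE_COMPONENT for h in fingerprints(REFERENCE_COMPONENT["source"])}


def scan_license_text(text):
    """String-search approach: report licenses whose text markers appear in the file."""
    return sorted(name for name, pattern in LICENSE_PATTERNS.items() if pattern.search(text))


def scan_code_match(text, min_windows=2):
    """Pattern-matching approach: report known components whose code fragments appear.
    At least `min_windows` matching windows are required to suppress chance collisions."""
    counts = {}
    for h in fingerprints(text):
        component = KNOWLEDGE_BASE.get(h)
        if component is not None:
            key = (component["name"], component["version"], component["license"])
            counts[key] = counts.get(key, 0) + 1
    return [
        {"name": n, "version": v, "license": lic, "matched_windows": c}
        for (n, v, lic), c in sorted(counts.items())
        if c >= min_windows
    ]


def build_bom(files):
    """Per-file bill of materials combining both scanners, sorted by path."""
    return [
        {
            "file": path,
            "declared_licenses": scan_license_text(text),
            "components": scan_code_match(text),
        }
        for path, text in sorted(files.items())
    ]


# Constructed inputs: the reference fragment with its header intact, the same
# fragment with the header stripped and re-indented, and an unrelated MIT file.
GPL_HEADER = """/* This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 2. */
"""
MIT_HEADER = """/* Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files. */
"""
SAMPLE_FILES = {
    "src/with_header.c": GPL_HEADER + REFERENCE_COMPONENT["source"],
    "src/stripped.c": REFERENCE_COMPONENT["source"].replace("    ", "\t"),
    "src/other.c": MIT_HEADER + "int add(int a, int b)\n{\n\treturn a + b;\n}\n",
}

if __name__ == "__main__":
    for entry in build_bom(SAMPLE_FILES):
        print(entry)
```

Running it shows the point the post makes: the text scanner reports a license only for the file that still carries its header, while the fragment matcher identifies the component, and therefore its license, in both copies, including the one whose header was removed and whose indentation was changed.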

_______________________________________________
fossology mailing list
fossology@fossology.org
http://fossology.org/mailman/listinfo/fossology
