Safeguard
Security

Black Duck and Synopsys: What the Spinoff Means for SCA

Black Duck is now an independent company after splitting from Synopsys in 2024. Here is what changed, and what it means if you rely on it for SCA.

Safeguard Team
Product
5 min read

Black Duck and Synopsys are no longer the same company: on October 1, 2024, the Synopsys Software Integrity Group was acquired by Clearlake Capital and Francisco Partners and relaunched as the independent Black Duck Software, Inc. If you have been evaluating tools and are confused about whether "blackduck synopsys" is one product, one vendor, or two, this is why. The name you knew for years, Synopsys Software Integrity, is gone; the technology continues under the Black Duck brand as a standalone application security company. This post explains what actually changed, what stayed the same, and how to think about it if software composition analysis is on your roadmap.

The Short History

Synopsys, primarily an electronic design automation company, built up an application security portfolio over the years, much of it through acquisitions, including the original Black Duck Software, which Synopsys bought in 2017. That portfolio lived inside Synopsys as the Software Integrity Group.

In May 2024, Synopsys announced it would divest that group. The transaction, valued at up to $2.1 billion, closed on October 1, 2024, with private equity firms Clearlake Capital Group and Francisco Partners as the buyers. The newly independent company took the name Black Duck Software, a nod to its flagship software composition analysis product, which has been helping organizations manage open source risk for close to two decades. Jason Schmitt, who had led the Software Integrity Group, continued as CEO of the independent Black Duck.

So the practical translation is simple. When you see "Synopsys Black Duck" in older documentation, marketing, or a security questionnaire, it refers to the product line that is now just "Black Duck." The Synopsys association is historical.

What the Portfolio Actually Covers

Black Duck as an independent company carries forward the application security solutions previously sold under Synopsys Software Integrity. The core relevant to supply chain security is Black Duck SCA, which scans codebases and binaries to identify open source components, map them to known vulnerabilities and license obligations, and flag policy violations. It is a long-established SCA product with a large vulnerability knowledge base (historically branded BDSA, the Black Duck Security Advisories) that supplements public sources like the National Vulnerability Database.

Alongside SCA, the portfolio has historically included static analysis (Coverity), dynamic and interactive testing, and fuzzing, positioning Black Duck as a broad AppSec suite rather than an SCA point tool. That breadth is part of its enterprise appeal and part of its cost.

What the Change Means for Buyers

A divestiture like this is worth factoring into a purchasing decision, in both directions.

On the positive side, an independent, focused company can move faster and prioritize application security without competing for investment against a much larger semiconductor-design business. Focus is generally good for a product's roadmap.

On the caution side, private-equity-owned software companies are worth watching for the usual patterns: pricing changes, support-model shifts, and roadmap re-prioritization as the new owners pursue their return. None of that is unique to Black Duck, and none of it is predetermined, but it is prudent to ask about contract terms, support commitments, and roadmap direction during any evaluation now, rather than assuming continuity from the Synopsys era.

The practical takeaways for anyone comparing options:

Verify current details directly. Pricing, packaging, and product names may have shifted since the spinoff, so confirm them with the vendor rather than relying on Synopsys-era collateral or third-party pages that predate October 2024.

Separate the technology from the branding. The scanning engine and the BDSA data did not change on the day the name did. Evaluate the SCA capability on its merits, coverage, accuracy, ecosystem support, and how well it fits into your pipeline.

Weigh breadth against fit. Black Duck sells a full AppSec suite. If you need only SCA, you are buying into a broad platform, which may be more than you need and more than you want to pay for. Lighter-weight, developer-first SCA tools, including Safeguard, take a narrower, pipeline-native approach; whether that suits you depends on whether you want a single enterprise suite or focused tooling that slots into existing CI. Our comparison of SCA approaches frames that trade-off in more detail.

Choosing an SCA Tool in 2025

The Black Duck and Synopsys reshuffle is a useful reminder that vendor structure changes, and your open source risk management should not be hostage to any single one. Whatever you choose, the fundamentals hold: accurate component identification, timely vulnerability data, clear license visibility, and tight integration into how your developers already work. Judge Black Duck, or any SCA tool, against those, confirm the commercial specifics for the current independent entity, and do not let a familiar-but-outdated brand association do your evaluation for you.

FAQ

Is Black Duck still part of Synopsys?

No. On October 1, 2024, the Synopsys Software Integrity Group was acquired by Clearlake Capital and Francisco Partners and became the independent company Black Duck Software, Inc. Synopsys no longer owns it.

Why do I still see "Synopsys Black Duck" in documentation?

That reflects the pre-October-2024 branding, when the product lived inside the Synopsys Software Integrity Group. It is the same product line now sold simply as Black Duck. Treat the Synopsys association as historical.

What does Black Duck SCA do?

Black Duck software composition analysis scans code and binaries to inventory open source components, match them against known vulnerabilities and license terms, and enforce policy. It draws on public vulnerability data plus its own Black Duck Security Advisories (BDSA) feed.

Should the spinoff change my buying decision?

It is a factor, not a verdict. An independent, focused company may iterate faster, but private-equity ownership warrants asking about pricing, support, and roadmap continuity. Confirm current commercial terms directly rather than relying on Synopsys-era information.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.