We use BlackDuck at work to scan our jar for open source components with weak licenses. Thing is, BlackDuck's scan tool takes too long (60+ min on a 400mb jar), and their support kinda sucks.
Anyone have recommendations on a better tool? I'm googling the competitors but would be interested to know what people's experiences were (as opposed to just reading the shiny marketing-speak).
I'm not sure about better, or what features you are looking for specifically. But check out:

- WhiteSource
- Checkmarx OSA tools - though very new
- Veracode has a nice OSA / CVE tool

And there are a whole slew of open source tools too.