We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"The vulnerability analysis is the best aspect of the solution."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"The solution is scalable."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"It has very good scalability and stability."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"SonarQube is a fantastic tool which saves us precious time."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"The most valuable feature of this solution is that it is free."
"Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"The dashboard UI and UX are problematic."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"New plug-ins should be integrated into SonarCloud to give more flexibility to the product."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"You may need to purchase add-ons to get the useability you desire."
Mend.io is ranked 5th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 111 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Snyk, Veracode, Checkmarx One and JFrog Xray, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Mend.io vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.