We performed a comparison between Checkmarx One, Mend.io, and Polyspace Code Prover based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"We use the solution for dynamic application testing."
"The main thing we find valuable about Checkmarx is the ease of use. It's easy to initiate scans and triage defects."
"Most valuable features include: ease of use, dashboard. interface and the ability to report."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"We use the solution to validate the source code and do SAST and security analysis."
"The user interface is modern and nice to use."
"The setup is fairly easy. We didn't struggle with the process at all."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"The results and the dashboard they provide are good."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
"The solution is scalable."
"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"Its ease of use and good results are the most valuable."
"When we work on safety modules, it is mandatory to fulfill ISO 26262 compliance. Using Prover helps fulfill the standard on top of many other quality checks, like division by zero, data type casts, and null pointer dereferences."
"The outputs are very reliable."
"Polyspace Code Prover has made me realize it differs from other static code analysis tools because it runs the code. So it's quite distinct in that aspect."
"Polyspace Code Prover is a very user-friendly tool."
"The product detects memory corruptions."
"Checkmarx is not good because it has too many false positive issues."
"It is an expensive solution."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"Checkmarx needs to improve the false positives and provide more accuracy in identifying vulnerabilities. It misses important vulnerabilities."
"The integration could improve by including, for example, DevSecOps."
"I really would like to integrate it as a service along with the SAP HANA Cloud Platform. It will then be easy to use it directly as a service."
"I would like to see the DAST solution in the future."
"The lack of ability to review compiled source code. It would then be able to compete with other scanning tools, such as Veracode."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"I'd like the data to be taken from any format."
"Using Code Prover on large applications crashes sometimes."
"The tool has some stability issues."
"Automation could be a challenge."
"One of the main disadvantages is the time it takes to initiate the first run."