We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"The solution is scalable."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"There are many options and examples available in the tool that help us fix the issues it shows us."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"It is working fine. It provides a good value for money."
"We have worked with the support from SonarQube and we have had good experiences."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"The initial setup could be simplified."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"The dashboard UI and UX are problematic."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"Technical support and the price could be better."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"The solution could improve by having better-consulting services."
"The reporting can be improved."
Mend.io is ranked 6th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Snyk, Checkmarx, Veracode and JFrog Xray, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and GitLab. See our Mend.io vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.