Cancel
You must select at least 2 products to compare!
Mend.io Logo
10,901 views|6,545 comparisons
Sonar Logo
57,256 views|45,052 comparisons
Comparison Buyer's Guide
Executive Summary
Updated on May 19, 2022

We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Reviewers agree that the installation of both solutions is a straightforward process.
  • Features: Users of both products are happy with their stability and scalability. WhiteSource users like its reporting and analytic capabilities and say it is good at identifying security vulnerabilities. Several WhiteSource users mention that its UI needs to be improved. SonarQube users praise its code quality detection and say it is user-friendly, robust, and provides support for many programming languages. Several users note that SonarQube needs better exporting and sharing options.
  • Pricing: Most WhiteSource users feel it is an expensive product, whereas SonarQube users say it is reasonably priced. SonarQube also offers a free version.

  • ROI: Reviewers of both products report seeing an ROI.
  • Service and Support: Most WhiteSource users report being satisfied with the level of support they receive. Some SonarQube users are satisfied with the support they receive while others write that the support’s response time is slow.

Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.

To learn more, read our detailed Mend.io vs. SonarQube Report (Updated: March 2024).
765,234 professionals have used our research since 2012.
Q&A Highlights
Question: How does WhiteSource compare with SonarQube?
Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds.""The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar).""The solution is scalable.""WhiteSource helped reduce our mean time to resolution since the adoption of the product.""Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software.""I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.""With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions.""The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."

More Mend.io Pros →

"The most valuable features are that it is user-friendly, easy to access, and they provide good training files.""The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.""There are many options and examples available in the tool that help us fix the issues it shows us.""We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.""It is working fine. It provides a good value for money.""We have worked with the support from SonarQube and we have had good experiences.""I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products.""I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."

More SonarQube Pros →

Cons
"The initial setup could be simplified.""It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding.""The dashboard UI and UX are problematic.""At times, the latency of getting items out of the findings after they're remediated is higher than it should be.""WhiteSource Prioritize should be expanded to cover more than Java and JavaScript.""It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.""If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.""WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."

More Mend.io Cons →

"Technical support and the price could be better.""There needs to be a shareable reporting piece or something we can click and generate easily.""There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products.""We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.""Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.""We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.""The solution could improve by having better-consulting services.""The reporting can be improved."

More SonarQube Cons →

Pricing and Cost Advice
  • "We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
  • "The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
  • "Pricing is competitive."
  • "The solution involves a yearly licensing fee."
  • "As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "WhiteSource is much more affordable than Veracode."
  • "This is an expensive solution."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • More Mend.io Pricing and Cost Advice →

  • "This is open source."
  • "We did not purchase a license (required for C++ support), but this option was considered."
  • "Get the paid version which allows the customized dashboard and provides technical support."
  • "People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
  • "This product is open source and very convenient."
  • "The licence is standard open source licensing"
  • "The price point on SonarQube is good."
  • "Some of the plugins that were previously free are not free now."
  • More SonarQube Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    765,234 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy… more »
    Top Answer:We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »
    Top Answer:The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related… more »
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Ranking
    Views
    10,901
    Comparisons
    6,545
    Reviews
    11
    Average Words per Review
    1,333
    Rating
    8.5
    Views
    57,256
    Comparisons
    45,052
    Reviews
    18
    Average Words per Review
    397
    Rating
    8.0
    Comparisons
    Black Duck logo
    Compared 16% of the time.
    Snyk logo
    Compared 10% of the time.
    Checkmarx logo
    Compared 10% of the time.
    Veracode logo
    Compared 9% of the time.
    JFrog Xray logo
    Compared 5% of the time.
    Checkmarx logo
    Compared 22% of the time.
    SonarCloud logo
    Compared 13% of the time.
    Coverity logo
    Compared 11% of the time.
    Veracode logo
    Compared 10% of the time.
    GitLab logo
    Compared 2% of the time.
    Also Known As
    WhiteSource, Mend SCA
    Sonar
    Learn More
    Interactive Demo
    Mend.io
    Demo Not Available
    Overview

    Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

    Mend.io Features

    Mend.io has many valuable key features. Some of the most useful ones include:

    • Vulnerability analysis
    • Automated remediation
    • Seamless integration
    • Business prioritization
    • Limitless scalability
    • Intuitive interface
    • Language support
    • Integration
    • Continuous monitoring
    • Remediation suggestions
    • Customization

    Mend.io Benefits

    There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

    • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
    • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
    • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
    • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
    • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
    • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
    • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

    Reviews from Real Users

    Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

    Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

    PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

    An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

    Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

    SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

    At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

    Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

    With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

    SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

    Sample Customers
    Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
    Top Industries
    REVIEWERS
    Computer Software Company33%
    Financial Services Firm11%
    Wholesaler/Distributor6%
    University6%
    VISITORS READING REVIEWS
    Financial Services Firm16%
    Computer Software Company16%
    Manufacturing Company10%
    Insurance Company5%
    REVIEWERS
    Computer Software Company30%
    Financial Services Firm21%
    Comms Service Provider7%
    Insurance Company6%
    VISITORS READING REVIEWS
    Financial Services Firm17%
    Computer Software Company15%
    Manufacturing Company11%
    Government6%
    Company Size
    REVIEWERS
    Small Business36%
    Midsize Enterprise7%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business19%
    Midsize Enterprise14%
    Large Enterprise67%
    REVIEWERS
    Small Business25%
    Midsize Enterprise15%
    Large Enterprise60%
    VISITORS READING REVIEWS
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise71%
    Buyer's Guide
    Mend.io vs. SonarQube
    March 2024
    Find out what your peers are saying about Mend.io vs. SonarQube and other solutions. Updated: March 2024.
    765,234 professionals have used our research since 2012.

    Mend.io is ranked 6th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 108 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Snyk, Checkmarx, Veracode and JFrog Xray, whereas SonarQube is most compared with Checkmarx, SonarCloud, Coverity, Veracode and GitLab. See our Mend.io vs. SonarQube report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.