Comparison Buyer's Guide
Executive Summary
Updated on May 19, 2022

We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Reviewers agree that the installation of both solutions is a straightforward process.
  • Features: Users of both products are happy with their stability and scalability. WhiteSource users like its reporting and analytic capabilities and say it is good at identifying security vulnerabilities. Several WhiteSource users mention that its UI needs to be improved. SonarQube users praise its code quality detection and say it is user-friendly, robust, and provides support for many programming languages. Several users note that SonarQube needs better exporting and sharing options.
  • Pricing: Most WhiteSource users feel it is an expensive product, whereas SonarQube users say it is reasonably priced. SonarQube also offers a free version.

  • ROI: Reviewers of both products report seeing an ROI.
  • Service and Support: Most WhiteSource users report being satisfied with the level of support they receive. Some SonarQube users are satisfied with the support they receive while others write that the support’s response time is slow.

Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.

To learn more, read our detailed Mend vs. SonarQube Report (Updated: March 2023).
685,707 professionals have used our research since 2012.
Q&A Highlights
Question: How does WhiteSource compare with SonarQube?
Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
  • "The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
  • "The best feature is definitely the detailed reports. It provides code-related queries in the order of high, medium, and low depending on what we need to do. Veracode is user-friendly as well."
  • "Good static analysis and dynamic analysis."
  • "I like Veracode's integration with our CI/CD. It automatically scans our code when we do the build. It can also detect any security flaws in our third-party libraries. Veracode is good at pinpointing the sections of code that have vulnerabilities."
  • "The most valuable feature is the static scan that checks for security issues."
  • "Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention."
  • "In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production."

More Veracode Pros →

  • "The dashboard view and the management view are most valuable."
  • "The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
  • "We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
  • "The solution is scalable."
  • "We set the solution up and enabled it and we had everything running pretty quickly."
  • "There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
  • "I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
  • "Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."

More Mend Pros →

  • "The solution offers a very good community edition."
  • "The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
  • "My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
  • "The fact that the solution does security scanning is valuable."
  • "The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programming language."
  • "I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
  • "The most valuable features are the analysis and detection of issues within the application code."
  • "The reporting and the results are quick. It gets integrated within the pipeline well."

More SonarQube Pros →

Cons
  • "One of the most important areas that need improvement for Veracode is its DaaS. Veracode's DAST engines are primitive."
  • "The zip file scanning has room for improvement."
  • "The solution could improve the Dynamic Analysis Security Testing (DAST)."
  • "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
  • "The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
  • "Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
  • "Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode."
  • "I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning. If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously."

More Veracode Cons →

  • "The only thing that I don't find support for on Mend Prioritize is C++."
  • "The initial setup could be simplified."
  • "WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
  • "At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
  • "They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
  • "I would like to see the static analysis included with the open-source version."
  • "It should support multiple SBOM formats to be able to integrate with old industry standards."
  • "Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."

More Mend Cons →

  • "The handling of the contents of Docker container images could be better."
  • "Technical support and the price could be better."
  • "The solution could improve by providing more advanced technologies."
  • "There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
  • "A little bit more emphasis on security and a bit more security scanning features would be nice."
  • "Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
  • "SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
  • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

More SonarQube Cons →

Pricing and Cost Advice
  • "From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
  • "The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us."
  • "It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year."
  • "The cost has been a barrier to wider use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. I mean, for the level of interaction we get with Veracode staff, it's been pretty good."
  • "There is a fee to scale up the solution which I consider expensive."
  • "I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution."
  • "I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing."
  • "There are no setup or implementation charges. They offer a free trial and free consulting services... The price depends on your requirements, your source code sizes, and how complicated your source code is."
  • More Veracode Pricing and Cost Advice →

  • "The solution involves a yearly licensing fee."
  • "As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "WhiteSource is much more affordable than Veracode."
  • "This is an expensive solution."
  • "When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
  • "Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
  • "We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
  • "Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
  • More Mend Pricing and Cost Advice →

  • "The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
  • "I requested this license for one million lines of code and they accepted this."
  • "SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."
  • "This solution is free."
  • "We're using the Community Edition, and we don't pay for anything."
  • "It is very expensive. Its price should be improved."
  • "The price of the solution could be reduced."
  • "The price of this solution is more expensive than competitors. However, it works better than competitors."
  • More SonarQube Pricing and Cost Advice →

    Questions from the Community
    • Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis…
    • Top Answer: The user interface is excellent, the code review process is quick and provides great analytics to understand our code…
    • Top Answer: It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as…
    • Top Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This…
    • Top Answer: We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is…
    • Top Answer: The license management of WhiteSource was at a good level. As compared to other tools that I have used, its…
    • Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which…
    • Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security…
    • Top Answer: Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to…
    Comparisons
    • Black Duck: compared 19% of the time.
    • Snyk: compared 16% of the time.
    • Checkmarx: compared 5% of the time.
    • Sonatype Nexus Lifecycle: compared 5% of the time.
    • JFrog Xray: compared 4% of the time.
    Also Known As
    • Mend: WhiteSource
    • SonarQube: Sonar
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Mend is a software composition analysis tool that secures what developers create. The solution provides automated reduction of software attack surface, reduces developer burdens, and accelerates app delivery. Mend provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violations alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend reduce enterprise application security risk, it also helps developers meet deadlines faster.

    Mend Features

    Mend has many valuable key features. Some of the most useful ones include:

    • Vulnerability analysis
    • Automated remediation
    • Seamless integration
    • Business prioritization
    • Limitless scalability
    • Intuitive interface
    • Language support
    • Integration
    • Continuous monitoring
    • Remediation suggestions
    • Customization

    Mend Benefits

    There are many benefits to implementing Mend. Some of the biggest advantages the solution offers include:

    • Easy to use: The Mend platform is very user friendly and easy to set up.
    • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
    • Static code analysis: With Mend’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
    • Broad support: Mend supports 27 different programming languages and various programming frameworks.
    • Easy integration: Mend makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
    • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
    • Unified developer experience: Mend has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

    Reviews from Real Users

    Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend solution.

    Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

    PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

    An IT Service Manager at a wholesaler/distributor comments, “Mend provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

    Another reviewer, Kevin D., Intramural Official at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Sample Customers
    • Veracode: State of Missouri, Rekner
    • Mend: Microsoft, Autodesk, NCR, Forgerock, The Home Depot, Bosch, IBM, GE digital, KPMG, LivePerson, Jack Henry and Associates
    • SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

    Top Industries
    • Veracode, reviewers: Financial Services Firm 31%, Computer Software Company 11%, Insurance Company 9%, Healthcare Company 6%
    • Veracode, visitors reading reviews: Computer Software Company 19%, Financial Services Firm 16%, Comms Service Provider 8%, Manufacturing Company 7%
    • Mend, reviewers: Computer Software Company 33%, Financial Services Firm 11%, Wholesaler/Distributor 6%, University 6%
    • Mend, visitors reading reviews: Computer Software Company 22%, Financial Services Firm 13%, Comms Service Provider 8%, Manufacturing Company 7%
    • SonarQube, reviewers: Computer Software Company 24%, Financial Services Firm 20%, Comms Service Provider 10%, Manufacturing Company 7%
    • SonarQube, visitors reading reviews: Computer Software Company 18%, Financial Services Firm 17%, Manufacturing Company 8%, Comms Service Provider 8%

    Company Size
    • Veracode, reviewers: Small Business 25%, Midsize Enterprise 22%, Large Enterprise 52%
    • Veracode, visitors reading reviews: Small Business 17%, Midsize Enterprise 12%, Large Enterprise 71%
    • Mend, reviewers: Small Business 35%, Midsize Enterprise 8%, Large Enterprise 58%
    • Mend, visitors reading reviews: Small Business 19%, Midsize Enterprise 13%, Large Enterprise 68%
    • SonarQube, reviewers: Small Business 26%, Midsize Enterprise 17%, Large Enterprise 56%
    • SonarQube, visitors reading reviews: Small Business 15%, Midsize Enterprise 12%, Large Enterprise 72%

    Mend is ranked 4th in Application Security Tools with 13 reviews while SonarQube is ranked 1st in Application Security Tools with 39 reviews. Mend is rated 8.2, while SonarQube is rated 8.2. The top reviewer of Mend writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Mend is most compared with Black Duck, Snyk, Checkmarx, Sonatype Nexus Lifecycle and JFrog Xray, whereas SonarQube is most compared with Checkmarx, Coverity, Snyk, Sonatype Nexus Lifecycle and CAST Highlight. See our Mend vs. SonarQube report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.