Try our new research platform with insights from 80,000+ expert users

Mend.io vs Sonatype Repository Firewall comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Oct 8, 2024

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Mend.io
Ranking in Application Security Tools
17th
Ranking in Software Composition Analysis (SCA)
7th
Average Rating
8.4
Reviews Sentiment
7.1
Number of Reviews
31
Ranking in other categories
Static Code Analysis (4th), Software Supply Chain Security (1st)
Sonatype Repository Firewall
Ranking in Application Security Tools
31st
Ranking in Software Composition Analysis (SCA)
15th
Average Rating
8.2
Reviews Sentiment
7.0
Number of Reviews
4
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of July 2025, in the Application Security Tools category, the mindshare of Mend.io is 3.6%, up from 3.3% compared to the previous year. The mindshare of Sonatype Repository Firewall is 0.5%, up from 0.3% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Featured Reviews

meetharoon - PeerSpot reviewer
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions. We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions. Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions. Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience. In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.
Ashish Shukla - PeerSpot reviewer
You will get clean code every time, and that's a great achievement
For the QA team, it's a really good tool. For those who are not on the QA team, it is also a good tool to use for SDL in the SDLC. It plays a very critical role of doing the automatic quality check recommendation. Meaning, when using this tool, people can easily rectify the issues in the environment itself, instead of going to a higher environment and identifying them. This tool is quite easy to use and learn. We decided that there was no need to hire anyone new who would specialize in this. We had a team of about five to ten people who learned how to use this tool. There are some other automation tools like Jenkins, for example, that require a lot of effort to configure and write out the code, but you do not need to do such for this tool. I thought outside of the box and saw that there are many options available to us when using this tool. The plugins are there, you can download and use the tool at ease and you do not need to do any kind of development. Overall, it’s quite easy to use.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Mend.io is very robust in terms of managing third-party dependencies."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"The overall support that we receive is pretty good. ​"
"Its ease of use and good results are the most valuable."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"The firewall is the only solution that supports Nexus Repository."
"The customer service is fantastic."
"Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you."
"The product's network and intrusion protection features are valuable. It also has rules and compliance features for security."
 

Cons

"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"The UI is not that friendly and you need to learn how to navigate easily."
"Make the product available in a very stable way for other web browsers."
"There are several features lacking in the current offering, particularly concerning container support and AI packages."
"What I don't like is the lack of an option to pick up the phone and call someone for support. That is something they need to improve on. They need to have a professional services package, or they need to include that option with their services."
"There are several features lacking in the current offering, particularly concerning container support and AI packages, like humming phase support."
"The tool needs to improve its file systems. The product should also include zero test feature."
 

Pricing and Cost Advice

"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
"It is fairly priced."
"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
"Pricing is competitive."
"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
"The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
860,632 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
16%
Computer Software Company
15%
Manufacturing Company
11%
Insurance Company
5%
Financial Services Firm
25%
Government
12%
University
8%
Manufacturing Company
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
What is your experience regarding pricing and costs for Sonatype Nexus Firewall?
Also, I consider it average. Some people might consider it expensive, however, since it supports many beautiful features, I would say it is worth it.
What is your primary use case for Sonatype Nexus Firewall?
Many companies, including ours, use Nexus Repository due to concerns about malware and critical vulnerabilities. There should be a specific method to prevent malicious packages from entering the in...
What advice do you have for others considering Sonatype Nexus Firewall?
I would give the solution eight out of ten. I would look at the comparison of Sonatype to some other firewalls. There is room for improvement, especially mentioning container support and AI packages.
 

Also Known As

WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
Sonatype Nexus Firewall, Nexus Firewall
 

Overview

 

Sample Customers

Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
EDF, Tomitribe, Crosskey, Blackboard, Travel audience
Find out what your peers are saying about Mend.io vs. Sonatype Repository Firewall and other solutions. Updated: May 2025.
860,632 professionals have used our research since 2012.