
SonarQube vs WhiteSource comparison

Veracode: 60,232 views | 33,073 comparisons
SonarQube: 88,482 views | 72,676 comparisons
WhiteSource: 19,539 views | 15,497 comparisons
Comparison Summary
Question: How does WhiteSource compare with SonarQube?
Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
Featured Review
Find out what your peers are saying about SonarQube vs. WhiteSource and other solutions. Updated: January 2022.
564,729 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
Veracode
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations have particularly increased our time to market and confidence."
  • "It's comprehensive from a feature standpoint."
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."
  • "The time savings have been tremendous. We saw ROI in the first six months."
  • "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
  • "The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
  • "Good static analysis and dynamic analysis."

SonarQube
  • "The most valuable features are the analysis and detection of issues within the application code."
  • "SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
  • "It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
  • "It is working fine. It provides a good value for money."
  • "The most valuable features are code scanning and Quality Gates."
  • "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
  • "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
  • "It provides the security that is required from a solution for financial businesses."

WhiteSource
  • "The results and the dashboard they provide are good."
  • "The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
  • "The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
  • "The solution is scalable."
  • "The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
  • "Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
  • "Its ease of use and good results are the most valuable."

Cons
Veracode
  • "Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says 'Log in with single sign-on,' unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."
  • "Sometimes, I get feedback from a developer saying, 'They are scanning a Python code, but getting feedback around Java code.' While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of high-level insights."
  • "The product has issues with scanning."
  • "When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications, not for the C/C++ applications."
  • "Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
  • "Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, 'Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it,' we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"
  • "There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."

SonarQube
  • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
  • "There are limitations to the free version that limit development options as far as languages."
  • "Code security scanning could be improved."
  • "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
  • "The solution could improve by having better consulting services."
  • "The pricing could be reduced a bit. It's a little expensive."
  • "The interface could be a little better and should be enhanced."
  • "We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."

WhiteSource
  • "I would like to see the static analysis included with the open-source version."
  • "The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
  • "The initial setup could be simplified."
  • "The dashboard UI and UX are problematic."
  • "It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
  • "The solution lacks the code snippet part."
  • "We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with the IDE and shift left so that the developers are able to see the scan results without waiting for the build to fail."

Pricing and Cost Advice
Veracode
  • "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."

SonarQube
  • "I was using the Community Edition, which is available free of charge."
  • "The developer edition is based on cost per lines of code."
  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."

WhiteSource
  • "The solution involves a yearly licensing fee."
  • "As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "WhiteSource is much more affordable than Veracode."

Questions from the Community
  • Top answer: "SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis…"
  • Top answer: "There is a single area on the dashboard where you can get a full view of all of the tests and the results from…"
  • Top answer: "I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget."
  • Top answer: "I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which…"
  • Top answer: "We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security…"
  • Top answer: "Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to…"
  • Top answer: "Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This…"
  • Top answer: "We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is…"
  • Top answer: "The license management of WhiteSource was at a good level. As compared to other tools that I have used, its…"
Also Known As
SonarQube: Sonar
    Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode combines SaaS technology with on-demand expertise, enabling DevSecOps through integration with your pipeline and empowering developers to find and fix security defects.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

    It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

    We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

Sample Customers
  • Veracode: State of Missouri, Rekner
  • SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
  • WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
Top Industries

Veracode
  • Reviewers: Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
  • Visitors reading reviews: Computer Software Company 29%, Comms Service Provider 17%, Financial Services Firm 11%, Manufacturing Company 6%

SonarQube
  • Reviewers: Computer Software Company 23%, Financial Services Firm 21%, Comms Service Provider 10%, Manufacturing Company 8%
  • Visitors reading reviews: Computer Software Company 28%, Comms Service Provider 17%, Financial Services Firm 12%, Manufacturing Company 7%

WhiteSource
  • Reviewers: Computer Software Company 40%, Media Company 10%, Energy/Utilities Company 10%, Consumer Goods Company 10%
  • Visitors reading reviews: Computer Software Company 34%, Comms Service Provider 20%, Financial Services Firm 7%, Manufacturing Company 5%
Company Size

Veracode
  • Reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
  • Visitors reading reviews: Small Business 26%, Midsize Enterprise 31%, Large Enterprise 43%

SonarQube
  • Reviewers: Small Business 28%, Midsize Enterprise 18%, Large Enterprise 54%
  • Visitors reading reviews: Small Business 30%, Midsize Enterprise 21%, Large Enterprise 50%

WhiteSource
  • Reviewers: Small Business 31%, Midsize Enterprise 6%, Large Enterprise 63%
  • Visitors reading reviews: Small Business 16%, Midsize Enterprise 13%, Large Enterprise 71%

SonarQube is ranked 1st in Application Security with 52 reviews, while WhiteSource is ranked 8th in Application Security with 7 reviews. SonarQube is rated 8.0, while WhiteSource is rated 7.6. The top reviewer of SonarQube writes "Good integration and has useful feedback features, such as Quality Gate". On the other hand, the top reviewer of WhiteSource writes "Good reporting and trace analysis allows us to find and solve open-source concerns quickly". SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and Snyk, whereas WhiteSource is most compared with Black Duck, Snyk, Sonatype Nexus Lifecycle, Checkmarx and Micro Focus Fortify on Demand. See our SonarQube vs. WhiteSource report.


    We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.