reviewer1250700 - PeerSpot reviewer
Senior Productization Specialist at a tech services company with 51-200 employees
Real User
Good reporting capability but the support needs to be improved
Pros and Cons
  • "The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution."
  • "WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."

What is our primary use case?

I use this solution for product inventory tracing and 3PP handling in terms of License Compliance & Security.

I've been using both the UI & API.

How has it helped my organization?

At first, WhiteSource was great in regards to have a clear picture of what we use in our products.

Then later, we started having different issues with WhiteSource, especially in our containers/Docker images. The problem has not been resolved yet, even after many follow-ups on this matter.

What is most valuable?

The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution.

What needs improvement?

WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers.

This solution needs better support and customer service.

Buyer's Guide
Mend.io
May 2025
Learn what your peers think about Mend.io. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

I have been using WhiteSource for one year.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1250697 - PeerSpot reviewer
Works at a tech vendor with 1,001-5,000 employees
Real User
Vulnerability and license alerts help us stay compliant with software releases
Pros and Cons
  • "Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
  • "Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."

What is our primary use case?

Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in offline mode scan, and then the resulting "wsjson" file is uploaded to the WS SaaS portal.

How has it helped my organization?

We moved from Black Duck to WhiteSource as it was a more modern and scalable solution, with better integration support to various build and source environments. The ease of running scans and getting results quickly enables our developers to address issues quicker. 

What is most valuable?

The most valuable features of this solution are:

  1. The vulnerability and license alerts are the main purposes of us utilizing this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
  2. Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
  3. Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software.

What needs improvement?

Places in need of improvement are:

  1. Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.
  2. Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects.
  3. Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.

For how long have I used the solution?

We have been using WhiteSource for two years.

What do I think about the stability of the solution?

In our two years of usage, there has been a negligible amount of downtime. We have, however, experienced occasional issues with certain features of the offer that created some friction and grumblings from our devs using the portal, but those have typically been resolved fairly quickly. 

What do I think about the scalability of the solution?

This is a SaaS offering that has so far taken everything we have thrown at it (150+ products, with multiple projects in each). Certain reports that aggregate data globally could take a while to churn, but well within acceptable time-frames.

How are customer service and technical support?

Responses are quick; TS works hard to resolve issues quickly. 

Which solution did I use previously and why did I switch?

Prior to this solution, we used Black Duck. As of two years ago, when we made the switch, WhiteSource's UI was more modern, the SaaS solution more scalable, and the integration capabilities far superior. The detection accuracy between the two was quite similar. 

How was the initial setup?

Setting up the tool for automated usage is very straightforward. Follow the documentation carefully and you will likely be fully up and running in between 15 and 60 mins.

What about the implementation team?

We implemented this solution using our in-house team.

What's my experience with pricing, setup cost, and licensing?

Pricing is competitive.

Which other solutions did I evaluate?

We also use NPM Audit and Snyk, but as an augmentation; not as competitors. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Technical Architect at Dwr Cymru Welsh Water
Real User
Helpful for compiling a list of our third-party libraries, but it needs a quality gate function
Pros and Cons
  • "The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
  • "We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."

What is our primary use case?

Our primary use for WhiteSource Bolt is to gain visibility over third-party libraries in order to perform vulnerability assessments and take care of licensing issues.

We are using this solution within our Microsoft Azure tenants. Essentially, we are using it in a private cloud.

What is most valuable?

The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate. This helps us quite a bit.

What needs improvement?

We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running. This would give us some sort of automated assurance. This is probably the feature that we'd most like to see.

For how long have I used the solution?

We have been using this solution for about eight months.

What do I think about the stability of the solution?

Generally, the stability is pretty good. The only thing we have noticed in the past couple of weeks is that it's been quite slow at times. We are reaching out to them over the issue.

What do I think about the scalability of the solution?

We haven't deployed it on a massive scale so we may not be able to judge the scalability. We run through perhaps ten deployments in a day, and we have not seen any issues.

We use this for anything that gets deployed, which is every pipeline that we run through our CICD.

How are customer service and technical support?

I haven't needed to engage with technical support for this solution.

Which solution did I use previously and why did I switch?

For this use case, we did not use another solution prior to this one.

How was the initial setup?

Given that it is a cloud-based solution, it is really easy. The deployment takes a couple of minutes.

What's my experience with pricing, setup cost, and licensing?

The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.

Which other solutions did I evaluate?

We are still evaluating at the moment, and have not officially adopted WhiteSource as of yet.

What other advice do I have?

For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them.

I would rate this solution a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
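The pipeline gate the reviewer above asks for, and the "codify the no-nos as policy and auto-reject" idea from the earlier review, can be built today as a small step that runs after the scan. This is an added example, not WhiteSource/Mend code; the JSON report layout it parses is an assumption for illustration (not the real "wsjson" format), the sample report and vulnerability ids are constructed, and the blocking rule uses a CVSS threshold because the page does not say what "score" the reviewer meant.

```python
"""Policy gate for an SCA scan report (added example, not vendor code).

Assumed report layout (constructed for this example):
{"libraries": [{"name", "version", "license", "vulnerabilities": [{"id", "score"}]}]}
"""
import json
import sys
from dataclasses import dataclass


@dataclass
class Policy:
    # Copyleft licenses the reviews mention wanting to keep out of shipped software.
    forbidden_licenses: frozenset = frozenset({"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0"})
    max_cvss: float = 7.0          # a vulnerability at or above this score blocks the build
    require_license: bool = True   # a component with no detected license also blocks


# Constructed sample report; library names and VULN-* ids are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "project": "example-service",
    "libraries": [
        {"name": "libalpha", "version": "1.4.0", "license": "MIT", "vulnerabilities": []},
        {"name": "libbeta", "version": "2.0.1", "license": "GPL-3.0", "vulnerabilities": []},
        {"name": "libgamma", "version": "0.9.3", "license": "Apache-2.0",
         "vulnerabilities": [{"id": "VULN-0001", "score": 9.1}, {"id": "VULN-0002", "score": 4.3}]},
        {"name": "libdelta", "version": "3.2.0", "license": None, "vulnerabilities": []},
    ],
})


def load_report(text):
    """Parse the assumed report layout and return the list of detected libraries."""
    return json.loads(text).get("libraries", [])


def evaluate(libraries, policy):
    """Return human-readable policy violations; an empty list means the gate passes."""
    violations = []
    for lib in libraries:
        ident = f"{lib.get('name')}@{lib.get('version')}"
        lic = lib.get("license")
        if policy.require_license and not lic:
            violations.append(f"{ident}: no license detected")
        elif lic in policy.forbidden_licenses:
            violations.append(f"{ident}: forbidden license {lic}")
        for vuln in lib.get("vulnerabilities", []):
            score = float(vuln.get("score", 0))
            if score >= policy.max_cvss:
                violations.append(f"{ident}: {vuln.get('id')} CVSS {score} >= {policy.max_cvss}")
    return violations


def gate(report_text, policy=Policy()):
    """Exit status for the pipeline step: 0 lets the run continue, 1 blocks it."""
    violations = evaluate(load_report(report_text), policy)
    for v in violations:
        print("BLOCK:", v)
    return 1 if violations else 0


if __name__ == "__main__":
    # Pass the report path as the first argument; the constructed sample is used otherwise.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

In Azure DevOps or any other CI system, a non-zero exit from this step fails the job, which is the automated assurance the review describes.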
it_user832698 - PeerSpot reviewer
Head of Department for Software Engineering and Integration
Real User
Using it, we can take some measures to improve things, replace a library, or update a library which was too old
Pros and Cons
  • "The overall support that we receive is pretty good."
  • "We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
  • "We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
  • "Make the product available in a very stable way for other web browsers."

What is our primary use case?

Our primary use is to find all the third-party libraries and open source libraries which are hidden in the software, such that no third-party libraries are forgotten.

  1. To get an overview of all these third-party components.
  2. To get some information from WhiteSource about which licenses are behind the third-party tool, and what implications these might have for us.

How has it helped my organization?

We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds. Then, we can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs, etc.

What is most valuable?

Several dashboards. The licenses dashboard, which gives me an overview of all the licenses used in our software. For example, right at the moment, there are several hundreds of licenses used. The licenses dashboard and release management dashboard along with reports (like risk, vulnerabilities, high severity, bug alerts, etc.).

What needs improvement?

Every product has room for improvement, including WhiteSource. The stability of the product is web-based. We are obliged to use Internet Explorer, and from time to time I get messages which tell me that I do not have the rights to use WhiteSource, which is obviously wrong. I also suggested it to WhiteSource, and they told me that WhiteSource only works reliably for Firefox and Chrome. This has some room for improvement for me. Make the product available in a very stable way for other web browsers.

From time to time, the dashboards don't display the full content that I expect. It seems that licenses are not shown, nor are products shown in full detail. I am just missing things at times. This might be due to the Internet Explorer issue, and if I am not using the right web browser, then maybe it does not work correctly.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

From time to time, it seems that in Internet Explorer, which we use here in our company, the product is not stable in all cases. I get wrong error messages, and it seems that WhiteSource does not display all the contents that should be there.

It is good enough. We can live with it in this situation. Though maybe it would be much better if we used Chrome or Firefox.

The picture that I have of it is that it is not yet a fully 100% stable software. This is the impression that I have. It is not 100% stable and reliable, but it is good enough that we can work with it.

What do I think about the scalability of the solution?

We have only six software projects included right now. Altogether, we have several hundred third-party open source components. With this amount of objects displayed in the dashboards, it is working pretty well. I cannot say anything which goes beyond that amount. 

From time to time, I have the impression that if it is a long list (e.g., if I have several hundred entries in a list), this list might somehow get a little bit difficult to handle with the scroll bar when finding things. This could be improved, in regards to handling a lot of data. It seems a little bit limited.

How are customer service and technical support?

We have tech calls with WhiteSource on a regular basis, about every four weeks. 

The customer success manager, who is responsible for us, works with us pretty well. Every several weeks, we have a phone call, then we try to move one step forward to improve things, and so on. 

The overall support that we receive is pretty good. 

Which solution did I use previously and why did I switch?

We did not use anything before WhiteSource. 

How was the initial setup?

It was not that easy, but easy enough to go ahead. 

From time to time, we get some hints from the support on how to work with it. The dashboard is pretty good, so one can easily find the things they are looking for. However, the topic search is very complex, and it is complicated to get a qualified picture of all these licenses. I know that there are online resources for us which we can take into account, but taking everything together, it still remains quite complicated for us to work with it.

What was our ROI?

Up until now, we were convinced that the return on investment was not really the case. However, we will see if maybe we get enough benefit out of the tool that we can argue internally that it is really worth using it.

When using WhiteSource, you cannot really be sure what the ROI is. It is an indication, a hint, that maybe you should look at these licenses or those licenses. However, maybe it has not found everything. Nobody can guarantee that we now have the complete picture. It is maybe an improved picture on all this third-party open-source stuff, but maybe it is also not the complete picture.

What's my experience with pricing, setup cost, and licensing?

We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. 

Which other solutions did I evaluate?

We did evaluate another tool along with WhiteSource, but we decided to take WhiteSource. There was this other tool, Black Duck, but we decided to work with WhiteSource.

However, we have not fully evaluated this tool. It seemed too complicated for us, so at a certain point, we just decided to work with WhiteSource further on.

What other advice do I have?

I recommend using WhiteSource to other companies if they are in a similar situation that we are. If they are having real problems in dealing with all these open source licenses, then it is a good approach to use WhiteSource and get a handle of the whole topic. 

I do recommend it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user790509 - PeerSpot reviewer
Director at a media company with 1,001-5,000 employees
Vendor
Enables scanning of third-party libraries to ensure policy compliance but needs better role definition
Pros and Cons
  • "Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."
  • "Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."

How has it helped my organization?

To prevent shipping commercial or GPL libraries, we scan our repositories.

What is most valuable?

Scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed and that we’re not using “forbidden” libraries.

What needs improvement?

Better ACL and more role definitions. This product could be used by large organisations but it definitely needs a better role/action model.

Right now (in my understanding) there are roles for WhiteSource Admin and Members and Product Admins and Members.

Here are some suggestions:

  • When you create a new product "A" (for example), then automatically create the user groups A-Admin, A-Members, A-Alerts and A-Approvers. In that way you just need to assign users.
  • Have a new role "Product Status Updates", because I don't want all product admins to receive the status or to have all who get the status as product admins.
  • Have a new role “WhiteSource Status Updates” - I want to have different groups to be admins or to receive a status report.
  • Have a new role “Audit” to receive audits.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues, it's working really well.

What do I think about the scalability of the solution?

No issues so far.

How are customer service and technical support?

Eight out of 10. Always responsive.

Which solution did I use previously and why did I switch?

We were using editors or Wiki to keep that information, but obviously it was not updated.

How was the initial setup?

It wasn’t too complex because you have different options for integrating your repositories, from a simple directory scan to a complex plug-in. We decided to begin with the simplest one and adopt new integrations step by step.

What's my experience with pricing, setup cost, and licensing?

Pricing / licensing model changed during last year so I don’t have an opinion here yet.

Which other solutions did I evaluate?

I evaluated Black Duck.

What other advice do I have?

It’s important to define guidelines and best practices regarding how to use the product internally; who defines what? Who accesses what? 

Best way to integrate my GitHub repo, my Maven project, etc.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Patricia A. Johnson - PeerSpot reviewer
Open Source Licensing and Security Expert at a tech vendor with 51-200 employees
Real User

Thanks for your comment! If you have any questions during your review process of WhiteSource's solution I would be happy to assist you.
PeerSpot user
Release Engineer at a tech vendor with 201-500 employees
Real User
Deployment is easy: In 30 minutes, your product is analysed and the results are available.

How has it helped my organization?

With WhiteSource, we have been able to automate the scan of our Open Source dependencies. Before, it was a 50% automated in-house solution.

What is most valuable?

  • Open Source dependencies scan
  • Common Vulnerabilities and Exposures (CVE) detection
  • Useful license and copyright reports
  • Dashboards to manage the risk by product or by organisation

We are using a lot of Open Source components to develop our products. WhiteSource is the perfect tool to manage the Open Source governance. All our continuous integration stack is using WhiteSource to scan our dependencies (Maven, NPM, Docker).

Next, we are integrating the WhiteSource reports in our products (in a legal-notices folder) to store all the copyright and licensing information. WhiteSource replaced a painful and complex in-house solution; now it's fully automated.

What needs improvement?

Notifications could be improved. Everything else is OK.

If one of our products is using a dependency with a black-listed license (LGPL, for example) we like to notify the developer who added this dependency. And we use the same notification if you try to use a component with no license or no copyright information.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

Customer Service:

A nine out of 10. They are really reactive when we have a question.

Technical Support:

A nine out of 10. They are really reactive when we have a question.

Which solution did I use previously and why did I switch?

We were using an in-house solution based on some Maven plugins. The process was not fully-automated. We were looking for a fully-automated solution.

How was the initial setup?

Really straightforward. The first scan was ready in 30 minutes.

What about the implementation team?

My team (release engineering) implemented WhiteSource for our company.

What was our ROI?

We are really happy to use WhiteSource. A lot of time has been saved and the results are more accurate.

What's my experience with pricing, setup cost, and licensing?

The setup cost is cheap. For our company, we received a good price to manage unlimited products and versions.

Which other solutions did I evaluate?

We did a comparison with Black Duck, but WhiteSource was better at managing the Open Source stuff.

What other advice do I have?

We are a happy customer.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1252050 - PeerSpot reviewer
AVP at a computer software company with 5,001-10,000 employees
Real User
Provides the ability to identify security vulnerabilities and is fast and easy to implement
Pros and Cons
  • "The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
  • "The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."

What is most valuable?

The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business. 

What needs improvement?

The turnaround time for upgrading databases for this tool as well as the accuracy could be improved. 

It would be good if containerization could be included under the current licensing but this is not something I have looked into.

For how long have I used the solution?

I have been using this solution for four years.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

This is a scalable solution. 

How are customer service and support?

This solution offers good support which we have used multiple times. 

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup of this solution was straightforward and easy.

What's my experience with pricing, setup cost, and licensing?

This is an expensive solution. 

When setting up this solution, it is important to have clear cut planning and to define the automation rules. 

What other advice do I have?

I would recommend using WhiteSource. It has an edge over other tools in the market and is a faster solution. 

WhiteSource is easy to integrate with the CICD pipeline and runs standalone scans as it is a SaaS deployment. Integration of this solution does not require much time or knowledge. 

I would rate this solution a nine out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user