At times, the latency of getting items out of the findings after they're remediated is higher than it should be.

If I had to choose one area of improvement, it would be to have the support system in one place. At the moment, all matters regarding support run through Salesforce SaaS solutions.

I'm sure there are more improvements that can happen with WhiteSource’s IDE tool, however, it's still useful. We still have an open ticket regarding some slow scans since we have some fairly complex projects that take a long time to scan. That's been the only slightly negative experience with the tool and we work hard to try to fix it.

WhiteSource is working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application. Although we are used to it, when filtering lists, we feel like we are using an application from the 1990s. It's my understanding that they have some improvements coming and I hope to take part in a trial for that.

I've also recently looked at their SaaS tool. I've done a trial with it and at the moment it’s a separate product. I'd like to see all of the products merged into one, so that there would be one place to go for everything and all of the support, FaaS, SCA, and more.

The pricing model needs some changes. It is being offered in bulks of a minimum of 20 developers, which means that small startups with less than 20 developers cannot afford to buy the minimum bulk. There is no flexible pricing model to choose a plan with partial functionality and for less than 20.

The GUI should support the export of multiple SBOM formats, today this is the transparency expected by federal agencies from companies that write software. 
There is no one standard yet in the industry for SBOM, so leading tools like WhiteSource should be able to support multiple formats.

I am not clear if WhiteSource provides on-premises service. I know that its competitors provide on-premises and SaaS-based services for the same licensing fee and model, but I am not sure if this applies to WhiteSource, as well. I believe it does not. 

It is preferable to use on-cloud services, although on-premises one should equally be an option, if I would prefer to not go for SaaS-based hosting. The licensing model should be the same for the different options. 

The initial setup could be simplified. 

WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.

We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. 

We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail.

The turnaround time for upgrading databases for this tool as well as the accuracy could be improved. 

It would be good if containerization could be included under the current licensing but this is not something I have looked into.

The solution lacks the code snippet part. I plan to raise this issue with those at WhiteSource.

It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools.

Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.

I would like to see the static analysis included with the open-source version. That would be good.