Mend.io Room for Improvement

Jeffrey Harker - PeerSpot reviewer
System Manager of Cloud Engineering at Common Spirit

At times, the latency of getting items out of the findings after they're remediated is higher than it should be.

JP
Sr. Manager at a financial services firm with 10,001+ employees

Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary.

Kevin Dsouza - PeerSpot reviewer
Intramural Official at Northeastern University

All applications in the world that are created have room for improvement.

Within Mend itself, there’s Mend Prioritize, which prioritizes the vulnerability automatically by itself with relevance to our application. Mend Prioritize has support for five or six languages right now, including JavaScript, C, and C#. The only thing that I don't find support for on Mend Prioritize is C++, which they'll be working on since the product is under development. Once that's done, we can also add it into Mend Prioritize for our weekly scans, which will help us with our analysis and efforts for remediation.

It's everything we need right now. There's nothing as such that’s out of the world that they should do. We use it just for one thing and focus on that. Therefore, they should not do anything else. We're fine with it as it is.

Buyer's Guide
Mend.io
April 2024
Learn what your peers think about Mend.io. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,246 professionals have used our research since 2012.
Bruno Lavit - PeerSpot reviewer
Release Manager at ForgeRock

On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization.

They also need to provide customizable reports. As a customer, I would like to create my own reports by selecting the relevant columns and data and saving these reports. That way, people in our organization could go to the Mend UI and generate these reports. That feature is not available.

One other area where they could improve would be implementing a version number between the product and projects. In some tools, you can manage the version. Today, in Mend.io, I have to create one product for every version (such as 7.1, 7.2, and 7.3). Many are requesting that Mend provide a version number field.

The last issue is the UI. They have been trying to improve the UI for many years. It has been taking a long time. It would be really nice to have a nice, modern UI so that developers could say to their managers, "Wow, it's new, it's nice, it works well, and it's fast." 

Ben Dyer - PeerSpot reviewer
Head of Software Engineering at a legal firm with 1,001-5,000 employees

If I had to choose one area of improvement, it would be to have the support system in one place. At the moment, all matters regarding support run through Salesforce SaaS solutions.

I'm sure there are more improvements that can happen with WhiteSource’s IDE tool, however, it's still useful. We still have an open ticket regarding some slow scans since we have some fairly complex projects that take a long time to scan. That's been the only slightly negative experience with the tool and we work hard to try to fix it.

WhiteSource is working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application. Although we are used to it, when filtering lists, we feel like we are using an application from the 1990s. It's my understanding that they have some improvements coming and I hope to take part in a trial for that.

I've also recently looked at their SaaS tool. I've done a trial with it and at the moment it’s a separate product. I'd like to see all of the products merged into one, so that there would be one place to go for everything and all of the support, FaaS, SCA, and more.

ZvikaRonen - PeerSpot reviewer
Chief Technology Officer at FOSSAware

The pricing model needs some changes. It is being offered in bulks of a minimum of 20 developers, which means that small startups with fewer than 20 developers cannot afford to buy the minimum bulk. There is no flexible pricing model to choose a plan with partial functionality and for fewer than 20.

The GUI should support the export of multiple SBOM formats; today this is the transparency expected by federal agencies from companies that write software.
There is no one standard yet in the industry for SBOM, so leading tools like WhiteSource should be able to support multiple formats.

KW
Principal Security Engineer at Texthelp Ltd.

Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't.

Also, the dashboard is busy. It's a little bit over-engineered. There's a lot of information, and the layout could be a bit cleaner. Maybe they could reduce the amount of visibility on the dashboard.

SM
Product Security Architect at Pitney Bowes Inc.

I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant.

GP
IT Service Manager at a wholesaler/distributor with 51-200 employees

We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap.

I consider scan reports to be another area for improvement, but this is also an area of improvement for user management on our end. We need to train end users on how to deal with alerts and the best approach to take for new projects.

We have weekly meetings with Mend and encourage all users who integrate the solution into their product life cycle to attend. This has been very useful, as these technical meetings assist our staff in the best use practices and improving their interpretation of reports, which allows us to leverage the product to our greatest advantage. We are also able to ask for solution adaptations to suit our requirements, as we produce hardware as a company, not virtual products.

GM
Senior Lead Software Engineer at a tech services company with 10,001+ employees

I would like to see the static analysis included with the open-source version. That would be good.

Nils Hedström - PeerSpot reviewer
Architect/Developer at an insurance company with 5,001-10,000 employees

WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.

reviewer1257792 - PeerSpot reviewer
Co Founder at a consumer goods company with 11-50 employees

WhiteSource Prioritize should be expanded to cover more than Java and JavaScript.
We are currently using WhiteSource Prioritize for Java and it cuts our vulnerability alerts by almost 90%. However, Prioritize doesn't cover Python or other languages at this point and our developers are required to deal with many open source security alerts. The problem is that now our developers are aware that most open source security alerts are not impacting the security of their applications and it's harder to get their cooperation. We are waiting for WhiteSource to announce support for Python and other languages.

reviewer1255491 - PeerSpot reviewer
VP R&D at a tech services company with 11-50 employees

The agent usage was not as smooth as the online experience. It lacks in terms of documentation and the errors and warnings it produces are not always very clear. We were able to get it up and running in a short while by getting help from support, which was very approachable and reliable.

If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.

I would also like to get better integration with Google Docs.

reviewer1250697 - PeerSpot reviewer
Works at a tech vendor with 1,001-5,000 employees

Places in need of improvement are:

  1. Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.
  2. Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects.
  3. Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.
DH
Technical Architect at Dwr Cymru Welsh Water

We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running. This would give us some sort of automated assurance. This is probably the feature that we'd most like to see.

SK
Principal Software Architect at a tech services company with 10,001+ employees

I am not clear if WhiteSource provides on-premises service. I know that its competitors provide on-premises and SaaS-based services for the same licensing fee and model, but I am not sure if this applies to WhiteSource, as well. I believe it does not. 

It is preferable to use on-cloud services, although an on-premises one should equally be an option if I prefer not to go for SaaS-based hosting. The licensing model should be the same for the different options.

The initial setup could be simplified. 

AM
Founder & CEO at DealHub.io

The changes that we would like to see are mostly usability issues.

The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved.

The UI is also too crowded. I believe that less information, or a different data summary, can be more readable. I know this is something they’re currently working on, but not sure where it stands. 

Reporting could be easier, as it does not export filtered-down lists. It would be really valuable to add the ability to customize options in the reports.

reviewer1264290 - PeerSpot reviewer
Project Manager at a wellness & fitness company with 11-50 employees

It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding.

it_user790509 - PeerSpot reviewer
Director at a media company with 1,001-5,000 employees

Better ACL and more role definitions. This product could be used by large organisations but it definitely needs a better role/action model.

Right now (in my understanding) there are roles for WhiteSource Admin and Members and Product Admins and Members.

Here are some suggestions:

  • When you create a new product “A” (for example) then automatically create the user groups A-Admin, A-Members, A-Alerts and A-Approvers. In that way you just need to assign users.
  • Have a new role “Product Status Updates”, because I don’t want all product admins to receive the status or to have all who get the status as product admins.
  • Have a new role “WhiteSource Status Updates” - I want to have different groups to be admins or to receive a status report.
  • Have a new role “Audit” to receive audits.
it_user832698 - PeerSpot reviewer
Head of Department for Software Engineering and Integration

Every product has room for improvement, including WhiteSource. The stability of the product is web-based. We are obliged to use Internet Explorer, and from time to time I get messages which tell me that I do not have the rights to use WhiteSource, which is obviously wrong. I also suggested it to WhiteSource, and they told me that WhiteSource only works reliably for Firefox and Chrome. This has some room for improvement for me. Make the product available in a very stable way for other web browsers.

From time to time, the dashboards don't display the full content that I expect. It seems that licenses are not shown, nor are products shown in full detail. I am just missing things at times. This might be due to the Internet Explorer issue, and if I am not using the right web browser, then maybe it does not work correctly.

AH
FOSS Coordinator at a manufacturing company with 5,001-10,000 employees

The solution lacks the code snippet part. I plan to raise this issue with those at WhiteSource.

ZD
Business Process Analyst at a financial services firm with 1,001-5,000 employees

We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. 

We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail.

reviewer1261788 - PeerSpot reviewer
VP R&D at a computer software company with 51-200 employees

The UI is not that friendly and you need to learn how to navigate easily. It also doesn’t run as smoothly as I would want or expect, and I believe it requires some improvements. That said, the Success team is very attentive and does reply and answer related matters quite fast.

Currently, effective vulnerabilities are only available in two languages, which is great, but I would be very happy to see more languages. It does cover most of our libraries, but we do have other languages in use. More coverage on that aspect would be helpful.

NK
DevOps CI/CD Team Lead at a computer software company with 10,001+ employees

The dashboard UI and UX are problematic. This solution looks like a 1995 web site and it's very hard to understand what the issue is and why it failed.

it_user761874 - PeerSpot reviewer
Release Engineer at a tech vendor with 201-500 employees

Notifications could be improved. Everything else is OK.

If one of our products is using a dependency with a black-listed license (LGPL, for example) we like to notify the developer who added this dependency. And we use the same notification if you try to use a component with no license or no copyright information.

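Three of the reviews above ask for the same kind of automated control: a build that fails when the scan finds a serious vulnerability (Nils Hedström), a pipeline gate that blocks the run when findings cross a threshold (DH at Dwr Cymru Welsh Water), and a notification when a dependency carries a blacklisted license or no license information at all (the Release Engineer review just above). The Python script below is an added example of such a gate; it is not code from Mend.io or from any of the reviewers. The JSON layout of the findings report, the library names and the `VULN-PLACEHOLDER-*` identifiers are constructed for this example and do not match Mend's real export format.

```python
"""Pipeline gate over an SCA findings report (added example, not Mend.io code).

The report layout and the placeholder vulnerability IDs are constructed for
this example; they are not Mend.io's export format.
"""
import json
import sys

# Constructed sample report standing in for the scanner's exported findings.
SAMPLE_REPORT_JSON = """
{
  "project": "example-service",
  "libraries": [
    {"name": "libalpha", "version": "1.2.3", "license": "MIT",
     "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "severity": "critical"}]},
    {"name": "libbeta", "version": "4.5.6", "license": "LGPL-2.1",
     "vulnerabilities": []},
    {"name": "libgamma", "version": "0.9.0", "license": null,
     "vulnerabilities": [{"id": "VULN-PLACEHOLDER-2", "severity": "low"}]}
  ]
}
"""

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_report(report, fail_severity="high",
                    blocked_licenses=("LGPL-2.1", "LGPL-3.0"),
                    require_license=True):
    """Apply the gate policy and return the decision plus one reason per hit.

    fail_severity     lowest severity that blocks the build
    blocked_licenses  license identifiers that must never ship
    require_license   treat a missing license as a blocking finding
    """
    threshold = SEVERITY_RANK[fail_severity.lower()]
    reasons = []
    for lib in report.get("libraries", []):
        ident = f"{lib['name']}@{lib['version']}"
        license_id = lib.get("license")
        if license_id is None:
            if require_license:
                reasons.append(f"{ident}: no license or copyright information")
        elif license_id in blocked_licenses:
            reasons.append(f"{ident}: blocked license {license_id}")
        for vuln in lib.get("vulnerabilities", []):
            severity = str(vuln.get("severity", "")).lower()
            # Unknown severities rank 0 and never block; adjust if that is too lenient.
            if SEVERITY_RANK.get(severity, 0) >= threshold:
                reasons.append(f"{ident}: {vuln['id']} is {severity}")
    return {"blocked": bool(reasons), "reasons": reasons}


def gate_from_json(report_json, **policy):
    """Parse the exported report text and return the gate decision."""
    return evaluate_report(json.loads(report_json), **policy)


if __name__ == "__main__":
    # In CI, pass the path of the exported report; the constructed sample is
    # used when no path is given. A non-zero exit code fails the pipeline step.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_JSON
    decision = gate_from_json(text)
    for reason in decision["reasons"]:
        print("BLOCK:", reason)
    print("gate:", "FAIL" if decision["blocked"] else "PASS")
    sys.exit(1 if decision["blocked"] else 0)
```

Run as a step after the scan exports its report: the step fails on a non-zero exit, which is the automated assurance DH describes, and the `reasons` list is the material to route to whoever introduced the flagged dependency. The policy arguments are deliberately explicit so that a team can start with `fail_severity="critical"` and tighten it as the backlog shrinks.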
WL
Sr. Director, Cloud Operations at a computer software company with 1,001-5,000 employees

It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools.

Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.

MR
AVP at a computer software company with 5,001-10,000 employees

The turnaround time for upgrading databases for this tool as well as the accuracy could be improved. 

It would be good if containerization could be included under the current licensing but this is not something I have looked into.

reviewer1250700 - PeerSpot reviewer
Senior Productization Specialist at a tech services company with 51-200 employees

WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers.

This solution needs better support and customer service.
