Coming October 25: PeerSpot Awards will be announced! Learn more
Buyer's Guide
Application Security Tools
October 2022
Get our free report covering JFrog, Synopsys, Sonar, and other competitors of Sonatype Nexus Firewall. Updated: October 2022.
635,987 professionals have used our research since 2012.

Read reviews of Sonatype Nexus Firewall alternatives and competitors

Shashidhar Gowda - PeerSpot reviewer
Program and Portfolio Management at Acceldata
Real User
Top 20
Highly scalable, reliable, and knowledgeable support
Pros and Cons
  • "We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
  • "I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."

What is our primary use case?

We have started the trial version of WhiteSource last week. We concluded the trial this week and we are beginning to use the full licensed solution later on in the week.

We use WhiteSource for automating open-source vulnerability, by finding the open-source libraries that were used and fixing them. Additionally, we set up policies to disallow some of the risky open sources to be used in our solutions by developers. We are able to scan and fix vulnerabilities in our containers, to ensure that if there are any licenses that violate the open source usage or put our product at risk, we make sure that either we remove or remediate the open sources with risky licenses. Those are the main three use cases.

How has it helped my organization?

We did not have much security compliance implemented in our solutions. Whatever we did, we had to use the AWS built-in OWASP scanning, and we had to manually find out the versions of the open sources that fixed the issues of vulnerability. We then had to make sure that that updated version is sent in and code merged for a test. We found sometimes it took a lot of research to make sure that the version that we are upgrading to did fix the issue, et cetera. However, this is all manual research and is dependent on the knowledge of the developer or the engineer who did this work. It took time and did not ensure a high percentage of security compliance. With WhiteSource in place, we are going to be able to do the whole process automatically and it will be confident that we removed the vulnerabilities and license violations.

We are saving time that we spent on resources because we no longer have to do it manually. We will now have confidence that there are not many errors made.  We are able to do much more vulnerability fixing than we did manually, there are cost-savings, and less work involved.

What is most valuable?

We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently.

For how long have I used the solution?

I have been using WhiteSource for approximately one week.

What do I think about the stability of the solution?

We have not used the solution very long to give us a full picture of the stability. However, from what we have seen from the trials it is impressive.

The solution only required a few hours of work from one DevOps engineer in a week.

What do I think about the scalability of the solution?

WhiteSource's scalability is extremely good. We can add more repositories, projects, and people as we need. There's no problem with the scalability. We did not find any slowness, performance stress, or load-related issues when we did the trials. WhiteSource can handle up to a few thousand concurrent users without any issues.

Once we have the solution fully licensed we will have approximately 50 people using it.

Ou usage of WhiteSource will increase as we add more people, but it's going to be the same code base. The number of users will increase, but the scope of the solution usage in terms of the number of solutions will remain the same.

How are customer service and support?

Their pricing is different for many of the solutions we have tried. In Sonatype, especially, the agents are extremely technically knowledgeable. The sales team and the sales engineering we spoke to are extremely knowledgeable. They had 100 percent of all the answers to the questions that we asked. In the case of Snyk, their support had to go and come back to us and their support pricing is very expensive. Even with the trials that we did, we did not try the paid version of their software that included dedicated customer support.

WhiteSource agents are knowledgeable. In a couple of cases, they had to go back and work with the engineering for a resolution. However, the support that is included in the plan that we bought is good. In the other two options, the pricing did not include the ongoing SLA-based support. With WhiteSource, they include SLA-based support, 24/7, in their enterprise plan, which is comparable to the plans with Sonatype and Snyk where they don't include the support.

I rate the support of WhiteSource a seven out of ten.

I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022.

Which solution did I use previously and why did I switch?

We use trials of many solutions, such as Snyk and Sonatype.

How was the initial setup?

WhiteSource's initial setup is very straightforward. In all three use cases, it was very straightforward. With Sonatype, we used the on-premise version, but with Snyk and WhiteSource, we used their cloud version. It did take a little time to set up Sonatype, but it was straightforward. We had people helping and guiding us on a Zoom call in all three use cases. It did not take long or was it complicated in either of the use cases. Overall all it took was under an hour.

What about the implementation team?

We did the implementation ourselves with the sales engineers.

What was our ROI?

We haven't calculated our return on investment in terms of resource savings. While we were doing everything manually, but still we were not able to do everything. Now we have a solution, we can save the human resources that are being paid for. Our return on investment, in terms of our ability to showcase our solutions as secure and sell them, is going to be multifold. I'm expecting, at least, the return on investment of new sales and cross-sales will be at least six times higher.

What's my experience with pricing, setup cost, and licensing?

When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually.

Which other solutions did I evaluate?

We evaluated many solutions, such as Snyk, Sonatype, SonarQube, Checkmarx, and a couple of others.

What other advice do I have?

When people start looking at solutions that are available for open source, static code analysis, container scanning, and infrastructure as a code, there are many solutions. Many companies have productized these different services into different solutions, but when they sell them they combine everything into one platform. This can be extremely expensive and confusing. In the beginning, it all starts looking like they're all interdependent and buy and use all of them to be able to make them work, which is not the case. Finalize your use cases, what exactly you need a solution for, before even starting your evaluation. For example, our primary use case was open source and open source alone. When we started looking at the solutions, the companies threw at us things that we did not need, and we were confused at some stages. We did not give up and continued our POCs and went into more detail on the solutions that the vendors are offering.

In some cases, we didn't have the ability to evaluate some of the solutions they were providing, because we did not want them. We did not have the solution's codebases. For example, to evaluate some of the features, it's extremely important to discuss internally and make sure your use cases are before starting the evaluation of the solution. During the evaluation, stick to only the solutions or part of the solution that the vendors are providing that satisfies your use cases. Do not go beyond it and pay for something that you will not use once you buy them. It's confusing once you start the trials unless you have not done the background work or homework, you may end up buying things that you don't need at expensive prices.

I rate WhiteSource an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Mohanraj Vellingiri - PeerSpot reviewer
Tools manager at a retailer with 10,001+ employees
Real User
It supports 29 languages
Pros and Cons
  • "SonarQube is one of the more popular solutions because it supports 29 languages."
  • "I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."

What is our primary use case?

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

What is most valuable?

SonarQube is one of the more popular solutions because it supports 29 languages.

What needs improvement?

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

For how long have I used the solution?

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

How was the initial setup?

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

What's my experience with pricing, setup cost, and licensing?

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

Which other solutions did I evaluate?

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

What other advice do I have?

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Application Security Tools
October 2022
Get our free report covering JFrog, Synopsys, Sonar, and other competitors of Sonatype Nexus Firewall. Updated: October 2022.
635,987 professionals have used our research since 2012.