
WhiteSource Overview

WhiteSource is the #3 ranked solution among top Software Composition Analysis (SCA) tools and the #8 ranked solution among application security tools. PeerSpot users give WhiteSource an average rating of 8 out of 10. WhiteSource is most commonly compared to SonarQube: WhiteSource vs SonarQube. WhiteSource is popular among the large enterprise segment, which accounts for 71% of users researching this solution on PeerSpot. The top industry researching this solution is computer software, whose professionals account for 34% of all views.
What is WhiteSource?

The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

Buyer's Guide

Download the Software Composition Analysis (SCA) Buyer's Guide including reviews and more. Updated: January 2022

WhiteSource Customers

Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates

WhiteSource Pricing Advice

What users are saying about WhiteSource pricing:
  • "As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
  • "The solution involves a yearly licensing fee."
  • "WhiteSource is much more affordable than Veracode."
WhiteSource Reviews

    Alon Michaeli
    Founder & CEO at Data+
    Real User
    Good reporting and trace analysis allows us to find and solve open-source concerns quickly
    Pros and Cons
    • "Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
    • "The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."

    What is our primary use case?

    We use WhiteSource mainly to:

    1. Detect and automate vulnerability remediation. We started to research solutions since our dev teams were unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. Some we run manually using an agent. We recently started using the repository integration with GitHub, too, pre-build.
    2. License reporting and attribution reports. We use attribution reports and due diligence reports to assess risks associated with open-source licenses.

    How has it helped my organization?

    WhiteSource is very easy to run and use. It significantly reduced the time our developers used to spend on issues in open-source libraries. We used a free tool before, and the number of alerts was too high to handle.

    We recently implemented WhiteSource on our GitHub account.

    It provides our developers with better visibility into open source libraries within their code environment, which helps the company in ensuring dev adoption.

    When it comes to open-source licenses, it really simplified reporting as it provides an inventory list in a simple report. Before WhiteSource it was almost impossible, mostly due to transitive dependencies.

    What is most valuable?

    The most valuable features for us are:

    1. Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that you would have to research online for fixes, and most of the time it’s not that straightforward.
    2. Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite some time.
    3. Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There’s also an option to create policies around that.

    What needs improvement?

    The changes that we would like to see are mostly usability issues.

    The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved.

    The UI is also too crowded. I believe that less information, or a different data summary, can be more readable. I know this is something they’re currently working on, but not sure where it stands. 

    Reporting could be easier, as it does not export filtered-down lists. It would be really valuable to add the ability to customize options in the reports.

    For how long have I used the solution?

    We have been using WhiteSource for one and a half years.

    What do I think about the stability of the solution?

    Stable.

    What do I think about the scalability of the solution?

    Didn't have any problems related to scale so far.

    Which solution did I use previously and why did I switch?

    No

    What was our ROI?

    I can easily generate reports and get a quick overview of my status.

    Which other solutions did I evaluate?

    Yes, Snyk

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Principal Software Architect at a tech services company with 10,001+ employees
    Real User
    Top 20
    Scalable and stable, with a broad range of features
    Pros and Cons
    • "The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
    • "The initial setup could be simplified."

    What is our primary use case?

    To my knowledge, we are using the latest, SaaS, version. 

    What is most valuable?

    The solution boasts a broad range of features and covers much of what an ideal SCA tool should. It covers the containers. One can create his teams and, should he encounter an issue, send an alert to the team's DL. 

    I am quite happy with WhiteSource. It is very good and provides many things, including extensive reports involving vulnerabilities. 

    What needs improvement?

    I am not clear if WhiteSource provides on-premises service. I know that its competitors provide on-premises and SaaS-based services for the same licensing fee and model, but I am not sure if this applies to WhiteSource, as well. I believe it does not. 

    It is preferable to use on-cloud services, although on-premises one should equally be an option, if I would prefer to not go for SaaS-based hosting. The licensing model should be the same for the different options. 

    The initial setup could be simplified. 

    For how long have I used the solution?

    I have been using WhiteSource for more than a year. 

    What do I think about the stability of the solution?

    The solution is very stable. 

    What do I think about the scalability of the solution?

    It is a prerequisite that the solution is scalable, as it is SaaS-based.

    How are customer service and technical support?

    I have not had experience with customer support. 

    How was the initial setup?

    The initial setup was of an intermediate complexity. It was neither complex, nor straightforward. It could have been easier. Understandably, it involved a certain amount of configuration. 

    What's my experience with pricing, setup cost, and licensing?

    I cannot comment on billing, as this was handled by other departments in my previous organization. 

    As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using.

    Which other solutions did I evaluate?

    The reason I logged into the IT Central Station web site is because I was looking for crisp documentation so that I may compare WhiteSource with Black Duck. I did not find what I was looking for. All I found was a conglomerate of user experiences, not the research reports I was searching for.

    I am currently using both of these products.

    What other advice do I have?

    I rate WhiteSource as an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Business Process Analyst at a financial services firm with 1,001-5,000 employees
    Real User
    Top 20
    Unstable, caused build failures, and doubled or tripled the build time
    Pros and Cons
    • "The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
    • "We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."

    What is most valuable?

    The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine.

    What needs improvement?

    We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. 

    We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail.

    For how long have I used the solution?

    I have used this solution for one year. 

    What do I think about the stability of the solution?

    I wouldn't call it stable because we could not build it into the pipeline, and it caused failures.

    How are customer service and technical support?

    They were quite responsive, but in the end, they couldn't help with anything to make it work. For any feature requests that we had on our side, they always claimed that they were part of the roadmap, but after that, nothing happened.

    How was the initial setup?

    It was quite straightforward. It was intended to be done on the DevOps side. It was nothing special. It didn't work after the setup. It caused build failures.

    What other advice do I have?

    I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    DevOps CI/CD Team Lead at a computer software company with 10,001+ employees
    Real User
    Technology-agnostic scanning facilitates security auditing, but the UI needs improvement
    Pros and Cons
    • "The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
    • "The dashboard UI and UX are problematic."

    What is our primary use case?

    We use this solution for scanning NodeJS and Maven projects during the CI/CD processes. We have hundreds of scans per day for any project that runs on our CI and passes the release build.

    This means that any release build runs the WhiteSource scan before deployment to production clusters, which ensures that we are pretty covered in terms of licenses for open source dependencies.

    We are running on top of hundreds of microservices and thousands of daily builds, of which part of them are moving to production deployment eventually.  

    How has it helped my organization?

    In general, we are covered for open source licensing issues and CVE errors on particular versions for open source dependencies. Moreover, we have covered ourselves for security auditing by stating that we are users of WhiteSource.

    What is most valuable?

    The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar). It helps us to scan easily and is agnostic to the technology.

    What needs improvement?

    The dashboard UI and UX are problematic. This solution looks like a 1995 web site and it's very hard to understand what the issue is and why it failed.

    For how long have I used the solution?

    I have been using WhiteSource for almost five years.

    What do I think about the stability of the solution?

    The stability is great.

    How are customer service and technical support?

    Our account manager is the best!

    Which solution did I use previously and why did I switch?

    This is my first open-source scanning solution.

    What about the implementation team?

    The setup was performed independently.

    Which other solutions did I evaluate?

    I didn't choose it, but I saw a demo of Snyk.

    What other advice do I have?

    Improve the UI please... developers cannot find themselves in this dashboard.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    AnandHosamani
    FOSS Coordinator at a manufacturing company with 5,001-10,000 employees
    Real User
    Top 5
    A stable and scalable solution for free and open source scanning

    What is our primary use case?

    I use the solution for free and open source scanning. 

    What needs improvement?

    The solution lacks the code snippet part. I plan to raise this issue with those at WhiteSource.

    For how long have I used the solution?

    I have been using WhiteSource for more than a year. 

    What do I think about the stability of the solution?

    The solution is scalable. 

    What do I think about the scalability of the solution?

    The solution is stable. 

    How are customer service and technical support?

    The technical support is good, although not the best. It could be more customer friendly. 

    How was the initial setup?

    The initial setup was straightforward.

    Installation took no more than five minutes. 

    What about the implementation team?

    CI/CD integration required the use of a consultant. 

    We did not require much technical team for this. The team consists of four people. 

    What's my experience with pricing, setup cost, and licensing?

    The solution involves a yearly licensing fee. 

    Which other solutions did I evaluate?

    There were only two products at this point in time which we evaluated, the solution being one of these. We plan to reevaluate its use. 

    What other advice do I have?

    The solution is only cloud-based, not on-premises. 

    It is user-friendly. 

    There are around 50 people currently using it in our organization. 

    I rate WhiteSource as an eight out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr. Director, Cloud Operations at a computer software company with 1,001-5,000 employees
    Real User
    Top 20
    Easy to use, easy to set up, and gives good results

    What is most valuable?

    Its ease of use and good results are the most valuable.

    What needs improvement?

    It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools.

    Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.

    For how long have I used the solution?

    I have been using this solution for one month. I am using its latest version.

    What do I think about the scalability of the solution?

    We are still implementing it. We haven't gone through scalability, but we don't expect any problem.

    How are customer service and technical support?

    Their support is average. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. 

    How was the initial setup?

    The initial setup was pretty straightforward. The deployment took about three weeks.

    What about the implementation team?

    We did it ourselves.

    What other advice do I have?

    I would rate WhiteSource a nine out of ten. It is a good product.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Lead Software Engineer at a tech services company with 10,001+ employees
    Real User
    Integrates well with Azure DevOps, stable, and affordable
    Pros and Cons
    • "The results and the dashboard they provide are good."
    • "I would like to see the static analysis included with the open-source version."

    What is most valuable?

    The integration with Azure DevOps was good.

    The results and the dashboard they provide are good.

    It was pretty straightforward for me.

    What needs improvement?

    I would like to see the static analysis included with the open-source version. That would be good.

    For how long have I used the solution?

    I used the trial version of WhiteSource for a month. We chose to work with Veracode instead.

    What do I think about the stability of the solution?

    It was pretty stable. I don't have any complaints about the stability of WhiteSource.

    How are customer service and technical support?

    I did not have any contact with the technical support. I did not have any issues in the time that I used this solution.

    What's my experience with pricing, setup cost, and licensing?

    It was approximately $2,000 per year or per month, I don't recall exactly.

    When compared with Veracode, Veracode was very, very expensive. It was approximately $200,000.00 per year for the whole suite.

    WhiteSource is much more affordable than Veracode.

    Which other solutions did I evaluate?

    We are evaluating Veracode.

    What other advice do I have?

    It was pretty good. I would rate WhiteSource an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.