We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.
"We set the solution up and enabled it and we had everything running pretty quickly."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution."
"It is working fine. It provides a good value for money."
"The solution has a plug-in that supports both C and C++ languages."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
"All the features of the solution are quite good."
"There is a free version."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"Provides local scanning for developers."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"Make the product available in a very stable way for other web browsers."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"The UI is not that friendly and you need to learn how to navigate easily."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"The dashboard UI and UX are problematic."
"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"SonarQube could improve its static application security testing as per the industry standard."
"Dynamic scanning is missing and there are some issues with security scanning."
"The security in SonarQube could be better."
"I think the code security can be improved."
"Our developers have complained about the Quality Gates and the number of false positives that this product reports."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
Mend.io is ranked 5th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Snyk, Veracode, Checkmarx One and JFrog Xray, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Mend.io vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.