We performed a comparison between Black Duck, FlexNet Code Insight, and Mend.io based on real PeerSpot user reviews.
Find out what your peers are saying about Synopsys, Snyk, Veracode and others in Software Composition Analysis (SCA).
"The solution is very good at scanning and evaluating open source software."
"It is able to drill down to the source level."
"The UI is the solution's most valuable feature since it allows for easy pipeline integration."
"The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files; it provides us all open vulnerabilities, and it ensures the reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, it is immediately available in Black Duck. There is no delay in finding the vulnerabilities; they are called out in our code immediately."
"I like the fact that the product auto analyzes components."
"The solution is stable."
"It highlights what the developers have done, and it shows the impact from an intellectual property point of view."
"Policy management is a valuable feature."
"It had a web interface into the reporting tools that was decent, and open source components could be reported per project and/or aggregated similar to other software composition tools."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"The vulnerability analysis is the best aspect of the solution."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"I would like to see more integration with other solutions, such as IntelliJ IDEA."
"The initial setup could be simplified. It was somewhat complex."
"The tool needs to improve its pricing. Its configuration is complex and can be improved."
"The solution's pricing model and documentation are areas of concern where improvement is needed."
"The scanner client is limited by the size of software it can handle."
"The solution must provide more open APIs."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."
"I found the user interface cumbersome and difficult to use."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"I would like to see the static analysis included with the open-source version."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."