We performed a comparison between Mend.io, Polyspace Code Prover, and SonarQube based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before they get to production."
"The results and the dashboard they provide are good."
"The most valuable feature is the unified JAR to scan for all languages (wss-scanner jar)."
"The vulnerability analysis is the best aspect of the solution."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"The overall support that we receive is pretty good."
"The outputs are very reliable."
"Polyspace Code Prover is a very user-friendly tool."
"The product detects memory corruptions."
"When we work on safety modules, it is mandatory to fulfill ISO 26262 compliance. Using Prover helps fulfill the standard on top of many other quality checks, like division by zero, data type casts, and null pointer dereferences."
"Polyspace Code Prover has made me realize it differs from other static code analysis tools because it runs the code. So it's quite distinct in that aspect."
"The most valuable features are the dashboard, the ability to drill down to the code, user-friendliness, and the technical debt estimation."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"The most valuable function is its usability."
"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
"The SonarQube dashboard looks great."
"This solution has helped with the integration and building of our CI/CD pipeline."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
"The only thing that I don't find support for on Mend Prioritize is C++."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"Automation could be a challenge."
"One of the main disadvantages is the time it takes to initiate the first run."
"I'd like the data to be taken from any format."
"The tool has some stability issues."
"Using Code Prover on large applications crashes sometimes."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"The solution could improve by providing more advanced technologies."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"There isn't a very good enterprise report."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"SonarQube is not development-centric like Snyk."