WhiteSource Review

Enables scanning of third-party libraries to ensure policy compliance but needs better role definition


How has it helped my organization?

To prevent shipping commercial or GPL libraries, we scan our repositories.

What is most valuable?

Scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed and that we’re not using “forbidden” libraries.

What needs improvement?

Better ACL and more role definitions. This product could be used by large organisations but it definitely needs a better role/action model.

Right now (in my understanding) there are roles for WhiteSource Admin and Members and Product Admins and Members.

Here are some suggestions:

  • When you create a new product “A” (for example)  then automatically create the user groups A-Admin, A-Members, A-Alerts and A-Approvers. In that way you just need to assign users.
  • Have a new role “Product Status Updates”,  because I don’t want all product admins to receive the status or to have all who get the status as product admins.
  • Have a new role “WhiteSource Status Updates” - I want to have different groups to be admins or to receive a status report.
  • Have a new role “Audit” to receive audits.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues, it's working really well.

What do I think about the scalability of the solution?

No issues so far.

How is customer service and technical support?

Eight out of 10. Always responsive.

Which solutions did we use previously?

We were using editors or Wiki to keep that information, but obviously it was not updated.

How was the initial setup?

It wasn’t too complex because you have different options for integrating your repositories, from a simple directory scan to a complex plug-in. We decided to begin with the simplest one and adopt new integrations step by step.

What's my experience with pricing, setup cost, and licensing?

Pricing / licensing model changed during last year so I don’t have an opinion here yet.

Which other solutions did I evaluate?

I evaluated Black Duck.

What other advice do I have?

It’s important to define guidelines and best practices regarding how to use the product internally; who defines what? Who accesses what? 

Best way to integrate my GitHub repo, my Maven project, etc.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
1 visitor found this review helpful
2 Comments
fancyjerryVendor

Thanks for sharing. we are also considering whitesource solution and this Review helps.

29 October 18
Patricia A. Johnson Vendor

Thanks for your comment! If you have any questions during your review process of WhiteSource's solution I would be happy to assist you.

31 October 18
Guest

Sign Up with Email