What is our primary use case?
Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in offline scan mode, after which the resulting "wsjson" file is uploaded to the WS SaaS portal.
How has it helped my organization?
We moved from Black Duck to WhiteSource as it was a more modern and scalable solution, with better integration support for various build and source environments. The ease of running scans and getting results quickly enables our developers to address issues more quickly.
What is most valuable?
The most valuable features of this solution are:
- The vulnerability and license alerts are the main reasons we use this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
- Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
- Attribution and license due diligence reports help us aggregate the data that we, in turn, have to provide to satisfy the copyright and component-usage disclosures required by the various licenses in our software.
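The "codify the no-nos as policies and auto-reject" idea above is easy to show in code. The following is an added example written for this page, not WhiteSource's own policy engine or its policy format: it takes a constructed component inventory (SPDX-style license ids plus the highest known CVSS score per component, as a scanner would report them), applies two hypothetical policies (block copyleft or unasserted licenses; block components with a known vulnerability at or above a CVSS threshold), and returns a build-gate decision with the reasons for each rejection. All component names and scores are made up for the example.

```python
"""Policy-as-code build gate over a dependency inventory (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: str               # SPDX license identifier as reported by the scanner
    max_cvss: float = 0.0   # highest CVSS score among known vulns, 0.0 if none


@dataclass
class Decision:
    component: Component
    reasons: List[str] = field(default_factory=list)

    @property
    def rejected(self) -> bool:
        return bool(self.reasons)


# A policy is a predicate that returns a rejection reason, or None to allow.
Policy = Callable[[Component], Optional[str]]

# Hypothetical policy list: licenses we never want to ship in a closed product.
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def license_policy(c: Component) -> Optional[str]:
    """Reject copyleft licenses and components whose license is unknown."""
    if c.spdx == "NOASSERTION":
        return "license could not be determined; manual due diligence required"
    if c.spdx.startswith(COPYLEFT_PREFIXES):
        return f"license {c.spdx} is not approved for distribution"
    return None


def vulnerability_policy(threshold: float = 7.0) -> Policy:
    """Build a policy that rejects any known vulnerability at or above threshold."""
    def check(c: Component) -> Optional[str]:
        if c.max_cvss >= threshold:
            return f"known vulnerability with CVSS {c.max_cvss} >= {threshold}"
        return None
    return check


DEFAULT_POLICIES: List[Policy] = [license_policy, vulnerability_policy()]


def evaluate(components: List[Component],
             policies: List[Policy] = DEFAULT_POLICIES) -> List[Decision]:
    """Run every policy against every component; collect all reasons, not just the first."""
    decisions = []
    for c in components:
        d = Decision(c)
        for policy in policies:
            reason = policy(c)
            if reason:
                d.reasons.append(reason)
        decisions.append(d)
    return decisions


def gate(components: List[Component],
         policies: List[Policy] = DEFAULT_POLICIES) -> Tuple[bool, List[Decision]]:
    """Return (passed, rejected): the build is auto-rejected if any component fails."""
    rejected = [d for d in evaluate(components, policies) if d.rejected]
    return (not rejected, rejected)


# Constructed inventory for the example; names and scores are invented.
SAMPLE_INVENTORY = [
    Component("example-utils", "4.2.0", "MIT"),
    Component("copyleft-widget", "1.0.3", "GPL-3.0-only"),
    Component("legacy-parser", "0.9.1", "Apache-2.0", max_cvss=9.8),
    Component("unknown-lib", "0.1.0", "NOASSERTION"),
]

if __name__ == "__main__":
    passed, rejected = gate(SAMPLE_INVENTORY)
    print("PASS" if passed else "FAIL")
    for d in rejected:
        for reason in d.reasons:
            print(f"  {d.component.name}@{d.component.version}: {reason}")
```

Each policy is a plain function, so adding a new rule (a deny-list of specific packages, a maximum dependency age) is one more entry in the list, and the gate reports every reason per component rather than stopping at the first, which is what a developer needs to clear a rejection in one pass.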
What needs improvement?
Places in need of improvement are:
- Some detected libraries do not specify where in the source they were matched, which should be enhanced to enable quicker troubleshooting.
- Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects.
- Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.
For how long have I used the solution?
We have been using WhiteSource for two years.
What do I think about the stability of the solution?
In our two years of usage, there has been a negligible amount of downtime. We have, however, experienced occasional issues with certain features of the offering that created some friction and grumbling from our devs using the portal, but those have typically been resolved fairly quickly.
What do I think about the scalability of the solution?
This is a SaaS offering that has so far taken everything we have thrown at it (150+ products, with multiple projects in each). Certain reports that aggregate data globally can take a while to churn, but still well within acceptable time frames.
How are customer service and technical support?
Responses are quick; technical support works hard to resolve issues quickly.
Which solution did I use previously and why did I switch?
Prior to this solution, we used Black Duck. As of two years ago, when we made the switch, WhiteSource's UI was more modern, the SaaS solution more scalable, and the integration capabilities far superior. The detection accuracy between the two was quite similar.
How was the initial setup?
Setting up the tool for automated usage is very straightforward. Follow the documentation carefully and you will likely be fully up and running within 15 to 60 minutes.
What about the implementation team?
We implemented this solution using our in-house team.
What's my experience with pricing, setup cost, and licensing?
Which other solutions did I evaluate?
We also use NPM Audit and Snyk, but as an augmentation, not as competitors.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?
SaaS - always on the latest