What is our primary use case?
We use WhiteSource to monitor our open-source usage. Specifically to avoid legal issues with open-source licensing, which may deter potential buyers or investors. Additionally, we analysed the code for security vulnerabilities.
We found the effective vulnerabilities report very useful since it lowered the number of actual defects found in the product and saved us a lot of work. Our environment is made of micro-services running in Kubernetes using NodeJS and Typescript for the backend, and AngularJS for the frontend. We use MongoDB, Redis, RabbitMQ, and ELK.
How has it helped my organization?
WhiteSource allowed us to minimize our exposure to open-source vulnerabilities with ease. Aside from identifying the out-dated or compromised packages really easily, it allows us to actually see which vulnerabilities are effectively relevant for us. In this case, it saved us *A LOT* of refactors and redesigns of code, which would have been considered vulnerable otherwise.
We integrated WhiteSource into our build system to ensure we keep our code secure and don't introduce new problems as we go. This allows us to have more predictability into the work process as security now becomes a constant work-in-progress instead of a major bulk of work every now and then.
What is most valuable?
For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, be them in package.json files or analyse the docker images, and then find their effective license, which in itself is not a simple task.
What needs improvement?
The agent usage was not as smooth as the online experience. It lacks in terms of documentation and the errors and warnings it produces are not always very clear. We were able to get it up and running in a short while by getting help from support, which was very approachable and reliable.
If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.
I would also like to get better integration with Google Docs.
For how long have I used the solution?
We have been using WhiteSource for a few months.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
Which other solutions did I evaluate?
We did not evaluate other options.
What other advice do I have?
Overall, this is a great product.
Which deployment model are you using for this solution?