What is our primary use case?
We use WhiteSource mainly to:
- Detect and automate vulnerability remediation. We started to research solutions since our dev teams are unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. Some we run manually using an agent. We recently started using the repository integration with GitHub, too, pre-build.
- License reporting and attribution reports. We use attribution reports and due diligence reports to assess risks associated with open-source licenses.
How has it helped my organization?
WhiteSource is very easy to run and use. It significantly reduced the time our developers used to spend on issues in open-source libraries. We used a free tool before, and the number of alerts was too high to handle.
We recently implemented WhiteSource on our GitHub account.
It provides our developers with better visibility into open source libraries within their code environment, which helps the company in ensuring dev adoption.
When it comes to open-source licenses, it really simplified reporting as it provides an inventory list in a simple report. Before WhiteSource it was almost impossible, mostly due to transitive dependencies.
What is most valuable?
The most valuable features for us are:
- Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that, you would have to research fixes online, and most of the time it’s not that straightforward.
- Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite a lot of time.
- Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There’s also an option to create policies around that.
What needs improvement?
The changes that we would like to see are mostly usability issues.
The UI can be slow once in a while, and we're not sure whether it's because of the amount of data we have or whether it is just a slow product, but it would be nice if it could be improved.
The UI is also too crowded. I believe that less information, or a different data summary, would be more readable. I know this is something they’re currently working on, but I'm not sure where it stands.
Reporting could be easier, as it does not export filtered-down lists. It would be really valuable to add the ability to customize options in the reports.
For how long have I used the solution?
We have been using WhiteSource for one and a half years.
What do I think about the scalability of the solution?
We haven't had any problems related to scale so far.
What was our ROI?
I can easily generate reports and get a quick overview of my status.