What is our primary use case?
We use WhiteSource mainly to automate open source vulnerability detection and remediation, as well as for license compliance.
I’m less on the side of the license but mainly use the service to get control over vulnerabilities, detect the ones that affect us and remediate accordingly.
We integrate WhiteSource into our pipeline via CI server integration and have now started using the GitHub integration too. We also run an agent in specific use cases.
How has it helped my organization?
WhiteSource improved our team’s ability to deal with vulnerabilities in a timely manner. Most of the time the alerts pile up and no one wants to deal with them, but the process is now much simpler and more convenient. It is still a task, but the service reduces the time spent on it significantly. It is very easy to use and the research decreased to almost none.
The GitHub integration provides us with the option to prevent security issues related to our open source libraries pre-build. It helped our teams discover vulnerabilities before usage, and fix issues within our existing environment and workflow.
What is most valuable?
The policy automation on effective vulnerabilities feature had a major impact on how we address open source vulnerabilities since it focuses on effective vulnerabilities and directs you to the specific methods. Other services will give a much larger list to remediate. I believe it cuts around 80% of alerts.
With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions. It sounds simple but I haven’t seen this capability with any other solution. This saves quite some time.
There are more small things within the UI that focus on giving the quickest remediation path, and I believe this is WhiteSource’s strongest area.
What needs improvement?
The UI is not that friendly and you need to learn how to navigate it easily. It also doesn’t run as smoothly as I would want or expect, and I believe it requires some improvements. That said, the Success team is very attentive and does reply and answer related matters quite fast.
Currently, effective vulnerabilities are only available in two languages, which is great, but I would be very happy to see more languages. It does cover most of our libraries, but we do have other languages in use. More coverage on that aspect would be helpful.
For how long have I used the solution?
I have been using WhiteSource for one and a half years.
What do I think about the stability of the solution?
We evaluated a few tools before moving forward with WhiteSource, and I have used other free tools as well. Comparing WhiteSource to others, some are stronger in terms of stability and UI performance, but don’t provide as much value as WhiteSource (by far).
On the results side, the databases are updated regularly and the results are very accurate. We requested some libraries for review here and there, but nothing major. 99.9% of the time we have accurate and proactive data.
What do I think about the scalability of the solution?
We started off slowly with WhiteSource and never experienced any issues around this topic.
That said, I’m not sure if it plays a part in the UI issues.
How are customer service and technical support?
Technical support is the best I’ve ever worked with.
They really take customers' requests seriously (and we sent over quite a few), and always reach out to help us make the most out of the platform.
I have never received a late reply, and the CS has a really good relationship with the team.
Which solution did I use previously and why did I switch?
We didn't use anything before; we did it manually.
How was the initial setup?
The initial setup was quick and easy. The CS team and the documentation were very helpful. We kicked off in a few days and the integration went smoothly.
Which other solutions did I evaluate?
We evaluated Snyk, and also used their free version and free dependency checkers.