Most Helpful Review
Researched WhiteSource but chose Veracode: Offers everything for both static code analysis and dynamic code analysis
Researched WhiteSource but chose Sonatype Nexus Lifecycle: Helps our developers be aware of duplicate components in their code, but .NET open-source licensing recognition needs work
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: September 2020.
We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up.
Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence.
Veracode is a valuable tool in our secure SDLC process.
We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages: data, staging, and release. That aligns with the Nexus Lifecycle build stages.
The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you.
The scanning capability is its most valuable feature, discovering vulnerable open source libraries.
The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review.
The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes.
The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.
With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily, which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.
It integrates well with our existing DevOps tools because we can integrate it in our build pipeline. We can also trigger our build pipeline to create warnings and let the build fail if there is a critical vulnerability that violates our policy.
The most valuable feature is the unified JAR to scan for all languages (wss-scanner jar).
Our dev team uses the fix suggestions feature to quickly find the best path for remediation.
The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies.
With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions.
It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions.
For us, the most valuable tool was open-source licensing analysis.
The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution.
Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses' copyright and component usage disclosures in our software.
The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.
One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan.
Improve mobile application dynamic scanning (DAST) for .ipa and .apk.
It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.
One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications.
Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.
One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that.
The reporting capability is good but I wish it was better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework.
One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard.
The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.
As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.
One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusion for us at first, because we would see a component that would have a security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too much effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?"
We cannot currently use the automated pull requests because we are missing the Bitbucket port. We use Bitbucket as our Git repository and automated pull requests only work with GitHub currently. So, we are missing this feature, but we have already addressed this with Sonatype.
The dashboard UI and UX are problematic.
The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved.
It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding.
The UI is not that friendly and you need to learn how to navigate easily.
If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.
WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers.
Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.
Pricing and Cost Advice
I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good.
For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users; it doesn't matter what data you put in there. That was the old model. I do not know how the new model works.
Veracode has been fair. We use their SaaS solution and it's just an annual subscription.
No issues, the pricing seems reasonable.
Lifecycle, to the best of my recollection, had the best pricing compared with other solutions.
Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more.
The license fee may be a bit harder for startups to justify. But it will save you a headache later and give you peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too.
In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server.
Our licensing costs are on an annual basis. The Sonatype licensing model is transparent with no hidden costs or holes.
The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price.
Pricing is comparable with some of the other products. We are happy with the pricing.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.
Pricing is competitive.
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
Questions from the Community
Top Answer: JaeLee, check out our comparison page here of Veracode vs Checkmarx: https://www.itcentralstation.com/products/comparisons/checkmarx_vs_veracode Checkmarx is ranked 4th, while Veracode is ranked…
Top Answer: I would recommend Veracode. Our use cases included removing vulnerable code from our product and ensuring the product is secure. Veracode helps us in regularly scanning our code base and reporting…
Top Answer: SonarQube depends completely on how you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services…
Question: What do you like most about WhiteSource?
Veracode covers all your application security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.
Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.
The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.
It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.
We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.
Customers (in the page's product order):
Veracode: State of Missouri, Rekner
Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates