WhiteSource Overview

WhiteSource is the #3 ranked solution in our list of top Software Composition Analysis (SCA) tools. It is most often compared to SonarQube.

What is WhiteSource?

The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

WhiteSource Buyer's Guide

Download the WhiteSource Buyer's Guide including reviews and more. Updated: July 2021

WhiteSource Customers

Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates

Pricing Advice

What users are saying about WhiteSource pricing:
  • "Pricing is competitive."
  • "The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."

reviewer1261788
VP R&D at a computer software company with 51-200 employees
Real User
Policy automation and automatic fix suggestions help us to save time in finding and solving problems

What is our primary use case?

We use WhiteSource mainly to automate open source vulnerability detection and remediation, as well as for license compliance. I'm less on the side of the license but mainly use the service to get control over vulnerabilities, detect the ones that affect us and remediate accordingly. We integrate WhiteSource into our pipeline via CI server integration and have now started using the GitHub integration too. We also run an agent in specific use cases.

Pros and Cons

  • "With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
  • "The UI is not that friendly and you need to learn how to navigate easily."
reviewer1250697
User at a tech vendor with 1,001-5,000 employees
Vendor
Vulnerability and license alerts help us stay compliant with software releases

What is our primary use case?

Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in an offline-mode scan, and the resulting "wsjson" file is then uploaded to the WS SaaS portal.

Pros and Cons

  • "Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the copyright and component-usage disclosures required by the various licenses in our software."
  • "Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
reviewer1257792
Co Founder at a consumer goods company with 11-50 employees
Real User
Provides full visibility and gives us peace of mind working with open-source libraries

What is our primary use case?

We needed a tool to ensure that we are not using vulnerable libraries or open-source libraries with a copyleft license. We integrated WhiteSource with our repositories and CI server and set up automated policies to reject copyleft licensed libraries because our legal department doesn't allow them. We also have it open Jira issues automatically when a vulnerable library is detected and assign it to an engineer so we can shorten our response time to vulnerabilities detected in our applications. It integrates nicely with our existing workflow.

Pros and Cons

  • "It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
  • "WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."

What other advice do I have?

The good thing is that their product just keeps getting better. They are very attentive to their customers. All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.
Alon Michaeli
Founder & CEO at Data+
Real User
Top 20
Good reporting and trace analysis allows us to find and solve open-source concerns quickly

What is our primary use case?

We use WhiteSource mainly to:
  • Detect and automate vulnerability remediation. We started to research solutions since our dev teams are unable to meet sprint deadlines and keep track of product security. Most of our code scans are automated and integrated within our pipeline, which integrates with our CI server. Some we run manually using an agent. We recently started using the repository integration with GitHub, too, pre-build.
  • License reporting and attribution reports. We use attribution reports and due diligence reports to assess risks associated with open-source licenses.

Pros and Cons

  • "Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
  • "The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved."
reviewer1255491
VP R&D at a tech services company with 11-50 employees
Real User
Easy open-source vulnerability checking has streamlined our software security process

What is our primary use case?

We use WhiteSource to monitor our open-source usage. Specifically to avoid legal issues with open-source licensing, which may deter potential buyers or investors. Additionally, we analysed the code for security vulnerabilities. We found the effective vulnerabilities report very useful since it lowered the number of actual defects found in the product and saved us a lot of work. Our environment is made of micro-services running in Kubernetes using NodeJS and Typescript for the backend, and AngularJS for the frontend. We use MongoDB, Redis, RabbitMQ, and ELK.

Pros and Cons

  • "For us, the most valuable tool was open-source licensing analysis."
  • "If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."

What other advice do I have?

Overall, this is a great product.
reviewer1264290
Project Manager at a wellness & fitness company with 11-50 employees
Real User
Good license and copyright information reporting, and integrates with Jira for ticketing

What is our primary use case?

We started using WhiteSource mainly to scan dependencies and detect open-source licenses, copyright information, and vulnerabilities. We’ve managed to establish an integration with our CICD pipelines and use pretty much all of the automation that is offered, including automated policies.

Pros and Cons

  • "The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
  • "It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."

What other advice do I have?

I believe we’re still in a stage where we’re trying to gain all the benefits of the solution and understand what features can be maximized. The product is simple on one hand as it's so easy to use, run and get insights from, but on the other hand, it offers so much that it’s hard to fully grasp all its capabilities. I’m not sure I have the best knowledge so far to recommend features and capabilities since this is very new to us. Currently, we’re happy to have something that addresses our needs.
Daniel Hall
Technical Architect at Dwr Cymru Welsh Water
Real User
Top 20
Helpful for compiling a list of our third-party libraries, but it needs a quality gate function

What is our primary use case?

Our primary use for WhiteSource Bolt is to gain visibility over third-party libraries in order to perform vulnerability assessments and take care of licensing issues. We are using this solution within our Microsoft Azure tenants. Essentially, we are using it in a private cloud.

Pros and Cons

  • "The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
  • "We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."

What other advice do I have?

For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them. I would rate this solution a seven out of ten.
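Two of the reviews above describe the same pipeline pattern from different ends: the consumer-goods reviewer has automated policies that reject copyleft-licensed libraries and open a Jira issue for every vulnerable one, and the Welsh Water reviewer wants a gate that blocks the pipeline when results fall below a threshold. The script below is an added example of that policy-as-code gate written in plain Python; it is not WhiteSource or WhiteSource Bolt code and does not use any vendor API. The inventory format, the package names, the advisory ids, the copyleft licence set and the CVSS threshold are all constructed for illustration; in a real pipeline you would first convert the SCA tool's own report into this shape.

```python
"""Policy gate over an SCA dependency inventory (added example, not vendor code)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Strong-copyleft licences (SPDX identifiers) that this example's
# hypothetical legal policy rejects outright.
COPYLEFT_LICENSES = frozenset({
    "GPL-2.0-only", "GPL-2.0-or-later",
    "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
})

# Block the build when a dependency carries a vulnerability at or above
# this CVSS base score. Assumed threshold for the example, not a vendor default.
BLOCKING_CVSS = 7.0

# Constructed sample inventory. Package names, versions and advisory ids are
# fictional; the JSON shape is this example's own, not any tool's report format.
SAMPLE_INVENTORY = json.dumps({
    "libraries": [
        {"name": "acme-json", "version": "1.2.0", "licenses": ["MIT"],
         "vulnerabilities": [{"id": "ADV-0001", "cvss": 9.8, "fix_version": "1.2.3"}]},
        {"name": "acme-cli", "version": "0.9.1", "licenses": ["GPL-3.0-only"],
         "vulnerabilities": []},
        {"name": "acme-auth", "version": "2.0.0", "licenses": ["Apache-2.0"],
         "vulnerabilities": [{"id": "ADV-0002", "cvss": 4.3, "fix_version": None}]},
    ]
})


@dataclass(frozen=True)
class Finding:
    kind: str          # "license" or "vulnerability"
    library: str       # "name@version"
    detail: str
    blocking: bool     # True when the finding alone should fail the pipeline
    remediation: str


def evaluate(inventory_json: str, blocking_cvss: float = BLOCKING_CVSS) -> list[Finding]:
    """Apply the licence and severity policy to every library in the inventory."""
    findings: list[Finding] = []
    for lib in json.loads(inventory_json)["libraries"]:
        ref = f"{lib['name']}@{lib['version']}"
        for lic in lib.get("licenses", []):
            if lic in COPYLEFT_LICENSES:
                findings.append(Finding("license", ref, f"copyleft licence {lic}", True,
                                        "replace with a permissively licensed alternative"))
        for vuln in lib.get("vulnerabilities", []):
            fix = vuln.get("fix_version")
            findings.append(Finding(
                "vulnerability", ref, f"{vuln['id']} (CVSS {vuln['cvss']})",
                vuln["cvss"] >= blocking_cvss,
                f"upgrade to {fix}" if fix else "no fixed version published; track and mitigate",
            ))
    return findings


def gate_passes(findings: list[Finding]) -> bool:
    """The pipeline gate: any blocking finding fails the build."""
    return not any(f.blocking for f in findings)


def ticket_payloads(findings: list[Finding]) -> list[dict]:
    """One ticket per blocking finding, in the shape an issue-tracker hook would post."""
    return [{"summary": f"[SCA] {f.kind}: {f.library}",
             "description": f"{f.detail}; {f.remediation}"}
            for f in findings if f.blocking]


def main(inventory_json: str = SAMPLE_INVENTORY) -> int:
    """Print every finding and return the exit code a CI step would use."""
    findings = evaluate(inventory_json)
    for f in findings:
        tag = "BLOCK" if f.blocking else "WARN "
        print(f"{tag} {f.kind:<13} {f.library}: {f.detail}; {f.remediation}")
    return 0 if gate_passes(findings) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the last step of the scan job and let the non-zero exit code fail the stage; the warn-level findings still reach the log and the ticket list, so a below-threshold issue is tracked without blocking the release. Keep the licence set and the CVSS threshold in version control next to the pipeline definition so that a policy change is itself reviewed.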
ZD
Business Process Analyst at a financial services firm with 1,001-5,000 employees
Real User
Top 20
Unstable, caused build failures, and doubled or tripled the build time

Pros and Cons

  • "The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
  • "We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with the IDE and shift left so that the developers are able to see the scan results without waiting for the build to fail."

What other advice do I have?

I would rate WhiteSource a three out of ten considering the fact that we couldn't use it while we were paying for it. It had good features, but we couldn't use it.