Please share with the community what you think needs improvement with WhiteSource.
What are its weaknesses? What would you like to see changed in a future version?
I am not clear if WhiteSource provides on-premises service. I know that its competitors provide on-premises and SaaS-based services for the same licensing fee and model, but I am not sure if this applies to WhiteSource, as well. I believe it does not. It is preferable to use on-cloud services, although on-premises one should equally be an option, if I would prefer to not go for SaaS-based hosting. The licensing model should be the same for the different options. The initial setup could be simplified.
The solution lacks the code snippet part. I plan to raise this issue with those at WhiteSource.
We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail.
It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process.
The dashboard UI and UX are problematic. This solution looks like a 1995 web site and it's very hard to understand what the issue is and why it failed.
The UI is not that friendly and you need to learn how to navigate easily. It also doesn’t run as smoothly as I would want or expect, and I believe it requires some improvements. That said, the Success team is very attentive and does reply and answer related matters quite fast. Currently, effective vulnerabilities are only available in two languages, which is great, but I would be very happy to see more languages. It does cover most of our libraries, but we do have other languages in use. More coverage on that aspect would be helpful.
It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding.
The changes that we would like to see are mostly usability issues. The UI can be slow once in a while, and we're not sure if it's because of the amount of data we have, or it is just a slow product, but it would be nice if it could be improved. The UI is also too crowded. I believe that less information, or a different data summary, can be more readable. I know this is something they’re currently working on, but not sure where it stands. Reporting could be easier, as it does not export filtered-down lists. It would be really valuable to add the ability to customize options in the reports.
The agent usage was not as smooth as the online experience. It lacks in terms of documentation and the errors and warnings it produces are not always very clear. We were able to get it up and running in a short while by getting help from support, which was very approachable and reliable. If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation. I would also like to get better integration with Google Docs.
Places in need of improvement are: * Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting. * Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects. * Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.
WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers. This solution needs better support and customer service.
We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running. This would give us some sort of automated assurance. This is probably the feature that we'd most like to see.
What do you like most about WhiteSource?
Thanks for sharing your thoughts with the community!
Let the community know what you think. Share your opinions now!