Try our new research platform with insights from 80,000+ expert users

Mend.io vs SonarQube Server (formerly SonarQube) comparison

Mend.io and Sonar are both solutions in the Application Security Tools category. Mend.io is ranked #17 with an average rating of 9.0, while Sonar is ranked #1 with an average rating of 8.2. Mend.io holds a 3.4% mindshare in AS, compared to Sonar’s 26.7% mindshare. Additionally, 96% of Mend.io users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.
Mend.io
Read 30 Mend.io reviews
  • 7,253 Views
  • 4,365 Comparison Views
96% willing to recommend
SonarQube Server (formerly ...
Read 113 SonarQube Server (formerly SonarQube) reviews
  • 40,107 Views
  • 32,629 Comparison Views
81% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 30, 2024

SonarQube Server and Mend.io are leading software solutions in the code quality and security vulnerability management space. While SonarQube offers broad programming language support and some advanced features, Mend.io has a stronger focus on discovering security vulnerabilities and managing open-source licenses.

Features:SonarQube Server provides wide support for over 20 programming languages, making it versatile for various development environments. It also includes custom coding rules and unit tests for enhanced code quality checks. Its integration capabilities with different CVS systems boost its adaptability. Mend.io excels in security vulnerability detection, offering automated analysis capacities that accurately identify potential security risks. Its focus on open-source license compliance is also a significant feature, ensuring software projects stay within legal boundaries. The automated reporting functions enhance its usability in maintaining application security.

Room for Improvement:SonarQube Server can benefit from enhanced security scanning and broader programming language support. Configuration complexity and performance issues in newer versions need addressing. The dashboard could be more streamlined, and integration capabilities expanded. Mend.io could improve in UI/UX and reporting. Increasing the number of languages supported in its vulnerability detection efforts would widen its applicability. Moreover, faster scanning and report generation times are desired to increase efficiency.

Ease of Deployment and Customer Service:SonarQube Server offers deployment flexibility across hybrid and on-premises environments, though its deployment process can sometimes be complex and require technical expertise. The open-source community is supportive; however, official technical assistance is limited without a paid plan. Mend.io provides straightforward deployment across cloud environments, both public and private. Its customer service is well-rated, showing efficiency in technical support, and ensuring ease of use in different deployment scenarios.

Pricing and ROI:SonarQube Server's open-source version presents a cost-effective solution, though enterprise features might be costly. It remains popular for its ROI in managing code quality with its community edition. Mend.io is positioned as a premium product with higher pricing, reflecting its superior vulnerability management and integration features. Despite higher costs, it is justified by delivering a significant ROI in mitigating security risks and optimizing development workflows.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Mend.io vs. SonarQube Server (formerly SonarQube) Report (Updated: December 2024).
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
December 2024
Download the complete report
Helped 824,053 peers since 2012
 

Categories and Ranking

Mend.io
Ranking in Application Security Tools
17th
Average Rating
8.4
Reviews Sentiment
7.3
Number of Reviews
30
Ranking in other categories
Software Composition Analysis (SCA) (7th), Static Code Analysis (4th), Software Supply Chain Security (2nd)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Average Rating
8.0
Reviews Sentiment
7.5
Number of Reviews
113
Ranking in other categories
Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of December 2024, in the Application Security Tools category, the mindshare of Mend.io is 3.4%, down from 3.9% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 27.4% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

NC
Nov 07, 2021
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
See all answers
 

Featured Reviews

meetharoon - PeerSpot reviewer
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions. We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions. Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions. Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience. In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.
Read full review
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses copyright and component usage disclosures in our software."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"The dashboard view and the management view are most valuable."
"Mend.io is very robust in terms of managing third-party dependencies."
More Mend.io pros
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"The solution is stable."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"It is a very good tool for analysis and security vulnerability checking."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
"We've configured it to run on each commit, providing feedback on our software quality. ]"
More SonarQube Server (formerly SonarQube) pros
 

Cons

"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"Make the product available in a very stable way for other web browsers."
"We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"The dashboard UI and UX are problematic."
More Mend.io cons
"The interface could be a little better and should be enhanced."
"I think the code security can be improved."
"SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
"The product must improve security analysis."
"The BPM language is important and should be considered in SonarQube."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"SonarQube is not development-centric like Snyk."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
More SonarQube Server (formerly SonarQube) cons
 

Pricing and Cost Advice

"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
"WhiteSource is much more affordable than Veracode."
"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
"As we were using an SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"This is an expensive solution."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
"Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
More Mend.io pricing and cost advice
"The costs for this application, for the kind of job it does, are pretty decent."
"We are using the Developer Edition and the cost is based on the amount of code that is being processed."
"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
"It is very expensive. Its price should be improved."
"On the pricing side, it's 3,000 Euros for 1 million lines of code."
"We did not purchase a license (required for C++ support), but this option was considered."
"We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount."
More SonarQube Server (formerly SonarQube) pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
824,053 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
16%
Manufacturing Company
12%
Energy/Utilities Company
5%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
See all answers
How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
See all answers
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
See all answers
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
 

Comparisons

Black Duck vs Mend.io Logo
Black Duck vs Mend.io
Compared 15% of the time
Snyk vs Mend.io Logo
Snyk vs Mend.io
Compared 9% of the time
Veracode vs Mend.io Logo
Veracode vs Mend.io
Compared 8% of the time
JFrog Xray vs Mend.io Logo
JFrog Xray vs Mend.io
Compared 6% of the time
Checkmarx One vs Mend.io Logo
Checkmarx One vs Mend.io
Compared 6% of the time
More Mend.io Competitors
Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 16% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube) Logo
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 10% of the time
OWASP Zap vs SonarQube Server (formerly SonarQube) Logo
OWASP Zap vs SonarQube Server (formerly SonarQube)
Compared 3% of the time
More SonarQube Server (formerly SonarQube) Competitors
 

Product Reports

Buyer's Guide
Mend.io
December 2024
Mend.io reportDownload Mend.io product report
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
 

Also Known As

WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
Sonar
 

Learn More

Mend.io
Sonar
 

Interactive Demo

Demo not available
Mend.io
Sonar
 

Overview

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

  • Vulnerability analysis
  • Automated remediation
  • Seamless integration
  • Business prioritization
  • Limitless scalability
  • Intuitive interface
  • Language support
  • Integration
  • Continuous monitoring
  • Remediation suggestions
  • Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

  • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
  • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
  • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
  • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
  • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
  • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
  • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

 

Sample Customers

Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Information Not Available
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
December 2024
Free Report: Mend.io vs. SonarQube Server (formerly SonarQube)
Find out what your peers are saying about Mend.io vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: December 2024.
DOWNLOAD NOW
824,053 professionals have used our research since 2012.
See our Mend.io vs. SonarQube Server (formerly SonarQube) report.
See our list of best Application Security Tools vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.