Try our new research platform with insights from 80,000+ expert users

Mend.io vs SonarQube Server (formerly SonarQube) comparison

Mend.io and Sonar are both solutions in the Application Security Tools category. Mend.io is ranked #17 with an average rating of 9.0, while Sonar is ranked #1 with an average rating of 8.2. Mend.io holds a 3.3% mindshare in AS, compared to Sonar’s 26.7% mindshare. Additionally, 96% of Mend.io users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.
Mend.io
Read 29 Mend.io reviews
  • 8,259 Views
  • 4,894 Comparison Views
96% willing to recommend
SonarQube Server (formerly ...
Read 113 SonarQube Server (formerly SonarQube) reviews
  • 43,481 Views
  • 35,347 Comparison Views
81% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 30, 2024

SonarQube Server and Mend.io are leading software solutions in the code quality and security vulnerability management space. While SonarQube offers broad programming language support and some advanced features, Mend.io has a stronger focus on discovering security vulnerabilities and managing open-source licenses.

Features:SonarQube Server provides wide support for over 20 programming languages, making it versatile for various development environments. It also includes custom coding rules and unit tests for enhanced code quality checks. Its integration capabilities with different CVS systems boost its adaptability. Mend.io excels in security vulnerability detection, offering automated analysis capacities that accurately identify potential security risks. Its focus on open-source license compliance is also a significant feature, ensuring software projects stay within legal boundaries. The automated reporting functions enhance its usability in maintaining application security.

Room for Improvement:SonarQube Server can benefit from enhanced security scanning and broader programming language support. Configuration complexity and performance issues in newer versions need addressing. The dashboard could be more streamlined, and integration capabilities expanded. Mend.io could improve in UI/UX and reporting. Increasing the number of languages supported in its vulnerability detection efforts would widen its applicability. Moreover, faster scanning and report generation times are desired to increase efficiency.

Ease of Deployment and Customer Service:SonarQube Server offers deployment flexibility across hybrid and on-premises environments, though its deployment process can sometimes be complex and require technical expertise. The open-source community is supportive; however, official technical assistance is limited without a paid plan. Mend.io provides straightforward deployment across cloud environments, both public and private. Its customer service is well-rated, showing efficiency in technical support, and ensuring ease of use in different deployment scenarios.

Pricing and ROI:SonarQube Server's open-source version presents a cost-effective solution, though enterprise features might be costly. It remains popular for its ROI in managing code quality with its community edition. Mend.io is positioned as a premium product with higher pricing, reflecting its superior vulnerability management and integration features. Despite higher costs, it is justified by delivering a significant ROI in mitigating security risks and optimizing development workflows.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Mend.io vs. SonarQube Server (formerly SonarQube) Report (Updated: October 2024).
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
October 2024
Download the complete report
Helped 814,528 peers since 2012
 

Categories and Ranking

Mend.io
Ranking in Application Security Tools
17th
Average Rating
8.4
Number of Reviews
29
Ranking in other categories
Software Composition Analysis (SCA) (7th), Static Code Analysis (4th), Software Supply Chain Security (2nd)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Average Rating
8.0
Number of Reviews
113
Ranking in other categories
Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of November 2024, in the Application Security Tools category, the mindshare of Mend.io is 3.3%, down from 4.0% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 27.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

NC
Nov 07, 2021
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
See all answers
 

Featured Reviews

Jeffrey Harker - PeerSpot reviewer
May 12, 2022
Easy to use, great for finding vulnerabilities, and simple to set up
Finding vulnerabilities is pretty easy. Mend (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Governance up until that time had been manual and when we tried to do manual governance of a large codebase, our chances of success were pretty minimal. Mend (formerly WhiteSource) does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release. We use Mend (formerly WhiteSource) Smart Fix. I’d say pretty much everything in Mend (formerly WhiteSource) is easy to use. We really don't have too much difficulty using the product at all. I've implemented other scanners and tools and had much more trouble with those products than we've ever had with Mend (formerly WhiteSource). That’s extremely important. It's hard to sell to some of these teams to put any level of overhead on top of their product development efforts and the fact that Mend (formerly WhiteSource) is as easy as it is to use is a critical aspect of adoption here. It scores very highly on that scale. Mend (formerly WhiteSource) Smart Fix helps our developers fix vulnerable transitive dependencies. It's all very helpful to our development community. First of all, we're able to find that there are issues. Second of all, we're able to figure out very quickly what needs to be done to remediate the issues. Mend (formerly WhiteSource) helped reduce our mean time to resolution since adopting it. A lot of it is process improvement and technical aspects that can tell us how to go about remediating the issues. We get that out of Mend (formerly WhiteSource). Making the developers aware that these issues are there and insisting they be corrected and making the effort to do that visibly is very valuable to us. Overall, Mend (formerly WhiteSource) helped dramatically reduce the number of open-source software vulnerabilities running in our production at any given point in time. I won't give metrics, however, it's fair to say that our state before and after Mend (formerly WhiteSource) is dramatically different and moved in a positive direction. Mend's ability to integrate our developer's existing workflows, including their IDE repository and CI is good. Azure DevOps is really important. That's what the pipelines are. That's a very important piece of the entire puzzle. If this was just an external scanner where periodically we'd go through and scan our repos and give them a report, we’d do that with pen testing products, for example, for security testing. The problem is, by the time they get those reports, they've already shipped the code to multiple environments and it's too late to stop the train. With these features being baked into the pipelines like this, they know immediately. As a result, we're able to quickly take action to remediate findings.
Read full review
Wang Dayong - PeerSpot reviewer
May 10, 2023
Easy to integrate and has a plug-in that supports both C and C++ languages
We use the product to review our software codes. We have integrated the product to review our new delivery code When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the…
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"The vulnerability analysis is the best aspect of the solution."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
"We set the solution up and enabled it and we had everything running pretty quickly."
"Mend has reduced our open-source software vulnerabilities and helped us remediate issues quickly. My company's policy is to ensure that vulnerabilities are fixed before it gets to production."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
More Mend.io pros
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
"The solution offers a very good community edition."
"We advise all of our developers to have this solution in place."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
More SonarQube Server (formerly SonarQube) pros
 

Cons

"The UI is not that friendly and you need to learn how to navigate easily."
"WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't."
"The only thing that I don't find support for on Mend Prioritize is C++."
More Mend.io cons
"The documentation is not clear and it needs to be updated."
"We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
"The tool needs to be more compatible with C/C++ language"
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."
"Dynamic scanning is missing and there are some issues with security scanning."
"The pricing could be reduced a bit. It's a little expensive."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
More SonarQube Server (formerly SonarQube) cons
 

Pricing and Cost Advice

"Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
"We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals."
"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. ​"
"Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
"The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps."
"WhiteSource is much more affordable than Veracode."
"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
More Mend.io pricing and cost advice
"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"It's an open-source solution, with no additional costs."
"We use the solution free of cost."
"Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
"We are using the open-source community version, but there are enterprise licenses available."
"The licence is standard open source licensing"
"As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
"I am satisfied with the pricing."
More SonarQube Server (formerly SonarQube) pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
814,528 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
18%
Computer Software Company
16%
Manufacturing Company
12%
Insurance Company
5%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
See all answers
How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
See all answers
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
See all answers
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
 

Comparisons

Black Duck vs Mend.io Logo
Black Duck vs Mend.io
Compared 15% of the time
Snyk vs Mend.io Logo
Snyk vs Mend.io
Compared 9% of the time
Veracode vs Mend.io Logo
Veracode vs Mend.io
Compared 8% of the time
Checkmarx One vs Mend.io Logo
Checkmarx One vs Mend.io
Compared 6% of the time
JFrog Xray vs Mend.io Logo
JFrog Xray vs Mend.io
Compared 6% of the time
More Mend.io Competitors
Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 17% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube) Logo
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 9% of the time
Fortify on Demand vs SonarQube Server (formerly SonarQube) Logo
Fortify on Demand vs SonarQube Server (formerly SonarQube)
Compared 3% of the time
More SonarQube Server (formerly SonarQube) Competitors
 

Product Reports

Buyer's Guide
Mend.io
October 2024
Mend.io reportDownload Mend.io product report
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
 

Also Known As

WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
Sonar
 

Learn More

Mend.io
Sonar
 

Interactive Demo

Demo not available
Mend.io
Sonar
 

Overview

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

  • Vulnerability analysis
  • Automated remediation
  • Seamless integration
  • Business prioritization
  • Limitless scalability
  • Intuitive interface
  • Language support
  • Integration
  • Continuous monitoring
  • Remediation suggestions
  • Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

  • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
  • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
  • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
  • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
  • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
  • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
  • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

 

Sample Customers

Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Information Not Available
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
October 2024
Free Report: Mend.io vs. SonarQube Server (formerly SonarQube)
Find out what your peers are saying about Mend.io vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: October 2024.
DOWNLOAD NOW
814,528 professionals have used our research since 2012.
See our Mend.io vs. SonarQube Server (formerly SonarQube) report.
See our list of best Application Security Tools vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.