Try our new research platform with insights from 80,000+ expert users

Mend.io vs SonarQube Server (formerly SonarQube) comparison

Mend.io and Sonar are both solutions in the Application Security Tools category. Mend.io is ranked #17 with an average rating of 9.0, while Sonar is ranked #1 with an average rating of 8.2. Mend.io holds a 3.4% mindshare in AS, compared to Sonar’s 26.7% mindshare. Additionally, 96% of Mend.io users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.
Mend.io
Read 30 Mend.io reviews
  • 7,253 Views
  • 4,365 Comparison Views
96% willing to recommend
SonarQube Server (formerly ...
Read 113 SonarQube Server (formerly SonarQube) reviews
  • 40,107 Views
  • 32,629 Comparison Views
81% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Oct 30, 2024

SonarQube Server and Mend.io are leading software solutions in the code quality and security vulnerability management space. While SonarQube offers broad programming language support and some advanced features, Mend.io has a stronger focus on discovering security vulnerabilities and managing open-source licenses.

Features:SonarQube Server provides wide support for over 20 programming languages, making it versatile for various development environments. It also includes custom coding rules and unit tests for enhanced code quality checks. Its integration capabilities with different CVS systems boost its adaptability. Mend.io excels in security vulnerability detection, offering automated analysis capacities that accurately identify potential security risks. Its focus on open-source license compliance is also a significant feature, ensuring software projects stay within legal boundaries. The automated reporting functions enhance its usability in maintaining application security.

Room for Improvement:SonarQube Server can benefit from enhanced security scanning and broader programming language support. Configuration complexity and performance issues in newer versions need addressing. The dashboard could be more streamlined, and integration capabilities expanded. Mend.io could improve in UI/UX and reporting. Increasing the number of languages supported in its vulnerability detection efforts would widen its applicability. Moreover, faster scanning and report generation times are desired to increase efficiency.

Ease of Deployment and Customer Service:SonarQube Server offers deployment flexibility across hybrid and on-premises environments, though its deployment process can sometimes be complex and require technical expertise. The open-source community is supportive; however, official technical assistance is limited without a paid plan. Mend.io provides straightforward deployment across cloud environments, both public and private. Its customer service is well-rated, showing efficiency in technical support, and ensuring ease of use in different deployment scenarios.

Pricing and ROI:SonarQube Server's open-source version presents a cost-effective solution, though enterprise features might be costly. It remains popular for its ROI in managing code quality with its community edition. Mend.io is positioned as a premium product with higher pricing, reflecting its superior vulnerability management and integration features. Despite higher costs, it is justified by delivering a significant ROI in mitigating security risks and optimizing development workflows.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed Mend.io vs. SonarQube Server (formerly SonarQube) Report (Updated: December 2024).
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
December 2024
Download the complete report
Helped 824,052 peers since 2012
 

Categories and Ranking

Mend.io
Ranking in Application Security Tools
17th
Average Rating
8.4
Reviews Sentiment
7.3
Number of Reviews
30
Ranking in other categories
Software Composition Analysis (SCA) (7th), Static Code Analysis (4th), Software Supply Chain Security (2nd)
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Average Rating
8.0
Reviews Sentiment
7.5
Number of Reviews
113
Ranking in other categories
Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of December 2024, in the Application Security Tools category, the mindshare of Mend.io is 3.4%, down from 3.9% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 26.7%, down from 27.4% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

NC
Nov 07, 2021
How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
See all answers
 

Featured Reviews

meetharoon - PeerSpot reviewer
Enables smooth management of vulnerabilities and promotes a shift towards a culture of security
We have witnessed Mend.io for its high stability, consistently living up to our expectations in terms of performance and reliability. Our developers have reported very few issues and almost minimal to zero downtime, which is a critical factor for our organization to rely on Mend SCA to secure our applications. We didn't experience any major issues in the stability of the product. This level of dependability is crucial for our hundreds of development teams that need to maintain continuous integration and deployment processes without interruptions. We realize the solution's architecture is designed to support a wide range of use cases, making it suitable for organizations of varying sizes and complexities. As a SaaS (Software as a Service) offering, Mend.io eliminates the need for physical server management, which further contributes to its stability. Users can access the platform without worrying about hardware failures or maintenance issues that can affect on-premises solutions. Moreover, Mend.io's integration capabilities with existing workflows—including IDEs, repositories, and CI/CD pipelines—enhance its stability by providing a seamless user experience. This integration allows teams to incorporate security scanning into their development processes without significant disruptions, which is often a challenge with less stable solutions. Feedback from our developers and architects highlights the tool's effectiveness in reducing open-source software vulnerabilities while maintaining a streamlined development lifecycle. Our organization have experienced improved code quality and faster incident response times as a result of using Mend.io. The platform's intuitive dashboard and management views are also praised by our developers for their usability, contributing to a positive user experience. In short, Mend.io stands out as a dependable and reliable solution in the realm of software composition analysis. Its high stability, combined with robust integration capabilities and user-friendly features, makes it an excellent choice for organizations seeking to enhance their security posture while minimizing operational disruptions.
Read full review
Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"The vulnerability analysis is the best aspect of the solution."
"WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The overall support that we receive is pretty good. ​"
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
More Mend.io pros
"Strong code evaluation for budget-minded clients."
"Offers multi-programming language support"
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"Before you even compile, it can catch known vulnerability issues or patterns."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
More SonarQube Server (formerly SonarQube) pros
 

Cons

"AI integration in code security tools like Mend.io is still in its early stages and relatively immature."
"At times, the latency of getting items out of the findings after they're remediated is higher than it should be."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
"The initial setup could be simplified."
"The only thing that I don't find support for on Mend Prioritize is C++."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
More Mend.io cons
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"SonarQube could improve its static application security testing as per the industry standard."
"The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
"The pricing could be reduced a bit. It's a little expensive."
"SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
"Monitoring is a feature that can be improved in the next version."
"The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."
"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."
More SonarQube Server (formerly SonarQube) cons
 

Pricing and Cost Advice

"When comparing the price of WhiteSource to the competition it is priced well. The cost for 50 users is approximately $18,000 annually."
"Mend is costly but not overly expensive. The license was quite expensive this year, but we managed to negotiate the price down to the same as last year. At the same time, it's a good value. We're getting what we're paying for and still not using all the features. We could probably get more out of the tool and make it more valuable. At the moment, we don't have the capacity to do that."
"The solution involves a yearly licensing fee."
"Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively."
"Its pricing model is per developer. It depends on the number of developers in the company. The license is for a minimum of 20 developers. So, even if you are a small startup with less than 10 developers, you have to buy a license for 20 developers on a yearly subscription, which makes it quite expensive for startup customers. I provide consultation to startup accelerators. They're small at the beginning, and only once they grow to 20 developers, they can afford this tool. As a result, WhiteSource is missing this target audience. Their licensing is not flexible."
"WhiteSource is much more affordable than Veracode."
"Pricing and licensing are comparable to other tools. When we started, it was less than our existing solution. I can't go into specifics, but it isn't cheap."
"It is fairly priced."
More Mend.io pricing and cost advice
"I am satisfied with the pricing."
"SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code."
"It's an open-source solution, with no additional costs."
"We are using the open-source community version, but there are enterprise licenses available."
"The costs for this application, for the kind of job it does, are pretty decent."
"We're using their free Community Edition version."
"The free version of SonarQube does everything that we need it to."
"We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment."
More SonarQube Server (formerly SonarQube) pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
824,052 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
16%
Manufacturing Company
12%
Energy/Utilities Company
5%
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

How does WhiteSource compare with SonarQube?
Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, ea...
See all answers
How does WhiteSource compare with Black Duck?
We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license compl...
See all answers
What do you like most about Mend.io?
The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulner...
See all answers
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
 

Comparisons

Black Duck vs Mend.io Logo
Black Duck vs Mend.io
Compared 15% of the time
Snyk vs Mend.io Logo
Snyk vs Mend.io
Compared 9% of the time
Veracode vs Mend.io Logo
Veracode vs Mend.io
Compared 8% of the time
JFrog Xray vs Mend.io Logo
JFrog Xray vs Mend.io
Compared 6% of the time
Checkmarx One vs Mend.io Logo
Checkmarx One vs Mend.io
Compared 6% of the time
More Mend.io Competitors
Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 16% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube) Logo
SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)
Compared 12% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 10% of the time
OWASP Zap vs SonarQube Server (formerly SonarQube) Logo
OWASP Zap vs SonarQube Server (formerly SonarQube)
Compared 3% of the time
More SonarQube Server (formerly SonarQube) Competitors
 

Product Reports

Buyer's Guide
Mend.io
December 2024
Mend.io reportDownload Mend.io product report
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
 

Also Known As

WhiteSource, Mend SCA, Mend.io Supply Chain Defender, Mend SAST
Sonar
 

Learn More

Mend.io
Sonar
 

Interactive Demo

Demo not available
Mend.io
Sonar
 

Overview

Mend.io is a software composition analysis tool that secures what developers create. The solution provides an automated reduction of the software attack surface, reduces developer burdens, and accelerates app delivery. Mend.io provides open-source analysis with its in-house and other multiple sources of software vulnerabilities. In addition, the solution offers license and policy violation alerts, has great pipeline integration, and, since it is a SaaS (software as a service), it doesn’t require you to physically maintain servers or data centers for any implementation. Not only does Mend.io reduce enterprise application security risk, it also helps developers meet deadlines faster.

Mend.io Features

Mend.io has many valuable key features. Some of the most useful ones include:

  • Vulnerability analysis
  • Automated remediation
  • Seamless integration
  • Business prioritization
  • Limitless scalability
  • Intuitive interface
  • Language support
  • Integration
  • Continuous monitoring
  • Remediation suggestions
  • Customization

Mend.io Benefits

There are many benefits to implementing Mend.io. Some of the biggest advantages the solution offers include:

  • Easy to use: The Mend.io platform is very user-friendly and easy to set up.
  • Third-party libraries: The solution eases the process of keeping track of all the used third-party dependencies within a product. It not only scans for the pure occurrence (also transitively) but also takes care of licenses and vulnerabilities.
  • Static code analysis: With Mend.io’s static code analysis, you can quickly identify security weaknesses in custom code across desktop, web, and mobile applications.
  • Broad support: Mend.io provides 27 different programming languages and various programming frameworks.
  • Easy integration: Mend.io makes integration very easy with existing DevOps environments and CI/CD pipelines so developers don’t need to manually configure or trigger the scan.
  • Ultra-fast scanning engine: The solution’s scanning engine generates results up to ten times faster than legacy SAST solutions.
  • Unified developer experience: Mend.io has a unified developer experience inside the code repository that shows side-by-side security alerts and remediation suggestions for custom code and open-source code.

Reviews from Real Users

Below are some reviews and helpful feedback written by PeerSpot users currently using the Mend.io solution.

Jeffrey H., System Manager of Cloud Engineering at Common Spirit, says, “Finding vulnerabilities is pretty easy. Mend.io (formerly WhiteSource) does a great job of that and we had quite a few when we first put this in place. Mend.io does a very good job of finding the open-source, checking the versions, and making sure they're secure. They notify us of critical high, medium, and low impacts, and if anything is wrong. We find the product very easy to use and we use it as a core part of our strategy for scanning product code moving toward release.”

PeerSpot reviewer Ben D., Head of Software Engineering at a legal firm, mentions, “The way WhiteSource scans the code is great. It’s easy to identify and remediate open source vulnerabilities using this solution. WhiteSource helped reduce our mean time to resolution since we adopted the product. In terms of integration, it's pretty easy.”

An IT Service Manager at a wholesaler/distributor comments, “Mend.io provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support.”

Another reviewer, Kevin D., Intramural OfficialIntramural at Northeastern University, states, "The vulnerability analysis is the best aspect of the solution."

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

 

Sample Customers

Microsoft, Autodesk, NCR, Target, IBM, vodafone, Siemens, GE digital, KPMG, LivePerson, Jack Henry and Associates
Information Not Available
Buyer's Guide
Mend.io vs. SonarQube Server (formerly SonarQube)
December 2024
Free Report: Mend.io vs. SonarQube Server (formerly SonarQube)
Find out what your peers are saying about Mend.io vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: December 2024.
DOWNLOAD NOW
824,052 professionals have used our research since 2012.
See our Mend.io vs. SonarQube Server (formerly SonarQube) report.
See our list of best Application Security Tools vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.