We are using Mend to detect and fix vulnerabilities in our products and we also use it to deliver security reports when we are releasing our products.
Release Manager at a tech vendor with 501-1,000 employees
Automation, such as automated pull requests, saves us significant time
Pros and Cons
- "What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
- "On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
What is our primary use case?
How has it helped my organization?
Since we moved to Mend.io, a long time ago, everything has been fully automated and we are saving a lot of time. When it comes to MTTR, we are saving three to four weeks of work over the course of a year. We release our product multiple times a year and we have to check everything in terms of licensing, et cetera.
Mend also has a lot of automation, such as raising pull requests on your code to implement updates. That's a pretty significant gain for our company, not having to manage that anymore.
In addition, since we started using Mend.io, we have been able to deliver products without any high CVEs. For medium CVEs, it's up to the team developing the product if they want to remove all of them or only the critical issues. We have four or five products and Mend.io detects between 20 and 25 high CVEs per month. We solve them because the solution is detecting them.
What is most valuable?
What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour.
They also have a lot of integrations with different Git providers, like GitHub, GitLab, and Bitbucket.
It also has a nice tool we can use with the command line. We have continuous integration, and with the command line, we can scan everything without using the user interface. The command line is great. They have a lot of tools and plug-ins for your IDEs to automate scans. Using the command line, the Unified Agent, you can do a bunch of automated operations.
Thanks to the integration we put in place, it's super easy to identify and remediate open-source vulnerabilities, because on every commit of the software we trigger a Mend.io scan. We know, within five minutes, if the new version of the product is impacted by a CVE. If it is, we receive an email, an alert, so that the developers can fix the code.
What needs improvement?
On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization.
They also need to provide customizable reports. As a customer, I would like to create my own reports by selecting the relevant columns and data and saving these reports. That way, people in our organization could go to the Mend UI and generate these reports. That feature is not available.
One other area where they could improve would be implementing a version number between the product and projects. In some tools, you can manage the version. Today, in Mend.io, I have to create one product for every version (such as 7.1, 7.2, and 7.3). Many are requesting that Mend provide a version number field.
The last issue is the UI. They have been trying to improve the UI for many years. It has been taking a long time. It would be really nice to have a nice, modern UI so that developers could say to their managers, "Wow, it's new, it's nice, it works well, and it's fast."
Buyer's Guide
Mend.io
October 2024
Learn what your peers think about Mend.io. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
We have been customers of Mend.io for almost seven years.
What do I think about the stability of the solution?
It's a stable solution.
One year ago there were some issues due to some database problems. The SaaS application was not available for a few hours, over the course of a week. But it only happened one time since we started using them.
What do I think about the scalability of the solution?
It's very scalable, because we are not doing a lot of scanning every day, maybe 200 per day, and we don't have any issues with the scan performance.
We have three departments using the solution. One team is using GitHub, another team is using GitLab, and the third team uses Bitbucket, and we have integration with these three Git providers. We are running pipelines in Jenkins, Codefresh, and GitLab CI/CD, and we scan the code in all three environments. We have people in France, the UK, the US, and Singapore, a total of 250 users.
How are customer service and support?
The support is great but I haven't had to use them in a long time. But it's very efficient. I also have a nice customer support manager, so I know if I have an urgent ticket to open, I open it through the main support portal and then I can contact my CSM to ask him to work with me. A few hours or a day later, someone is working on my ticket.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before Mend.io, we had a manual process. That means we were tracking all the licenses and copyrights manually. We also tried using an open-source tool to detect vulnerabilities and fix them, but it did not work very well. It was consuming a lot of time on my team.
How was the initial setup?
The setup was very straightforward. It took only a few minutes to be able to scan the first project. Because we had 40 or 50 projects to scan, it took about a week to set up everything.
The deployment was done by me with some help from IT.
Because we are using the SaaS solution, we don't have to upgrade the main tools. Regarding the Unified Agent, we try to upgrade a few times a year so that we are using the latest version. Overall, the maintenance is very low. We don't spend much time on it.
What was our ROI?
In terms of resources, we are saving 15 percent of our time when remediating issues. And for our company, there is a big financial gain because people can work on multiple projects. And most importantly, we know we are not delivering products with high CVEs, which makes it safer for our customers.
What's my experience with pricing, setup cost, and licensing?
We were one of their biggest customers seven years ago, so we are paying a really good price. Over the last two years, they have tried to add more and more features to their license packages, but the price is a little bit high, comparatively. We are able to do a lot of things with the product, but I can see the price growing and growing and it may be a little bit too expensive now.
I really recommend Mend.io. It's a great company. Rami Sass is the CEO and you can ask him questions. They do everything to make their customers comfortable using their solutions.
Which other solutions did I evaluate?
We evaluated Black Duck and Snyk. We went with Mend, not because of pricing—we were willing to pay the right price for the right tool—nor for the features. It was for the ability to track all the copyrights when using an open-source dependency. That means we wanted all the copyrights for all the tools contributing to a given open-source dependency. Mend.io was the only tool that could do that.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Service Manager at a wholesaler/distributor with 51-200 employees
Provides threat detection and an excellent UI in a highly stable solution, with outstanding technical support
Pros and Cons
- "I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow."
- "We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap."
What is our primary use case?
We use open-source libraries or software in projects across our company. We conducted an internal study regarding the legalities, security, vulnerabilities, and license compliance, which is when we decided to implement and deploy Mend. It automates the software composition analysis, which is vital when we want to use third-party and open-source software.
We have a total of around 1000 projects running in Mend; some of those are being trialed and may be withdrawn, and others will go on to the production stage. We have between 300 and 400 end users, primarily integrators and fewer admins and approvers.
How has it helped my organization?
The tool is now a mandatory part of our organization to use as a benchmark, giving us a technical advantage. When we acquire other companies, we look to determine if Mend is applicable to them and bring them into our culture of using the solution where possible. We can leverage it for financial benefits when implemented and used to scan on the technical front. We consider Mend a permanent integration with our company for the foreseeable future, so we decided to reinvest in the solution by renewing our contract twice up to this point.
What is most valuable?
I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.
The solution is also highly valuable to our Intellectual Property Councils, because as a company that uses open-source software, we need to be aware of intellectual properties, code violations, and adherence to our regulations when we include such software. There are, of course, areas for improvement, but it has become mandatory within our organization to run scans using Mend as part of our workflows.
We don't always use WhiteSource SmartFix, and that depends on the recommendations provided by the solution's analysis. On occasion, we have challenged those recommendations, so for us, the software is not entirely a decision-making tool but a tool that assists us in making decisions. Therefore, there is still a human component in the process, and there is always an admin or approver to accept or reject the recommendation. There have been instances where smart fixes were challenged due to a lack of compatibility with project requirements. For example, the solution recommends a version of PostgreSQL, but the decision is made on the product level to go with a different version because it has better integration with the specific product requirements. However, I would say that SmartFix increases our decision-making effectiveness and successfully alerts us. As a leading lighting company, some product decisions must adhere to strict requirements, which require human involvement in the decision-making process.
Initially, the product didn't save us time but required us to spend more time. Many of our processes require a manual component, so we can't entirely rely on automated processes. Therefore, when we run Mend scans on our projects, around 60% of the software development life cycle is sped up, while the remaining 40% requires human intervention. Per our IP Councils, automation does not help us beyond a certain point, and manual intervention is required. If 60% of a project can be streamlined via automation, that certainly saves us time.
I would say that Mend certainly helps us detect and reduce vulnerabilities. We bring in the solution at the very beginning of a project, so we build early and often and detect vulnerabilities early. This is a significant contributor to our projects' success.
Integration using the unified agent and other methodologies has been at the forefront of our deployment. The plugins have been merged into the unified agent approach. The integration methodologies have worked wonders for our CI/CD pipelines and workflows, and each project team can decide whether to run scans pre- or post-build.
What needs improvement?
We have been looking at how we could improve the automation to human involvement ratio from 60:40 to 70:30, or even potentially 80:20, as there is room for improvement here. We are discussing this internally and with Mend; they are very accommodating to us. We think they openly receive our feedback and do their best to implement our thoughts into the roadmap.
I consider scan reports to be another area for improvement, but this is also an area of improvement for user management on our end. We need to train end users on how to deal with alerts and the best approach to take for new projects.
We have weekly meetings with Mend and encourage all users who integrate the solution into their product life cycle to attend. This has been very useful, as these technical meetings assist our staff in the best use practices and improving their interpretation of reports, which allows us to leverage the product to our greatest advantage. We are also able to ask for solution adaptations to suit our requirements, as we produce hardware as a company, not virtual products.
For how long have I used the solution?
We have been using the solution for almost five years.
What do I think about the stability of the solution?
The solution is highly stable; we had downtime on one occasion for two hours, which was scheduled. Aside from that, I haven't seen any downtime or performance issues, so in terms of stability, I rate the product very highly because we can depend on it.
What do I think about the scalability of the solution?
The solution is scalable, and scalability is vital for such an integral piece of software. Software development scenarios can change fast, requiring support for new languages and apps, so we constantly learn and communicate with Mend to fulfil our fluid requirements and adapt to changes within our environment.
How are customer service and support?
I'm delighted with the technical support, especially as someone involved in the deployment. Technical support has been highly responsive to bugs or errors, helping us mitigate or fix them quickly. It was easy to interpret their technical guidance, which made my job much more manageable. I'm very satisfied and would rate them highly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use any other solution.
How was the initial setup?
The deployment was mixed; there's always a window in which we are required to adapt to a tool. This solution isn't an out-of-the-box kind of model. There was some fine-tuning involved in the deployment according to our needs and specific projects, which is expected but somewhat challenging nonetheless.
The key staff involved in the deployment included me as the deployment manager, a customer success manager from Mend, a leading member of our IP Council, and the security advisers for each product. Once the deployment strategy is decided, the IP Council and security team take a back seat, and I work closely with the product architects moving forward. Deployment, fine-tuning, and getting the scans up and running takes two to two and a half days maximum per product. Ultimately, five or six key staff are involved in the solution's deployment, configuration, and maintenance.
What was our ROI?
We have seen an ROI for our projects, and our project managers are happy. This could still be improved, however.
What's my experience with pricing, setup cost, and licensing?
We always negotiate for the best price possible, and as far as I know, Mend has done an excellent job with their pricing. Our management is happy with the pricing, which has led to renewals.
Which other solutions did I evaluate?
We evaluated Black Duck, but it has several limitations that drove us toward choosing Mend. Black Duck is very expensive, and we require a SaaS solution to ensure the privacy of our source code, and they couldn't provide that. Therefore, our team decided to choose the more affordable and secure product.
What other advice do I have?
I would rate the solution a nine out of ten.
As a deployment admin, I would say the solution is straightforward to deploy, and deployment is simply the beginning of the process. Then comes the discipline of running scans along the life cycle of a project and deciding to accept or ignore the yielded alerts. This isn't a daily process, but it's an integral part of every project's workflow, and we have successfully made this an embedded part of our product development. Over time, our users have realized the advantages of using this software and appreciate the deployment.
Our staff must be open to change, especially when adapting to alerts and violations yielded by scans. Every scanned report has its interpretations and challenges, which is where input from the Intellectual Property team and Mend's technical team comes in. They support us throughout the product development process and help us calibrate our interpretations of reports. This gives us a clear picture of whether we are legally and technically conforming to our project and company requirements.
I'm a deployment manager, so I don't know if the merge confidence feature is used, as I'm not involved in projects throughout the entire development cycle. Some teams may be using it, but I can't say with confidence.
We use the SaaS version of the solution, which provides full compliance when it comes to privacy. At no point can Mend view our source code, and we have a complete legal understanding with them.
We currently don't use any other products in conjunction with the SCA product because we are at the beginning of our exposure to these tools. We are in the process of evaluating the tools, and we have a relatively elaborate process. It's also essential to consider different tools fairly by comparing like with like and having consistent parameters for comparison. That process can take some time and requires some patience. These kinds of evaluations should not be rushed, and it's okay to take weeks or even months to determine if a new tool can be a commercial and technical success within an organization.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Lead Software Engineer at a tech services company with 10,001+ employees
Integrates well with Azure DevOps, stable, and affordable
Pros and Cons
- "The results and the dashboard they provide are good."
- "I would like to see the static analysis included with the open-source version."
What is most valuable?
The integration with Azure DevOps was good.
The results and the dashboard they provide are good.
It was pretty straightforward for me.
What needs improvement?
I would like to see the static analysis included with the open-source version. That would be good.
For how long have I used the solution?
I used the trial version of WhiteSource for a month. We chose to work with Veracode instead.
What do I think about the stability of the solution?
It was pretty stable. I don't have any complaints about the stability of WhiteSource.
How are customer service and technical support?
I did not have any contact with the technical support. I did not have any issues in the time that I used this solution.
What's my experience with pricing, setup cost, and licensing?
It was approximately $2,000 per year or per month, I don't recall exactly.
When compared with Veracode, Veracode was very very expensive. It was approximately $200,000.00 per year for the whole Suite.
WhiteSource is much more affordable than Veracode.
Which other solutions did I evaluate?
We are evaluating Veracode.
What other advice do I have?
It was pretty good. I would rate WhiteSource an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Architect/Developer at an insurance company with 5,001-10,000 employees
Useful report automation, beneficial reports, but report-triggered operation halting needed
Pros and Cons
- "WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful."
- "WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance."
What is our primary use case?
We use WhiteSource for scanning open-source libraries (SCA), for both vulnerabilities and open-source licenses. We deployed WhiteSource with Azure DevOps.
What is most valuable?
WhiteSource is unique in the scanning of open-source licenses. Additionally, the vulnerabilities aspect of the solution is a benefit. We don't use WhiteSource in the whole organization, but we use it for some projects. There we receive a sense of the vulnerabilities of the open-source components, which improves our security work. The reports are automated which is useful.
What needs improvement?
WhiteSource only produces a report, which is nice to look at. However, you have to check that report every week, to see if something was found that you don't want. It would be great if the build that's generating a report would fail if it finds a very important vulnerability, for instance.
For how long have I used the solution?
I have been using WhiteSource for a few years.
What do I think about the stability of the solution?
WhiteSource is a stable solution.
What do I think about the scalability of the solution?
We have approximately 20 people using this solution in my organization.
How are customer service and support?
I have not used technical support.
Which solution did I use previously and why did I switch?
I have previously used other solutions, such as OWASP Dependency-Check, Snyk Open Source, and Checkmarx.
How was the initial setup?
The initial setup of WhiteSource is straightforward.
What about the implementation team?
We did the deployment of the solution ourselves. We used one person for the deployment.
What was our ROI?
We have received a return on investment.
What's my experience with pricing, setup cost, and licensing?
WhiteSource is a free solution to use.
Which other solutions did I evaluate?
We evaluated other solutions before choosing WhiteSource. We ended up choosing WhiteSource because of some of its unique features.
What other advice do I have?
I rate WhiteSource a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Co-Founder at a consumer goods company with 11-50 employees
Provides full visibility and gives us peace of mind working with open-source libraries
Pros and Cons
- "It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
- "WhiteSource Prioritize should be expanded to cover more than Java and JavaScript."
What is our primary use case?
We needed a tool to ensure that we are not using vulnerable libraries or open-source libraries with a copyleft license. We integrated WhiteSource with our repositories and CI server and set up automated policies to reject copyleft licensed libraries because our legal department doesn't allow them. We also have it open Jira issues automatically when a vulnerable library is detected and assign it to an engineer so we can shorten our response time to vulnerabilities detected in our applications. It integrates nicely with our existing workflow.
How has it helped my organization?
The best thing is that it changed the mindset of our developers. They are now more aware and proactive when it comes to the security risks in open source vulnerabilities and the need to update packages from time to time.
It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions.
The WhiteSource prioritization feature provides us with the greatest value as it has cut down the number of security alerts by about 90%. It is only relevant for Java and JS for now, but we understand more is yet to come. This has saved us a lot of time.
What is most valuable?
WhiteSource is very accurate and covers all of our languages (including C++).
WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects.
It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.
What needs improvement?
WhiteSource Prioritize should be expanded to cover more than Java and JavaScript.
We are currently using WhiteSource Prioritize for Java and it cuts our vulnerability alerts by almost 90%. However, Prioritize doesn't cover Python or other languages at this point and our developers are required to deal with many open source security alerts. The problem is that now our developers are aware that most open source security alerts are not impacting the security of their applications and it's harder to get their cooperation. We are waiting for WhiteSource to announce support for Python and other languages.
For how long have I used the solution?
We have been using WhiteSource for almost a year.
What do I think about the stability of the solution?
From my experience, WhiteSource is pretty solid.
How are customer service and technical support?
We had a problem with a new library that their engine didn't process. I wrote them an email and got a response within an hour. Two days later they added it to their system.
They provide accurate results and our customer success manager is great.
No complaints so far.
Which other solutions did I evaluate?
We tested Black Duck as well but detected quite a lot of false positives.
What other advice do I have?
The good thing is that their product just keeps getting better. They are very attentive to their customers.
All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
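Three of the reviews above describe the same control from different angles: the Architect/Developer wants the build that produces the report to fail when an important vulnerability is found, the Co-Founder has automated policies that reject copyleft-licensed libraries, and the same reviewer values Prioritize because it tells them whether the vulnerable method is actually called. The script below is an added example of that combined gate, written for this page; it is not Mend/WhiteSource code and does not use Mend's report schema. The report layout, the library names, the advisory IDs and the application source it inspects are all constructed for illustration, and the reachability check is a deliberately simple static pass over Python call sites with import-alias resolution, which shows the idea rather than reproducing a commercial analysis.

```python
"""CI gate over an SCA report: fail the build on reachable high/critical findings and on
denied licenses. Added example; the report layout, library names and advisory IDs below
are constructed for illustration and are not Mend/WhiteSource output."""
import ast
import sys

DENIED_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}          # copyleft, rejected by policy (assumption)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed report (assumption: not a real Mend schema).
SAMPLE_REPORT = {
    "libraries": [
        {"name": "yamlish@2.1", "license": "MIT",
         "vulnerabilities": [{"id": "CONSTRUCTED-0001", "severity": "critical",
                              "symbols": ["yamlish.load"]}]},
        {"name": "legacyhttp@0.9", "license": "Apache-2.0",
         "vulnerabilities": [{"id": "CONSTRUCTED-0002", "severity": "high",
                              "symbols": ["legacyhttp.legacy_parse"]}]},
        {"name": "copyleftlib@1.0", "license": "GPL-3.0", "vulnerabilities": []},
    ]
}

# Constructed application source that the gate inspects for reachability.
APP_SOURCE = """
import yamlish as y
from legacyhttp import safe_parse
cfg = y.load(open("cfg.yml").read())
doc = safe_parse(cfg)
"""


def _dotted(node):
    """Turn a call target into a dotted name, or '' when it is not a plain name/attribute chain."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def called_symbols(source):
    """Fully qualified names of every function the source calls, resolving import aliases."""
    tree = ast.parse(source)
    alias = {}                                   # local binding -> imported module/name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    alias[a.asname] = a.name     # import pkg.mod as m  -> m = pkg.mod
                else:
                    top = a.name.split(".")[0]
                    alias[top] = top             # import pkg.mod       -> pkg = pkg
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                alias[a.asname or a.name] = f"{node.module}.{a.name}"
    symbols = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if not name:
                continue                         # e.g. result-of-call().method(): not resolvable here
            head, _, rest = name.partition(".")
            head = alias.get(head, head)
            symbols.add(f"{head}.{rest}" if rest else head)
    return symbols


def gate(report, app_source, threshold="high"):
    """Return (blocking, advisory) messages. A finding blocks when its severity meets the
    threshold and at least one vulnerable symbol is called; a finding that names symbols,
    none of which is called, is advisory only. A finding with no symbol list cannot be
    proven unreachable, so it is treated as reachable (fail closed)."""
    reachable = called_symbols(app_source)
    blocking, advisory = [], []
    for lib in report["libraries"]:
        if lib["license"] in DENIED_LICENSES:
            blocking.append(f"{lib['name']}: license {lib['license']} is denied by policy")
        for vuln in lib["vulnerabilities"]:
            symbols = vuln.get("symbols") or []
            hits = [s for s in symbols if s in reachable]
            msg = f"{lib['name']}: {vuln['id']} ({vuln['severity']})"
            if symbols and not hits:
                advisory.append(f"{msg} not reachable from application code")
            elif SEVERITY_RANK.get(vuln["severity"], 0) >= SEVERITY_RANK[threshold]:
                blocking.append(f"{msg} reachable via {', '.join(hits) or 'unknown symbol'}")
            else:
                advisory.append(f"{msg} below build-failure threshold")
    return blocking, advisory


def main():
    blocking, advisory = gate(SAMPLE_REPORT, APP_SOURCE)
    for line in advisory:
        print("ADVISORY", line)
    for line in blocking:
        print("BLOCKING", line)
    return 1 if blocking else 0         # non-zero exit code is what makes the CI job fail


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of the pipeline job; the non-zero exit is what turns a "nice to look at" report into a halted build. The unreachable `legacyhttp` finding is still printed, because an advisory that is not called today may become reachable on the next commit, which is why the check runs on every commit rather than weekly.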
VP R&D at a tech services company with 11-50 employees
Easy open-source vulnerability checking has streamlined our software security process
Pros and Cons
- "For us, the most valuable tool was open-source licensing analysis."
- "If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
What is our primary use case?
We use WhiteSource to monitor our open-source usage. Specifically to avoid legal issues with open-source licensing, which may deter potential buyers or investors. Additionally, we analysed the code for security vulnerabilities.
We found the effective vulnerabilities report very useful since it lowered the number of actual defects found in the product and saved us a lot of work. Our environment is made of micro-services running in Kubernetes using NodeJS and Typescript for the backend, and AngularJS for the frontend. We use MongoDB, Redis, RabbitMQ, and ELK.
How has it helped my organization?
WhiteSource allowed us to minimize our exposure to open-source vulnerabilities with ease. Aside from identifying the outdated or compromised packages really easily, it allows us to actually see which vulnerabilities are effectively relevant for us. In this case, it saved us *A LOT* of refactors and redesigns of code, which would have been considered vulnerable otherwise.
We integrated WhiteSource into our build system to ensure we keep our code secure and don't introduce new problems as we go. This allows us to have more predictability into the work process as security now becomes a constant work-in-progress instead of a major bulk of work every now and then.
What is most valuable?
For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very, very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, whether in package.json files or in the Docker images, and then finding their effective license, which in itself is not a simple task.
What needs improvement?
The agent usage was not as smooth as the online experience. It lacks in terms of documentation and the errors and warnings it produces are not always very clear. We were able to get it up and running in a short while by getting help from support, which was very approachable and reliable.
If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation.
I would also like to get better integration with Google Docs.
For how long have I used the solution?
We have been using WhiteSource for a few months.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
Which other solutions did I evaluate?
We did not evaluate other options.
What other advice do I have?
Overall, this is a great product.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
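The manual alternative this reviewer describes (find every package in the package.json files, then establish its effective license) is worth seeing in code, because the hard part is not the walk but the "effective license": npm packages declare SPDX expressions such as `(MIT OR GPL-3.0-only)`, and an `OR` lets you pick a branch while an `AND` binds you to every branch. The script below is an added example written for this page, not WhiteSource's own code. The dependency tree is constructed in memory rather than read from disk, the copyleft policy set is an assumption, and the Docker-image side of the reviewer's inventory is not covered.

```python
"""Inventory the declared license of every package in a Node dependency tree and decide,
per SPDX license expression, whether the package forces a copyleft obligation.
Added example; the tree and the policy set are constructed assumptions."""
import json
import re

# Policy assumption: licenses the legal team treats as copyleft. Stored without the
# SPDX "-only" / "-or-later" suffix so both spellings match.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-3.0", "SSPL-1.0"}

# Constructed node_modules tree: path -> package.json text (no filesystem access).
TREE = {
    "node_modules/alpha/package.json": json.dumps(
        {"name": "alpha", "version": "1.2.0", "license": "MIT"}),
    "node_modules/beta/package.json": json.dumps(
        {"name": "beta", "version": "0.4.1", "license": "(MIT OR GPL-3.0-only)"}),
    "node_modules/beta/node_modules/gamma/package.json": json.dumps(
        {"name": "gamma", "version": "2.0.0", "license": "(Apache-2.0 AND LGPL-3.0-only)"}),
    "node_modules/delta/package.json": json.dumps(            # legacy "licenses" array form
        {"name": "delta", "version": "3.1.4", "licenses": [{"type": "BSD-3-Clause"}]}),
    "node_modules/epsilon/package.json": json.dumps(          # nothing declared at all
        {"name": "epsilon", "version": "0.0.9"}),
}

TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")


def declared_license(pkg):
    """Normalise the three forms npm has used: a string, {"type": ...}, or a list of those."""
    lic = pkg.get("license")
    if isinstance(lic, dict):
        lic = lic.get("type")
    if lic is None and isinstance(pkg.get("licenses"), list):
        lic = " OR ".join(l.get("type", "") for l in pkg["licenses"] if isinstance(l, dict))
    return lic or "NOASSERTION"          # SPDX term for "nothing declared"


def _is_copyleft(identifier):
    base = re.sub(r"-(only|or-later)$", "", identifier).rstrip("+")
    return base in COPYLEFT


class _Parser:
    """Recursive descent over an SPDX expression. expr := term (OR term)*,
    term := factor (AND factor)*, factor := '(' expr ')' | ID [WITH exception]."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        forced = self.term()
        while self.peek() == "OR":
            self.take()
            rhs = self.term()            # parse first; never short-circuit past a branch
            forced = forced and rhs      # OR: copyleft only if every alternative is copyleft
        return forced

    def term(self):
        forced = self.factor()
        while self.peek() == "AND":
            self.take()
            rhs = self.factor()
            forced = forced or rhs       # AND: copyleft if any conjunct is copyleft
        return forced

    def factor(self):
        tok = self.take()
        if tok == "(":
            forced = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis in SPDX expression")
            return forced
        if self.peek() == "WITH":        # an exception clause does not change the base license
            self.take()
            self.take()
        return _is_copyleft(tok)


def forces_copyleft(expression):
    """True when no choice of branches in the SPDX expression avoids a copyleft license."""
    return _Parser(expression).expr()


def inventory(tree):
    """Walk every package.json, nested node_modules included, and classify each package."""
    rows = []
    for path in tree:
        pkg = json.loads(tree[path])
        lic = declared_license(pkg)
        if lic == "NOASSERTION":
            status = "unknown"           # needs a human: no declared license is not "free to use"
        elif forces_copyleft(lic):
            status = "copyleft"
        else:
            status = "ok"
        rows.append((f"{pkg['name']}@{pkg['version']}", lic, status))
    return sorted(rows)
```

The `beta` package is dual-licensed and comes out `ok` because MIT can be chosen, while `gamma` is `copyleft` because the LGPL conjunct cannot be avoided; `epsilon`, with nothing declared, is reported as `unknown` rather than silently passed, which is the case a manual review most often misses.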
Works at a tech vendor with 1,001-5,000 employees
Vulnerability and license alerts help us stay compliant with software releases
Pros and Cons
- "Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses' copyright and component-usage disclosures in our software."
- "Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
What is our primary use case?
Our primary use for WhiteSource is security and license risk detection in open-source, third-party libraries and components. We run scans from multiple source control and build systems (TFS, ADO, Jenkins, ...). Some of our scans are automated, while others are done manually with the unified file agent in offline mode scan, and then the resulting "wsjson" file is uploaded to the WS SaaS portal.
How has it helped my organization?
We moved from Black Duck to WhiteSource as it was a more modern and scalable solution, with better integration support for various build and source environments. The ease of running scans and getting results quickly enables our developers to address issues more quickly.
What is most valuable?
The most valuable features of this solution are:
- The vulnerability and license alerts are the main reason we use this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
- Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
- Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses' copyright and component usage disclosures in our software.
What needs improvement?
Places in need of improvement are:
- Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting.
- Manual uploads of "wsjson" files can only be done by a global admin. Product administrators should be given this right for uploading files to their products/projects.
- Better support for proxies is needed when running the unified file agent behind a proxy. It can be made to work, but the Java proxy config and cert trust for MitM traffic inspection are very painful to set up.
For how long have I used the solution?
We have been using WhiteSource for two years.
What do I think about the stability of the solution?
In our two years of usage, there has been a negligible amount of downtime. We have, however, experienced occasional issues with certain features of the offering that created some friction and grumblings from our devs using the portal, but those have typically been resolved fairly quickly.
What do I think about the scalability of the solution?
This is a SaaS offering that has so far taken everything we have thrown at it (150+ products, with multiple projects in each). Certain reports that aggregate data globally can take a while to churn, but they are well within acceptable timeframes.
How are customer service and technical support?
Responses are quick; TS works hard to resolve issues quickly.
Which solution did I use previously and why did I switch?
Prior to this solution, we used Black Duck. As of two years ago, when we made the switch, WhiteSource's UI was more modern, the SaaS solution more scalable, and the integration capabilities far superior. The detection accuracy between the two was quite similar.
How was the initial setup?
Setting up the tool for automated usage is very straightforward. Follow the documentation carefully and you will likely be fully up and running in between 15 and 60 minutes.
What about the implementation team?
We implemented this solution using our in-house team.
What's my experience with pricing, setup cost, and licensing?
Pricing is competitive.
Which other solutions did I evaluate?
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Architect at Dwr Cymru Welsh Water
Helpful for compiling a list of our third-party libraries, but it needs a quality gate function
Pros and Cons
- "The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
- "We specifically use this solution within our CI/CD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
What is our primary use case?
Our primary use for WhiteSource Bolt is to gain visibility over third-party libraries in order to perform vulnerability assessments and take care of licensing issues.
We are using this solution within our Microsoft Azure tenants. Essentially, we are using it in a private cloud.
What is most valuable?
The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate. This helps us quite a bit.
What needs improvement?
We specifically use this solution within our CI/CD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running. This would give us some sort of automated assurance. This is probably the feature that we'd most like to see.
For how long have I used the solution?
We have been using this solution for about eight months.
What do I think about the stability of the solution?
Generally, the stability is pretty good. The only thing we have noticed in the past couple of weeks is that it's been quite slow at times. We are reaching out to them over the issue.
What do I think about the scalability of the solution?
We haven't deployed it on a massive scale so we may not be able to judge the scalability. We run through perhaps ten deployments in a day, and we have not seen any issues.
We use this for anything that gets deployed, which is every pipeline that we run through our CI/CD.
How are customer service and technical support?
I haven't needed to engage with technical support for this solution.
Which solution did I use previously and why did I switch?
For this use case, we did not use another solution prior to this one.
How was the initial setup?
Given that it is a cloud-based solution, it is really easy. The deployment takes a couple of minutes.
What's my experience with pricing, setup cost, and licensing?
The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.
Which other solutions did I evaluate?
We are still evaluating at the moment, and have not officially adopted WhiteSource as of yet.
What other advice do I have?
For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various tools available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Updated: October 2024