We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.
"The overall support that we receive is pretty good. "
"The results and the dashboard they provide are good."
"The vulnerability analysis is the best aspect of the solution."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"What is very nice is that the product is very easy to set up. When you want to implement Mend.io, it just takes a few minutes to create your organization, create your products, and scan them. It's really convenient to have Mend scanning your products in less than one hour."
"The most valuable features are the reporting, customizing libraries "In-house, White list, license selection", comparing the products/projects, and License & Copyright resolution."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"All the features of the solution are quite good."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"The most valuable function is its usability."
"SonarQube is good for checking and maintaining code quality."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"We have worked with the support from SonarQube and we have had good experiences."
"Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."
"The solution lacks the code snippet part."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"The UI is not that friendly and you need to learn how to navigate easily."
"Mend lets you create custom policies. They're not too complicated to set up, but it would be helpful if they had some preconfigured policies to match what we have in Azure DevOps. That would save us a lot of time. It's tedious to configure the policies manually, and I lack the capacity to do it right now. Other products have preconfigured packs and templates, and Mend doesn't."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"I would like to have an additional compliance pack. Currently, it does not have anything for the CIS framework or the NIST framework. If we directly run a scan, and it is under the CIS framework, we can directly tell the auditor that this product is now CIS compliant."
"The solution could improve by having better-consulting services."
"The pricing could be reduced a bit. It's a little expensive."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
"I would like to see dynamic code analysis in the next version of the software."
"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
"Monitoring is a feature that can be improved in the next version."
"We could use some team support, but since we are using the community version, it's not available."
Mend.io is ranked 13th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Veracode, Snyk, Checkmarx One and JFrog Xray, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Mend.io vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.