We performed a comparison between WhiteSource and SonarQube based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: SonarQube comes out on top in this comparison. It is high performing and user-friendly. In addition, it is less expensive than WhiteSource.
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."
"WhiteSource helped reduce our mean time to resolution since the adoption of the product."
"The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate."
"We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"The dashboard view and the management view are most valuable."
"SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"We've configured it to run on each commit, providing feedback on our software quality. ]"
"The SonarQube dashboard looks great."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"All the features of the solution are quite good."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"On the reporting side, they could make some improvements. They are making the reports better and better, but sometimes it takes a lot of time to generate a report for our entire organization."
"The dashboard UI and UX are problematic."
"Mend supports most of the common package managers, but it doesn't support some that we use. I would appreciate it if they can quickly make these changes to add new package managers when necessary."
"We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
"WhiteSource needs improvement in the scanning of the containers and images with distinguishing the layers."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"I would like to see dynamic code analysis in the next version of the software."
"It should be user-friendly."
"I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"The security in SonarQube could be better."
"Lacks sufficient visibility and documentation."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."
Mend.io is ranked 5th in Application Security Tools with 29 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Mend.io is rated 8.4, while SonarQube is rated 8.0. The top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Mend.io is most compared with Black Duck, Snyk, Veracode, Checkmarx One and JFrog Xray, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and OWASP Zap. See our Mend.io vs. SonarQube report.
See our list of best Application Security Tools vendors.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.