GitHub is a project management and code sharing platform that allows users to share their codes with others and...
Software Advice offers objective, independent research and verified user reviews. We may earn a referral fee when you visit a vendor through our links.
Learn more
About WhiteSource
WhiteSource is the leading solution for agile open source security and license compliance management.
It integrates with your development environments and DevOps pipeline to detect open source libraries with security or compliance issues in real-time.
WhiteSource doesn’t only alert on issues, it also provides actionable, validated remediation paths to enable quick resolution and automated policy enforcement to speed up time-to-fix. It also helps you focus on what matters by prioritizing remediation based on whether your code is actually using a vulnerable method or not, and guaranteeing zero false positives.
WhiteSource offers support for over 200 programming languages, and continuous tracking of multiple open source vulnerabilities databases including the NVD, security advisories, peer-reviewed vulnerability knowledge bases and open source projects issue trackers.
WhiteSource pricing
WhiteSource has a free version and offers a free trial. WhiteSource paid version starts at USD 4,000.00.
Starting Price:
USD 4,000.00
Free Version:
Yes
Free trial:
Yes
Alternatives to WhiteSource
SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability...
Snyk is an application security and testing platform designed to help businesses find, prioritize and remediate...
GitLab is a cloud-based project management platform that allows software developers to develop and manage codes...
Neptune DXP is a low-code app development platform that gives IT departments the right tools to build the apps they...
Jira Software is a business process management tool used by agile teams to plan, track and release software. Jira...
WhiteSource Reviews
Feature rating
5 reviews of 7
View all reviews
Mo
- Industry: Legal Services
- Company size: 501–1,000 Employees
- Used Weekly for 2+ years
-
Review Source
4
Reviewed on 07/12/2022
Good supplement to other SAST tools for "shift left" security.
Pros
Easy integration with Azure DevOps and Mend for Github and the fact that you can run as a task during the pipeline but you don't have to see the output from a CLI since they provide a tab on the pipeline run to see a good report on used libraries and vulnerabilities.
Cons
Other tools have auto fixing which is not a need but good to have. Auto-fixing is not always "auto" and might need review which doesn't make it a big con.
Elyes
- Industry: Information Technology & Services
- Company size: 1,001–5,000 Employees
- Used Monthly for 6-12 months
-
Review Source
5
Reviewed on 07/12/2021
WhiteSource Review
Pros
WhiteSource give you the ability to scan open source packages within your source code.
The ability to integrate it with Azure pipelines is a huge plus
Cons
Duplicated result for same packages and within the same project
Don
- Used for 1-5 months
-
Review Source
2
Reviewed on 07/06/2018
Tons of false positives, prepare to spend hours fixing it manually
After much manual configuration, a nicely formatted output that looks reputable. I could have just made my own in excel a lot faster.
Pros
Fast, quick reviews of your code. They do a good job of putting all the relevant reports and dashboards in front of you quickly. Once you manually fix everything, it can look really good.
Cons
The false positives are awful. I had to spend hours and hours manually fixing everything it mis-identified - dozens of libraries and thousands of source files. If you use a library not in its database... too bad. You can make a support request and wait for them to enter it for you, whenever they get around to it.
The search is pretty awful. There is some kind of syntax to using it but when I asked our account rep, she couldn't give me any documentation on it. You will frequently see results like "openssl-v0_9_8" in your search, but if you type "openssl" it will vanish and not come up. Don't ever both trying to search for a version, it doesn't work. This results in a lot of time scrolling through very large lists. Naming schemes are random and follow no established pattern.
For a good half of all libraries, they have not assigned a license. Guess who gets to go google search them all? You, the user! Isn't the point of this tool to help me identify the licensing?
UI navigation is challenging. Back button will take you to a different place than you were almost every time. You'll love the dashboard... because you have to go back to it roughly every 5 minutes and start over.
No great system for notes/todos/reminders. When you have to fix 60 libraries, it's hard to remember what you want to do with each one.
Udi
-
Review Source
5
Reviewed on 10/11/2015
FOSS lifecycle management with Whitesource
Using Whitesource to manage the process of analysing FOSS for a large product with hundreds of opensource dependencies.
Makes life much easier and helps you cover all dependencies much more accurately.
Some processes are still a bit course (though improved dramatically over the past 18 months)
Refresh performance might be a bit slow when there are very large dependency lists.
Best product out there for FOSS lifecycle management
John McIntire
-
Review Source
5
Reviewed on 28/05/2013
Easy to use. Saves tons of time.
We used to document it all manually. Now its done easily and effectively. Not to mention that we missed many things, so with this we were able to fix some small issues before they become big issues....
Pros
easy
inexpensive
very comprehensive
no more hassle
