Mend.io Reviews

Our primary use for WhiteSource Bolt is to gain visibility over third-party libraries in order to perform vulnerability assessments and take care of licensing issues.

We are using this solution within our Microsoft Azure tenants. Essentially, we are using it in a private cloud.

The most valuable feature is the inventory, where it compiles a list of all of the third-party libraries that we have on our estate. This helps us quite a bit.

We specifically use this solution within our CICD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running. This would give us some sort of automated assurance. This is probably the feature that we'd most like to see.

Generally, the stability is pretty good. The only thing we have noticed in the past couple of weeks is that it's been quite slow at times. We are reaching out to them over the issue.

We haven't deployed it on a massive scale so we may not be able to judge the scalability. We run through perhaps ten deployments in a day, and we have not seen any issues.

We use this for anything that gets deployed, which is every pipeline that we run through our CICD.

I haven't needed to engage with technical support for this solution.

For this use case, we did not use another solution prior to this one.

Given that it is a cloud-based solution, it is really easy. The deployment takes a couple of minutes.

The version that we are using, WhiteSource Bolt, is a free integration with Azure DevOps.

We are still evaluating at the moment, and have not officially adopted WhiteSource as of yet.

For anybody who is researching this type of solution, my suggestion is to try them first. We tried quite a few of the various toolings available, and some of them are just not workable. They're very different on paper, so you have to use them to really compare them.

I would rate this solution a seven out of ten.

Our primary use is to find all the third-party libraries and open source libraries which are hidden in the software, such that no third-party libraries are forgotten.

1. To get an overview of all these third-party components.
2. To get some information from WhiteSource about which licenses are behind the third-party tool, and what implications these might have for us.

We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds. Then, we can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs, etc.

Several dashboards. The licenses dashboard, which gives me an overview of all the licenses used in our software. For example, right at the moment, there are several hundreds of licenses used. The licenses dashboard and release management dashboard along with reports (like risk, vulnerabilities, high severity, bug alerts, etc.).

Every product has room for improvement, including WhiteSource. The stability of the product is web-based. We are obliged to use the Internet Explorer, and from time-to-time I get messages which tells me that I do not have the rights to use WhiteSource, which is obviously wrong. I also suggested it to WhiteSource, and they told me that WhiteSource only works reliably for Firefox and Chrome. This has some room for improvement for me. Make the product available in a very stable way for other web browsers. 

From time to time, the dashboards don't display the full content that I expect. It seems that licenses are not shown nor are products are shown in full detail. I am just missing things at times. This might be due to the Internet Explorer issue, and if I am not using the right web browser, then maybe it does not work correctly. 

From time-to-time, it seems in Internet Explorer, which we use here in our company, the product is not stable in all cases. I get wrong error messages, and it seems that WhiteSource does not display all the contents that should be there. 

It is good enough. We can live with it in this situation. Though maybe it would be much better if we used Chrome or Firefox.

The picture that I have of it is that it is not yet a fully 100% stable software. This is the impression that I have. It is not 100% stable and reliable, but it is good enough that we can work with it.

We have only six software projects included right now. Altogether, we have several hundred third-party open source components. With this amount of objects displayed in the dashboards, it is working pretty well. I cannot say anything which goes beyond that amount. 

From time-to-time, I have the impression that if it is a long list (e.g., if I have several hundreds of entries in a list), that this list might somehow get a little bit difficult to handle with the scroll bar in finding things. This could be improved, in regards to handling a lot of data. It seems a little bit limited.

We have tech calls with WhiteSource on a regular basis, about every four weeks. 

The customer success manager, who is responsible for us, works with us pretty well. Every several weeks, we have a phone call, then we try to move one step forward to improve things, and so on. 

The overall support that we receive is pretty good. 

We did not use anything before WhiteSource. 

It was not that easy, but easy enough to go ahead. 

From time-to-time, we get some hints from the support on how to work with it. The dashboard is pretty good, so one can easily find things that they are looking for. However, the topic search, it is very complex and complicated to get a qualified picture of all these licenses. I know that there are online resources for us which we can take into account, but taking everything together, it still remains quite complicated for us to work with it.

Up until now, we were convinced that the return of investment was not really the case. However, we will see if maybe we get enough benefit out of the tool that we can argue internally that it is really worth using it.

When using WhiteSource, you cannot really be sure what the ROI is. It is an indication, a hint, that maybe you should look at these licenses or those licenses. However, maybe it has not found everything. Nobody can guarantee that we now have the complete picture. It is maybe an improved picture on all this third-party open-source stuff, but maybe it is also not the complete picture.

We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price. 

We did evaluate another tool along with WhiteSource, but we decided to take WhiteSource. There was this other tool, Black Duck, but we decided to work with WhiteSource.

However, we have not fully evaluated this tool. It seemed too complicated for us, so at a certain point, we just decided to work with WhiteSource further on.

I recommend using WhiteSource to other companies if they are in a similar situation that we are. If they are having real problems in dealing with all these open source licenses, then it is a good approach to use WhiteSource and get a handle of the whole topic. 

I do recommend it.

To prevent shipping commercial or GPL libraries, we scan our repositories.

Scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed and that we’re not using “forbidden” libraries.

Better ACL and more role definitions. This product could be used by large organisations but it definitely needs a better role/action model.

Right now (in my understanding) there are roles for WhiteSource Admin and Members and Product Admins and Members.

Here are some suggestions:

• When you create a new product “A” (for example)  then automatically create the user groups A-Admin, A-Members, A-Alerts and A-Approvers. In that way you just need to assign users.
• Have a new role “Product Status Updates”,  because I don’t want all product admins to receive the status or to have all who get the status as product admins.
• Have a new role “WhiteSource Status Updates” - I want to have different groups to be admins or to receive a status report.
• Have a new role “Audit” to receive audits.

One to three years.

No issues, it's working really well.

No issues so far.

Eight out of 10. Always responsive.

We were using editors or Wiki to keep that information, but obviously it was not updated.

It wasn’t too complex because you have different options for integrating your repositories, from a simple directory scan to a complex plug-in. We decided to begin with the simplest one and adopt new integrations step by step.

Pricing / licensing model changed during last year so I don’t have an opinion here yet.

I evaluated Black Duck.

It’s important to define guidelines and best practices regarding how to use the product internally; who defines what? Who accesses what? 

Best way to integrate my GitHub repo, my Maven project, etc.

With WhiteSource, we have been able to automate the scan of our Open Source dependencies. Before, it was a 50% automated in-house solution.

• Open Source dependencies scan
• Common Vulnerabilities and Exposures (CVE) detection
• Useful license and copyright reports.
• Dashboards to manage the risk by product or by organisation.

We are using a lot of Open Source components to develop our products. WhiteSource is the perfect tool to manage the Open Source governance. All our continuous integration stack is using WhiteSource to scan our dependencies (Maven, NPM, Docker).

Next, we are integrating the WhiteSource reports in our products (in a legal-notices folder) to store all the copyright and licensing information. WhiteSource replaced a painful and complex in-house solution, now it's fully automated.

Notifications could be improved. Everything else is OK.

If one of our products is using a dependency with a black-listed license (LGPL, for example) we like to notify the developer who added this dependency. And we use the same notification if you try to use a component with no license or no copyright information.

No issues.

No issues.

Customer Service:

A nine out of 10. They are really reactive when we have a question.

Technical Support:

A nine out of 10. They are really reactive when we have a question.

We were using an in-house solution based on some Maven plugins. The process was not fully-automated. We were looking for a fully-automated solution.

Really straightforward. The first scan was ready in 30 minutes.

My team (release engineering) implemented WhiteSource for our company.

We are really happy to use WhiteSource. A lot of time has been saved and the results are more accurate.

The setup cost is cheap. For our company, we received a good price to manage unlimited products and versions.

We did a comparison with Black Duck, but WhiteSource was better at managing the Open Source stuff.

We are a happy customer.