Products compared: Veracode, SonarQube, WhiteSource
Comparison Summary
Question: How does WhiteSource compare with SonarQube?
Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This solution allows for multiple copies of replicated and coded pools to be kept, easy replacement of failed hard drives, and easy replacement of scaled-out nodes. Red Hat Ceph continues working even when there are failures. We experienced some stability issues when we went beyond the default factor, which is 3. We found that the rebalancing and recovery processes can be a bit slow. Red Hat Ceph can be pretty complex to deploy and has a very big learning curve. MinIO is software-defined, runs in industry-standard hardware, and is an open-source solution. The retrieval of objects with MinIO is significantly better than many of the other solutions we considered. We found deployment to be very simple and even with numerous updates, MinIO ran seamlessly - we experienced no downtime. MinIO is amazing with regard to processing speed, volume, and accessibility to data. It can store large amounts of data, and you can retrieve, load, and transform the data quickly. MinIO offers both a browser interface and a command interface, which we found very useful. MinIO is lacking in a few documentation and monitoring tools that other solutions provide, though. It would be a better and more flexible solution if you could use an uneven disk structure. It would also be great to include some sort of graphical representation of data, like size and data type. Conclusion: We were looking for a high-performance object storage system that would work well with enterprise systems. We found that MinIO offered the stability and scalability in addition to the ability to deploy on-premise, in the cloud, or hybrid options most suitable for our needs.
Find out what your peers are saying about SonarQube vs. WhiteSource and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
"The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
"There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
"Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt the suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code, the tool points to the problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability."
"Good static analysis and dynamic analysis."
"In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
"There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We've been using it out of the Jira plugin, and that is fantastic."


"SonarQube is a fantastic tool which saves us precious time."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"I like that it helps us maintain our work quality and code security."
"It provides the security that is required from a solution for financial businesses."
"I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"The most valuable features are the analysis and detection of issues within the application code."
"The stability is good."


"The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies."
"With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions."
"The solution is scalable."
"Our dev team uses the fix suggestions feature to quickly find the best path for remediation."
"For us, the most valuable tool was open-source licensing analysis."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"The solution boasts a broad range of features and covers much of what an ideal SCA tool should."
"It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions."


Cons
"I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."
"The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
"The product has issues with scanning."
"The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
"It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."
"Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."
"The pricing for qualified startups such as Neo4j could be improved."
"The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."


"I would like to see improvements in defining the quality sets of rules and the quality to ensure low-performance code does not end up in production."
"It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"We did have some trouble with the LDAP integration for the console."


"The dashboard UI and UX are problematic."
"The solution lacks the code snippet part."
"The initial setup could be simplified."
"We have ended our relationship with WhiteSource. We were using an agent that we built in the pipeline so that you can scan the projects during build time. But unfortunately, that agent didn't work at all. We have more than 500 projects, and it doubled or tripled the build time. For other projects, we had the failure of the builds without any known reason. It was not usable at all. We spent maybe one year working on the issues to try to make it work, but it didn't in the end. We should be able to integrate it with ID and Shift Left so that the developers are able to see the scan results without waiting for the build to fail."
"It would be nice to have a better way to realize its full potential and translate it within the UI or during onboarding."
"The UI is not that friendly and you need to learn how to navigate easily."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."


Pricing and Cost Advice
"Licensing cost is on a yearly basis and there are no additional costs; the pricing is straightforward."
"The pricing is really fair compared to a lot of other tools on the market."
"Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
"For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
"Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
"It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs by 40 to 50 percent."
"If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
"We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."


"We pay €10 per month for this solution, which is good. It provides a good value for money."
"This solution is free."
"I use the full trial version of SonarQube."
"It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
"The price of the solution could be reduced."
"The solution has a free version and a license version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution."
"I think, comparing the product to competitors, it should be less expensive."
"You can try the developer version for 14 days on the free trial."


"The solution involves a yearly licensing fee."
"As we were using a SaaS-based service, the solution must be scalable, although my understanding is that this is based on the licensing model one is using."
"Pricing is competitive."
"WhiteSource is much more affordable than Veracode."


Questions from the Community
Top Answer: SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis…
Top Answer: The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the…
Top Answer: Veracode is very, very expensive, one of the most expensive security scanning tools available. We pay an annual license…
Top Answer: I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which…
Top Answer: We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security…
Top Answer: Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to…
Top Answer: Red Hat Ceph does well in simplifying storage integration by replacing the need for numerous storage solutions. This…
Top Answer: We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is…
Top Answer: The license management of WhiteSource was at a good level. As compared to other tools that I have used, its…
Also Known As: Sonar (SonarQube)
Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

The leading solution for agile open source security and license compliance management, WhiteSource integrates with the DevOps pipeline to detect vulnerable open source libraries in real-time.

It provides remediation paths and policy automation to speed up time-to-fix. It also prioritizes vulnerability alerts based on usage analysis.

We support over 200 programming languages and offer the widest vulnerability database aggregating information from dozens of peer-reviewed, respected sources.

Sample Customers
Veracode: State of Missouri, Rekner
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
WhiteSource: Microsoft, Autodesk, NCR, Comcast, Nokia, Forgerock, indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
Top Industries

Veracode
Reviewers: Financial Services Firm 30%, Computer Software Company 12%, Insurance Company 9%, Healthcare Company 7%
Visitors reading reviews: Computer Software Company 30%, Comms Service Provider 16%, Financial Services Firm 10%, Manufacturing Company 6%

SonarQube
Reviewers: Computer Software Company 24%, Financial Services Firm 20%, Comms Service Provider 10%, Manufacturing Company 8%
Visitors reading reviews: Computer Software Company 28%, Comms Service Provider 17%, Financial Services Firm 12%, Manufacturing Company 7%

WhiteSource
Reviewers: Computer Software Company 33%, Media Company 11%, Energy/Utilities Company 11%, Consumer Goods Company 11%
Visitors reading reviews: Computer Software Company 35%, Comms Service Provider 19%, Financial Services Firm 7%, Manufacturing Company 5%
Company Size

Veracode
Reviewers: Small Business 24%, Midsize Enterprise 25%, Large Enterprise 51%
Visitors reading reviews: Small Business 24%, Midsize Enterprise 31%, Large Enterprise 45%

SonarQube
Reviewers: Small Business 28%, Midsize Enterprise 18%, Large Enterprise 53%
Visitors reading reviews: Small Business 29%, Midsize Enterprise 19%, Large Enterprise 52%

WhiteSource
Reviewers: Small Business 33%, Midsize Enterprise 7%, Large Enterprise 60%
Visitors reading reviews: Small Business 17%, Midsize Enterprise 10%, Large Enterprise 72%

SonarQube is ranked 1st in Application Security with 46 reviews while WhiteSource is ranked 8th in Application Security with 13 reviews. SonarQube is rated 8.0, while WhiteSource is rated 8.4. The top reviewer of SonarQube writes "This is a very capable analysis tool for development projects but the free version has limitations". On the other hand, the top reviewer of WhiteSource writes "Policy automation and automatic fix suggestions help us to save time in finding and solving problems". SonarQube is most compared with Checkmarx, Coverity, Sonatype Nexus Lifecycle, Micro Focus Fortify on Demand and Snyk, whereas WhiteSource is most compared with Black Duck, Snyk, Sonatype Nexus Lifecycle, Checkmarx and Micro Focus Fortify on Demand. See our SonarQube vs. WhiteSource report.


We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.