Open Source Management Comparison

Inventory Generation


The first step in monitoring your open source security vulnerabilities and license compliance issues is detecting which open source components are in your software.

Therefore, an accurate report of the open source components in your software, including all dependencies, is essential.
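The difference between an inventory based on what the build actually resolves and one based on what the manifest declares is easiest to see on a small dependency graph. The following script is an added example, not WhiteSource's or any vendor's code; the component names, versions and graph are constructed for illustration. It walks the resolved graph from the root artifact, records every transitive component once at its shallowest depth, and reports what a hand-written manifest would have missed or over-declared:

```python
"""Build a component inventory from resolved dependency data, including
transitive dependencies, so that components never named in the manifest
still appear in the report. Constructed sample data, not a real build."""
from collections import deque

# Constructed resolved dependency graph (what a build tool actually pulls),
# keyed by "name@version". Names and versions are made up for illustration.
RESOLVED_GRAPH = {
    "webapp@1.0.0": ["framework@2.3.1", "logging-lib@1.4.0"],
    "framework@2.3.1": ["json-parser@3.0.2", "http-client@5.1.0"],
    "http-client@5.1.0": ["json-parser@3.0.2", "tls-utils@0.9.7"],
    "logging-lib@1.4.0": ["json-parser@3.0.2"],
    "json-parser@3.0.2": [],
    "tls-utils@0.9.7": [],
    # declared in the manifest but pulled in by nothing the build actually uses
    "unused-lib@1.0.0": [],
}

# What the developer wrote down by hand (the "manifest"): direct deps only.
MANIFEST = ["framework@2.3.1", "logging-lib@1.4.0", "unused-lib@1.0.0"]


def inventory(root, graph):
    """Breadth-first walk from the root artifact over the resolved graph.

    Returns {component: depth} where depth 1 = direct dependency and
    depth >= 2 = transitive. The root itself is excluded. A component reached
    by several paths is recorded once, at its shallowest depth.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        comp, depth = queue.popleft()
        if comp in depths:
            continue
        depths[comp] = depth
        for child in graph.get(comp, []):
            if child not in depths:
                queue.append((child, depth + 1))
    return depths


def compare_with_manifest(root, graph, manifest):
    """Split the picture into what the manifest gets right and wrong."""
    actual = inventory(root, graph)
    declared = set(manifest)
    return {
        "in_use": sorted(actual),
        "transitive_only": sorted(c for c, d in actual.items()
                                  if d >= 2 and c not in declared),
        "declared_but_unused": sorted(declared - set(actual)),
    }


if __name__ == "__main__":
    result = compare_with_manifest("webapp@1.0.0", RESOLVED_GRAPH, MANIFEST)
    for key, comps in result.items():
        print(f"{key}: {', '.join(comps) or '(none)'}")
```

On this graph the manifest names three components, but the build actually uses five: three of them (http-client, json-parser, tls-utils) are transitive and would never appear in a manifest-based inventory, while unused-lib is declared and never pulled in. Any vulnerability or license check that runs only over the manifest misses the first group and wastes time on the second.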

WhiteSource

Integrates with your build within minutes to detect all open source components, including transitive dependencies, based on what is actually used rather than what is declared in the manifest.

Detects both binary and source code, covering over 20 binary and source languages.

A continuously updated database of over 3M open source components and 70 million open source files.

On-premise, hosted (cloud) or SaaS.

Code Scanners

Scan your code for code snippets that match open source snippets in their database.

Often require manual review to filter out a high volume of false positives, which can take anywhere from a few days to several weeks.

Code scanning is done periodically, typically before a major release. Therefore, any components integrated after the last scan go undetected.

On-premise only.

Other Continuous Tools

All tools detect open source components in your build, based on actual usage. Some also detect open source components in repositories.

The majority of tools support only binary code.

On-premise or hosted (cloud).

Manual

Inaccurate due to the complexity of dependencies tracking and human error.

A waste of your developers' valuable time on processes that can be easily and inexpensively automated.


Vulnerabilities Identification


Hundreds of open source security vulnerabilities are reported every year. Thankfully, the open source community is quick to respond with remediation for over 80% of them.

The open source community is a bazaar, where vulnerabilities are reported to a variety of sources. Therefore, matching between vulnerabilities and the open source components in your software is a challenge.

With hackers starting to understand that a single open source vulnerability can translate into many victims, the ability to find and fix security vulnerabilities quickly has never been more important.

WhiteSource

Sources vulnerabilities from multiple databases: the NVD, a dozen security advisories, GitHub issue tracker and open source projects’ bug trackers.

Our database contains over 180,000 security vulnerabilities and counting.

A proprietary algorithm that guarantees zero false positives by matching vulnerabilities to the specific affected versions of a component.

Alerts in real-time when adding a vulnerable component or when a vulnerability is discovered in one of your components.

Continuously monitors the inventory of a product’s last build, enabling you to detect security issues even post-release.

Provides remediation suggestions on how to fix security vulnerabilities.
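The false-positive problem described above comes from matching a vulnerability to a component by name alone, when advisories normally name an affected version range and a fixed version. The script below is an added example, not WhiteSource's or any vendor's matching algorithm; the advisory IDs, component names, versions and ranges are constructed. It matches a small inventory two ways, name-only and version-aware, so the false positives the naive approach produces are visible:

```python
"""Match a component inventory against vulnerability records by affected
version range, so that a fixed version is not flagged just because the
component name matches. Sample advisories and inventory are constructed."""
import re

# Constructed advisories. IDs, component names and ranges are made up;
# the shape (affected range + fixed version) mirrors how advisories are
# normally written. Range syntax: comma-separated constraints using
# <, <=, >, >=, ==.
ADVISORIES = [
    {"id": "ADV-0001", "component": "json-parser", "severity": "HIGH",
     "affected": ">=3.0.0,<3.0.2", "fixed_in": "3.0.2"},
    {"id": "ADV-0002", "component": "tls-utils", "severity": "CRITICAL",
     "affected": "<1.0.0", "fixed_in": "1.0.0"},
    {"id": "ADV-0003", "component": "http-client", "severity": "MEDIUM",
     "affected": ">=4.0.0,<5.0.0", "fixed_in": "5.0.0"},
]

# Constructed inventory as produced by a build-time scan.
INVENTORY = [
    ("json-parser", "3.0.2"),   # name matches ADV-0001, version is the fix
    ("tls-utils", "0.9.7"),     # inside the affected range
    ("http-client", "5.1.0"),   # past the fixed version
    ("logging-lib", "1.4.0"),   # no advisory at all
]


def parse_version(v):
    """Turn '3.0.2' into (3, 0, 2); pads so '3.0' and '3.0.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def in_range(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    ver = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def match_by_name(inventory, advisories):
    """Naive matching: any advisory for the component name is a hit."""
    return sorted((adv["id"], name, ver) for name, ver in inventory
                  for adv in advisories if adv["component"] == name)


def match_by_version(inventory, advisories):
    """Version-aware matching: hit only if the installed version is affected."""
    return sorted((adv["id"], name, ver) for name, ver in inventory
                  for adv in advisories
                  if adv["component"] == name and in_range(ver, adv["affected"]))


if __name__ == "__main__":
    naive = match_by_name(INVENTORY, ADVISORIES)
    precise = match_by_version(INVENTORY, ADVISORIES)
    print("name-only matches    :", naive)
    print("version-aware matches:", precise)
    print("false positives avoided:", sorted(set(naive) - set(precise)))
```

Name-only matching reports three findings; only one (tls-utils 0.9.7) is real, because json-parser 3.0.2 is exactly the fixed version and http-client 5.1.0 is past it. Real advisories use several range syntaxes and sometimes list discrete affected versions rather than a range, so a production matcher needs a parser per data source; the version-range check itself is the part that removes the false positives.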

Code Scanners

Most solutions track only the NVD.

The vulnerability database of our leading competitor contains over 76,000 security vulnerabilities, based on their latest report.

Can only detect vulnerabilities known at the time of the last scan.

High percentage of false positives that waste your teams’ time.

Other Continuous Tools

Most solutions track only the NVD. One solution also sources the VulnDB, which is based on the now abandoned OSVDB.

The vulnerability database of our leading competitor contains over 76,000 security vulnerabilities, based on their latest report.

Volume of false positives and misses varies significantly between vendors.

Manual

It’s near impossible to manually detect vulnerable components, due to the way vulnerabilities are reported.

OWASP Dependency-Check can help for a limited number of languages, with average accuracy.


License Risk Management


Open source license risk assessment is no longer needed only during due diligence processes like M&A and IPO. It is gradually becoming the norm before each software release. Therefore, to keep pace with continuous deployment, legal counsel needs an automated solution for managing open source license compliance issues.

With the increasing number of open source licenses, multiple license versions and the staggering amount of published code with no open source license, it’s becoming ever more challenging to accurately track the open source licenses in your software.

WhiteSource

Displays the licenses of all components and their dependencies, per organization, application or project. If more than one license is found, all detected licenses are displayed.

Full risk analysis per license.

Generate reports (due diligence reports with license references, license distribution per project etc.) within minutes, based on the last build.

Automates the collation and publication of notices required for deployment.

Code Scanners

Displays licenses of all open source components per organization, application or project, but with a high volume of false positives.

Generates due diligence reports with license references. The process is not fully automated and is accurate only for the time of the last scan.

Other Continuous Tools

Many vendors focus on security aspects while offering limited license risk assessment capabilities.

All vendors offering license tracking can produce due diligence reports with license references.

Volume of false positives and misses varies significantly between vendors.

Few vendors automate the collation and publication of notices, while the degree of automation offered varies significantly.

Manual

Manually tracking license usage is complex: it requires researching and reporting open source license information by hand, including the licenses of all dependencies.

FOSSology scans file headers and detects text from open source licenses using a variety of heuristics. It’s only able to read source code, and offers limited automation. It provides zero false positives, but many misses.


Automation & Policies


In the world of CI/CD, automation is king. Therefore, an automated open source management solution is essential. After all, manual processes are simply unable to detect security, compliance and quality issues in real-time.

Automation increases your accuracy, control and efficiency, allowing your developers to focus on coding as opposed to admin procedures.

WhiteSource

Offers a wide range of native plugins to enable full automation, including failing the build upon policy violation.

Policies can be based on any combination of metadata parameters, such as license type, vulnerability severity and quality rating, and can be automatically enforced at multiple stages of the SDLC.

REST APIs give users full control and flexibility to drive the product according to their specific requirements.
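A policy that fails the build on license type and vulnerability severity is small enough to show in full. The script below is an added example, not WhiteSource's or any vendor's policy engine; the policy fields (denied_licenses, fail_on_severity, require_known_license, exceptions) and the inventory format are assumptions made for this example, and the exceptions list is an addition the page does not mention. It evaluates a constructed inventory against the policy and returns a non-zero exit code for the CI step when any rule is violated:

```python
"""CI policy gate over a component inventory: fail the build when a component
carries a denylisted license or a vulnerability at or above a severity
threshold. Constructed inventory and policy, not a vendor's format."""
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed policy. Field names are assumptions for this example.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "fail_on_severity": "HIGH",        # HIGH and CRITICAL fail the build
    "require_known_license": True,     # code with no detected license is a risk
    "exceptions": {"ADV-0002"},        # e.g. a finding already mitigated elsewhere
}

# Constructed inventory: what an inventory step would hand to the gate.
INVENTORY = [
    {"component": "framework@2.3.1", "licenses": ["Apache-2.0"], "vulns": []},
    {"component": "json-parser@3.0.2", "licenses": ["MIT"],
     "vulns": [{"id": "ADV-0009", "severity": "MEDIUM"}]},
    {"component": "tls-utils@0.9.7", "licenses": ["BSD-3-Clause"],
     "vulns": [{"id": "ADV-0002", "severity": "CRITICAL"}]},
    {"component": "report-gen@0.3.0", "licenses": ["GPL-3.0-only"], "vulns": []},
    {"component": "snippet-utils@1.0.0", "licenses": [],
     "vulns": [{"id": "ADV-0011", "severity": "HIGH"}]},
]


def evaluate(inventory, policy):
    """Return a list of violation strings; an empty list means the build passes."""
    threshold = SEVERITY_RANK[policy["fail_on_severity"]]
    violations = []
    for item in inventory:
        name = item["component"]
        # License rules: every detected license is checked, so a component
        # with several detected licenses is flagged if any one is denied.
        if policy["require_known_license"] and not item["licenses"]:
            violations.append(f"{name}: no license detected")
        for lic in item["licenses"]:
            if lic in policy["denied_licenses"]:
                violations.append(f"{name}: license {lic} is denied by policy")
        # Vulnerability rules: severity threshold, minus documented exceptions.
        for v in item["vulns"]:
            if v["id"] in policy["exceptions"]:
                continue
            if SEVERITY_RANK[v["severity"]] >= threshold:
                violations.append(
                    f"{name}: {v['id']} severity {v['severity']} "
                    f">= {policy['fail_on_severity']}")
    return violations


def gate(inventory, policy):
    """Exit code for the CI step: 0 pass, 1 fail."""
    return 0 if not evaluate(inventory, policy) else 1


if __name__ == "__main__":
    problems = evaluate(INVENTORY, POLICY)
    for p in problems:
        print("POLICY VIOLATION:", p)
    sys.exit(gate(INVENTORY, POLICY))
```

On this inventory the gate reports three violations (a denied license, a component with no detected license, and a HIGH vulnerability) and fails the build; the CRITICAL finding on tls-utils is skipped only because it is listed as an exception, which is the kind of entry that should carry an owner and an expiry in a real policy. Running the same function in a repository or build-tool plugin rather than at the end of the pipeline is what moves enforcement earlier in the SDLC.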

Code Scanners

Code scanners do not integrate with your CI/CD processes.

Some vendors track your system after a scan, updating your inventory and flagging problematic components. However, this tracking relies on error-prone manual updates.

Policies can be defined to detect problematic components post scan, but they’re not automatically or continuously enforced.

Other Continuous Tools

The majority of vendors offer native plugins for the most common CI servers. Build tool and repository integration varies between vendors.

Policies are usually enforced upon build, but the level of enforcement differs between vendors.

The majority of solutions offer command line tools, which limits your automation capability.

Manual

Not possible.


Shift Left Capabilities


Shift left is about integrating testing into the earliest stages of your software development process, allowing you to detect issues when they’re easier and less expensive to fix. Studies have shown that vulnerabilities and severe bugs detected in early development cost approx. 90% less to fix, compared to issues discovered in pre-release or post-deployment.

By detecting problematic open source components before adding them to your repositories or build, or even before downloading them, you can avoid most open source security and quality issues.

WhiteSource

Offers a selection tool, a browser plugin, which lets developers see a full analysis of individual components while browsing online repositories (GitHub, Maven Central etc.). It allows them to choose components that meet their organization's policies and achieves high adoption rates among developers, as it integrates seamlessly with their native environment (the web browser).

Provides a quality score in the selection tool for each version, to help developers avoid using low-quality components. The quality score is determined by aggregating bug rating, fix rating and version activity.

Native plugins to repositories, build tools and CI servers, enable detection of problematic components as soon as they’re added to your SDLC. The plugins facilitate blocking of components that don’t meet your company’s policies.

Code Scanners

Code scanners cannot integrate with your CI/CD processes, and can only analyze a single point in time (i.e. time of last scan).

Some vendors offer a directory of open source projects with license, security and quality information. This has achieved low adoption rates, as it requires developers to change their coding practices.

Other Continuous Tools

Integration offerings vary between vendors. You'll need to compare the relevant offerings of each vendor in relation to your repositories, build tools and CI servers.

No other tools on the market allow your developers to block the usage of problematic components during the evaluation stage.

Manual

You cannot identify problematic components in real-time with manual processes.
