FAQ


What is WhiteSource?

WhiteSource offers an agile approach to open source management.
WhiteSource is a SaaS solution that integrates with your build process and audits your open source licenses, security and more every time you run your build.
With an extensive Knowledge Base of over 3 million open source projects, we’re able to provide you with real-time alerts whenever a developer adds a problematic component or when a new security vulnerability is discovered. Our product also enables you to download comprehensive, accurate and up-to-date reports at any time to be shared with your management, legal or sales teams.


How does your product work?

Our plugins integrate with your build process and calculate a digital signature for each of your components without ever scanning your code. The plugin then sends the information about your open source components (and only that) to the WhiteSource server, which matches all components and dependencies against the WhiteSource knowledge base of over 3 million open source projects. An immediate, up-to-date report is generated identifying all components and the issues detected. This happens every time you run your build.

Does WhiteSource work with all languages and build tools?

WhiteSource supports all common programming languages and build tools/servers.
Please check out the 12 programming languages that we support on our languages page and the 15 build agents we offer on our plugins page.
If you are looking for a plugin for a system which is not on this list, let us know and we’ll make it happen.

I can’t find a plugin for my build tool/server. Does that mean you cannot support it?

WhiteSource offers a file system agent which supports all languages independently of your build tool or CI server. The file system agent is a command line tool that looks for open source components in any arbitrary folder and all of its sub-folders (recursively).
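As an added illustration of the flow described in the two answers above (a recursive folder walk that fingerprints component artifacts, sends only the digests, and matches them server-side), here is a small Python sketch. It is not WhiteSource’s own code or fingerprint format: SHA-256, the artifact suffix list and the knowledge base contents are all constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: component artifacts are recognised by suffix. Source files are never hashed or sent.
ARTIFACT_SUFFIXES = {".jar", ".tgz", ".gem", ".whl", ".dll"}


def fingerprint(path: Path) -> str:
    """Digest of the artifact bytes; only this string leaves the machine, never the file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_signatures(root: Path) -> dict:
    """Agent side: walk the folder recursively and return {relative path: digest}."""
    sigs = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in ARTIFACT_SUFFIXES:
                sigs[str(p.relative_to(root))] = fingerprint(p)
    return sigs


def match(sigs: dict, knowledge_base: dict) -> list:
    """Server side: look each digest up; digests the knowledge base lacks are reported as unknown."""
    unknown = {"component": "unknown", "license": "?", "alerts": []}
    return [{"file": rel, **knowledge_base.get(d, unknown)} for rel, d in sigs.items()]


def demo() -> list:
    """Constructed project tree: two fake libraries (one nested) plus a proprietary source file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib" / "nested").mkdir(parents=True)
        (root / "src").mkdir()
        (root / "lib" / "commons-fake-1.0.jar").write_bytes(b"FAKE JAR A")
        (root / "lib" / "nested" / "oldlib-0.9.jar").write_bytes(b"FAKE JAR B")
        (root / "src" / "Secret.java").write_text("class Secret {}")  # must never appear in the report
        kb = {  # constructed knowledge base keyed by digest
            hashlib.sha256(b"FAKE JAR A").hexdigest(): {"component": "commons-fake 1.0", "license": "Apache-2.0", "alerts": []},
            hashlib.sha256(b"FAKE JAR B").hexdigest(): {"component": "oldlib 0.9", "license": "GPL-3.0", "alerts": ["constructed alert"]},
        }
        return match(collect_signatures(root), kb)


if __name__ == "__main__":
    for row in demo():
        print(row)
```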

How does your pricing work?

We charge per product. Our definition of a product is identical to yours. All software you package as a commercial product falls into a single product that we charge for. For example, a web application would be considered a “product” and so would a mobile app.
Each product comes with 2 seats (or more). A seat is an account on the WhiteSource service (i.e. it determines how many concurrent users of the WhiteSource service you need). Developers don’t normally need a seat, only the person in charge of open source management.

Is my code secure with your cloud-based service?

Yes. Your proprietary code is never sent to the WhiteSource cloud. Your WhiteSource plugin identifies your open source components and only sends a signature to WhiteSource. WhiteSource is hosted at Amazon Web Services (AWS) and is SAS 70 certified.

Do you offer an on-premise option?

WhiteSource is a cloud-based service, but we also offer an on-premise option, if necessary. It’s important to emphasize that we do not scan your code.

If you don’t upload my code, how can you identify code snippets that my developers copied from open source?

This is where we differ from traditional scanner-based solutions. We don’t identify code snippets. Rather, we identify open source components through their libraries when they’re introduced to a project. Detecting code snippets usually happens later in the process, when issues are tougher and more expensive to deal with, and it is laborious and fraught with false positives.

I track my open source manually – why do I need WhiteSource?

The problem with manual reporting is that it depends on perfect compliance, and we all know that humans are not perfect and don’t always get everything right. That’s particularly true on development projects, especially when you’re trying to move faster than ever and to innovate.

Currently, your developers need to research every open source library they import, including sub-components, and document the components they’ve used. Most companies also appoint one of their project managers or team leaders as the open source ‘owner’ and have them manually report all the dependencies and verify all licenses. Why waste their time if you can do it automatically, for a lower cost and with perfect accuracy?

I audit my code with a code scanner – why do I need WhiteSource?

Code scanning technology emerged in 2001, before agile became mainstream. WhiteSource offers an agile approach to open source management.
Code scanning suffers from three key shortcomings:

Scanning is done periodically, usually pre-release. Finding an issue at that point is extremely expensive due to the complexity of replacing components and the risk of meeting the release timeline. WhiteSource audits your code every time you run your build, therefore enabling you to fix issues earlier in the process when it is easier and less expensive.

Scanning your code is a long and time-consuming process. In almost all cases, a scan results in thousands of potential matches, most of which are false positives and take a lot of time to sift through. Separating the wheat from the chaff wastes a lot of your developers’ time.

Scanners are naturally complex. They require on-premise installation and considerable customization. That means training your developers and making them devote a substantial part of their time to mastering the scanner and the process.

Any other questions? Contact us!