FAQ

 

What is WhiteSource?

WhiteSource offers an agile approach to open source management.
WhiteSource is a SaaS solution that integrates with your build process and audits your open source licenses, security and more every time you run your build.
With an extensive Knowledge Base of over 3 million open source projects, we’re able to provide you real time alerts whenever a developer adds a problematic component or when a new security vulnerability is discovered. Our product also enables you to download comprehensive, accurate and updated reports at any given time to be shared with your management, legal or sales teams.

 

How does your product work?

Our plugins integrate with your build process and calculate the digital signature for all your components without ever scanning your code. They then send the information about your open source components (and only that) to the WhiteSource server, which matches all components and dependencies against the WhiteSource knowledge base of over 3 million open source projects. An immediate, up-to-date report is generated identifying all components and issues detected. This happens every time you run your build.

 

Does WhiteSource work with all languages and build tools?

WhiteSource supports all common programming languages and build tools/servers.
Please check out the 23 programming languages that we support on our languages page and the 23 build agents we offer on our plugins page.
If you are looking for a plugin for a system which is not on this list, let us know and we’ll make it happen.

 

I can’t find a plugin for my build tool/server. Does that mean you cannot support it?

WhiteSource offers a file system agent which supports all languages independently of your build tools or CI server. The file system agent is a command line tool that looks for open source components in any arbitrary folder and all of its sub-folders (recursively).
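As an added illustration (not WhiteSource's own code) of the signature-only model described under "How does your product work?" and of the file system agent above: the script below walks a folder recursively, records a SHA-1 digest for each dependency archive it finds, and never copies proprietary source into the manifest that would be sent to a server. The extension sets, the choice of SHA-1 and the constructed sample tree are assumptions, not WhiteSource's documented behaviour.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical set of package/archive extensions that count as "components";
# the real agent applies its own matching rules, which this page does not give.
COMPONENT_EXTENSIONS = {".jar", ".whl", ".gem", ".nupkg", ".tgz"}
# Source-code extensions that must never leave the machine.
SOURCE_EXTENSIONS = {".java", ".py", ".js", ".c", ".cs", ".rb"}


def sha1_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-1 so large archives need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_component_signatures(root: str) -> list[dict]:
    """Walk `root` recursively and return {path, sha1} for component files only.

    Only the relative path and the digest are recorded; file contents are never
    placed in the manifest, so source code stays on the build machine.
    """
    root_path = Path(root)
    manifest = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.suffix.lower() in SOURCE_EXTENSIONS:
                continue  # proprietary source is skipped entirely
            if p.suffix.lower() in COMPONENT_EXTENSIONS:
                manifest.append({
                    "path": str(p.relative_to(root_path)),
                    "sha1": sha1_of_file(p),
                })
    return manifest


def demo() -> list[dict]:
    """Build a constructed sample tree (not a real project) and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "example-1.0.jar").write_bytes(b"abc")  # stand-in for a dependency archive
        (Path(tmp) / "Secret.java").write_text("class Secret {}")  # proprietary source
        return collect_component_signatures(tmp)
```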

 

How does your pricing work?

We charge by the number of contributing developers. A contributing developer is a person, whether employee or contractor, who develops, maintains, or works in connection with any software application that is being scanned or monitored by WhiteSource.

 

Is my code secure with your cloud-based service?

Yes. Your proprietary code is never sent to the WhiteSource cloud. Your WhiteSource plugin identifies your open source components and only sends a signature to WhiteSource. WhiteSource is hosted at Amazon Web Services (AWS) and is SOC certified.

 

Do you offer an on-premise option?

WhiteSource is a cloud-based service, but we also offer an on-premise option, if necessary. It’s important to emphasize that we do not scan your code.

 

If you don’t upload my code, how can you identify code snippets that my developers copied from open source?

This is where we differ from traditional scanner-based solutions. We don’t identify code snippets. Rather, we identify open source components through their libraries when they’re introduced to a project. Detecting code snippets usually happens later in the process, when issues are tougher and more expensive to deal with, and it is laborious and fraught with false positives.

 

I track my open source manually – why do I need WhiteSource?

The problem with manual reporting is that it depends on perfect compliance, and we all know that humans are not perfect and don’t always get everything right. That’s particularly true on development projects, especially when you’re trying to move faster than ever and to innovate.

Currently, your developers need to research every open source library they import, including sub-components, and document the components they’ve used. Most companies also appoint one of their project managers or team leaders as open source ‘owner’ and have them manually report all the dependencies and verify all licenses. Why waste their time if you can do it automatically, for a lower cost and with perfect accuracy?

 

I audit my code with a code scanner – why do I need WhiteSource?

Code scanning technology emerged in 2001, before agile became mainstream. WhiteSource offers an agile approach to open source management.
Code scanning suffers from three key shortcomings:

Scanning is done periodically, usually pre-release. Finding an issue at that point is extremely expensive due to the complexity of replacing components and the risk of missing the release timeline. WhiteSource audits your code every time you run your build, enabling you to fix issues earlier in the process, when it is easier and less expensive.

Scanning your code is a long and time-consuming process. In almost all cases, a scan results in thousands of potential matches, most of which are false positives, and they take a lot of time to sift through. Separating the wheat from the chaff wastes a lot of your developers’ time.

Scanners are naturally complex. They require on-premise installation and considerable customization. That means training your developers and making them devote a substantial part of their time to mastering the scanner and the process.

 

Is WhiteSource ISO27001 certified?

Yes, WhiteSource is ISO27001 certified.

 

Any other questions? Contact us!