ProGet vs. Mend.io

(formerly WhiteSource)

Learn why ProGet is better fit for modern OSS Risk Management

Both Mend.io (WhiteSource) and ProGet can be used for Open-Source Security and License Compliance, but ProGet’s modern, package-based design is a far superior (and less expensive) solution.

ProGet is a package and container repository that tracks usage of open-source packages and blocks of vulnerable and noncompliant packages .

Mend.io an open source inventory tracking tool. It does not host packages nor containers, and uses an older, binary-based approach to determine open-source usage.

Mend’s Approach to OSS Risk Management

WhiteSource (now Mend) was originally designed as an Open-Source inventorying tool for large, Java-based enterprise applications. The primary use case was license tracking and vulnerability detection was later added.

Mend’s technological approach is sorely dated; it was built for an era that predates open-source package managers like NuGet and npm, SBOM standards like Cyclone DX, and CVE-based vulnerability databases.

Like landlines and mp3 players in the era of smartphones, Mend’s platform is awkward in the era of open-source packages. It simply doesn’t solve the problem in the way modern software developers expect.

Mend Does Not “Understand” Packages

Although packages are now ubiquitous for managing libraries, Mend’s platform does not read package metadata. Instead, it checks a file’s SHA1-based hash against their massive, proprietary database to determine if a particular file is an open-source library.

Before public repositories like NuGet.org, npmjsorg, and PyPi.org, centralized all open-source libraries, this approach made sense. But these repositories don’t publish SHA1 for their libraries. This means that Mend needs to maintain a massive online database that’s essentially a replica of public repositories.

Their database needs to monitor public repositories for new packages, download each and every single package, and then analyze each and every file within that package.

It’s a lot to keep up with, and it’s an extraordinarily complex way to identify an open source library. It’s led to several predictable problems.

Top Three User-Reported Issues

A lot of ProGet users are former White Source customers; the main reasons they switched were:

Packages not detected; Mend did not “understand” the hash of a library file that was on npmjs.org, likely because it was too new of a package
Missing vulnerabilities; despite being listed on NuGet.org, Mend did not not detect or report a vulnerability
Incorrect license agreements; Mend misreported several license agreements in NuGet packages

ProGet’s modern, package-based approach means that these are non-issues.

Simpler Solution, Significant Cost Savings

Like a smartphone without apps, ProGet’s package-based approach wouldn’t have made sense twenty years ago. But packages are ubiquitous, and every open-source library is available on trusted public repositories like NuGet.org, npmjs.org, and PyPi.org.

ProGet is a private package repository and “understands” packages very well. This translates to a significantly simpler product architecture, and ultimately lets us price ProGet much less than Mend.

ProGet’s Approach to OSS Risk Management

ProGet is first-and-foremost a private package and container repository. It was designed to curate open-source packages from public repositories and host private, proprietary packages.

By using ProGet as “proxy” and host for your libraries in ProGet, you can centrally manage all of the risks associated with Open Source software.

ProGet automatically scans packages for license and vulnerabilities

ProGet automatically discovers vulnerabilities, license agreements in packages, and block package usage by automatically assessing vulnerabilities based on the CVE Score or your team’s manual assessment as well as packages with unwanted licenses (such as GPL-3) so that developers don’t accidentally incorporate them into a new project.

Analyze active releases for new vulnernabilities or unwanted licenses

Projects and Releases in ProGet let you track the open-source and third-party components (packages) that your organization uses, and help you identify issues like vulnerabilities, license violations, and missing packages.

Analyze Docker like analyze packages

ProGet scans vulnerability and license in Docker like it does to packages. Manage Docker in Simple GUI

Generate SBOM for traceability and compliance

ProGet makes it easy to generate Software Bills of Materials from your projects at build/CI time. ProGet will then continuously scan packages and releases for vulnerability, license, and missing packages even after packages or containers are deployed to production.