ProGet vs.

(formerly WhiteSource)

Learn why ProGet is better fit for modern OSS Risk Management

Both (WhiteSource) and ProGet can be used for Open-Source Security and License Compliance, but ProGet’s modern, package-based design is a far superior (and less expensive) solution.

ProGet is a package and container repository that tracks usage of open-source packages and blocks of vulnerable and noncompliant packages . an open source inventory tracking tool. It does not host packages nor containers, and uses an older, binary-based approach to determine open-source usage.

Mend’s Approach to OSS Risk Management

WhiteSource (now Mend) was originally designed as an Open-Source inventorying tool for large, Java-based enterprise applications. The primary use case was license tracking and vulnerability detection was later added.

Mend’s technological approach is sorely dated; it was built for an era that predates open-source package managers like NuGet and npm, SBOM standards like Cyclone DX, and CVE-based vulnerability databases.

Like landlines and mp3 players in the era of smartphones, Mend’s platform is awkward in the era of open-source packages. It simply doesn’t solve the problem in the way modern software developers expect.

Mend Does Not “Understand” Packages

Although packages are now ubiquitous for managing libraries, Mend’s platform does not read package metadata. Instead, it checks a file’s SHA1-based hash against their massive, proprietary database to determine if a particular file is an open-source library.

Before public repositories like, npmjsorg, and, centralized all open-source libraries, this approach made sense. But these repositories don’t publish SHA1 for their libraries. This means that Mend needs to maintain a massive online database that’s essentially a replica of public repositories.

Their database needs to monitor public repositories for new packages, download each and every single package, and then analyze each and every file within that package.

It’s a lot to keep up with, and it’s an extraordinarily complex way to identify an open source library. It’s led to several predictable problems.

Top Three User-Reported Issues

A lot of ProGet users are former White Source customers; the main reasons they switched were:

  1. Packages not detected; Mend did not “understand” the hash of a library file that was on, likely because it was too new of a package
  2. Missing vulnerabilities; despite being listed on, Mend did not not detect or report a vulnerability
  3. Incorrect license agreements; Mend misreported several license agreements in NuGet packages

ProGet’s modern, package-based approach means that these are non-issues.

Simpler Solution, Significant Cost Savings

Like a smartphone without apps, ProGet’s package-based approach wouldn’t have made sense twenty years ago. But packages are ubiquitous, and every open-source library is available on trusted public repositories like,, and

ProGet is a private package repository and “understands” packages very well. This translates to a significantly simpler product architecture, and ultimately lets us price ProGet much less than Mend.

ProGet’s Approach to OSS Risk Management

ProGet is first-and-foremost a private package and container repository. It was designed to curate open-source packages from public repositories and host private, proprietary packages.

By using ProGet as “proxy” and host for your libraries in ProGet, you can centrally manage all of the risks associated with Open Source software.

ProGet automatically scans packages for license and vulnerabilities

ProGet automatically discovers vulnerabilities, license agreements in packages, and block package usage by automatically assessing vulnerabilities based on the CVE Score or your team’s manual assessment as well as packages with unwanted licenses (such as GPL-3) so that developers don’t accidentally incorporate them into a new project.

Analyze active releases for new vulnernabilities or unwanted licenses

Projects and Releases in ProGet let you track the open-source and third-party components (packages) that your organization uses, and help you identify issues like vulnerabilities, license violations, and missing packages.

Analyze Docker like analyze packages

ProGet scans vulnerability and license in Docker like it does to packages. Manage Docker in Simple GUI

Generate SBOM for traceability and compliance

ProGet makes it easy to generate Software Bills of Materials from your projects at build/CI time. ProGet will then continuously scan packages and releases for vulnerability, license, and missing packages even after packages or containers are deployed to production.  

  • ProGet Projects and Releases
  • ProGet Vulnerability Central (PGVC)
  • ProGet Vulnerability Configuration

ProGet is designed to be self-managed 

Mend is designed as a cloud-first solution, and doesn’t have a great support and ease of configuration for self-managed version of them. 

Easy Installation with Inedo Hub

ProGet can be installed and upgraded quickly and easily using the Inedo Hub or a Docker container. Rolling back (downgrading) is just as easy.