
Sonatype Lifecycle pros and cons

Vendor: Sonatype
4.2 out of 5
Badge Leader

Pros & Cons summary


Prominent pros & cons

PROS

Sonatype Lifecycle excels in its seamless integration with popular development tools like Jenkins and GitHub, enhancing efficiency in build processes.
Its security features proactively block the use of insecure open-source libraries and suggest secure alternatives, significantly mitigating potential security risks.
The Continuous Monitoring feature allows ongoing assessment of platform security, ensuring that vulnerabilities are managed as they are discovered.
Vulnerability detection capabilities are notably accurate, enabling teams to address and remediate security issues swiftly and effectively.
Sonatype Lifecycle provides extensive data on vulnerabilities, merging various sources and proprietary research, which aids in faster and more informed decision-making regarding security issues.

CONS

Sonatype Lifecycle faces challenges with dependency management issues, particularly involving transitive dependencies and outdated versions on Maven Central.
Limited language support and shallow integration for non-Java languages are areas for improvement.
The tool struggles with providing smooth integration with certain CI/CD solutions, such as TeamCity and Azure DevOps.
There are inconsistencies in feature offerings across different components within Sonatype Lifecycle.
Documentation and supporting resources need enhancement so that users can understand the analytical reports and dashboards.

Sonatype Lifecycle Pros review quotes

RV
Mar 19, 2020
With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily, which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.
EK
Mar 6, 2019
It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor.
ME
Mar 3, 2020
Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well.
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
AA
Oct 26, 2023
Automating the Jenkins plugins and the build title is a big plus.
AA
Dec 29, 2023
I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions.
reviewer1535436 - PeerSpot reviewer
Mar 19, 2021
We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities.
LH
Jul 8, 2019
The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt.
SS
Sep 2, 2021
Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good.
reviewer2317233 - PeerSpot reviewer
Dec 29, 2023
The Software Security Center, which is often overlooked, stands out as the most effective feature.
AB
Jul 20, 2020
When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages.

Sonatype Lifecycle Cons review quotes

RV
Mar 19, 2020
One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in; then you get a cascade of libraries that are pulled in. This caused confusion for us at first, because we would see a component that would have a security ticket or security notification on it and wonder, "Where is this coming in from?", because when we checked what we defined as our dependencies, it wasn't there. It didn't take us too long to realize that it was a transitive dependency pulled in by something else, but the question then remains, "Which dependency is doing that?"
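The question the reviewer above ends on ("Which dependency is doing that?") can be answered from the output of `mvn dependency:tree`, which prints every resolved artifact nested under the direct dependency that pulled it in. The script below is an added example, not part of the review or of any Sonatype or Maven tooling: it parses that text format and returns the full chain from the project root to a flagged artifact, so the direct POM dependency to upgrade or exclude is the second element of each path. The dependency tree embedded in it is constructed sample data, not output from a real project.

```python
import re
from typing import List, Tuple

# Constructed sample in the text format printed by `mvn dependency:tree`
# (made-up coordinates and versions for this example only).
SAMPLE_TREE = """[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  |  \\- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] |     \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# A child line is an indent made of 3-character cells ("|  " or "   "),
# then a "+- " or "\- " branch marker, then the coordinate.
CHILD_RE = re.compile(r"^(?P<prefix>(?:[| ]  )*)[+\\]- (?P<coord>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs in print order; depth 0 is the project root."""
    nodes: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        if not line.strip():
            continue
        m = CHILD_RE.match(line)
        if m:
            # Each 3-character indent cell is one level below a direct dependency.
            depth = len(m.group("prefix")) // 3 + 1
            nodes.append((depth, m.group("coord")))
        elif ":" in line and " " not in line.strip():
            nodes.append((0, line.strip()))  # the root project coordinate
        # any other [INFO] chatter is ignored
    return nodes


def group_artifact(coord: str) -> str:
    """groupId:artifactId of a coordinate such as g:a:jar:1.0:compile."""
    return ":".join(coord.split(":")[:2])


def find_paths(text: str, target_ga: str) -> List[List[str]]:
    """Every root-to-node path whose last element is the target groupId:artifactId."""
    stack: List[str] = []  # ancestors of the node currently being read
    paths: List[List[str]] = []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # pop back up to this node's parent level
        stack.append(coord)
        if group_artifact(coord) == target_ga:
            paths.append(list(stack))
    return paths


def declared_dependencies_pulling_in(text: str, target_ga: str) -> List[str]:
    """The direct POM dependencies (path element 1) responsible for the target."""
    return sorted({p[1] for p in find_paths(text, target_ga) if len(p) > 1})


if __name__ == "__main__":
    flagged = "com.fasterxml.jackson.core:jackson-databind"
    for path in find_paths(SAMPLE_TREE, flagged):
        print(" -> ".join(path))
    print("declared dependency to act on:",
          declared_dependencies_pulling_in(SAMPLE_TREE, flagged))
```

Maven can also narrow the tree itself with `mvn dependency:tree -Dincludes=groupId:artifactId`; the script is for the case where you already have the saved tree output from a CI log and want the answer without re-running the build.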
EK
Mar 6, 2019
We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing.
ME
Mar 3, 2020
Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side.
AA
Oct 26, 2023
Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize.
AA
Dec 29, 2023
It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier.
reviewer1535436 - PeerSpot reviewer
Mar 19, 2021
Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales.
LH
Jul 8, 2019
If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time.
SS
Sep 2, 2021
One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved.
reviewer2317233 - PeerSpot reviewer
Dec 29, 2023
Fortify's software security center needs a design refresh.
AB
Jul 20, 2020
They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan; we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.