Sonatype Lifecycle Reviews

We're using Sonatype Nexus Lifecycle to scan for vulnerabilities in our continuous integration and deployment pipelines. We're also using the solution as part of our IDEs for developer support.

Due to the sheer amount of vulnerabilities and the fact that my company is still working on eliminating all vulnerabilities, it's still too early for me to say what I like most about Sonatype Nexus Lifecycle. Still, one of the best functions of the product is the guidance it gives in finding which components or applications have vulnerabilities.

For example, my team had a vulnerability or a CVE connected to Apache last week. My team couldn't find which applications had the vulnerability initially, but using Sonatype Nexus Lifecycle helped. My team deployed new versions on that same day and successfully eliminated the vulnerabilities, so right now, the best feature of Sonatype Nexus Lifecycle is finding which applications have vulnerabilities.

It could be because I need to learn more about Sonatype Nexus Lifecycle, but as a leader, if I want to analyze the vulnerability situation and how it is and the forecast, I'd like to look at the reports and understand what the results mean. It's been challenging for me to understand the reports and dashboards on Sonatype Nexus Lifecycle, so I'll need to take a course or watch some YouTube tutorials about the product. If Sonatype Nexus Lifecycle has documentation that could help me properly analyze the vulnerability situation and what the graphs mean, then that would be helpful.

I need help understanding what each graph is showing, and it seems my company is the worst, based on the chart. Still, I need clarification, so if there were some documentation, a more extensive knowledge base, or a question mark icon you could hover over that would explain what each data on the graph means, that would make Sonatype Nexus Lifecycle better.

I've been using Sonatype Nexus Lifecycle for almost a year.

Sonatype Nexus Lifecycle is a very stable tool; my team hasn't had any issues with it. My company had a significant outage two or three weeks ago, so all storage was lost. Still, in just a short while, Sonatype Nexus Lifecycle was up again, which makes Sonatype Nexus Lifecycle a very good tool.

We haven't scaled Sonatype Nexus Lifecycle yet.

We've just been using Sonatype Nexus Lifecycle, so we can't evaluate its technical support for now.

Sonatype Nexus Lifecycle was the first tool we used with dependency scanning functionality, though we used other vulnerability scanning tools such as Docker and Trivy before Sonatype Nexus Lifecycle. We also scanned for vulnerability in images with Harbor. Sonatype Nexus Lifecycle is the only tool we've used for scanning dependencies.

The initial setup for Sonatype Nexus Lifecycle was straightforward.

We deployed the Sonatype Nexus Lifecycle in-house. We learned how to install and use the product.

We've seen ROI from Sonatype Nexus Lifecycle, mainly connected to the number of attacks. For example, we've calculated the number of hours our employees put into analyzing a vulnerability and looking for that vulnerability in the different components. We saw that the main benefit of using Sonatype Nexus Lifecycle is quickly finding which components have vulnerabilities. As a result, two to three employees save on a week's work because that's how long it takes to look through all the different components with vulnerabilities.

Vulnerabilities could also cause a significant outage or complete data loss, which comes at a high price. Sonatype Nexus Lifecycle could help prevent that or help eliminate the risks. Hence, there's ROI from the tool, but we still need to evaluate the data fully.

In comparison with other tools, Sonatype Nexus Lifecycle could be more expensive. Still, at the same time, my company prioritizes security, so the pricing for Sonatype Nexus Lifecycle hasn't been an issue.

If IT security weren't at the top of the list for my company, somebody would have raised the question about cost and how Sonatype Nexus Lifecycle is in terms of ROI. So far, there's been no question about the price. The cost of Sonatype Nexus Lifecycle hasn't been a problem so far.

My company pays for the license yearly, plus technical support.

We started evaluating four different tools about this time last year, from November to December, and we chose Sonatype Nexus Lifecycle. We were deciding between Snyk and Sonatype Nexus Lifecycle. Still, Snyk lacked support for all our technologies and didn't have the same IDE support available in Sonatype Nexus Lifecycle, so we went with Sonatype Nexus Lifecycle.

We used Sonatype Nexus Lifecycle during the first quarter, from January to February, to establish the tool in our organization and set it up. We then made a training plan and, from March to April, rolled the Sonatype Nexus Lifecycle out to all the teams, but the different teams also had to build their pipelines, so there have been delays from May to the present. We've been pushing them to adjust their pipelines and still helping them.

My company is currently using the latest version of Sonatype Nexus Lifecycle.

About fifty IT department employees use Sonatype Nexus Lifecycle in my small company.

There's no plan to increase the usage of Sonatype Nexus Lifecycle. Its rollout is complete, and only the development teams use the tool within the company.

My rating for Sonatype Nexus Lifecycle is eight out of ten because it does its job, and my team hasn't had any problems with it.

I'd recommend Sonatype Nexus Lifecycle to others.

My company is a Sonatype Nexus Lifecycle customer or end-user.

Sonatype Nexus Lifecycle is mainly used for checking vulnerabilities. For example, the unit test coverage and code quality, including vulnerability code smells.

The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops. 

Sonatype Nexus Lifecycle can improve by having a feature to automatically detect vulnerabilities. Additionally, if it could automatically push the dependencies or create notifications it would be beneficial.

I have been using Sonatype Nexus Lifecycle for approximately three years.

Sonatype Nexus Lifecycle is a stable solution.

The scalability of the Sonatype Nexus Lifecycle is good. We have not had any issues.

We have 2,000 engineering people using this solution, such as developers, SRE, and QE.

The amount of maintenance Sonatype Nexus Lifecycle needs depends on the competency of the people doing it. It is not very complex to do but it is difficult to find competent work in the area. If the person is competent then the maintenance is not a problem and is straightforward.

I rate Sonatype Nexus Lifecycle an eight out of ten.

We use this product for scanning containers and binary artifacts, and to scan for vulnerabilities. It's provides a software composition analysis mainly for application security. I'm the lead member of technical staff and we are customers of Sonatype. 

The most valuable feature for me is vulnerability detection accuracy.

The main drawback of this product is that it's not an SaaS solution and they really need to build a complete SaaS product. Although the vulnerability detection accuracy is good, the solution is quite weak when it comes to remediation accuracy which is not good. They are currently sorting by component versions and the sorting algorithm is not correct, it requires a proper tool. 

I've been using this solution for four years. 

We are unable to scale sufficiently because everything needs to be installed on our local premises. This is really a solution for small to medium-sized organizations. Every new server requires the installation of a new database. We currently have around 400 users doing a variety of jobs and scalability is the biggest issue we have.

The customer support could be improved. Their response time is quite slow and it can take a long time to deploy new features. 

Neutral

The initial setup is too complex because it's not a cloud service.

Compared to other solutions I've seen, the main issue with Lifecycle is that it doesn't have an on-cloud option.

I can recommend this solution but they need to do some work at their end, particularly with regard to cluster maintenance, scalability, and the fact that it's only available on-prem.

I rate this solution five out of 10. 

We use Nexus Lifecycle to check our third-party libraries for vulnerabilities. 
There are also different application teams that use Nexus Lifecycle to configure our product. I'm one of those product users, so I can only talk about it from the perspective of my product. 

The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version.

We have been using Nexus Lifecycle for about a year and a half.

Nexus Lifecycle is stable. 

Nexus Lifecycle scales to the level we need. It's working fine.

Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible.

Setting up Nexus Lifecycle is simple.

We evaluated Veracode, and we evaluated Black Duck, as well. The marketing team from Sonatype was more responsive and followed up on the progress during the proof of concept, so that was one reason we chose Lifecycle, but the features are almost exactly the same across products.

I rate Nexus Lifecycle eight out of 10.