We use Nexus Lifecycle to check our third-party libraries for vulnerabilities.
There are also different application teams that use Nexus Lifecycle to configure our product. I'm one of those product users, so I can only talk about it from the perspective of my product.
Technical Manager at a financial services firm with 1,001-5,000 employees
Their customer service is more responsive and hands-on than competitors
Pros and Cons
- "Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible."
- "The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version."
What is our primary use case?
What needs improvement?
The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version.
For how long have I used the solution?
We have been using Nexus Lifecycle for about a year and a half.
What do I think about the stability of the solution?
Nexus Lifecycle is stable.
Buyer's Guide
Sonatype Lifecycle
November 2024
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
What do I think about the scalability of the solution?
Nexus Lifecycle scales to the level we need. It's working fine.
How are customer service and support?
Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible.
How was the initial setup?
Setting up Nexus Lifecycle is simple.
Which other solutions did I evaluate?
We evaluated Veracode, and we evaluated Black Duck, as well. The marketing team from Sonatype was more responsive and followed up on the progress during the proof of concept, so that was one reason we chose Lifecycle, but the features are almost exactly the same across products.
What other advice do I have?
I rate Nexus Lifecycle eight out of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps Engineer at a tech vendor with 51-200 employees
We no longer have to write or maintain scripts, but important features are still missing
Pros and Cons
- "The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
- "We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
- "It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
What is our primary use case?
We have many use cases. Our main use case is focused on Nexus Repository and a little bit on Nexus IQ, including Lifecycle. The basic use case is storing Maven, Java, JavaScript, and other kinds of artifacts. For some years now we have implemented more complex solutions to manage releases and staging. Since Nexus Repository introduced that feature for free and natively, we moved to the feature provided for managing release staging.
How has it helped my organization?
It has only improved things very little because, for now, we use the reports from IQ to improve the libraries, but it doesn't yet have enough coverage.
It has helped to enforce open-source intelligence and policies across our software development lifecycle, mainly by automating controls that we had put in place before. It has helped to enforce things. It has blocked some open-source components or, more accurately, raised warnings about them. It's not a blocker in our system because, for now, it's only implemented as an informative system.
The solution has also improved the time it takes to release secure apps to market. We have been able to replace homemade scripts, which took a few hours to create, by very much simpler workflows provided natively by Nexus, which are working in a few minutes, or tens of minutes. It has saved us about 40 percent, in terms of time. But more than the duration, it's helpful that we don't have to maintain or make scripts. That's the most important thing.
It has improved developer productivity and accuracy. That happened a long time ago because we have been using it for so long, but as soon as we deployed the Nexus solution in the company, people didn't need to locally build a lot of stuff. So we were much more easily able to work together, to collaborate, and consume other teams' products. That was a long time ago, but it was definitely an important step.
What is most valuable?
The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it.
We have worked a lot on the configuration of its capabilities. This is something very new in Nexus and not fully supported. But that's one of the aspects we are the most interested in.
And we like the ability to analyze the libraries. There are a lot of filters to output the available libraries for our development people and our continuous integration.
The solution integrates well with our existing DevOps tools. It's mainly a Maven plugin, and the REST API provides the compliance where we have everything in a giant tool.
What needs improvement?
We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view. All the Lifecycle tools are not yet finished and usable in production. We are using it in production, but it's not fulfilling all our needs. It's not yet finalized.
It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level. Nowadays, developers need to be autonomous, so we need to be able to supply them tooling and then everything should be orchestrated around the principle of GitHubs. That is really important in IQ because developers will want to make changes and they need things very quickly. Everything should be driven by that but that is not yet the case. The features are interesting but the way those features are configured and tuned is not quite there yet.
There is room for improvement in the way it is managed, having code-driven configuration, and automation. It needs not to be an old-style tool. Today, a computer tool must be usable in many ways: as a client for developers, as a webpage and reporting tool for managers, and as an automated blocker for continuous integration. It must have a REST API and it must have many features that make it usable in many ways. Currently, that's not the case.
One thing I can say that is very positive is that it is much better than the other tools. But regarding usage, it's not perfect. It's missing everything around the tuning and usage.
For how long have I used the solution?
We have been using Nexus Repository, version 2, for about 10 years or so. We switched to the Nexus 3 a little bit more than one year ago, along with Nexus Lifecycle.
What do I think about the stability of the solution?
Nexus 3 is not yet stable enough. IQ is perfectly stable. We have not had any stability issues with it.
What do I think about the scalability of the solution?
It is currently not scalable. While we haven't encountered a scalability issue regarding Nexus IQ directly, but for maintenance and configuring there is a scalability issue because developers need to make modifications and reports. And those modifications must follow our workflow model, things like a code review and evaluation by a manager. Currently, this is not possible. They cannot make a request for changes in the software. There is no solution to contribute changes and that is a scalability issue. That is with respect to Nexus Lifecycle.
With Nexus Repository, we had a lot of scalability issues with version 2. With the new version 3, we tried to set up a certain type of architecture but it is not available. So scalability is an issue regarding the load, not the amount of data. We have been using Nexus software for 10 years now with very big storage and that is not an issue. But when the number of users increases, that's an issue. We are an open-source company, so we have many consumers of our artifacts, and that means there can be a heavy load on the projects.
Which solution did I use previously and why did I switch?
Twelve years ago we tried other solutions, like Artifactory. But we quickly moved to Nexus. We may change the solution in the next month or year. It's a possibility. It depends on the pricing and whether the solution provides HA.
The main purpose of using the IQ solution was to have an efficient solution to spot and block security risks. We tested and compared a lot of solutions and found that IQ was the best and the most evolved. But a lot of it is not completed, it's still a prototype, from my point of view. That means it cannot yet be used exactly the way it is marketed. There are some features that are missing. But compared to other products on the market, it appeared to be the most accurate one.
How was the initial setup?
My team was responsible for setting up the whole system. It was complex in the end because the way we wanted to set it up was not yet defined. It was not designed to be used the way we want to use it.
For IQ, the deployment only took a few days, but it's not usable yet. We set it but we are not really using it as we wanted to. For Nexus Repository, it took many months and many issues are not resolved yet. The fact is that IQ is not very useful without the repository.
Internally, we had a deployment plan, but a lot of those requirements were not met by Sonatype and we have had to work with support to make it work. But there are still remaining issues.
What about the implementation team?
Sonatype assisted us with the initial setup and their help was average. It was pretty good most of the time, but sometimes it was not because we were outside of their defined environment. I feel that they are a little bit behind in this field, that they are missing modern requirements. So their support was pretty good, but not enough.
Which other solutions did I evaluate?
We evaluated Artifactory by JFrog. It also seemed very good, very similar. The other solutions we tried were not as good. Nexus and Artifactory were the finalists.
At the time, the UI was a difference between them, but that is not true anymore. The two are very similar now. The integration with development tools was very important; the ability to implement GitHubs, and so on. The fact of being open-source is very important to us; being able to contribute to and look at the code for reliability and quality.
What other advice do I have?
My advice would be to look at your needs and the features the solution provides. In the last version they released, we were a little bit disappointed by the difference between the marketing and the reality. The product was not yet finished compared to how it was described. Aside from this bad aspect, it's mainly about good practices and looking at common, standard practices. Start with the basics and common stuff and try to evolve it eventually and change some things. Don't try doing something too much complex at the beginning.
The tool's default policies and the policy engine seem pretty good. We have been using it for so long that we are using our own policies. Regarding Lifecycle, we have not gone far enough with it to have a real opinion on it, although it looks consistent.
In terms of its integrations into developer tooling like IDEs, Git repos, and automated pull requests, we have not used it enough. It is a little bit too soon for us. It's a goal, but we want it to be done in a transparent way through the automation. It's not used yet because all of the developers are free to choose the tools they use, the IDEs, and only a few people are looking at this kind of stuff.
Internally, we have about 50 developers for Nexus Repository. We have five to 10 specialists for the Nexus IQ. We don't know many customers there are for Nexus Repository in our public sphere.
It is used across the whole company. It's a central tool and most people in the company cannot work without it. Everybody uses it either directly or indirectly or by proxy. Some people use it without knowing it, but all the technical people in the company are using it, so around 150 depend on it.
For deployment and maintenance of the solution there have been three people on my team doing this, but that was not the only responsibility of the team and they were not enough. We spent a lot of time setting up automation, including maintenance and deployment, and that made it scalable for three people in maintenance. We had to work on this. It was not provided natively, but now three people are enough.
I would rate IQ at six out of ten. That's very good compared to other products on the market.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Sonatype Lifecycle
November 2024
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
Automation Technical Lead at a tech vendor with 10,001+ employees
Useful duplicate code discovery, effective vulnerability scanning, and reliable
Pros and Cons
- "The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops."
- "Sonatype Nexus Lifecycle can improve by having a feature to automatically detect vulnerabilities. Additionally, if it could automatically push the dependencies or create notifications it would be beneficial."
What is our primary use case?
Sonatype Nexus Lifecycle is mainly used for checking vulnerabilities. For example, the unit test coverage and code quality, including vulnerability code smells.
What is most valuable?
The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops.
What needs improvement?
Sonatype Nexus Lifecycle can improve by having a feature to automatically detect vulnerabilities. Additionally, if it could automatically push the dependencies or create notifications it would be beneficial.
For how long have I used the solution?
I have been using Sonatype Nexus Lifecycle for approximately three years.
What do I think about the stability of the solution?
Sonatype Nexus Lifecycle is a stable solution.
What do I think about the scalability of the solution?
The scalability of the Sonatype Nexus Lifecycle is good. We have not had any issues.
We have 2,000 engineering people using this solution, such as developers, SRE, and QE.
What about the implementation team?
The amount of maintenance Sonatype Nexus Lifecycle needs depends on the competency of the people doing it. It is not very complex to do but it is difficult to find competent work in the area. If the person is competent then the maintenance is not a problem and is straightforward.
What other advice do I have?
I rate Sonatype Nexus Lifecycle an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Sonatype Lifecycle Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Software Composition Analysis (SCA) Application Security Tools Software Supply Chain SecurityPopular Comparisons
Veracode
Black Duck
JFrog Xray
CAST Highlight
Checkmarx Software Composition Analysis
ReversingLabs
Sonatype Repository Firewall
Debricked Security
Sentinel SCA
Buyer's Guide
Download our free Sonatype Lifecycle Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- How does Sonatype Nexus Lifecycle compare with SonarQube?
- What tools do you rely on for building a DevSecOps pipeline?
- What alternatives are there for Fortify WebInspect and Fortify SCA?
- What is the best way to track open-source license compatibility?
- How long does SCA scanning take?
- Why is Software Composition Analysis (SCA) important for companies?
- Differences between Black Duck & Veracode
- What SCA solution do you recommend?
- Is there an SCA solution that finds and fixes vulnerabilities?
- Can I get SCA in my IDE?
s/GitHubs/GitOps
Read "GitOps", not "GitHubs", as described in https://www.cloudbees.com/gito... and https://www.weave.works/techno...
The idea is to work with code everywhere, with Git (indeed GitHub) as a central underlying technology. Not only managing the infrastructure as code but also the application configuration and content.
Two examples here: contribute configuration changes from the code such as new repositories, contribute rule changes from the code such as blacklist libraries. That allows to perform GitHub Pull Request, Code Review and Merge following the modern workflows the developers are used to, and then control the same way the deployment to production.
That is distributing and scaling the responsibilities (and abilities!) to the relevant people and teams, with full security, audit, automation and unique source of truth from end to end.