IT Central Station is now PeerSpot: Here's why

SonarQube vs Sonatype Nexus Lifecycle comparison

Cancel
You must select at least 2 products to compare!
Veracode Logo
49,629 views|28,481 comparisons
Sonar Logo
87,178 views|71,809 comparisons
Sonatype Logo
24,368 views|14,402 comparisons
Executive Summary
Updated on March 21, 2022

We performed a comparison between SonarQube and Sonatype Nexus Lifecycle based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Reviewers of SonarQube say the deployment was straightforward. Reviewers of Sonatype Nexus Lifecycle say the software was straightforward for the most part, but was slightly technical.
  • Features: Reviewers of SonarQube were happy with the software's stability and friendly UI but felt it needed more security scanning features.

    Reviewers of Sonatype Nexus Lifecycle felt the scanning capability was extremely valuable, and it had great reporting features, but thought it needed to be more code-driven as a software.

  • Pricing: Users of SonarQube said that the licensing fees are pricey. Reviewers of Sonatype Nexus Lifecycle had mixed reviews; some said the price was reasonable, while others felt it was extremely costly.
  • Service and Support: Most reviewers of SonarQube say they are using the free version of the software, which doesn’t come with support, but those who have paid support are happy with the level of support. Users of Sonatype Nexus Lifecycle found the support extremely helpful and quick in their response time.
  • ROI: Both SonarQube and Sonatype Nexus Lifecycle reviewers remarked that they saw ROI, but it wasn’t quantifiable; they noticed that their teams saved time and that developer productivity increased.

Comparison Results: Based on the parameters we compared, SonarQube and Sonatype Nexus Lifecycle seem to have a similar rating among users regarding ease of deployment, pricing, service and support, and ROI. In terms of features, users of SonarQube felt more scanning features were needed, while users of Sonatype Nexus Lifecycle felt the software needed to be more code-driven.

To learn more, read our detailed SonarQube vs. Sonatype Nexus Lifecycle report (Updated: July 2022).
Buyer's Guide
SonarQube vs. Sonatype Nexus Lifecycle
July 2022
Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: July 2022.
622,063 professionals have used our research since 2012.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool.""There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic.""It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage.""The Veracode technical support is very good. They are responsive and very knowledgeable.""In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application.""Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.""The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end.""The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."

More Veracode Pros →

"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.""This solution has the capability to analyze source code in almost all the languages in the market.""The code coverage feature is very good.""Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications.""SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications.""The fact that the solution does security scanning is valuable.""I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.""The product has a friendly UI that is easy to use and understand."

More SonarQube Pros →

"The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.""The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports.""Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good.""Vulnerability detection accuracy is good.""We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities.""Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code.""The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?""Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible."

More Sonatype Nexus Lifecycle Pros →

Cons
"If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.""The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved.""The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it.""Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.""The training lab is not very user-friendly and takes a long time to set up.""Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.""The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.""We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it."

More Veracode Cons →

"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.""You may need to purchase add-ons to get the useability you desire.""SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.""I like that it has a better dashboard compared to Clockwork. It's also stable.""The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.""A little bit more emphasis on security and a bit more security scanning features would be nice.""Code security scanning could be improved.""There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."

More SonarQube Cons →

"Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales.""One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved.""In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate.""Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation.""We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages.""The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version.""Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences.""The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."

More Sonatype Nexus Lifecycle Cons →

Pricing and Cost Advice
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
  • More Veracode Pricing and Cost Advice →

  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."
  • "Can try developer version for 14 days on the free trial."
  • "It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."
  • More SonarQube Pricing and Cost Advice →

  • "Cost is a drawback. It's somewhat costly."
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."
  • More Sonatype Nexus Lifecycle Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    622,063 professionals have used our research since 2012.
    Questions from the Community
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Top Answer:Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM… more »
    Top Answer:Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able… more »
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    Top Answer:We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding… more »
    Top Answer:The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you… more »
    Top Answer:I'm not familiar with the pricing in detail, but I believe it was pretty reasonably priced, compared to the market.
    Comparisons
    Also Known As
    Sonar
    Nexus Lifecycle
    Learn More
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Sonatype Nexus Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Nexus Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

    Sonatype Nexus Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Nexus Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

    Benefits of Open-source Security Monitoring

    As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

    Reviews from Real Users

    Sonatype Nexus Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

    Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

    R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

    • the email notifications
    • the API, which has been good to work with for reporting, because we have some downstream reporting requirements
    • that it's been really user-friendly to work with.”

    "Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

    Offer
    Keep your software secure

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Learn more about SonarQube
    Learn more about Sonatype Nexus Lifecycle
    Sample Customers
    State of Missouri, Rekner
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
    Top Industries
    REVIEWERS
    Financial Services Firm31%
    Insurance Company11%
    Computer Software Company11%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider14%
    Financial Services Firm12%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company22%
    Financial Services Firm21%
    Comms Service Provider10%
    Manufacturing Company7%
    VISITORS READING REVIEWS
    Computer Software Company24%
    Comms Service Provider15%
    Financial Services Firm14%
    Manufacturing Company8%
    REVIEWERS
    Financial Services Firm35%
    Insurance Company15%
    Manufacturing Company12%
    Computer Software Company12%
    VISITORS READING REVIEWS
    Computer Software Company23%
    Financial Services Firm22%
    Comms Service Provider10%
    Government7%
    Company Size
    REVIEWERS
    Small Business24%
    Midsize Enterprise27%
    Large Enterprise49%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise14%
    Large Enterprise70%
    REVIEWERS
    Small Business26%
    Midsize Enterprise17%
    Large Enterprise56%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise14%
    Large Enterprise72%
    REVIEWERS
    Small Business26%
    Midsize Enterprise15%
    Large Enterprise59%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise12%
    Large Enterprise74%
    Buyer's Guide
    SonarQube vs. Sonatype Nexus Lifecycle
    July 2022
    Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: July 2022.
    622,063 professionals have used our research since 2012.

    SonarQube is ranked 1st in Application Security Tools with 59 reviews while Sonatype Nexus Lifecycle is ranked 8th in Application Security Tools with 9 reviews. SonarQube is rated 8.0, while Sonatype Nexus Lifecycle is rated 8.0. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Sonatype Nexus Lifecycle writes "Helps us drive down our technical debt due to components with known issues". SonarQube is most compared with Checkmarx, Coverity, Snyk, Micro Focus Fortify on Demand and Mend, whereas Sonatype Nexus Lifecycle is most compared with Snyk, Black Duck, GitLab, Mend and Fortify Application Defender. See our SonarQube vs. Sonatype Nexus Lifecycle report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.