IT Central Station is now PeerSpot: Here's why
  • Home
  • SonarQube vs. Sonatype Nexus Lifecycle

SonarQube vs Sonatype Nexus Lifecycle comparison

Cancel
You must select at least 2 products to compare!
Veracode Logo

Veracode

Read 24 Veracode reviews
49,629 views|28,481 comparisons
Sonar Logo

SonarQube

Read 59 SonarQube reviews
87,178 views|71,809 comparisons
Sonatype Logo

Sonatype Nexus Lifecycle

Read 9 Sonatype Nexus Lifecycle reviews
24,368 views|14,402 comparisons
Executive Summary
Updated on March 21, 2022

We performed a comparison between SonarQube and Sonatype Nexus Lifecycle based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Reviewers of SonarQube say the deployment was straightforward. Reviewers of Sonatype Nexus Lifecycle say the software was straightforward for the most part, but was slightly technical.
  • Features: Reviewers of SonarQube were happy with the software's stability and friendly UI but felt it needed more security scanning features.

    Reviewers of Sonatype Nexus Lifecycle felt the scanning capability was extremely valuable, and it had great reporting features, but thought it needed to be more code-driven as a software.

  • Pricing: Users of SonarQube said that the licensing fees are pricey. Reviewers of Sonatype Nexus Lifecycle had mixed reviews; some said the price was reasonable, while others felt it was extremely costly.
  • Service and Support: Most reviewers of SonarQube say they are using the free version of the software, which doesn’t come with support, but those who have paid support are happy with the level of support. Users of Sonatype Nexus Lifecycle found the support extremely helpful and quick in their response time.
  • ROI: Both SonarQube and Sonatype Nexus Lifecycle reviewers remarked that they saw ROI, but it wasn’t quantifiable; they noticed that their teams saved time and that developer productivity increased.

Comparison Results: Based on the parameters we compared, SonarQube and Sonatype Nexus Lifecycle seem to have a similar rating among users regarding ease of deployment, pricing, service and support, and ROI. In terms of features, users of SonarQube felt more scanning features were needed, while users of Sonatype Nexus Lifecycle felt the software needed to be more code-driven.

To learn more, read our detailed SonarQube vs. Sonatype Nexus Lifecycle report (Updated: July 2022).
Buyer's Guide
SonarQube vs. Sonatype Nexus Lifecycle
July 2022
Free Report: SonarQube vs. Sonatype Nexus Lifecycle
Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: July 2022.
DOWNLOAD NOW
621,593 professionals have used our research since 2012.
Featured Review
Chris Sawyer
Gives us peace of mind regarding our website's security environment
It gives us peace of mind regarding what our website's security environment looks like. It provides that quality check to make sure that we have as... Read more →
Anonymous User
Effective vulnerability scanning, good support, and simple setup
Ingmar Vis
Improves the overall hygiene of the source code and is helpful for code security and remediation of issues
It improves the overall hygiene of the source code. We have a lot of scans going on every day. They are in the thousands. If high critical... Read more →
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"It's comprehensive from a feature standpoint.""Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.""You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.""There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic.""The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code.""In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application.""It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail.""It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."

More Veracode Pros →

"SonarQube is useful for controlling all of our Azure task tracking and scanning.""Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.""SonarQube is a fantastic tool which saves us precious time.""When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.""It is working fine. It provides a good value for money.""We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.""This solution has the capability to analyze source code in almost all the languages in the market.""It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."

More SonarQube Pros →

"The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.""We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities.""Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code.""Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good.""The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using.""Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible.""The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports.""Vulnerability detection accuracy is good."

More Sonatype Nexus Lifecycle Pros →

Cons
"I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results.""The solution could improve the Dynamic Analysis Security Testing(DAST).""If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.""The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.""Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.""I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.""There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed.""When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."

More Veracode Cons →

"The interface could be a little better and should be enhanced.""The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.""We did have some trouble with the LDAP integration for the console.""From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.""The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment.""Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.""The documentation is not clear and it needs to be updated.""Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."

More SonarQube Cons →

"We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages.""The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version.""Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales.""Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation.""In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate.""The solution is not an SaaS product.""Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences.""The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."

More Sonatype Nexus Lifecycle Cons →

Pricing and Cost Advice
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."

    • More Veracode Pricing and Cost Advice →

  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."
  • "Can try developer version for 14 days on the free trial."
  • "It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."

    • More SonarQube Pricing and Cost Advice →

  • "Cost is a drawback. It's somewhat costly."
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."

    • More Sonatype Nexus Lifecycle Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    See Recommendations
    621,593 professionals have used our research since 2012.
    Questions from the Community
    Which gives you more for your money - SonarQube or Veracode?
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Read all 6 answers   →
    What do you like most about Veracode?
    Top Answer:Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM… more »
    Read all 64 answers   →
    What is your experience regarding pricing and costs for Veracode?
    Top Answer:Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able… more »
    Read all 41 answers   →
    Is SonarQube the best tool for static analysis?
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which… more »
    Read all 10 answers   →
    How would you decide between Coverity and Sonarqube?
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    How does Snyk compare with SonarQube?
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    How does Sonatype Nexus Lifecycle compare with SonarQube?
    Top Answer:We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding… more »
    What do you like most about Sonatype Nexus Lifecycle?
    Top Answer:The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you… more »
    Read all 21 answers   →
    What is your experience regarding pricing and costs for Sonatype Nexus Li...
    Top Answer:I'm not familiar with the pricing in detail, but I believe it was pretty reasonably priced, compared to the market.
    Read all 14 answers   →
    Comparisons
    Also Known As
    Sonar
    Nexus Lifecycle
    Learn More
    Veracode
    Sonar
    Sonatype
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Sonatype Nexus Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Nexus Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

    Sonatype Nexus Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Nexus Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

    Benefits of Open-source Security Monitoring

    As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

    Reviews from Real Users

    Sonatype Nexus Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

    Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

    R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

    • the email notifications
    • the API, which has been good to work with for reporting, because we have some downstream reporting requirements
    • that it's been really user-friendly to work with.”

    "Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

    Offer
    Keep your software secure
    Find out more

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Learn more about SonarQube
    Learn More
    Learn more about Sonatype Nexus Lifecycle
    Learn More
    Sample Customers
    State of Missouri, Rekner
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
    Top Industries
    REVIEWERS
    Financial Services Firm31%
    Insurance Company11%
    Computer Software Company11%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider14%
    Financial Services Firm12%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company22%
    Financial Services Firm21%
    Comms Service Provider10%
    Manufacturing Company7%
    VISITORS READING REVIEWS
    Computer Software Company24%
    Comms Service Provider15%
    Financial Services Firm14%
    Manufacturing Company8%
    REVIEWERS
    Financial Services Firm35%
    Insurance Company15%
    Manufacturing Company12%
    Computer Software Company12%
    VISITORS READING REVIEWS
    Computer Software Company23%
    Financial Services Firm22%
    Comms Service Provider10%
    Government7%
    Company Size
    REVIEWERS
    Small Business24%
    Midsize Enterprise27%
    Large Enterprise49%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise14%
    Large Enterprise70%
    REVIEWERS
    Small Business26%
    Midsize Enterprise17%
    Large Enterprise56%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise14%
    Large Enterprise72%
    REVIEWERS
    Small Business26%
    Midsize Enterprise15%
    Large Enterprise59%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise12%
    Large Enterprise74%
    Buyer's Guide
    SonarQube vs. Sonatype Nexus Lifecycle
    July 2022
    Free Report: SonarQube vs. Sonatype Nexus Lifecycle
    Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: July 2022.
    DOWNLOAD NOW
    621,593 professionals have used our research since 2012.

    SonarQube is ranked 1st in Application Security Tools with 59 reviews while Sonatype Nexus Lifecycle is ranked 8th in Application Security Tools with 9 reviews. SonarQube is rated 8.0, while Sonatype Nexus Lifecycle is rated 8.0. The top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". On the other hand, the top reviewer of Sonatype Nexus Lifecycle writes "Helps us drive down our technical debt due to components with known issues". SonarQube is most compared with Checkmarx, Coverity, Snyk, Micro Focus Fortify on Demand and Mend, whereas Sonatype Nexus Lifecycle is most compared with Snyk, Black Duck, GitLab, Mend and Fortify Application Defender. See our SonarQube vs. Sonatype Nexus Lifecycle report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.