
Sonatype Nexus Lifecycle vs Veracode Software Composition Analysis comparison

Find out what your peers are saying about Sonatype Nexus Lifecycle vs. Veracode Software Composition Analysis and other solutions. Updated: January 2022.
564,643 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
  • "For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-sources included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities."
  • "The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable."
  • "The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you."
  • "We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
  • "The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
  • "When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages: data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
  • "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
  • "The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."

More Sonatype Nexus Lifecycle Pros →

  • "Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
  • "The solution is stable. We've never had any issues surrounding its stability."
  • "This is a great tool for learning about potential vulnerabilities in code."
  • "Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
  • "The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
  • "The most valuable feature is the dynamic application security testing."
  • "For use cases where our company buys a product without the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool."
  • "The article scanning is excellent."

More Veracode Software Composition Analysis Pros →

Cons
  • "The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
  • "We use Azure DevOps as our application lifecycle management tool. It doesn't integrate with that as well as it does with other tools at the moment, but I think there's work being done to address that. In terms of IDEs, it integrates well. We would like to integrate it into our Azure cloud deployment but the integration with Azure Active Directory isn't quite as slick as we would like it to be. We have to do some workarounds for that at the moment."
  • "Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."
  • "One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
  • "We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
  • "It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
  • "One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved."
  • "We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages."

More Sonatype Nexus Lifecycle Cons →

  • "The scanning could be improved, because some scans take a bit of time."
  • "The documentation is poor and the technical support isn't helpful."
  • "The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."
  • "There were some additional manual steps or work involved that we should not have needed to do."
  • "There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."
  • "A high number of false positives are reported and this should be reduced."
  • "The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."
  • "The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."

More Veracode Software Composition Analysis Cons →

Pricing and Cost Advice
  • "The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too."
  • "In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
  • "Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more."
  • "Lifecycle, to the best of my recollection, had the best pricing compared with other solutions."
  • "Cost is a drawback. It's somewhat costly."
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."
  • More Sonatype Nexus Lifecycle Pricing and Cost Advice →

  • "Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support."
  • "The Veracode price model is based on application profiles, which is how you package your components for scanning."
  • "Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors."
  • "It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it only for 10 of them. But the other solutions are also expensive, so it wasn't a differentiator."
  • More Veracode Software Composition Analysis Pricing and Cost Advice →

    Questions from the Community
    Top Answer: We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different…
    Top Answer: The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.
    Top Answer: There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses.
    Top Answer: The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having…
    Top Answer: The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to…
    Top Answer: The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We…
    Ranking
                               Sonatype Nexus Lifecycle   Veracode Software Composition Analysis
    Views                      23,885                     3,726
    Comparisons                13,468                     2,718
    Reviews                    17                         11
    Average Words per Review   1,910                      1,257
    Rating                     8.6                        8.2
    Also Known As
    Sonatype Nexus Lifecycle: Nexus Lifecycle
    Veracode Software Composition Analysis: Veracode SCA, SourceClear
    Overview

    Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

    Veracode Software Composition Analysis detects open source vulnerabilities during the software development process. Veracode SCA reduces false positives by prioritizing vulnerabilities whose vulnerable code is in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it mines pull requests, bug reports, and release notes. It also looks for vulnerabilities in transitive dependencies several layers deep. Veracode SCA is part of a comprehensive DevSecOps solution that covers multiple assessment types, enables developers, and helps organizations achieve AppSec governance.
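    The two overview paragraphs above describe, in vendor terms, the same pipeline: walk the dependency graph several layers deep, match each component against an advisory database, rank findings by whether the vulnerable method is actually in the application's execution path, and apply a policy to the result. The following is an added example, not code from Sonatype or Veracode, that implements that pipeline end to end on a constructed dependency graph, call graph and advisory list (package names, advisory IDs and method names are all hypothetical) so the effect of execution-path prioritisation on a policy decision is visible:

```python
"""Added example: SCA pipeline on constructed data (not vendor code).
Dependency walk -> advisory match -> reachability prioritisation -> policy."""
from collections import deque

# Constructed dependency graph: package -> (version, direct dependencies).
DEPENDENCIES = {
    "app":             ("1.0.0", ["web-framework", "json-parser"]),
    "web-framework":   ("2.3.1", ["http-core", "template-engine"]),
    "json-parser":     ("0.9.5", []),
    "http-core":       ("1.1.0", ["compress-lib"]),
    "template-engine": ("4.0.2", []),
    "compress-lib":    ("3.2.0", []),
}

# Constructed advisory database. IDs are hypothetical, not real CVEs.
# "affected" is an inclusive version range; "vulnerable_methods" lists the
# library methods through which the flaw is actually exploitable.
ADVISORIES = [
    {"id": "ADV-0001", "package": "compress-lib", "affected": ("3.0.0", "3.2.0"),
     "severity": 9.8, "vulnerable_methods": ["compress_lib.inflate_stream"]},
    {"id": "ADV-0002", "package": "json-parser", "affected": ("0.9.0", "0.9.9"),
     "severity": 7.5, "vulnerable_methods": ["json_parser.parse_untrusted"]},
    {"id": "ADV-0003", "package": "template-engine", "affected": ("4.0.0", "4.0.2"),
     "severity": 5.3, "vulnerable_methods": ["template_engine.render_unsafe"]},
]

# Constructed call graph of the application and the library code it uses.
CALL_GRAPH = {
    "app.main": ["web_framework.serve", "json_parser.parse_untrusted"],
    "web_framework.serve": ["http_core.handle", "template_engine.render"],
    "http_core.handle": [],
    "template_engine.render": [],
    "json_parser.parse_untrusted": [],
}


def parse_version(v):
    """Dotted numeric version -> tuple, so ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))


def walk_dependencies(root, graph=DEPENDENCIES):
    """Breadth-first walk; returns {package: (version, depth)} including
    transitive dependencies several layers below the application."""
    seen = {root: (graph[root][0], 0)}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        depth = seen[pkg][1]
        for dep in graph[pkg][1]:
            if dep not in seen:
                seen[dep] = (graph[dep][0], depth + 1)
                queue.append(dep)
    return seen


def match_advisories(components, advisories=ADVISORIES):
    """Return a copy of every advisory whose package/version is present."""
    findings = []
    for adv in advisories:
        if adv["package"] not in components:
            continue
        version, depth = components[adv["package"]]
        lo, hi = adv["affected"]
        if parse_version(lo) <= parse_version(version) <= parse_version(hi):
            findings.append({**adv, "version": version, "depth": depth})
    return findings


def reachable_methods(entry, call_graph=CALL_GRAPH):
    """Transitive closure of calls from the application entry point."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def prioritise(findings, reachable):
    """Mark each finding reachable if any vulnerable method is in the
    execution path; reachable findings sort first, then by severity."""
    for f in findings:
        f["reachable"] = any(m in reachable for m in f["vulnerable_methods"])
    return sorted(findings, key=lambda f: (not f["reachable"], -f["severity"]))


def evaluate_policy(findings, fail_threshold=7.0):
    """Policy: fail the build only when a high-severity flaw is reachable;
    an affected-but-unreachable library is scheduled for upgrade instead."""
    actions = {}
    for f in findings:
        if f["reachable"] and f["severity"] >= fail_threshold:
            actions[f["id"]] = "fail"
        elif f["reachable"]:
            actions[f["id"]] = "warn"
        else:
            actions[f["id"]] = "schedule-upgrade"
    return actions


def run_scan(root="app", entry="app.main"):
    components = walk_dependencies(root)
    findings = prioritise(match_advisories(components), reachable_methods(entry))
    return findings, evaluate_policy(findings)


if __name__ == "__main__":
    findings, actions = run_scan()
    for f in findings:
        print(f"{f['id']} {f['package']}@{f['version']} depth={f['depth']} "
              f"severity={f['severity']} reachable={f['reachable']} -> {actions[f['id']]}")
```

    On this data the 9.8-severity advisory in compress-lib (three layers deep) is matched but its vulnerable method is never called, so the policy schedules an upgrade rather than failing the build, while the 7.5-severity json-parser flaw, whose vulnerable method the application calls directly, fails it. That is the prioritisation both overviews are selling; the caveat a practitioner should keep in mind is that the call graph is only as complete as the analysis that produced it (reflection, dynamic dispatch and binaries without symbols all hide edges), so "unreachable" is a reason to deprioritise, not to ignore.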

    Sample Customers
    Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
    Veracode Software Composition Analysis: Blue Prism, Advantasure, Automation Anywhere, Cox Automotive
    Top Industries
    Sonatype Nexus Lifecycle, reviewers
      • Financial Services Firm 33%
      • Insurance Company 17%
      • Manufacturing Company 13%
      • Computer Software Company 8%
    Sonatype Nexus Lifecycle, visitors reading reviews
      • Computer Software Company 26%
      • Financial Services Firm 18%
      • Comms Service Provider 13%
      • Government 6%
    Veracode Software Composition Analysis, visitors reading reviews
      • Computer Software Company 34%
      • Comms Service Provider 12%
      • Financial Services Firm 11%
      • Insurance Company 5%
    Company Size
                          Sonatype reviewers   Sonatype visitors   Veracode reviewers   Veracode visitors
    Small Business        27%                  30%                 50%                  50%
    Midsize Enterprise    17%                  18%                 17%                  12%
    Large Enterprise      57%                  51%                 33%                  38%

    Sonatype Nexus Lifecycle is ranked 1st in Software Composition Analysis (SCA) with 17 reviews while Veracode Software Composition Analysis is ranked 7th in Software Composition Analysis (SCA) with 11 reviews. Sonatype Nexus Lifecycle is rated 8.6, while Veracode Software Composition Analysis is rated 8.2. The top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". On the other hand, the top reviewer of Veracode Software Composition Analysis writes "The scanning process helps to significantly improve our standards and best practices". Sonatype Nexus Lifecycle is most compared with SonarQube, Black Duck, WhiteSource, JFrog Xray and Qualys Web Application Scanning, whereas Veracode Software Composition Analysis is most compared with Black Duck, Snyk, JFrog Xray, WhiteSource and FOSSA. See our Sonatype Nexus Lifecycle vs. Veracode Software Composition Analysis report.


    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.