Try our new research platform with insights from 80,000+ expert users

Sonatype Lifecycle pros and cons

Vendor: Sonatype

4.2 out of 5

48 reviews
90% willing to recommend

Pros & Cons summary

Sonatype Lifecycle offers accurate vulnerability assessments with low false-positives, enhancing trust. Its proprietary data and research aid in swift issue resolution. The policy application across applications, including legacy support, facilitates effective vulnerability management. Seamless integration with developer tools allows vulnerability insights directly in IDEs. While comprehensive open-source library scanning is a strength, reporting is unintuitive, documentation is lacking, language support is limited, Azure integration is subpar, and transitive dependencies need better handling.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.

Prominent pros & cons

PROS

Nexus Lifecycle offers low false-positive results, providing a high confidence factor in vulnerability detection.

The system allows defining and applying policies selectively across applications, enhancing security management.

Integration with developer tooling and IDEs like Eclipse, Visual Studio, and WebStorm streamlines the development process.

Proprietary data on vulnerabilities combines various sources and research, offering concise explanations and aiding quick resolution.

Continuous monitoring and proactive alerts ensure developers stay informed about library security status, optimizing open-source use.

CONS

Sonatype Lifecycle reporting interfaces can be confusing for infrequent users, prompting the creation of Wiki pages for clarity.

A wider range of language support is necessary; current offerings are mainly Java-centric.

Server space issues arise with Nexus Repository due to ongoing build artifact additions without adequate space notifications.

Better integration with Azure DevOps and Azure Active Directory is needed, with current workarounds proving insufficient.

Clarification on transitive dependencies is required, as they cause confusion when unexpected libraries are pulled in.

Sonatype Lifecycle Pros review quotes

MK

Systems Analyst at Thrivent Financial for Lutherans

Feb 19, 2019

Among its valuable features, it's easy to handle and easy configure, it's user-friendly, and it's easy to map and integrate.

Read full review

CC

DevSecOps at a financial services firm with 10,001+ employees

Feb 19, 2019

When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead.

Read full review

Software Architect Sales Systems at SV Informatik GmbH

Feb 24, 2019

The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact.

Read full review

Sonatype Lifecycle

Free Report: Sonatype Lifecycle Reviews and More

Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.

884,732 professionals have used our research since 2012.

EK

Security Team Lead at Tyro Payments Ltd

Mar 6, 2019

It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor.

Read full review

GO

Lead IT Security Architect at a transportation company with 10,001+ employees

Mar 26, 2019

The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools.

Read full review

Java Development Manager at a government with 10,001+ employees

Jun 27, 2019

The way we can define policies and apply those policies selectively across the different applications is valuable. We can define a separate policy for public-facing applications and a separate policy for the internal applications. That is cool.

Read full review

RW

Russell Webster

VP and Sr. Manager at a financial services firm with 1,001-5,000 employees

Apr 27, 2020

The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.

Read full review

LH

ConfigManag73548

Configuration Manager at a wellness & fitness company with 1-10 employees

Jul 8, 2019

The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt.

Read full review

SL

Sebastian Lawrence

Solutions Delivery Lead at a financial services firm with 201-500 employees

Aug 21, 2019

The dashboard is usable and gives us clear visibility into what is happening. It also has a very cool feature, which allows us to see the clean version available to be downloaded. Therefore, it is very easy to go and trace which version of the component does not have any issues. The dashboard can be practical, as well. It can wave a particular version of a Java file or component. It can even grandfather certain components, because in a real world scenarios we cannot always take the time to go and update something because it's not backward compatible. Having these features make it a lot easier to use and more practical. It allows us to apply the security, without having an all or nothing approach.

Read full review

reviewer1268016

IT Security Manager at a insurance company with 1,001-5,000 employees

Jan 19, 2020

The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that clearly explains what the problem is. Most of the time, and even if you do notice that you have a problem, the public information available is pretty weak. So, if we want to assess if a problem applies to our product, it's really hard. We need to invest a lot of time digging into the problem. This work is basically done by Sonatype for us. The data that it delivers helps us with fixing or understanding the issue a lot quicker than without it.

Read full review

Show 10 more reviews (out of 47)

Sonatype Lifecycle Cons review quotes

MK

Systems Analyst at Thrivent Financial for Lutherans

Feb 19, 2019

Sometimes we face difficulties with Maven Central... if I'm using the 1.0.0 version, after one or two years, the 1.0.0 version will be gone from Maven Central but our team will still be using that 1.0.0 version to build. When they do builds, it won't build completely because that version is gone from Maven Central. There is a difference in our Sonatype Maven Central.

Read full review

CC

DevSecOps at a financial services firm with 10,001+ employees

Feb 19, 2019

They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity.

Read full review

Software Architect Sales Systems at SV Informatik GmbH

Feb 24, 2019

If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found.

Read full review

Sonatype Lifecycle

Free Report: Sonatype Lifecycle Reviews and More

Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.

884,732 professionals have used our research since 2012.

EK

Security Team Lead at Tyro Payments Ltd

Mar 6, 2019

We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing.

Read full review

GO

Lead IT Security Architect at a transportation company with 10,001+ employees

Mar 26, 2019

The biggest thing is getting it put uniformly across all the different teams. It's more of a process issue. The process needs to be thought out about how it's going to be used, what kind of training there will be, how it's going to be socialized, and how it's going to be rolled out and controlled, enterprise-wide. That's probably more of a challenge than the technology itself.

Read full review

Java Development Manager at a government with 10,001+ employees

Jun 27, 2019

Since Nexus Repository just keeps on adding the .jar artifacts whenever there is a build, whenever an application is going up, there is always a space issue on the server. That is one of the things that we are looking for Nexus to notify us about: if it is running out of space.

Read full review

RW

Russell Webster

VP and Sr. Manager at a financial services firm with 1,001-5,000 employees

Apr 27, 2020

As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.

Read full review

LH

ConfigManag73548

Configuration Manager at a wellness & fitness company with 1-10 employees

Jul 8, 2019

If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time.

Read full review

SL

Sebastian Lawrence

Solutions Delivery Lead at a financial services firm with 201-500 employees

Aug 21, 2019

We use Griddle a lot for integrating into our local builds with the IDE, which is another built system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Griddle plugins have been released.

Read full review

reviewer1268016

IT Security Manager at a insurance company with 1,001-5,000 employees

Jan 19, 2020

The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially.

Read full review

Show 10 more reviews (out of 47)

Related questions

74

How does Sonatype Nexus Lifecycle compare with SonarQube?

36

What tools do you rely on for building a DevSecOps pipeline?

34

What alternatives are there for Fortify WebInspect and Fortify SCA?

29

What is the best way to track open-source license compatibility?

60

How long does SCA scanning take?

242

Why is Software Composition Analysis (SCA) important for companies?

40

Differences between Black Duck & Veracode

38

What SCA solution do you recommend?

37

Is there an SCA solution that finds and fixes vulnerabilities?

48

Can I get SCA in my IDE?