Coming October 25: PeerSpot Awards will be announced! Learn more

Sonatype Nexus Lifecycle OverviewUNIXBusinessApplication

Sonatype Nexus Lifecycle is #2 ranked solution in top Software Composition Analysis (SCA) tools and #4 ranked solution in application security solutions. PeerSpot users give Sonatype Nexus Lifecycle an average rating of 8.0 out of 10. Sonatype Nexus Lifecycle is most commonly compared to SonarQube: Sonatype Nexus Lifecycle vs SonarQube. Sonatype Nexus Lifecycle is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a financial services firm, accounting for 26% of all views.
Sonatype Nexus Lifecycle Buyer's Guide

Download the Sonatype Nexus Lifecycle Buyer's Guide including reviews and more. Updated: September 2022

What is Sonatype Nexus Lifecycle?

Sonatype Nexus Lifecycle is an open-source security and dependency management software that uses only one tool to automatically find open-source vulnerabilities at every stage of the System Development Life Cycle (SDLC). Users can now minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Nexus Lifecycle gives the user complete control over their software supply chain, allowing them to regain wasted time fighting risks in the SDLC. In addition, this software unifies the ability to define rules, actions, and policies that work best for your organizations and teams.

Sonatype Nexus Lifecycle allows users to help their teams discover threats before an attack has the chance to take place by examining a database of known vulnerabilities. With continuous monitoring at every stage of the development life cycle, Sonatype Nexus Lifecycle enables teams to build secure software. The solution allows users to utilize a complete automated solution within their existing workflows. Once a potential threat is identified, the solution’s policies will automatically rectify it.

Benefits of Open-source Security Monitoring

As cybersecurity attacks are on the rise, organizations are at constant risk for data breaches. Managing your software supply chain gets trickier as your organization grows, leaving many vulnerabilities exposed. With easily accessible source code that can be modified and shared freely, open-source monitoring gives users complete transparency. A community of professionals can inspect open-source code to ensure fewer bugs, and any open-source dependency vulnerability will be detected and fixed rapidly. Users can use open-source security monitoring to avoid attacks through automatic detection of potential threats and rectification immediately and automatically.

Reviews from Real Users

Sonatype Nexus Lifecycle software receives high praise from users for many reasons. Among them are the abilities to identify and rectify vulnerabilities at every stage of the SDLC, help with open-source governance, and minimize risk.

Michael E., senior enterprise architect at MIB Group, says "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD.”

R.S., senior architect at a insurance company, notes “Specifically features that have been good include:

• the email notifications
• the API, which has been good to work with for reporting, because we have some downstream reporting requirements
• that it's been really user-friendly to work with.”

"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good," says Subham S., engineering tools and platform manager at BT - British Telecom.

Sonatype Nexus Lifecycle was previously known as Nexus Lifecycle.

Sonatype Nexus Lifecycle Customers

Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance

Sonatype Nexus Lifecycle Video

Sonatype Nexus Lifecycle Pricing Advice

What users are saying about Sonatype Nexus Lifecycle pricing:
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • "Cost is a drawback. It's somewhat costly."
  • "There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses."
  • Sonatype Nexus Lifecycle Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Senior Architect at a insurance company with 1,001-5,000 employees
    Real User
    Top 20
    Helps us drive down our technical debt due to components with known issues
    Pros and Cons
    • "We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
    • "Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales."

    What is our primary use case?

    We use Nexus as a local repository of both JavaScript and Java components, and we're starting to look at Python. We also connected up to the Nexus Firewall, so that new components that are proxied are looked at to see if they have malicious components or if they are components without vulnerabilities. We're able to establish policies about whether we want to allow those or quarantine them. 

    Our main use case for IQ Server is to scan software builds for components with existing vulnerabilities and malicious components. We're working to drive down our technical debt due to components with known issues, and it's been helpful. We're still expanding the program to different software languages. We started with Java and then extended the JavaScript. We want to extend to Python, but we're not quite there yet. We don't have too many Python users, so that's less of a priority.

    How has it helped my organization?

    It's been pretty good. I'm the one who has to un-quarantine things, but the false-positive rate is not too bad, or else I'd be doing that all day. From that point of view it's been good.

    The solution enables us to manage and secure the component part of our software supply chain. That is done between the policies, their data, and configuring. You have to make sure everybody's actually pointing to the repo. We started talking about blocking public repos from within the networks, so that would force people to go through the solution, but we haven't quite gotten there yet. However, we have definitely have a lot of people going through the repo. We can see how many components are cached and how many are quarantined. We have definitely had 1,000 or more components quarantined during our use of the product. That's all technical debt we would have accrued if we hadn't been using it.

    What is most valuable?

    We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities. 

    Specifically features that have been good include

    • the email notifications
    • the API, which has been good to work with for reporting, because we have some downstream reporting requirements
    • that it's been really user-friendly to work with.

    Generally speaking, the configuration of all the tools is pretty good; the admin screens are good.

    We have been able to use the API for some Excel-based reports to compare how many of our application deployments were covered by scans, and to do charts on that. That has been good and worked really well.

    The default policies are also good. We deviated a little bit from those, but we have mostly used them, and they have been good. They provide us with the flexibility that we need and probably more flexibility than we need.

    It has brought open source intelligence and policy enforcement across our SDLC. We have policies and SLAs that say, for example, critical findings have to be fixed within 90 days, and "high" findings have to be fixed within 120 days. That's tracked and reported on. We use the API to do some downstream reporting into some executive dashboards and when executives see red and orange they don't like it, and things get done. We've also made it part of our standards to say no components with existing vulnerabilities. Enforcing those standards is integrated into our software development life cycle.

    Sonatype also blocks undesirable open source components. That is also done through policies that you can set, and configuration of the repo.

    What needs improvement?

    The integration is one sore spot, because when we first bought the tool they said JavaScript wasn't really part of the IDE integration, but it was on the roadmap. I followed up on that, and they said, "Oh, you can submit an idea on our idea site to have that added." The sales team said it was already in the pipeline, but it was actually not in the pipeline. 

    Overall it's good, but it would be good for our JavaScript front-end developers to have that IDE integration for their libraries. Right now, they don't, and I'm told by my Sonatype support rep that I need to submit an idea, from which they will submit a feature request. I was told it was already in the pipeline, so that was one strike against sales. Everything else has been pretty good.

    Also, when Nexus Firewall blocks a component, it doesn't really give us a message that tells us where to go; at least it doesn't in our setup. I have to tell all the users, "Here's the URL where you can go to look up why Firewall is blocking your stuff. And that is odd because when it finishes a scan, the scan results give you the URL. But when you get blocked by Firewall, it doesn't give you the URL where you can go look that up. You can definitely work around that, but it's a bit strange. It's almost like something they forgot to include.

    Buyer's Guide
    Sonatype Nexus Lifecycle
    September 2022
    Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    634,775 professionals have used our research since 2012.

    For how long have I used the solution?

    I've been using Sonatype Nexus Lifecycle since October of 2019.

    What do I think about the stability of the solution?

    We've only had the server go down one time in about two years, so that's good.

    What do I think about the scalability of the solution?

    The scalability is fine, as far as I can tell. We only have so many developers, and haven't really grown our development teams at all in the past few years. We have about 200 users of Sonatype who are either developers or application security or myself as senior architect. We haven't had problems with capacity, but we haven't had to scale it.

    It does seem to scale okay for adding new software artifacts, because we continue to add more stuff to it.

    How are customer service and support?

    Overall, tech support is good.

    When submitting a support ticket, I've seen other vendors basically regurgitate what the tool is saying, instead of actually looking at what I'm trying to say. Sonatype has done a good job of at least saying, "Yeah, we looked at this pull request on this open source component, and this is where we're seeing something. I have even had to coordinate a discussion between an open source maintainer, Spring Pivotal, and Sonatype, to let them hash out who's right.

    Which solution did I use previously and why did I switch?

    We used OWASP Dependency-Check. It's a good resource for security standards and, occasionally, free tools, and it was a good command-line checker. It matched heuristically, so it would find a lot of false positives. It got us started and gave us an idea of how much debt we had, so it was useful. It just required a lot of tuning to weed out false positives.

    How was the initial setup?

    They have good documentation about how to configure things and get it set up, and it's easy to find what you're looking for, generally speaking. I found the setup to be pretty straightforward. I had to spearhead that effort, solo, and get it socialized out to all the teams. Most people seemed to be able to configure it pretty well without a lot of hand-holding. The rollout went really well.

    We run it on our own Windows box. It's a little tricky to get it to run as a Windows service, but they have instructions for it and we finally figured out how to get that working. I think they intend for it to be run on Linux, but it's Java, so it runs on either. It's running fine on Windows.

    I just used the online documentation and did it all myself. It took about three months to roll it out.

    What was our ROI?

    How do you prove that you've not gotten hacked because of the tool? We've definitely gotten better visibility into how we're using older components and when we need to migrate away from them. We're much better positioned now to keep things patched and if there's another Struts 2, armageddon-type vulnerability in a library we use, we'll be much quicker to get on it.

    It's like any security tool. How do you know that the door lock paid for itself? You really don't know who would have knocked your door down. But once our developers get more used to the tool over time and we get the technical debt driven down, they will be more productive in terms of making sure the libraries are up to date.

    In the meantime, when they're onboarding and trying to figure it out, it's going to slow them down a little bit, to get oriented. If they're dealing with a legacy of technical debt and there are a lot of things that have to be fixed, because nobody has updated an internet app in 10 years, it's not going to make them more productive. But if you're willing to pay down that technical debt, it's totally worth it, but it's hard to quantify. But if you consider keeping your apps up to date as productivity then it helps with productivity.

    What's my experience with pricing, setup cost, and licensing?

    It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight. They're pretty much based on co-contributing developers, so if you have auditors or AppSec, that doesn't count against your total.

    We're not using their Advanced Development Pack because it costs more money. That is a sore spot. We're not using the Infrastructure as Code Pack or the Advanced Legal Pack because there hasn't really been a lot of appetite to use the DLC mode. That's a criticism I have of Sonatype. I understand they want to get paid, everybody does, but they're adding new features to the product as add-on purchases, as opposed to just improving the product. You pay for a subscription to the product. If we had bought a permanent license and we weren't paying a subscription, I could see it working that way. But I don't like the fact that we pay a subscription but we're not getting these features because they want to charge more for these packs.

    I have told them that. I have said, "I don't like this model. We're paying you guys a lot of money already. Why are we having to be quoted to pay even more?" Maybe our subscription only pays for the data and the support, and if so, that's fine, but they weren't very transparent. They're saying, "Hey, we're going to be developing new features and capabilities, but they're going to cost more." As far as vendors go they're a good vendor, but this is one thing that they started doing that I don't like.

    I don't like the whole "pack" mentality they've got going now. "We're going to come up with cool new features, dangle them in front of you, and then say, 'Hey, we know you're already paying a bunch of money per year for a sub, but you're going to have to pay more if you want this.'" It rubs me the wrong way.

    They only started coming out with these packs in the past year or so. I'll say, "I wish the product did this," and they'll say, "Oh, we're working on a pack to do that, but it'll cost money." I had to move mountains to get the money to pay for the base product. It's not cheap. I don't know if they think we've got a money printing machine hiding in the back, but we don't.

    Which other solutions did I evaluate?

    The solution's data quality is good. It's a lot better than what we had before, which was OWASP Dependency-Check. That was okay, but just okay. Sonatype seems to have higher fidelity, but there have been times when I've had to reach out and say, "Hey, is this a false positive? It seems a little off." Sonatype's data research team seems pretty good. It's good data, for sure, but they're also willing to accept feedback on it, and that's good too.

    If we can't afford Sonatype in 2025, we might go back to OWASP.

    We briefly used SourceClear. We didn't use it very long. It wasn't very good. It seemed that the quality of data wasn't as good. There were no IDE integrations and more false positives. It was totally cloud-based. I'm not sure if the guys who set it up configured it correctly, and that might not be their fault. But we had a lot of issues with it breaking builds and just not working correctly. The reliability and uptime wasn't good. But the biggest problem was probably that they charged per scan, as opposed to per app or per developer. You couldn't really scale to let your developers scan locally without worrying about blowing your budget. The whole licensing model for SourceClear was bad.

    What other advice do I have?

    Make sure you know what packs you're getting with your buy. They also tried to sell some sort of training about how to customize policies, training that they didn't include in the original estimate. So make sure whether your quote includes packs or not and whether you need training for an administrator or whether they'll be able to self-serve from the documentation. It was like we were in the checkout line and then they asked, "Would you also like this training?" instead of including it in the original estimate. It's annoying. If that is part of the package, let us know how much it costs up front, in our estimate, and we'll decide. Don't try to bolt it on midway through the purchase process, which is what they did.

    Depending on how old your code set is, brace yourself. You're going to have to figure out a way to report on the stuff. You're going to have to figure out a way to socialize the value, and you're going to have to constantly answer questions about, "How should I fix this?" My advice would be to make sure you have a champion who not only knows how to administer the tool, but who knows enough about software development to help provide guidance about how to remediate issues. I feel that if I didn't have both of those skill sets, this would have been a complete flop, just another tool rotting on the shelf.

    When it comes to data quality, occasionally it helps us solve problems faster, but sometimes it creates confusion because their data team tries to monitor above and beyond the National Vulnerability Database. Occasionally you get conflicting messages between that and what Sonatype is saying. They're trying to go above and beyond and say things like, "Hey, the bulletin says it's version four or five, but we see it's in version three." But it can get a little confusing when the maintainers don't agree with Sonatype. It's not Sonatype's fault. They're trying to cover for the maintainers not being really thorough with their notifications. 

    But when they come into conflict, it is confusing for the end-user because you're trying to figure out, "Well, what do I really need to do here?" But overall, most of it is really straightforward. The technology can be confusing, but that's software libraries and their features. All that stuff can be confusing, period. But that's not because of how it's communicated, rather it's because it's complicated technology. For example, the vulnerability might be talking about the second-tier cache and that's something I've never even heard of, so I have to go research it. But generally, their communication is effective.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Shubham Shrivastava - PeerSpot reviewer
    Engineering Tools and Platform Manager at BT - British Telecom
    Real User
    Top 20
    Integrates easily and finds all vulnerabilities and categorizes them pretty nicely
    Pros and Cons
    • "Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good."
    • "One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved."

    What is our primary use case?

    We basically use it for open-source vulnerability. It is completely on-premise as of now, but we will be exploring other options.

    How has it helped my organization?

    IQ Server is part of BT's central DevOps platform, which is basically the entire DevOps CI/CD platform. IQ Server is a part of it covering the security vulnerability area. We have also made it available for our developers as a plugin on IDE. These integrations are good, simplistic, and straightforward. It is easy to integrate with IQ Server and easy to fetch those results while being built and push them onto a Jenkins board. My impression of such integrations has been quite good. I have heard good reviews from my engineers about how the plugins that are there work on IDE.

    It basically helps us in identifying open-source vulnerabilities. This is the only tool we have in our portfolio that does this. There are no alternatives. So, it is quite critical for us. Whatever strength Nexus IQ has is the strength that BT has against any open-source vulnerabilities that might exist in our code.

    The data that IQ generates around the vulnerabilities and the way it is distributed across different severities is definitely helpful. It does tell us what decision to make in terms of what should be skipped and what should be worked upon. So, there are absolutely no issues there.

    We use both Nexus Repository and Lifecycle, and every open-source dependency after being approved across gets added onto our central repository from which developers can access anything. When they are requesting an open-source component, product, or DLL, it has to go through the IQ scan before it can be added to the repo. Basically, in BT, at the first door itself, we try to keep all vulnerabilities away. Of course, there would be scenarios where you make a change and approve something, but the DLL becomes vulnerable. In later stages also, it can get flagged very easily. The flag reaches the repo very soon, and an automated system removes it or disables it from developers being able to use it. That's the perfect example of integration, and how we are forcing these policies so that we stay as good as we can.

    We are using Lifecycle in our software supply chain. It is a part of our platform, and any software that we create has to pass through the platform, So, it is a part of our software supply chain. 

    What is most valuable?

    Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good.

    The plugins that are there on the editor are also valuable. Engineers don't have to wait for the entire pipeline to go in and show some results. While they are writing code, it can stop them from writing something that might end up as a security vulnerability.

    Its default policies and the policy engine are quite good. So far, we haven't found anything that went through IQ but wasn't caught. We are quite happy with it. The policy engine pretty much provides the flexibility that we need. I haven't seen a case where any of my customers came in and said that they don't have a certain policy in place for IQ, or they wanted to change or remove any policies. At times, they wanted to suppress warnings or altogether skip them if possible, but it doesn't happen or is required very often. 

    What needs improvement?

    One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved.

    Some of our engineers came from outside of BT, and there are some features that they are used to from rival products, but they are currently not there in Sonatype IQ. For example, Snyk has a feature to stop a particular check-in from happening at the merge stage in case something is different or wrong. This feature is still in the development phase in IQ. Such a feature would be handy in IQ.

    Another area where Nexus can severely improve is the licensing model. I am not worried about the licensing cost, but the way they calculate the number of licenses being used needs to be improved. They have been quite ambiguous in terms of how they calculate who is using Nexus or IQ, and this ambiguity has not been good. At times, we think we have a certain number of customers, but Sonatype says that it is not true, and we have some other number. They haven't been able to explain very well how they calculate that number, which has been a challenge for us.

    For how long have I used the solution?

    BT has been using Nexus solutions for almost three years. I myself have been associated with Nexus for two years since I joined BT.

    What do I think about the stability of the solution?

    IQ Server is quite stable. I get a report from my team about the availability of my tools, and IQ Server stands pretty great. Its stability is 99.99% for sure. 

    Repo has had some challenges with our setup. I'm not sure if that has to do with Repo itself or our own infrastructure. There have been some challenges, but there is nothing noticeable. So, overall, they have been quite good. The only thing is that whenever we have to update the tool, there has to be mandatory downtime, which I would like to avoid with something like a Kubernetes-based system.

    What do I think about the scalability of the solution?

    I haven't faced any challenges in the scalability of Nexus solutions. We have gone from pretty minimal usage to pretty high usage, and I haven't seen any challenges. It is good. It is not similar to some of the other tools that I have where scalability has been an issue.

    We have around 3,000 to 4,000 engineers who use Repo daily. We have around 1,000 to 2,000 users who use IQ Server. Our usage is moderate. It is not extremely heavy. As compared to the other tools that are being used by around 30,000 engineers, the usage of Nexus is not heavy. It is moderate.

    How are customer service and technical support?

    My team works more closely with them, but I do get feedback from them. I have worked with their architect, Sola, multiple times, and I can easily rate him a nine out of 10. He has been pretty good. The architecture that he provided has been crystal clear around what we have here in BT. Whenever there was a problem with Nexus Repo, he came to the rescue. He understood what the problem was and could fairly quickly implement it. It provided more help than support. We were trying to scale Nexus to a certain extent, and he was able to assist us quite well. The only area where I felt I did not get what I needed was related to licensing. They have been quite ambiguous in terms of how they calculate the number of licenses, and even he couldn't clearly tell me how the calculations are done. Other than that, he has been fantastic.

    How was the initial setup?

    Its initial setup was done by someone who is retired now. He did it five or six months before I joined.

    For its maintenance, we have a team of three people. We have one SME and two support engineers who are dedicatedly there for Nexus and any services that we do through Nexus.

    What was our ROI?

    Our ROI is moderate. It has definitely helped us in avoiding a lot of security miscues., but the adoption of IQ hasn't been as much as I would have liked. It has nothing to do with Sonatype. It has more to do with BT's culture and BT's engineers adopting it.

    What's my experience with pricing, setup cost, and licensing?

    Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. 

    There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc.

    Which other solutions did I evaluate?

    We have evaluated Snyk but not for the same capabilities that IQ has. We didn't evaluate Snyk for open-source vulnerabilities. We evaluated it for container security, Infrastructure as Code security, and other aspects. Snyk does OSS as well, but we are not looking at OSS as a solution offering from Snyk at this time. We are doing a pilot with Snyk to see how they can do other things.

    In terms of the open-source vulnerability checks, Snyk has a few more features around stopping mergers to happen and stopping check-ins to happen with integration with Git. This is not something that we have evaluated. It came as feedback from our engineers.

    What other advice do I have?

    It is quite easy to integrate across the tooling board, but that it does lack a couple of modern and shiny features. It does a pretty good job around the core things of open-source vulnerability check, and it categorizes vulnerabilities pretty nicely. To anybody who wants to use Nexus, I would advise seeing how they can create a bit of a scalable and multi-instance model between IQ and Repo so that they can save on some of the update time that I have to go through.

    It has delayed some of the deployments across our supply chain, which is not necessarily a bad thing because delay is only in the case it identifies any issues. One of the challenges in terms of adoption has been that not everybody wants to know how bad their code is. It has been a challenge to make more and more people adopt Nexus IQ, but the quality has definitely improved for those who have onboarded it. There is no doubt about that.

    In terms of the reduction in the time taken to release secure apps to market, it doesn't improve the time if you look at a small picture and a single pipeline or component. It reduces time if you look at the larger picture in terms of how many cycles would have been there if you had identified a security vulnerability in the final environment rather than the earlier environment. In such a scenario, it saves time. It doesn't save time in making the code reach production quicker, but it saves time with fewer cycles happening between the development code and the production code. If I go completely by the test count or the engineering count of around 2,000 folks, there is definitely a saving of around 4,000 to 5,000 hours every quarter.

    It has not increased the level of productivity for our developers because that's not why we are using Nexus. It has definitely reduced the number of cycles between the production code and the development code.

    We don't use the Nexus Container feature. We have a different container that is our own instance. It is a strategic instance for BT that is owned by our own team.

    Nexus definitely has been a key component in our portfolio. The big lesson that I have learned from using Nexus is that there are a lot of open-source libraries that are considered okay in a common area. A lot of times, we identified a library that almost everybody considers okay to use but then realized its vulnerability. So, one of the lessons is that you have to be vigilant all the time with what you are using inside your code.

    I would rate it an eight out of 10, and that's quite good. I have deducted two points. One of them is related to the licensing model, which should not be that ambiguous. Another one is related to becoming more forward-looking and supporting modern products such as Kubernetes or EKS. The demand of the hour is to have our services up for more than four-nines or five-nines. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Buyer's Guide
    Sonatype Nexus Lifecycle
    September 2022
    Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    634,775 professionals have used our research since 2012.
    Finto Thomas - PeerSpot reviewer
    Information Security Program Preparer / Architect at Alef Education
    Real User
    Top 20
    Gives our teams visibility into copyright and security risks in our code
    Pros and Cons
    • "The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
    • "Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."

    What is our primary use case?

    We are in the education industry, but we are a developer-based company. We heavily use lots of public libraries. We use Sonatype Nexus Lifecycle mainly for protecting us from vulnerabilities and license copyright issues. We heavily depend on its database.

    It's a hybrid. We have our on-premises instance for our internal security. With Sonatype itself, we use the cloud service, but we have a few modules on-premises, such as IQ Server and the report server. We have deployed those modules on AWS. As a company, we use cloud services 100 percent.

    How has it helped my organization?

    We have started rolling out to each of our feature teams and so far we have rolled it out to about 30 percent, but we can already see the benefit. It gives our teams easy visibility into the risk inside our code. "Risk" in this case can be copyright, more along the lines of compliance, and security itself, such as vulnerabilities.

    From the legal and security perspectives, we have a huge concern about what we use in our product and our platform. Before using Sonatype we had a huge business risk. Since bringing in Sonatype, we have visibility for both the legal and security teams. It enables us to maintain the quality from the third-party libraries.

    We follow the CI/CD methodology and Sonatype's impact is really huge because we are able to meet our continuous integration in the DevOps pipeline. The speed of that flow is noticeable. The impact is on both development and operations, together. The integration with the CI/CD pipeline is easy.

    What is most valuable?

    From the integration perspective, it is easy to use, out-of-the-box. The GUI is not complex.

    I mainly use two modules, the report server and IQ Server. The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?

    With IQ Server we are currently running the default policy. We started deploying six months back and our main objectives were identifying any bad licenses in our library or product, and whether we are using any critically vulnerable assets. We have stuck with the default policies and they are giving us huge visibility and, as a result, we are putting a lot of effort into remediation.

    In terms of the data quality and the database they have for open source, I'm impressed. For our requirements, the data we get seems to be updated well when it comes to license-type and vulnerabilities.

    The solution also blocks undesirable open source components from entering our development lifecycle. We use it for controlling third-party libraries.

    What needs improvement?

    Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences.

    Other than that, the tool is very user-friendly and gives the right reports to the right teams.

    For how long have I used the solution?

    We have been using Sonatype Nexus Lifecycle for about the last six months.

    What do I think about the stability of the solution?

    Until now, we haven't faced any challenges on the stability front. If there's a challenge, if something is down, we definitely get a direct alert. We are happy with the stability part. Both the software and the infrastructure are good.

    What do I think about the scalability of the solution?

    There are two aspects to the solution's scalability. The infrastructure scalability is the first part, and that is good. The second part is the developer and the licensing front. When we started the program, we had 60 developers but we now have double that number. There's flexibility on both the infra and the licensing. That is good, as of now.

    How are customer service and technical support?

    When it comes to cultural adoption, when we put something new in the DevOps pipeline, the positive side is that we have a dedicated professional support team and there is a dedicated person. I'm on the security side, I'm not a developer. So the challenge for me is that when I go to the developers, they have a different language. That support person is always there to support me and I'm very happy with that support and the way they handle us as a customer. I can go to the development team or the department and say that, "If we need any support, let me know." I know that dedicated support person will be there for us. That's very much appreciated. That model is actually helping me to push our development teams to get into this new integration. The support model, with a dedicated person, is very useful.

    We have frequent meetings with the person who manages the team, and our dedicated support person from Sonatype. If there's a new update it's like we have permanent support. They help us to update.

    I would rate their support at nine out of 10.

    Which solution did I use previously and why did I switch?

    We were using Sonatype open source, the repository server, for a long time, as a free edition and as a PoC. That's why we picked Sonatype Nexus Lifecycle. 

    Before that, we were using a different solution for a period of time. We jumped to Sonatype from our previous solution because it had a limitation on the modules. If I go for a multiple module integration, there is additional cost, whereas with Sonatype, they bundle licenses. There's no limitation. I can go for any number of integrations. That's the reason we switched to Sonatype.

    How was the initial setup?

    The initial setup was triggered from a template in the cloud, so it was easily set up.

    With this implementation, the challenge is awareness. We have 14 development teams, but when we started the program there were 10. The number of development teams continues to increase and they use different tools and techniques in the CI/CD. From my side, in security, the idea is to make them aware. This would be the same whether the product was Sonatype or something else. Making them aware has been a very big challenge for me, to onboard them and make the product effective.

    So the initial, technical deployment is easy, but to make it effective, we have had to bring that awareness into focus and do repeated training.

    The initial deployment took one or two days, taking into account the infrastructure requirements in AWS. But that's not the issue. We deployed the server, but if nobody's using it there's no value from it. The value comes from being able to integrate all the developers. The dedicated support person was very useful in helping me create that awareness and value from it.

    We use a lot of tools in our CI/CD, so the initial month was more of a feasibility test and proof of concept which was validated with multiple scenarios. Then we started onboarding teams, one per month. We work with the Agile methodology in two-week sprints. Each team picked the integration per its own Agile sprint timeline, based on the product owner's priorities. Within the two-week sprint for a given team, we are able to do a full integration for that team. But within those two weeks, if you look at the real effort, it would be a maximum of about two days, including troubleshooting. We have covered 30 to 40 percent of our teams so far. Within the next three to four months we may be able to complete the process and cover 100 percent.

    What was our ROI?

    When I started with Sonatype six months back, I knew that I wanted to do 10 integrations. When I started integrating with a development team, and getting them more usability, I understood the reality was not 10, it was actually 100. When I ran with another vendor, even though I started with a small price, when I looked at the total cost of ownership or the return on investment, it was totally different. With Sonatype there is definitely a return on investment in the number of integrations and the personal support. In that sense, there has been a lot of value. 

    In addition, the bundled licensing is a huge difference and provides flexibility. We are not limited by the number of integrations, like in other products. We have flexibility and scalability. For us, the return of investment or value is huge, when it comes to the licensing model.

    What's my experience with pricing, setup cost, and licensing?

    Cost is a drawback. It's somewhat costly.

    Which other solutions did I evaluate?

    As part of the procurement process in Alef, we have to do a minimum three-product evaluation. We evaluated Sonatype, a different solution, and there were two more in the pipeline. Based on that evaluation, technical and other, Sonatype came into the picture. 

    The competing solution was actually cheaper, no doubt, but when we looked at the overall picture, the total cost of ownership after one year of integration, we understood it would be less with Sonatype, even though the initial price was less with the other products.

    If you're going to be scaling and growing quickly, in a way you cannot predict, the Sonatype licensing model and feature set are definitely good.

    What other advice do I have?

    Look at the scenario of the total cost after one year, not the initial stage. When we looked into the initial stage costs, there were vendors that cost less. But when you come to the integrations and real scenarios, that bill goes up. We had to clearly evaluate, not only the initial moment, but one year or two years down the line and consider the total cost of ownership.

    Also, be sure to properly utilize the engineer allocated to your site to help support the developers.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Product Owner Secure Coding at a financial services firm with 10,001+ employees
    Real User
    Top 20
    Improves the overall hygiene of the source code and is helpful for code security and remediation of issues
    Pros and Cons
    • "The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable."
    • "The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."

    What is our primary use case?

    We use it in the pipeline. So, software development is done in a pipeline in automated steps. One of those steps is Quality Assurance for which we use, amongst others, Sonatype, and this is done automatically. Based upon the outcome of this scan, the software product can proceed to the next step, or its blocks need to be rebuilt with updates.

    We are using Nexus IQ Server 114, and we're about to upgrade to 122.

    How has it helped my organization?

    It improves the overall hygiene of the source code. We have a lot of scans going on every day. They are in the thousands. If high critical vulnerabilities are detected, of course, that is good. It is already proving its value to us down the line because these vulnerabilities do not reach production.

    Data quality helps us solve problems faster. We get the info on what's vulnerable, and most of the time, we get advice for an upgraded version that can be implemented right away. That's very valuable.

    It brought open-source intelligence and policy enforcement across our SDLC. It is the tool that we use for open-source scanning and third-party dependency scanning. So, it brings a lot of value to us from that perspective. 50% of the code that we use is open-source. So, it is important to scan it for all kinds of vulnerabilities. It is very powerful, and it brings a lot of security to us. It can block undesirable open-source components from entering our development life-cycle.

    It secures the software supply chain because it scans the packages that we get from our vendors, but we don't use it to secure our pipelines or steps in the build process. The build process itself is not secured by Nexus IQ.

    It improves the overall health and security of the software supply chain. Anything that is detected can be blocked.

    What is most valuable?

    The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.

    Its integration with our tool landscape is very valuable. It is the interaction with account management and technical consultants.

    The default policies and the policy engine are very good. Most of what we have is the default. It is also possible to create your own policies and custom rules, but we only do that for a handful of exceptions. We are very pleased with the default policies and settings. It provides us the flexibility we need because we can use it in our own customized settings. It is flexible enough for us to work with.

    What needs improvement?

    The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway.

    For how long have I used the solution?

    I have been using this solution for about five years. It was being used prior to me engaging with it. So, it was already there.

    What do I think about the stability of the solution?

    It is very stable. There are no complaints. It is good in terms of availability.

    What do I think about the scalability of the solution?

    We don't need to scale it. At this moment, it is right-sized for us. So, I don't see any scalability going on right now. We do self-hosting on our own internal platform. The resources that are available are not scalable, so to say. They are right-sized.

    We have between 750 and 1,250 users. The developers are the biggest part. We also have our operations support team that deals with upgrades, patch management, installation, and the Infra stuff. There are about 10 people. They don't only work on Nexus IQ, of course, but that's part of their job. There is also the security team, which is my team. It has about 10 people. We use Nexus IQ for all kinds of security review activities. We also have five metrics people who use these tools to gather metrics. They also use Nexus IQ.

    How are customer service and technical support?

    I have contacted them, and I would rate them a seven out of 10. Like every big company that you contact for support, you can get people who are well aware of your situation or less aware. Depending on who you get at the support desk, you might get immediate feedback or the right answer, or you might be going back and forth to get the right information. You don't have a single contact person for all your support, so the quality can change based on who you talk to.

    Which solution did I use previously and why did I switch?

    Our company didn't use any other solution.

    How was the initial setup?

    We have a team of about 10 people for upgrading the tool, patching the tool, migrating XIQ from our own platform to a public cloud platform, and creating system rules and policies.

    What was our ROI?

    For Nexus IQ, I have not seen any research that has been done for ROI. I am aware of other tools but not Nexus IQ.

    What's my experience with pricing, setup cost, and licensing?

    There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses. 

    Which other solutions did I evaluate?

    We always explore other tools. For every tool that we have, we constantly look at what's available. Every couple of years, we do an evaluation to see if there are replacements that are better suited to our needs. Our requirements might change over time. Our entire circumstance might also change from being on-premise to a fully-cloud company, where we might need to fulfill different types of needs. So, of course, we explore what are the best options for us. We stayed with Nexus IQ because they're a pleasant company to work with, and they offer a good product. 

    What other advice do I have?

    I would advise making sure that your developers are aware of why you are going to scan the source codes for vulnerabilities. An awareness training or awareness program on open-source vulnerabilities goes hand in hand with implementing such a tool because the tool is there to enforce policies, etc. If your community developer knows how to build secure software and how to look at open-source, it will drastically reduce the findings in the tool and create a healthy software landscape. So, awareness of secure coding principles should accompany the installation of such a tool.

    Although we are very familiar with the concepts and the topics, we don't make use of integration with IDEs. We do not support automated pull requests yet. It would take time for us to implement, and there are other things that we are busy with. It would depend on how things proceed. We also don't use Nexus Container. 

    It has not improved the time to release secure apps to market. It has also not increased developer productivity. In the short term, it decreases developer productivity because they have to fix stuff that otherwise would go undetected. So, productivity is hampered if you are confronted with vulnerabilities that you need to fix. Therefore, being more secure in the short term doesn't make you more productive. If you are aware of why you need to look at certain things, it can bring productivity in the long term.

    The biggest lesson that we have learned from using Nexus IQ is that with open-source, so many things can go wrong. Most of the vulnerabilities that you have in your software are due to the bad usage of open-source components.

    I would rate this solution an eight out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Katrin Schenker - PeerSpot reviewer
    Software Engineer at a manufacturing company with 10,001+ employees
    Real User
    Top 20
    Automated process for downloading open source libraries has significantly decreased developer workload
    Pros and Cons
    • "The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using."
    • "We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages."

    What is our primary use case?

    We use it for checking our open source libraries for Java and .NET. I think they also have Python and R that some of my colleagues are using. And on the other side, of course, we also have the proxy to only download the open source libraries for our internet software development that are free of vulnerabilities and security issues.

    It's deployed on-prem. We have internal servers.

    How has it helped my organization?

    Before we had Nexus Lifecycle, our software developers needed to clear each download from open source libraries. That meant they needed to scan the library on a separate PC, and then they would integrate it into their solutions, but it would be local and not available for the other developers. Now, we have an automatic process for downloading open source libraries, and this has removed a huge effort for all of our software developers. That is the big advantage, that we have an automated software development pipeline, which is something we did not have before. All of our developers are happy to have the solution.

    Another benefit is connected to the fact that we also have applications we host for external users and those users can obtain a very good report about which external, open source libraries we are using, and their security status. 

    What is most valuable?

    We get email notifications if a certain library has a security issue, like Log4j. We are informed very early and we can check into it and act on it. This is the most valuable feature.

    Also, the integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle as well. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using.

    We have also set up certain organizations for our company, within the Nexus tool, such as groups or departments. Within these groups, we have the different applications they're working with. This is a structure that Sonatype recommended we implement.

    What needs improvement?

    We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine. It's true that we have more Java applications than .NET, but the number of our applications in the .NET area will increase. Again, it's just an impression, but it seems that the annotations for .NET are not the same as for Java. It would be good if Sonatype would check the status of annotations for .NET packages.

    Again, I note that we are just starting to use an open source library from NuGet for the .NET area, while we have been using it for Java for several years and we are using more packages. For .NET, it's evolving. But my impression is that annotations are more focused on Java, and that in .NET we just do not see as many security issues as in Java. It could be fine, but maybe Sopatype started with Java and then expanded the portfolio to .NET and to other languages. This is something which could be further checked.

    It could also be the fact that we have had Java applications for around 20 years, using open source libraries. When you go to the newer versions, you need to check and test. Whereas the .NET applications are evolving and are using open source libraries, and the .NET side is really new for our organization.

    For how long have I used the solution?

    I have been using Sonatype Nexus Lifecycle for around one year.

    What do I think about the stability of the solution?

    The stability is fine. I have not struggled with it. The solution is working, it's available. But this is something I can't tell you much about it because the server infrastructure and installation are done by our infrastructure team. I'm not sure if they are struggling with availability of the services.

    What do I think about the scalability of the solution?

    The scalability, currently, is fine, because the performance is fine. It was important to have a structure at the beginning, a way to set up different departments and groups. Now, if we have a new group that will use IQ Server or Nexus Lifecycle, we can just add it and it will be managed by the department. That makes it really good and scalable.

    Nexus was a pilot, where some of my colleagues were using it but now it has spread to our whole organization and more colleagues are using it.

    How are customer service and support?

    An evaluation of Sonatype's technical support is more a question for our infrastructure team.

    We did have some workshops with Sonatype about using Nexus Lifecycle and IQ Server, and they were quite nice. They made presentations and we could ask our questions. There is also the offer to have workshops about new topics, but I can't say much about the really technical questions.

    However, from my point of view, the communication with Sonatype is really good. They take care of our requests and issues and answer them.

    Which solution did I use previously and why did I switch?

    This is the first solution we're using. We had a Nexus repository for several years, and we added Nexus Lifecycle on top in the last one to two years. Before, we would just manually download libraries and clear them by checking the download status. It was a manual task and now it's automated.

    How was the initial setup?

    I wasn't involved in the server installation. From my point of view, the deployment was quite easy. The servers were set up—a test instance and a production instance. In the test instance, we can play around and see if everything is working.

    The IDE integration was quite easy because you just have to download the plugins and then set up the URL and the user and password. With Jenkins, we had to play around a little bit, but it was not that tricky. The integration is really nice because the plugins work quite well.

    What was our ROI?

    Because we have only had Lifecycle in production for around one year, it's too early to know if it has improved the time it takes us to release secure apps to market.

    But it has definitely increased developer productivity. If you manually download a package, you're not sure if it is the right package because you cannot test it. But now, we can automatically download packages. It's much more effective and more productive for each software developer using it. I would estimate we have seen a 20 percent increase in productivity.

    It's also helping our security because that is an aspect we did not check before. That is new for us and very valuable.

    What other advice do I have?

    We have internal help pages for new software developers with explanations about how they can get access to Nexus Lifecycle and how they can set up new organizations, new applications, and how the IDE integration is done.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Chris Coetzee - PeerSpot reviewer
    Managing Director at Digalance
    Real User
    Top 20
    The solution lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development
    Pros and Cons
    • "Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code."
    • "In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."

    What is our primary use case?

    Most software innovation happens in an open-source environment, and developers generate only a small amount of code. The customers we encounter generally perform static code analysis immediately before they move code into production. If the security guys detect issues, they will send the code back into development. 

    Lifecycle integrates everything from IDE down to production. It's a unique solution that helps customers embrace open-source development because that's where the innovation is happening. At the same time, I know the code coming into my environment is clean. A lot of our customers have adopted Azure DevOps, especially on the banking side. Some parts of the solution are in the cloud, while others are on-prem.

    What is most valuable?

    Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code. 

    They can see the associated risk and which version has the lowest risk. Developers can effortlessly migrate the entire project by dragging and dropping the version of the code with the lowest risk.

    What needs improvement?

    I'm not using the technology directly, and I haven't heard anything from our customer base. As far as I know, Sonatype has a unique customer engagement framework with a regular customer meet-up to go through deployment issues. They take feedback directly from the customer.

    For how long have I used the solution?

    We provide consulting, and one of our partners is the Sonatype distributor in Africa. We've been working with them for about three years.

    What do I think about the scalability of the solution?

    Our customers include some of the biggest banks in Africa. The number of Lifecycle users ranges from about 25 to 250, depending on the size of the environment.

    How was the initial setup?

    Deploying Nexus Lifecycle is straightforward. It normally takes two weeks to remotely install everything and hand it over to the customer. In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate. From the partner's perspective, we only need one person to set it up, but the customers might need a few techs to provision VPN access, a server for the environment, etc.

    What's my experience with pricing, setup cost, and licensing?

    Nexus Lifecycle manager has a license for each server you deploy. You also pay a charge per user, including developers, release managers, and anybody else involved in the software development lifecycle. The price is fair for the value you get, but customers always want it cheaper.

    What other advice do I have?

    Based on my experience and feedback from the customers, I rate Sonatype Nexus Lifecycle nine out of 10.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Lead Member Of Technical Staff at a tech vendor with 10,001+ employees
    Real User
    Top 5Leaderboard
    Lacks an SaaS version and remediation accuracy is not good; good vulnerability detection accuracy
    Pros and Cons
    • "Vulnerability detection accuracy is good."
    • "The solution is not an SaaS product."

    What is our primary use case?

    We use this product for scanning containers and binary artifacts, and to scan for vulnerabilities. It's provides a software composition analysis mainly for application security. I'm the lead member of technical staff and we are customers of Sonatype. 

    What is most valuable?

    The most valuable feature for me is vulnerability detection accuracy.

    What needs improvement?

    The main drawback of this product is that it's not an SaaS solution and they really need to build a complete SaaS product. Although the vulnerability detection accuracy is good, the solution is quite weak when it comes to remediation accuracy which is not good. They are currently sorting by component versions and the sorting algorithm is not correct, it requires a proper tool. 

    For how long have I used the solution?

    I've been using this solution for four years. 

    What do I think about the scalability of the solution?

    We are unable to scale sufficiently because everything needs to be installed on our local premises. This is really a solution for small to medium-sized organizations. Every new server requires the installation of a new database. We currently have around 400 users doing a variety of jobs and scalability is the biggest issue we have.

    How are customer service and support?

    The customer support could be improved. Their response time is quite slow and it can take a long time to deploy new features. 

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The initial setup is too complex because it's not a cloud service.

    Which other solutions did I evaluate?

    Compared to other solutions I've seen, the main issue with Lifecycle is that it doesn't have an on-cloud option.

    What other advice do I have?

    I can recommend this solution but they need to do some work at their end, particularly with regard to cluster maintenance, scalability, and the fact that it's only available on-prem.

    I rate this solution five out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Technical Consultant at a computer software company with 10,001+ employees
    Real User
    Useful vulnerability report, stable, and scalable
    Pros and Cons
    • "The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports."
    • "Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation."

    What is our primary use case?

    We are using Sonatype Nexus Lifecycle within our company for scanning our products with the Jenkins pipeline.

    What is most valuable?

    The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports.

    What needs improvement?

    Sonatype Nexus Lifecycle can improve the functionality. Some functionalities are missing from the UI that could be accessed using the API but they are not available. For example, seeing more than the 100 first reports or, seeing your comments when you process a waiver for a vulnerability or a violation. 

    When you submit a waiver, you enter a comment, and when you need to access this comment, in the reports, you don't see it. This is a drawback.

    For how long have I used the solution?

    I have been using Sonatype Nexus Lifecycle for a short time.

    What do I think about the stability of the solution?

    I would rate the stability of Sonatype Nexus Lifecycle a seven out of ten.

    What do I think about the scalability of the solution?

    Sonatype Nexus Lifecycle 

    We have approximately 200 users using Sonatype Nexus Lifecycle in my company using this solution. They are mostly developers and security personnel.

    How are customer service and support?

    I rate the technical support from Sonatype Nexus Lifecycle a six out of ten.

    Which solution did I use previously and why did I switch?

    I have not used another similar solution previously.

    What about the implementation team?

    We have a team in our company that does the implementation of the Sonatype Nexus Lifecycle.

    What other advice do I have?

    We might increase our usage of the solution in the future, or we might move to another solution because of the issues we have had with it.

    I would recommend to others to test the functionalities of the Sonatype Nexus Lifecycle to see if it meets their use case needs.

    I rate Sonatype Nexus Lifecycle an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Sonatype Nexus Lifecycle Report and get advice and tips from experienced pros sharing their opinions.
    Updated: September 2022
    Buyer's Guide
    Download our free Sonatype Nexus Lifecycle Report and get advice and tips from experienced pros sharing their opinions.