We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us understand and fix issues a lot more quickly. The policy engine allows you to set up different types of violations according to your specific needs. It allows us to see the licensing and security vulnerabilities as well as the age of the open-source components in our software. This helps us ensure we stay up to date with our software and that we don't have any vulnerabilities.
We would really like to see Sonatype Nexus Lifecycle be more code-driven and scaled at the developer level. It really should be smoother and faster at finding the relationships between libraries and enterprises. The GUI has some limitations and could be problematic for some larger-scale companies.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do code-quality analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution.
Both of these are amazing, highly-regarded solutions. We chose Sonatype Nexus as a better fit for us. We felt that SonarQube needed multiple other products in order to function well and was lacking in some of the reporting qualities we desired. We felt that the proprietary data that Sonatype Nexus provides with regard to libraries was a great characteristic for us. We found that this solution integrates well with the other products we are using. We especially like the REST API, which we can drive remotely and automate.
Java Development Manager at a government with 10,001+ employees
Jun 27, 2019
It doesn't provide real-time notifications from the scans. We have to re-scan every time, whenever a build happens. Also, since Nexus Repository just keeps on adding the .jar artifacts whenever there is a build, whenever an application is going up, there is always a space issue on the server. That is one of the things that we are looking for Nexus to notify us about: if it is running out of space.
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Jun 27, 2019
Overall, it's pretty good. The drill-through and search capabilities are pretty good; they're not horrible. As far as the relationships between libraries and applications across the whole enterprise go, and the ease of finding them, it still does that. They could make that a little smoother, although right now it's still pretty good. It's taking an eight out of ten and asking it to be a ten.