We performed a comparison between JFrog Xray and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Software Supply Chain Security solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."I would say that this solution has helped our organization by allowing us to automate a lot of the processes."
"JFrog Xray shows us a list of vulnerabilities that can impact our code."
"Good reporting functionalities."
"The most valuable feature of JFrog Xray is the display of the entire internal dependencies hierarchy."
"The solution is stable and reliable."
"If multiple dependencies and vulnerabilities are found in a project, JFrog Xray is intelligent enough to tell you which vulnerability to target first."
"JFrog Xray's reporting feature has a lot of options in it, including scanning."
"The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
"The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"Sonatype support is quite responsive. When we needed something, we could reach out and set up a meeting. They provide the best support possible."
"The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops."
"Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
"There is a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature."
"The reference provided for each issue is extremely helpful."
"JFrog Xray's documentation and error logging could be improved."
"I think that the user interface should be expanded to provide customers with a better dashboard for reviewing their feedback regarding their images and the vulnerabilities that are associated with the images."
"Reporting is crucial, but it is lacking in the current tool. Every organization seeks specific data points rather than general information. Therefore, we require customized reports from the Xray tool."
"Since we have been using the solution via APIs, there are some limitations in the APIs."
"JFrog Xray does not have a dashboard."
"The speed of JFrog Xray should improve. Other solutions have better performance."
"Lacks deeper reporting, the ability to compare things."
"The solution is not an SaaS product."
"The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially."
"Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"The biggest thing is getting it put uniformly across all the different teams. It's more of a process issue. The process needs to be thought out about how it's going to be used, what kind of training there will be, how it's going to be socialized, and how it's going to be rolled out and controlled, enterprise-wide. That's probably more of a challenge than the technology itself."
JFrog Xray is ranked 3rd in Software Supply Chain Security with 7 reviews while Sonatype Lifecycle is ranked 2nd in Software Supply Chain Security with 42 reviews. JFrog Xray is rated 8.2, while Sonatype Lifecycle is rated 8.4. The top reviewer of JFrog Xray writes "An intelligent solution that prioritizes which vulnerability to target first in your project". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". JFrog Xray is most compared with Black Duck, Snyk, Veracode, Mend.io and Prisma Cloud by Palo Alto Networks, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Fortify on Demand. See our JFrog Xray vs. Sonatype Lifecycle report.
See our list of best Software Supply Chain Security vendors and best Software Composition Analysis (SCA) vendors.
We monitor all Software Supply Chain Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.