We performed a comparison between Fortify Static Code Analyzer and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out what your peers are saying about Veracode, Checkmarx, OpenText and others in Static Code Analysis."Fortify Static Code Analyzer tells us if there are any security leaks or not. If there are, then it's notifying us and does not allow us to pass the DevOps pipeline. If it is finds everything's perfect, as per our given guidelines, then it is allowing us to go ahead and start it, and we are able to deploy it."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"The reference provided for each issue is extremely helpful."
"We've found the documentation to be very good."
"It's helped us free up staff time."
"We write software, and therefore, the most valuable aspect for us is basically the code analysis part."
"I like the Fortify taxonomy as it provides us with a list of all of the vulnerabilities found. Fortify release updated rule packs quarterly, with accompanying documentation, that lets us know what new features are being released."
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"It's helped us free up staff time."
"The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
"The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
"Automating the Jenkins plugins and the build title is a big plus."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"It comes with a hefty licensing fee."
"Fortify Static Code Analyzer is a good solution, but sometimes we receive false positives. If they could reduce the number of false positives it would be good."
"The product shows false positives for Python applications."
"The troubleshooting capabilities of this solution could be improved. This would reduce the number of cases that users have to submit."
"The generation of false positives should be reduced."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"Not all languages are supported in Fortify."
"The pricing is a bit high."
"The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."
"We got a lot of annotations for certain libraries when it comes to Java, but my feeling, and the feeling of a colleague as well, is that we don't get as many for critical libraries when it comes to .NET, as if most of them are really fine... It would be good if Sonatype would check the status of annotations for .NET packages."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"Fortify Static Code Analyzer has a bit of a learning curve, and I don't find it particularly helpful in narrowing down the vulnerabilities we should prioritize."
"One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved."
"Since Nexus Repository just keeps on adding the .jar artifacts whenever there is a build, whenever an application is going up, there is always a space issue on the server. That is one of the things that we are looking for Nexus to notify us about: if it is running out of space."
"Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."
"Not all languages are supported in Fortify."
Fortify Static Code Analyzer is ranked 3rd in Static Code Analysis with 13 reviews while Sonatype Lifecycle is ranked 5th in Software Composition Analysis (SCA) with 43 reviews. Fortify Static Code Analyzer is rated 8.4, while Sonatype Lifecycle is rated 8.4. The top reviewer of Fortify Static Code Analyzer writes "Seamless to integrate and identify vulnerabilities and frees up staff time". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Fortify Static Code Analyzer is most compared with Black Duck, Snyk, Veracode, GitLab and Mend.io, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, GitLab, Checkmarx One and Mend.io.
We monitor all Static Code Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.