Software Composition Analysis (SCA) Features

Read what people say are the most valuable features of the solutions they use.
Ryan Carrie says in a Sonatype Nexus Lifecycle review
Security Analyst at a software R&D company with 51-200 employees
I like the JIRA integration, as well as the email notifications. They allow me to see things more in real-time without having to monitor the application directly. So as new items come in, it will generate a JIRA task and it will send me an email, so I know to go in and have a look at what is being alerted. The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes. This can really help you to try to get ahead of things, before you end up in a situation where you're refactoring code to remove a library. The policy engine absolutely provides the flexibility we need. We are rolling with the default policy, for the most part. We use the default policy and added on and adjusted it a little bit. But, out-of-the-box, the default policy is pretty good. The data quality is good. The vulnerabilities are very detailed and include links to get in and review the actual postings from the reporters. There have been relatively few that I would consider false positives, which is cool. I haven't played with the licensing aspect that much, so I don't have any comment on the licensing data. One of the cool things about the data that's available within the application is that you can choose your vulnerable library and you can pull up the component information and see which versions of that library are available, that don't have any listed vulnerabilities. I've found myself using that a lot this week as we are preparing for a new library upgrade push. The data quality definitely helps us to solve problems faster. I can pull up a library and see, "Okay, these versions are non-vulnerable," and raise my upgrade task. 
The most valuable part of the data quality is that it really helps me fit this into our risk management or our vulnerability management policy. It helps me determine:
* Are we affected by this and how bad is it?
* How quickly do we need to fix this? Or are we not affected?
* Is there any way to leverage it?
Using that data quality to perform targeted, manual testing in order to verify that something isn't a direct issue and that we can designate for upgrade for the next release means that we don't have to do any interim releases. As for automating open-source governance and minimizing risk, it does so in the sense of auditing vulnerabilities, thus far. It's still something of a reactive approach within the tool itself, but it comes in early enough in the lifecycle that it does provide those aspects.
Ricardo Van Den Broek says in a Sonatype Nexus Lifecycle review
Software Architect at a tech vendor with 11-50 employees
IQ Server also checks the overall quality of a library. Often as a developer, to solve a certain programming problem we do some research online and may find suggested open source libraries that would address what we need. However, we don't always check how old it is or how maintained it is, but that is another thing that IQ Server will point out. "This version (or the whole library) you are using is like five to six years old. Maybe it's time to check if there are alternatives which are better kept up." That's another useful thing for us. We enjoy how it works together with other stuff that we have. We integrated it with Jira to keep track of things. We have it set up so it will generate tickets in Jira automatically when it finds something, then those can be added to our sprints. The quality of data seems very thorough. It compiles data from a couple of different sources. Sonatype double-checks the vulnerability itself. I've seen instances where there will be a message saying something like, "According to official sources, this only occurs in version 4.2 or later, but our research team indicates that the vulnerability also exists in versions 3.x." This shows IQ Server gives you more information than what we previously would find, unless we did a lot of research and happened to stumble on that piece of information. Busy developers will usually prefer to spend the majority of their time implementing features and fixing bugs to meet customer timelines rather than indefinitely researching possible vulnerabilities in a library they want to use. The information that we're getting through IQ Server makes it all easily accessible, and it's also thorough and comes with steps and descriptions of when this issue occurs for specific use cases, so it allows our developers to not lose a lot of time on research.
Wes Kanazawa says in a Sonatype Nexus Lifecycle review
Sr. DevOps Engineer at Primerica
The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository. The default policies are good, they're a good start. They're a great place to start when you are looking to build your own policies. We mostly use the default policies, perhaps with changes here and there. It's deceptively easy to understand. It definitely provides the flexibility we need. There's a lot more stuff that you can get into. It definitely requires training to properly use the policies. We like the integrations into developer tooling. We use the Lifecycle piece for some of our developers and it integrates easily into Eclipse and into Visual Studio Code. It's a good product for that.
Product Strategy Group Director at Civica
For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-source components included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities. In addition, the default policies, in general, are quite good. We have adjusted slightly but we're fairly happy with the way that's set up. They provide us with the flexibility we're looking for. The data quality is pretty good. We don't have masses of false positives. There have been some areas around .NET which haven't been quite as good as some of the other areas, but we know work is being done on that. Overall, the data quality does help us solve problems faster.
reviewer1257792 says in a WhiteSource review
Co Founder at a consumer goods company with 11-50 employees
WhiteSource is very accurate and covers all of our languages (including C++). WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects. It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.
SrLeadSo5b76 says in a Sonatype Nexus Lifecycle review
Sr Lead Solution Services at a financial services firm with 201-500 employees
The scanning is fantastic. The dashboard is usable and gives us clear visibility into what is happening. It also has a very cool feature, which allows us to see the clean version available to be downloaded. Therefore, it is very easy to go and trace which version of the component does not have any issues. The dashboard can be practical, as well. It can waive a particular version of a Java file or component. It can even grandfather certain components, because in real-world scenarios we cannot always take the time to go and update something because it's not backward compatible. Having these features makes it a lot easier to use and more practical. It allows us to apply the security, without having an all-or-nothing approach. The application's onboarding and policy grandfathering features are very easy to use. Most developers who I have given access have picked it up easily. The documentation is fantastic. I've never had a reason to contact support or ask a question, as most of the answers are available. It provides all up-to-date information on the vulnerable issues for the various components that are available. I am able to see that various versions of the application are clear. Sometimes, there is a direct reference, so we can see what the issue is and what workarounds, if any, are available. It will even suggest certain steps which could be taken to remediate the issue. This helps streamline all the information available instead of us going to multiple sources and having to correlate information. Everything is easily available in a streamlined manner. It is easy to access, review, make decisions, and proceed with fixes.
Russell Webster says in a Sonatype Nexus Lifecycle review
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Its core features are the most valuable:
* protection
* scanning
* detection
* notification of vulnerabilities.
It's important for us as an enterprise to continually and dynamically protect our software development from threats and vulnerabilities, and to do that as early in the cycle as possible. Also, the onboarding process is pretty smooth and easy. We didn't feel like it was a huge problem at all. We were able to get in there and have it start scanning pretty rapidly. The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster. The solution also integrated well with our existing DevOps tool. That was of critical importance to us. We built it directly into our continuous integration cycles and that's allowed us to catch things at build time, as well as stop vulnerabilities from moving downstream.
reviewer1342230 says in a Sonatype Nexus Lifecycle review
Application Development Manager at a financial services firm with 501-1,000 employees
The most valuable feature is the scanning part, then the report part, as it is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass on to them for review. The solution's data quality has been pretty accurate. The ones that we are focusing on now are 9 and 10. Once we adjust and scan them again, they are no longer deemed to be the same threat level, which is good. If I replaced the library with a safer one, they still complain that that's not good. So far, we're pretty happy with the quality.
Enterprise Architect at a software R&D company with 1-10 employees
The artifact scanning is excellent. The composition analysis and common CVEs attached to it are quite good. The solution offers a lot of really great analysis. There's lots of good data support.
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you've got the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or dispositioned. I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.
Sr Director at a non-profit with 51-200 employees
The feature that was most valuable to us was the ability to point locally in a quorum.
Marcello Bellini says in a Sonatype Nexus Lifecycle review
IT Security Manager at an insurance company with 1,001-5,000 employees
The vulnerability description shows:
* Where the problem is
* An explanation of the vulnerability
* The recommendation
* How to fix the problem, especially if there is no possibility to close it by updating the library.
Also, what is really cool is the version graph where we see the best version of which vulnerabilities to use. The integration is easy and straightforward, which is great. The integration in our development pipeline was quite easy. With the developer IDE integration, they don't have to log into the web application to see how to remediate vulnerabilities or integrate artifacts, if they already see there is a problem. The solution's data quality is great and near perfect for our use cases in the field of Java applications and TypeScript applications. This helps us solve our problems faster. If it has a critical vulnerability, this solution blocks undesirable open source components from entering our development lifecycle. They cannot be introduced. There are two possibilities when this can happen:
* With configuration policy, something deployed into our staging or release environment can be blocked.
* The developer has the visibility right away to block something when he introduces new components. He might already see there is a problem and can address it then.
Michael Esmeraldo says in a Sonatype Nexus Lifecycle review
Sr. Enterprise Architect at MIB Group
I won't say there aren't a ton of features, but primarily we use it as an artifact repository. Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well. The default policies and the policy engine provide the flexibility we need. The default policy was good enough for us. We didn't really mess with it. We left it alone because the default policy engine pretty much works for our use cases. The integrations into developer tooling work just fine. We primarily use Gradle to build our applications. We just point the URL to what we call our "public repository group" in Nexus. It's a front for everything, so it can see all of the other underlying repositories. Our developers, in their Gradle builds, just point them to this public repository and they can pull down any dependency that they need. It doesn't really integrate with our IDE. It's just simply that we use Gradle and it makes it very straightforward. Nexus blocks undesirable open-source components from entering our development lifecycle because of the IQ policy actions. We define what sort of level of risk we're willing to take. For example for "security-critical," we could just fail them across the board; we don't want anything that has a security-critical. That's something we define as a CVE security number of nine or 10. If it has a known vulnerability of nine or 10 we could even stop it from coming down from Maven Central; it's quarantined because it has a problem that we don't want to even introduce into our network. We've also created our own policy that we call an "architecture blacklist," which means we don't want certain components to be used from an architectural standpoint. For example, we don't want anybody to build anything with Struts 1. We put it on the architecture blacklist. If a component comes in and it has that tag, it fails immediately.
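The policy behaviour this reviewer and Ryan Carrie (above) describe reduces to a few rules: fail the build on a "security-critical" CVSS score of 9 or 10, fail on anything tagged by an architecture blacklist, warn on a component version that has not been released in years, and, when a library is flagged, point at the lowest version that has no listed vulnerabilities. The following is an added example in Python, written for this page; it is not Sonatype's code nor any reviewer's configuration. It evaluates a constructed component inventory against such a policy and recommends a clean upgrade version. The Struts 1 Maven coordinates, the release dates and the CVSS scores are assumptions made for illustration, not vulnerability data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Component:
    group: str
    artifact: str
    version: str
    released: date                                     # release date of this version
    cvss: list[float] = field(default_factory=list)    # CVSS scores of known CVEs

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass
class Policy:
    fail_cvss_at: float = 9.0      # "security-critical": block the component outright
    warn_cvss_at: float = 7.0      # high severity: flag, but let the build proceed
    max_age_days: int = 5 * 365    # flag a version nobody has released for years
    # Assumed Struts 1 coordinates; the review only says "Struts 1".
    blacklist: tuple[str, ...] = ("org.apache.struts:struts-core",)


def parse_version(v: str) -> tuple[int, ...]:
    """'2.17.1-rc1' -> (2, 17, 1); qualifiers are dropped so ordering is numeric."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-", 1)[0].split("."))


def evaluate(c: Component, policy: Policy, today: date) -> list[tuple[str, str]]:
    """Apply every rule to one component; returns (action, reason) pairs, empty if it passes."""
    findings: list[tuple[str, str]] = []
    if c.coordinate in policy.blacklist:
        findings.append(("fail", f"{c.coordinate} is on the architecture blacklist"))
    worst = max(c.cvss, default=0.0)
    if worst >= policy.fail_cvss_at:
        findings.append(("fail", f"CVSS {worst} >= {policy.fail_cvss_at}"))
    elif worst >= policy.warn_cvss_at:
        findings.append(("warn", f"CVSS {worst} >= {policy.warn_cvss_at}"))
    age_days = (today - c.released).days
    if age_days > policy.max_age_days:
        findings.append(("warn", f"version is {age_days} days old"))
    return findings


def gate(inventory: list[Component], policy: Policy, today: date) -> str:
    """Overall build decision: any 'fail' beats any 'warn', which beats 'pass'."""
    actions = {a for c in inventory for a, _ in evaluate(c, policy, today)}
    return "fail" if "fail" in actions else "warn" if "warn" in actions else "pass"


def clean_upgrade(current: str, versions: dict[str, list[float]]) -> str | None:
    """Lowest version above `current` with no known CVEs (the 'clean version' the reviews mention)."""
    cur = parse_version(current)
    clean = [v for v, scores in versions.items() if not scores and parse_version(v) > cur]
    return min(clean, key=parse_version) if clean else None


# Constructed inventory; dates and scores are illustrative only.
TODAY = date(2022, 1, 1)
INVENTORY = [
    Component("org.apache.logging.log4j", "log4j-core", "2.14.1", date(2021, 3, 12), [10.0]),
    Component("org.apache.struts", "struts-core", "1.3.10", date(2008, 12, 5), []),
    Component("com.fasterxml.jackson.core", "jackson-databind", "2.9.10", date(2019, 9, 21), [7.5]),
    Component("org.apache.commons", "commons-lang3", "3.12.0", date(2021, 3, 1), []),
]
# Constructed per-version CVE view for one library, keyed by version string.
LOG4J_VERSIONS = {"2.14.1": [10.0], "2.15.0": [9.0], "2.16.0": [7.5], "2.17.1": []}

if __name__ == "__main__":
    for c in INVENTORY:
        for action, reason in evaluate(c, Policy(), TODAY):
            print(f"{action.upper():4} {c.coordinate}:{c.version}: {reason}")
    print("build decision:", gate(INVENTORY, Policy(), TODAY))
    print("clean upgrade for log4j-core 2.14.1:", clean_upgrade("2.14.1", LOG4J_VERSIONS))
```

The blacklist check is deliberately separate from the CVSS check: a component with no published CVE at all (the Struts 1 entry here) still fails, which is the point of an architectural rule as opposed to a vulnerability rule. The age rule only warns, matching the reviews' use of it as an early signal rather than a hard block.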
Julien Carsique says in a Sonatype Nexus Lifecycle review
DevOps Engineer at a tech vendor with 51-200 employees
The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it. We have worked a lot on the configuration of its capabilities. This is something very new in Nexus and not fully supported. But that's one of the aspects we are the most interested in. And we like the ability to analyze the libraries. There are a lot of filters to output the available libraries for our development people and our continuous integration. The solution integrates well with our existing DevOps tools. It's mainly a Maven plugin, and the REST API provides the compliance where we have everything in a giant tool.
Scott Hibbard says in a Sonatype Nexus Lifecycle review
DevOps Engineer at Guardhat
So far, the information that we're getting out of both the Nexus Lifecycle and SonarQube tools is really great. And the integration of Lifecycle is really good with Jenkins and GitHub; those work very well. We've been able to get it to work seamlessly with them so that it runs on every build that we have. That part is easy to use and we're happy with that. We're able to use Jenkins Pipeline and the integrations that are built into Gradle to incorporate that into our build process where we can have control over exactly when Nexus IQ and SonarQube analyses are run - what kinds of builds - and have them run automatically.
Associate Consultant at a comms service provider with 201-500 employees
The most valuable feature is the efficiency of the tool in finding vulnerabilities.
reviewer1268016 says in a Sonatype Nexus Lifecycle review
IT Security Manager at an insurance company with 5,001-10,000 employees
The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that clearly explains what the problem is. Most of the time, even if you do notice that you have a problem, the public information available is pretty weak. So, if we want to assess if a problem applies to our product, it's really hard. We need to invest a lot of time digging into the problem. This work is basically done by Sonatype for us. The data that it delivers helps us with fixing or understanding the issue a lot quicker than without it. The solution integrates well with our existing DevOps tools. We have a few different ways of integrating it. The primary point is the Jenkins plugin to integrate it into the pipeline, but we also use the API to feed applications from our self-developed systems. So, the Sonatype API is very valuable to us as well. We've also experimented with IDE plugins and some other features that all look very promising.
reviewer1268112 says in a WhiteSource review
DevOps CI/CD Team Lead at a software R&D company with 10,001+ employees
The most valuable feature is the unified JAR to scan for all languages (wss-scanner jar). It helps us to scan easily and is agnostic to the technology.
Zvika-Ronen says in a Black Duck review
Technology Leader/ Open Source Compliance and Risk expert at a comms service provider with 10,001+ employees
I like the fact that the product auto-analyzes components. In comparison to Protecode, where you're given a suggestion and you have to manually choose the correct one, Black Duck analyzes automatically. However, there is a degree of error, possibly around 5%.
reviewer1258746 says in a Snyk review
Engineering Manager at a comms service provider with 51-200 employees
What is valuable about Snyk is its simplicity, and that's the main selling point. It's understandably also very cheap because you don't need as many account management resources to manage the relationship with the customer, and that's a benefit. I also like that it's self-service, with extremely easy integration. You don't need to speak to anybody to get you up and running, and they have loads of integrations with source control and cloud CI systems. They are a relatively new product so they might not have a bigger library than competitors, but it's a good product overall. They do however have the option to install Snyk on-prem, but it is much more expensive.
reviewer1261788 says in a WhiteSource review
VP R&D at a software R&D company with 51-200 employees
The policy automation on effective vulnerabilities feature had a major impact on how we address open source vulnerabilities since it focuses on effective vulnerabilities and directs you to the specific methods. Other services will give a much larger list to remediate. I believe it cuts around 80% of alerts. With the fix suggestions feature, not only do you get the specific trace back to where the vulnerability is within your code, but you also get fix suggestions. It sounds simple but I haven't seen this capability with any other solution. This saves quite some time. There are more small things within the UI that focus on giving the quickest remediation path, and I believe this is WhiteSource's strongest area.
reviewer1264290 says in a WhiteSource review
Project Manager at a health, wellness and fitness company with 11-50 employees
Our use case focuses on licenses, so the most valuable feature would probably be the license reports and policies, which is why we reached out in the first place. The reporting capability gives us the option to generate an open-source license report in a single click, which gets all copyright and license information, including dependencies. We use the Policies feature to automatically approve or reject open-source licenses, according to preset company policy. With respect to ticketing, we use the JIRA integration to assign a problematic open-source library. It opens a ticket on our end and it is assigned automatically to the right owner. It saves a lot of hassle and simplifies the process internally.
Alon Michaeli says in a WhiteSource review
Founder & CEO at Data+
The most valuable features for us are:
* Fix suggestions. Our dev team uses the fix suggestions feature to quickly find the best path for remediation. Before that you would have to research online for fixes, and most of the time it's not that straightforward.
* Trace analysis. Trace analysis enables our team to get the fix, including a clear path to the vulnerable method. This saves quite some time.
* Open-source inventory reports. These reports are easy to manage and provide a clear view of our open-source assets. There's also an option to create policies around that.
reviewer1255491 says in a WhiteSource review
VP R&D at a tech services company with 11-50 employees
For us, the most valuable tool was open-source licensing analysis. Although we don't use it on a weekly basis, when we needed to produce a reliable analysis of our open-source licensing exposure, we found it very, very effective. Considering the alternatives, which were to analyse manually, WhiteSource saved us a ton of work that we really needed to complete in a short time. It would have involved finding all the different packages, be they in package.json files or in the Docker images, and then finding their effective license, which in itself is not a simple task.
reviewer1250697 says in a WhiteSource review
User at a tech vendor with 1,001-5,000 employees
The most valuable features of this solution are:
* The vulnerability and license alerts are the main purposes of us utilizing this tool. We don't want to ship software and mistakenly include a GPL component. Similarly, we want to stay up to date on all vulnerabilities in third-party libraries so we can take action if our software solutions are impacted.
* Implementing policies is helpful because it's great when certain "no-nos" can be codified as policies and auto-rejected.
* Attribution and license due diligence reports help us with aggregating the necessary data that we, in turn, have to provide to satisfy the various licenses' copyright and component-usage disclosures in our software.