
Compare Black Duck vs. Sonatype Nexus Lifecycle

Find out what your peers are saying about Black Duck vs. Sonatype Nexus Lifecycle and other solutions. Updated: November 2021.
552,305 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

Black Duck:

"The installation is very easy."
"I like the fact that the product auto-analyzes components."
"The solution works well on Mac products."
"The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base built over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach."
"The stability is okay."
"The most valuable feature is the vulnerability scanning, and that it's easy to use."
"Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it."

Sonatype Nexus Lifecycle:

"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
"The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that clearly explains what the problem is. Most of the time, even if you do notice that you have a problem, the public information available is pretty weak. So, if we want to assess if a problem applies to our product, it's really hard. We need to invest a lot of time digging into the problem. This work is basically done by Sonatype for us. The data that it delivers helps us with fixing or understanding the issue a lot quicker than without it."
"The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
"The scanning capability is its most valuable feature, discovering vulnerable open source libraries."
"With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass onto them for review."
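The policy engine and build-stage gating that the Nexus Lifecycle reviewers describe above (violations keyed on vulnerability severity, component age, whether the component is still maintained, and license) can be illustrated with a small evaluator. This is an added example, not Sonatype's code and not an interface of any product on this page: the component names, release dates, CVSS scores, threat levels and stage thresholds are all invented for illustration, and a real tool would read the inventory from an SBOM or lock file plus a vulnerability feed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Fixed "today" so the example is reproducible (assumed, not a real scan date).
TODAY = date(2021, 11, 1)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    released: date         # release date of the version actually in use
    latest_release: date   # newest upstream release date (maintenance signal)
    max_cvss: float        # highest CVSS base score among known vulns, 0.0 if none


# Constructed sample inventory: every value below is invented for this example.
SAMPLE_COMPONENTS = [
    Component("web-framework", "2.4.0", "Apache-2.0", date(2021, 6, 1), date(2021, 9, 15), 0.0),
    Component("xml-parser", "1.1.3", "MIT", date(2017, 3, 10), date(2017, 3, 10), 9.8),
    Component("img-lib", "0.9.2", "GPL-3.0-only", date(2020, 1, 5), date(2021, 8, 20), 5.3),
    Component("log-util", "3.0.1", "BSD-3-Clause", date(2018, 2, 1), date(2021, 10, 2), 0.0),
]

ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}   # hypothetical allowlist


@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int                                   # 1 (info) .. 10 (critical)
    check: Callable[[Component, date], Optional[str]]   # violation reason, or None


def _critical_vuln(c: Component, today: date) -> Optional[str]:
    return f"CVSS {c.max_cvss} >= 9.0" if c.max_cvss >= 9.0 else None


def _high_vuln(c: Component, today: date) -> Optional[str]:
    return f"CVSS {c.max_cvss} >= 7.0" if 7.0 <= c.max_cvss < 9.0 else None


def _old_version(c: Component, today: date) -> Optional[str]:
    age = today - c.released
    return f"version is {age.days // 365} years old" if age > timedelta(days=3 * 365) else None


def _unmaintained(c: Component, today: date) -> Optional[str]:
    idle = today - c.latest_release
    return f"no upstream release for {idle.days // 365} years" if idle > timedelta(days=2 * 365) else None


def _license(c: Component, today: date) -> Optional[str]:
    return f"license {c.license} not in allowlist" if c.license not in ALLOWED_LICENSES else None


POLICIES = [
    Policy("critical-vulnerability", 10, _critical_vuln),
    Policy("high-vulnerability", 8, _high_vuln),
    Policy("disallowed-license", 8, _license),
    Policy("unmaintained-component", 6, _unmaintained),
    Policy("old-component-version", 4, _old_version),
]

Violation = Tuple[str, str, int, str]   # (component, policy, threat_level, reason)


def evaluate(components, policies=POLICIES, today=TODAY) -> List[Violation]:
    """Run every policy over every component; highest threat level first."""
    found = []
    for c in components:
        for p in policies:
            reason = p.check(c, today)
            if reason:
                found.append((f"{c.name}@{c.version}", p.name, p.threat_level, reason))
    return sorted(found, key=lambda v: (-v[2], v[0], v[1]))


# Stage gating: the same violations get a different action at each pipeline stage,
# with the failing threshold tightening toward release (thresholds are assumed).
FAIL_THRESHOLD = {"build": 9, "stage-release": 7, "release": 4}


def gate(violations: List[Violation], stage: str) -> str:
    """Return 'fail', 'warn' or 'pass' for the given pipeline stage."""
    threshold = FAIL_THRESHOLD[stage]
    levels = [v[2] for v in violations]
    if any(lv >= threshold for lv in levels):
        return "fail"
    return "warn" if levels else "pass"


if __name__ == "__main__":
    vs = evaluate(SAMPLE_COMPONENTS)
    for comp, pol, lvl, reason in vs:
        print(f"[{lvl:2d}] {comp:20s} {pol:24s} {reason}")
    for stage in FAIL_THRESHOLD:
        print(f"{stage}: {gate(vs, stage)}")
```

Run as-is, the script lists five violations, led by the unmaintained xml-parser with its 9.8 CVSS score, and every stage fails on it; drop that component and the inventory only warns at build (the GPL license sits at level 8, below the build threshold of 9) but still fails at stage-release and release, which is the "get ahead of problems before they arise" behaviour the reviewer describes.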

Cons

Black Duck:

"The initial setup could be simplified. It was somewhat complex."
"The scanner client is limited by the size of software it can handle."
"We're not too sure about the extension of the firewall. It never shows up in the Hub."
"It needs to be more user-friendly for developers and in general, to ensure compliance."
"It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports."
"With our software development life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."
"We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck."

Sonatype Nexus Lifecycle:

"The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially."
"One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
"One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
"We had some issues, and I think we might still have some issues, where the Sonatype Nexus Repository has integrations with IQ and SonarQube. We're getting some errors on the UI, so we've had Sonatype look into that a little bit."
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."

Pricing and Cost Advice

Black Duck:

"Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
"The price is quite high because the behavior of the software during the scan is similar to competing products."
"The price is low. It's not an expensive solution."

Sonatype Nexus Lifecycle:

"It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
"Cost is a drawback. It's somewhat costly."
"The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price."
"The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too."
"Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more."
"In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
"Lifecycle, to the best of my recollection, had the best pricing compared with other solutions."
"Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."

Questions from the Community
Top Answer: We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license…
Top Answer: Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.
Top Answer: We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing. We are only using a few of the licenses because they had acquired several…
Top Answer: We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different…
Top Answer: The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.
Top Answer: There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses.
Ranking

                            Black Duck    Sonatype Nexus Lifecycle
Views                       17,208        23,385
Comparisons                 12,053        13,006
Reviews                     7             17
Average Words per Review    645           1,910
Rating                      7.6           8.6
Also Known As

Black Duck: Blackduck Hub, Black Duck Protex, Black Duck Security Checker
Sonatype Nexus Lifecycle: Nexus Lifecycle
Overview

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

Sample Customers

Black Duck: Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Top Industries

Black Duck, visitors reading reviews: Computer Software Company 35%, Comms Service Provider 15%, Financial Services Firm 10%, Manufacturing Company 9%
Sonatype Nexus Lifecycle, reviewers: Financial Services Firm 35%, Insurance Company 17%, Manufacturing Company 9%, Computer Software Company 9%
Sonatype Nexus Lifecycle, visitors reading reviews: Computer Software Company 27%, Financial Services Firm 18%, Comms Service Provider 13%, Insurance Company 6%
Company Size

Black Duck, reviewers: Small Business 38%, Large Enterprise 63%
Black Duck, visitors reading reviews: Small Business 16%, Midsize Enterprise 11%, Large Enterprise 73%
Sonatype Nexus Lifecycle, reviewers: Small Business 28%, Midsize Enterprise 17%, Large Enterprise 55%
Sonatype Nexus Lifecycle, visitors reading reviews: Small Business 30%, Midsize Enterprise 18%, Large Enterprise 52%

Black Duck is ranked 6th in Software Composition Analysis (SCA) with 7 reviews while Sonatype Nexus Lifecycle is ranked 1st in Software Composition Analysis (SCA) with 17 reviews. Black Duck is rated 7.6, while Sonatype Nexus Lifecycle is rated 8.6. The top reviewer of Black Duck writes "Auto analyzes components and supports a range of scales". On the other hand, the top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". Black Duck is most compared with WhiteSource, Snyk, Fortify Static Code Analyzer, Veracode Software Composition Analysis and Checkmarx Software Composition Analysis, whereas Sonatype Nexus Lifecycle is most compared with SonarQube, WhiteSource, JFrog Xray, Snyk and Veracode. See our Black Duck vs. Sonatype Nexus Lifecycle report.


We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.