We performed a comparison between Sonatype Lifecycle and Synopsys Defensics based on real PeerSpot user reviews.
Find out what your peers are saying about Synopsys, Snyk, Veracode and others in Software Composition Analysis (SCA)."With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"You can really see what's happening after you've developed something."
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"Fortify integrates with various development environments and tools, such as IDEs (Integrated Development Environments) and CI/CD pipelines."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the ID so that they can see all versions of a specific code."
"Whatever the test suit they give, it is intelligent. It will understand the protocol and it will generate the test cases based on the protocol: protocol, message sequence, protocol, message structure... Because of that, we can eliminate a lot of unwanted test cases, so we can execute the tests and complete them very quickly."
"The product is related to US usage with TLS contact fees, i.e. how more data center connections will help lower networking costs."
"We have found multiple issues in our embedded system network protocols, related to buffer overflow. We have reduced some of these issues."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version."
"The reporting capability is good but I wish it was better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"If you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly."
"The generation of false positives should be reduced."
"Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
"Codenomicon Defensics should be more advanced for the testing sector. It should be somewhat easy and flexible to install."
"Sometimes, when we are testing embedded devices, when we trigger the test cases, the target will crash immediately. It is very difficult for us to identify the root cause of the crash because they do not provide sophisticated tools on the target side. They cover only the client-side application... They do not have diagnostic tools for the target side. Rather, they have them but they are very minimal and not very helpful."
"It does not support the complete protocol stack. There are some IoT protocols that are not supported and new protocols that are not supported."
Earn 20 points
Sonatype Lifecycle is ranked 5th in Software Composition Analysis (SCA) with 42 reviews while Synopsys Defensics is ranked 5th in Fuzz Testing Tools. Sonatype Lifecycle is rated 8.4, while Synopsys Defensics is rated 8.6. The top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". On the other hand, the top reviewer of Synopsys Defensics writes "Technical support provided protocol-specific documentation to prove that some positives were not false". Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One, whereas Synopsys Defensics is most compared with SonarQube, Snyk, Fortify on Demand, Invicti and HCL AppScan.
We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.