We performed a comparison between Coverity and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Testing (AST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."The interface of Coverity is quite good, and it is also easy to use."
"Provides software security, and helps to find potential security bugs or defects."
"I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward."
"The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans."
"The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
"It's pretty stable. I rate the stability of Coverity nine out of ten."
"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
"It has the lowest false positives."
"The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt."
"It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know."
"It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good."
"When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
"I like Fortify Software Security Center or Fortify SSC. This tool is installed on each developer's machine, but Fortify Software Security Center combines everything. We can meet there as security professionals and developers. The developers scan their code and publish the results there. We can then look at them from a security perspective and see whether they fixed the issues. We can agree on whether something is a false positive and make decisions."
"The Software Security Center, which is often overlooked, stands out as the most effective feature."
"The tool needs to improve its reporting."
"The product should include more customization options. The analytics is not as deep as compared to SonarQube."
"The setup takes very long."
"Coverity takes a lot of time to dereference null pointers."
"We'd like it to be faster."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."
"The level of vulnerability that this solution covers could be improved compared to other open source tools."
"The quality of the code needs improvement."
"The generation of false positives should be reduced."
"There is room for improvement in the code analysis aspect of Sonatype Lifecycle, specifically in the area of deployment security."
"One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard."
"The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
"Sometimes we face difficulties with Maven Central... if I'm using the 1.0.0 version, after one or two years, the 1.0.0 version will be gone from Maven Central but our team will still be using that 1.0.0 version to build. When they do builds, it won't build completely because that version is gone from Maven Central. There is a difference in our Sonatype Maven Central."
"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
"We had some issues, and I think we might still have some issues, where the Sonatype Nexus Repository has integrations with IQ and SonarQube. We're getting some errors on the UI, so we've had Sonatype look into that a little bit."
"If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time."
Coverity is ranked 4th in Application Security Testing (AST) with 33 reviews while Sonatype Lifecycle is ranked 5th in Software Composition Analysis (SCA) with 42 reviews. Coverity is rated 7.8, while Sonatype Lifecycle is rated 8.4. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Coverity is most compared with SonarQube, Klocwork, Fortify on Demand, Checkmarx One and Veracode, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One. See our Coverity vs. Sonatype Lifecycle report.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.