We performed a comparison between Polyspace Code Prover and Sonatype Lifecycle based on real PeerSpot user reviews.
Find out in this report how the two Application Security Tools solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"Polyspace Code Prover has made me realize it differs from other static code analysis tools because it runs the code. So it's quite distinct in that aspect."
"The outputs are very reliable."
"When we work on safety modules, it is mandatory to fulfill ISO 26262 compliance. Using Prover helps fulfill the standard on top of many other quality checks, like division by zero, data type casts, and null pointer dereferences."
"The product detects memory corruptions."
"Polyspace Code Prover is a very user-friendly tool."
"The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-sources included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities."
"It's helped us free up staff time."
"What's really nice about that is it shows a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability."
"The scanning capability is its most valuable feature, discovering vulnerable open source libraries."
"It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know."
"The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
"Using Code Prover on large applications crashes sometimes."
"The tool has some stability issues."
"One of the main disadvantages is the time it takes to initiate the first run."
"I'd like the data to be taken from any format."
"Automation could be a challenge."
"It can be tricky if you want to exclude some files from scanning. For instance, if you do not want to scan and push testing files to Fortify Software Security Center, that is tricky with some IDEs, such as IntelliJ. We found that there is an Exclude feature that is not working. We reported that to them for future fixing. It needs some work on the plugins to make them consistent across IDEs and make them easier."
"If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time."
"The team managing Nexus Lifecycle reported that their internal libraries were not being identified, so they have asked Sonatype's technical team to include that in the upcoming version."
"The user interface needs to be improved. It is slow for us. We use Nexus IQ mostly via APIs. We don't use the interface that much, but when we use it, certain areas are just unresponsive or very slow to load. So, performance-wise, the UI is not fast enough for us, but we don't use it that much anyway."
"It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
"In the beginning, we sometimes struggle to access the customer environment. The customer must issue the required certificates because many customers use cell phone certificates, and Sonatype needs a valid CA certificate."
"One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved."
"They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan; we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."
Polyspace Code Prover is ranked 23rd in Application Security Tools with 5 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 42 reviews. Polyspace Code Prover is rated 7.6, while Sonatype Lifecycle is rated 8.4. The top reviewer of Polyspace Code Prover writes "A stable solution for developing software components". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". Polyspace Code Prover is most compared with SonarQube, Coverity, Klocwork, CodeSonar and Parasoft SOAtest, whereas Sonatype Lifecycle is most compared with SonarQube, Black Duck, Fortify Static Code Analyzer, GitLab and Checkmarx One. See our Polyspace Code Prover vs. Sonatype Lifecycle report.