Compare SonarQube vs. Sonatype Nexus Lifecycle

SonarQube is ranked 1st in Application Security with 18 reviews, while Sonatype Nexus Lifecycle is ranked 3rd in Application Security with 22 reviews. SonarQube is rated 7.6, while Sonatype Nexus Lifecycle is rated 8.8. The top reviewer of SonarQube writes "Great birds-eye view dashboard with detailed code metrics in the drill-down". On the other hand, the top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". SonarQube is most compared with Checkmarx, Coverity, Micro Focus Fortify on Demand, Klocwork and Kiuwan, whereas Sonatype Nexus Lifecycle is most compared with Black Duck, WhiteSource, JFrog Xray, Checkmarx and Snyk. See our SonarQube vs. Sonatype Nexus Lifecycle report.
Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: July 2020.
430,988 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.
The source composition analysis component is great because it gives our developers some comfort in using new libraries.
Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence.
Veracode is a valuable tool in our secure SDLC process.
We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.
We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle.

More Veracode Pros »

The most valuable features are the segregation containment and the suspension of product services.
The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.
The most valuable features are code scanning and Quality Gates.
Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers.
The code coverage feature is very good.
The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.
Strong code evaluation for budget-minded clients.
If code coverage is a low number then that's of great value to me.

More SonarQube Pros »

When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages: data, staging, and release. That aligns with the Nexus Lifecycle build stages.
The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you.
The scanning capability is its most valuable feature, discovering vulnerable open source libraries.
The report part is quite easy to read. The report part is very important to us because that is how we communicate to our security officer and the security committee. Therefore, we need to have a complete report that we can generate and pass on to them for review.
The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes.
The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.
With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily, which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.
It integrates well with our existing DevOps tools because we can integrate it in our build pipeline. We can also trigger our build pipeline to create warnings and let the build fail if there is a critical vulnerability that violates our policy.

More Sonatype Nexus Lifecycle Pros »

Cons
One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan.
Improve Mobile Application Dynamic Scanning (DAST) - .ipa and .apk.
It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.
One of the things that we have from a reporting point of view is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don't have the greatest security features but those are usually minor and we don't want to see those types of notifications.
Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
I would like to see expanded coverage for supporting more platforms, frameworks, and languages.
Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis.

More Veracode Cons »

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low performance does not end up in production.
In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface.
The reporting can be improved.
If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.
Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point, that is a feature that is also missing. It's in our queue. That will hopefully save a lot of time.
Expression of common vulnerabilities and exposures is not always current.
I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.
I would like to see more options for security, beyond the basics like SQL injection.

More SonarQube Cons »

They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.
One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that.
The reporting capability is good but I wish it was better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework.
One thing that I would like to give feedback on is to scan the binary code. It's very difficult to find. It's under organization and policies where there are action buttons that are not very obvious. I think for people who are using it and are not integrated into it, it is not easy to find the button to load the binary and do the scan. This is if there is no existing, continuous integration process, which I believe most people have, but some users don't have this at the moment. This is the most important function of the Nexus IQ, so I expect it should be right on the dashboard where you can apply your binary and do a quick scan. Right now, it's hidden inside organization and policies. If you select the organization, then you can see in the top corner that there is a manual action which you can approve. There are multiple steps to reach that important function that we need. When we were initially looking at the dashboard, we looked for it and couldn't find it. So, we called our coworker who set up the server and they told us it's not on the dashboard.
The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.
As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.
One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusion for us at first, because we would see a component that would have a security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies, it's not there. It didn't take us too long to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?"
We cannot currently use the automated pull requests because we are missing the Bitbucket port. We use Bitbucket as our Git repository and automated pull requests only work with GitHub currently. So, we are missing this feature, but we have already addressed this with Sonatype.

More Sonatype Nexus Lifecycle Cons »

Pricing and Cost Advice
For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.
They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works.
Veracode has been fair. We use their SaaS solution and it's just an annual subscription.
No issues, the pricing seems reasonable.

More Veracode Pricing and Cost Advice »

The developer edition is based on cost per lines of code.
I was using the Community Edition, which is available free of charge.
I am satisfied with the pricing.
A low-cost long-term solution for non-critical situations.
We are using the free, unlicensed version.
The costs for this application, for the kind of job it does, are pretty decent.
We're using their free Community Edition version.
Some of the plugins that were previously free are not free now.

More SonarQube Pricing and Cost Advice »

Lifecycle, to the best of my recollection, had the best pricing compared with other solutions.
Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more.
The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as give peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too.
In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server.
Our licensing costs are on an annual basis. The Sonatype licensing model is transparent with no hidden costs or holes.
The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price.
Pricing is comparable with some of the other products. We are happy with the pricing.
We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.

More Sonatype Nexus Lifecycle Pricing and Cost Advice »

Also Known As
SonarQube: Sonar
Sonatype Nexus Lifecycle: Nexus Lifecycle
Overview

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

SonarQube is the central place to manage code quality, offering visual reporting on and across projects and enabling you to replay the past to follow how metrics have evolved.

Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

Sample Customers
Veracode: State of Missouri, Rekner
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Top Industries

Veracode
Reviewers: Financial Services Firm 34%, Insurance Company 14%, Consumer Goods Company 7%, Healthcare Company 7%
Visitors reading reviews: Computer Software Company 44%, Comms Service Provider 12%, Media Company 6%, Insurance Company 5%

SonarQube
Reviewers: Financial Services Firm 33%, Pharma/Biotech Company 17%, Comms Service Provider 11%, Agriculture 6%
Visitors reading reviews: Computer Software Company 42%, Comms Service Provider 12%, Media Company 6%, Government 5%

Sonatype Nexus Lifecycle
Reviewers: Financial Services Firm 37%, Insurance Company 21%, Computer Software Company 11%, Comms Service Provider 5%
Visitors reading reviews: Computer Software Company 37%, Comms Service Provider 13%, Financial Services Firm 7%, Insurance Company 6%
Company Size

Veracode
Reviewers: Small Business 21%, Midsize Enterprise 26%, Large Enterprise 53%
Visitors reading reviews: Small Business 13%, Midsize Enterprise 15%, Large Enterprise 72%

SonarQube
Reviewers: Small Business 23%, Midsize Enterprise 25%, Large Enterprise 52%
Visitors reading reviews: Small Business 17%, Midsize Enterprise 11%, Large Enterprise 72%

Sonatype Nexus Lifecycle
Reviewers: Small Business 25%, Midsize Enterprise 17%, Large Enterprise 58%
Visitors reading reviews: Small Business 20%, Midsize Enterprise 9%, Large Enterprise 71%

We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.