SonarQube vs. Sonatype Nexus Lifecycle

As of June 2019, SonarQube is ranked 2nd in Application Security with 21 reviews vs Sonatype Nexus Lifecycle which is ranked 6th in Application Security with 6 reviews. The top reviewer of SonarQube writes "Great birds-eye view dashboard with detailed code metrics in the drill-down". The top reviewer of Sonatype Nexus Lifecycle writes "Low false-positive count and the vulnerability-upgrade overview are key features for us". SonarQube is most compared with Veracode, Micro Focus Fortify on Demand and Checkmarx. Sonatype Nexus Lifecycle is most compared with SonarQube, Veracode Software Composition Analysis and Checkmarx. See our SonarQube vs. Sonatype Nexus Lifecycle report.
Find out what your peers are saying about SonarQube vs. Sonatype Nexus Lifecycle and other solutions. Updated: May 2019.
346,641 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"Strong code evaluation for budget-minded clients."
"If code coverage is a low number then that's of great value to me."
"SonarQube is good for checking and maintaining code quality."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"We advise all of our developers to have this solution in place."
"If you want to have your code scanned and timed then this is a good tool."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"The most valuable function is its usability."

"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor."
"What's really nice about that is it shows a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability."
"Among its valuable features, it's easy to handle and easy to configure, it's user-friendly, and it's easy to map and integrate."
"It has given developers the tools they need to figure out what to build with. We implemented a Slack bot using their data and engineers can query it to find good components. It's been working out very well."
"The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead."

Cons
"Expression of common vulnerabilities and exposures is not always current."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"I would like to see more options for security, beyond the basics like SQL injection."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"I would like to see dynamic code analysis in the next version of the software."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."

"The biggest thing is getting it put uniformly across all the different teams. It's more of a process issue. The process needs to be thought out about how it's going to be used, what kind of training there will be, how it's going to be socialized, and how it's going to be rolled out and controlled, enterprise-wide. That's probably more of a challenge than the technology itself."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
"Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
"Sometimes we face difficulties with Maven Central... if I'm using the 1.0.0 version, after one or two years, the 1.0.0 version will be gone from Maven Central but our team will still be using that 1.0.0 version to build. When they do builds, it won't build completely because that version is gone from Maven Central. There is a difference in our Sonatype Maven Central."
"Application onboarding is a little bit clunky... Onboarding an application through the GUI is intuitive but it's time-consuming... It's for large organizations with many enrollments that the GUI becomes unfeasible."
"If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found."
"If you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly."
"They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity."

Pricing and Cost Advice
"A low cost long-term solution for non-critical situations."
"We are using the free, unlicensed version."
"The costs for this application, for the kind of job it does, are pretty decent."
"We're using their free Community Edition version."
"Some of the plugins that were previously free are not free now."
"The price point on SonarQube is good."
"The licence is standard open source licensing."
"This product is open source and very convenient."

"We're pretty happy with the price, for what it is delivering for us and the value we're getting from it."
"Its pricing is competitive within the market. It's not very cheap, it's not very expensive."

Ranking and Review Statistics

                            SonarQube    Sonatype Nexus Lifecycle
Ranking                     2nd          6th
Views                       58,809       1,186
Comparisons                 40,153       725
Reviews                     19           6
Average Words per Review    503          1,623
Avg. Rating                 7.9          8.8
Top Comparisons
Compared 26% of the time.
Compared 20% of the time.
Also Known As
SonarQube: Sonar
Sonatype Nexus Lifecycle: Nexus Lifecycle
Overview
SonarQube is the central place to manage code quality, offering visual reporting on and across projects and enabling you to replay the past to follow how metrics have evolved.

Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

Offer
Learn more about SonarQube
Learn more about Sonatype Nexus Lifecycle
Sample Customers
SonarQube: Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Top Industries

SonarQube
  Reviewers:                 Financial Services Firm 45%, Comms Service Provider 9%, Agriculture 9%, Wireless Company 9%
  Visitors reading reviews:  Financial Services Firm 27%, Retailer 10%, Pharma/Biotech Company 10%, Government 9%
Sonatype Nexus Lifecycle
  No Data Available

Company Size

SonarQube
  Reviewers:                 Small Business 27%, Midsize Enterprise 23%, Large Enterprise 50%
  Visitors reading reviews:  Small Business 15%, Midsize Enterprise 1%, Large Enterprise 83%
Sonatype Nexus Lifecycle
  No Data Available
We monitor all Application Security reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.