Sonatype Nexus Lifecycle vs. WhiteSource

As of June 2019, Sonatype Nexus Lifecycle is ranked 2nd in Software Composition Analysis with 6 reviews vs WhiteSource which is ranked 1st in Software Composition Analysis with 3 reviews. The top reviewer of Sonatype Nexus Lifecycle writes "Low false-positive count and the vulnerability-upgrade overview are key features for us". The top reviewer of WhiteSource writes "Using it, we can take some measures to improve things, replace a library, or update a library which was too old". Sonatype Nexus Lifecycle is most compared with SonarQube, Veracode Software Composition Analysis and Checkmarx. WhiteSource is most compared with Black Duck Hub, SonarQube and Veracode. See our Sonatype Nexus Lifecycle vs. WhiteSource report.
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: May 2019.
348,275 professionals have used our research since 2012.
Quotes From Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor."
"What's really nice about that is it shows a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability."
"Among its valuable features, it's easy to handle and easy to configure, it's user-friendly, and it's easy to map and integrate."
"It has given developers the tools they need to figure out what to build with. We implemented a Slack bot using their data and engineers can query it to find good components. It's been working out very well."
"The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact."
"It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product."
"When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead."


"The overall support that we receive is pretty good."
"We find licenses together with WhiteSource which are associated with a certain library, then we get a classification of the license. This is with respect to criticality and vulnerability, so we could take action and improve some things, or replace a third-party library which seems to be too risky for us to use on legal grounds."
"We can take some measures to improve things, replace a library, or update a library which was too old or showed severe bugs."
"Enables scanning/collecting third-party libraries and classifying license types. In this way we ensure our third-party software policy is followed."


Cons
"The biggest thing is getting it put uniformly across all the different teams. It's more of a process issue. The process needs to be thought out about how it's going to be used, what kind of training there will be, how it's going to be socialized, and how it's going to be rolled out and controlled, enterprise-wide. That's probably more of a challenge than the technology itself."
"We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
"Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
"Sometimes we face difficulties with Maven Central... if I'm using the 1.0.0 version, after one or two years, the 1.0.0 version will be gone from Maven Central but our team will still be using that 1.0.0 version to build. When they do builds, it won't build completely because that version is gone from Maven Central. There is a difference in our Sonatype Maven Central."
"Application onboarding is a little bit clunky... Onboarding an application through the GUI is intuitive but it's time-consuming... It's for large organizations with many enrollments that the GUI becomes unfeasible."
"If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found."
"If you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly."
"They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity."


"Make the product available in a very stable way for other web browsers."
"Needs better ACL and more role definitions. This product could be used by large organisations and it definitely needs a better role/action model."


Pricing and Cost Advice
"We're pretty happy with the price, for what it is delivering for us and the value we're getting from it."
"Its pricing is competitive within the market. It's not very cheap, it's not very expensive."


"We are paying a lot of money to use WhiteSource. In our company, it is not easy to argue that it is worth the price."


Use our free recommendation engine to learn which Software Composition Analysis solutions are best for your needs.
Ranking

                          Sonatype Nexus Lifecycle   WhiteSource
Views                     1,186                      5,150
Comparisons               725                        3,516
Reviews                   6                          3
Average Words per Review  1,623                      632
Avg. Rating               8.8                        8.0
Top Comparisons
Compared 25% of the time.
Compared 18% of the time.
Compared 11% of the time.
Also Known As: Nexus Lifecycle
Overview

Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

WhiteSource offers an agile approach to open source management.
WhiteSource is a SaaS solution that integrates with your build process and audits your open source licenses, security and more every time you run your build.

Sample Customers
Sonatype Nexus Lifecycle: Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
WhiteSource: Autodesk, Temenos, Indeed.com, GE digital, KPMG, LivePerson, Jack Henry and Associates
We monitor all Software Composition Analysis reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
