Sonatype Nexus Lifecycle Pros and Cons

Sonatype Nexus Lifecycle Pros

Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications.
View full review »
EdwinKwan
Security Team Lead at Tyro Payments Limited
It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor.
What's really nice about that is it shows a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability.
View full review »
Michael Esmeraldo
Sr. Enterprise Architect at MIB Group
Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well.
View full review »
Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
442,986 professionals have used our research since 2012.
ConfigManag73548
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt.
View full review »
Austin Bradley
Enterprise Infrastrcture Architect at Qrypt
When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages.
View full review »
Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead.
It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know.
There is a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature.
View full review »
Julien Carsique
DevOps Engineer at a tech vendor with 51-200 employees
The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it.
View full review »
reviewer1381962
Application Security at a comms service provider with 1,001-5,000 employees
The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you.
View full review »
Ryan Carrie
Security Analyst at a computer software company with 51-200 employees
The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes.
View full review »
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster.
View full review »

Sonatype Nexus Lifecycle Cons

Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusing to us at first, because we would see a component that would have security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too long effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?"
View full review »
EdwinKwan
Security Team Lead at Tyro Payments Limited
We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing.
Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be.
View full review »
Michael Esmeraldo
Sr. Enterprise Architect at MIB Group
Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side.
View full review »
Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
442,986 professionals have used our research since 2012.
ConfigManag73548
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time.
View full review »
Austin Bradley
Enterprise Infrastrcture Architect at Qrypt
They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for.
View full review »
Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity.
In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tool used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON.
View full review »
Julien Carsique
DevOps Engineer at a tech vendor with 51-200 employees
We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view...
It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level.
View full review »
reviewer1381962
Application Security at a comms service provider with 1,001-5,000 employees
One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that.
View full review »
Ryan Carrie
Security Analyst at a computer software company with 51-200 employees
The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.
View full review »
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good.
View full review »
Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
442,986 professionals have used our research since 2012.