Sonatype Nexus Lifecycle Reviews

Filter by:Reset all filters
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
EdwinKwan
Real User
Security Team Lead at Tyro Payments Limited
Mar 13 2019

What is most valuable?

There are two things that allow us to do what we want to and that's why we chose Nexus Lifecycle. First, it scans and gives you a low false-positive count. When we were looking for a product to solve… more»

How has it helped my organization?

One of the ways that it has helped us is that it has given us visibility into security issues. It has made us a bit more proactive in dealing with things. Before, we depended on how much news there… more»

What needs improvement?

We created a Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it… more»

What's my experience with pricing, setup cost, and licensing?

We're pretty happy with the price, for what it is delivering for us and the value we're getting from it.

What other advice do I have?

My advice is that you should definitely use it. You need to think about the rollout and to make sure you integrate it into the software development lifecycle. That's where you get the most value… more»

Which other solutions did I evaluate?

We did a PoC with a few companies and we picked Sonatype and we've been happy with them since. We looked at Black Duck, and we also look at the free version, the OWASP, a dependency checker. We also… more»
ConfigManag73548
Real User
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
Oct 03 2019

What is most valuable?

There are a number of features that we find valuable. The basic functionality of Sonatype is its scanning feature. Out of that, you get the reporting capability as part of… more»

How has it helped my organization?

One of the ways it has improved the way our organization functions is that it has created awareness of unlicensed, third-party dependencies and insecure vulnerabilities… more»

What needs improvement?

They have recently released some online training documentation, because we had to a lot of our own learning. If they had a more comprehensive online tutorial base, both… more»

What's my experience with pricing, setup cost, and licensing?

Our licensing is bundled. We pay a single licensing cost for both Nexus OSS and Nexus Lifecycle together. So I'm not sure what the individual costs would be. We bought… more»

Which solution did I use previously and why did I switch?

We did not have a previous solution. We brought on Nexus Lifecycle because there has been a heightened, more aggressive stance on security.

What other advice do I have?

Have a key, a defined goal because, as much as the tool is there, it isn't able to create a goal. The goal is, "We would like to improve the security of our codebase by at… more»

Which other solutions did I evaluate?

There's SonarQube which does static code analysis, but not at the level that Nexus IQ offers it. There is Artifactory, which does do Docker scanning now. One thing that… more»
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: February 2020.
398,567 professionals have used our research since 2012.
Charles Chani
Real User
DevSecOps at a financial services firm with 10,001+ employees
Feb 28 2019

What is most valuable?

When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should… more»

How has it helped my organization?

Previously, the developers would do their work and then it would be evaluated using something called penetration testing. With the results of the penetration testing they would go back and make… more»

What needs improvement?

They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity… more»

Which solution did I use previously and why did I switch?

We weren't using a previous solution, we were using a different approach which was very old and which doesn't work. It was penetration testing which is very problematic. The way it worked was that an… more»

What other advice do I have?

My advice is "do it yesterday." You save yourself a lot of money. Even during one, two, or three weeks, it's going to cost you a lot of money to fix the security vulnerabilities that you are ingesting… more»

Which other solutions did I evaluate?

I think they looked at competitors but that wasn't my job. I'm familiar with the competitors. They are similar to Sonatype but, possibly, not as comprehensive. There are at least three or four other… more»
Russell Webster
Real User
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Nov 27 2019

What is most valuable?

Its core features are the most valuable: * protection * scanning * detection * notification of vulnerabilities. It's important for us as an enterprise to continually and… more»

How has it helped my organization?

Without it we didn't have any way to detect vulnerabilities except through reactive measures. It's allowed us to be proactive in our approach to vulnerability detection… more»

What needs improvement?

Overall, it's pretty good. The drill-through and search capabilities are pretty good, they're not horrible. As far as the relationship of, and ease of finding the… more»

What's my experience with pricing, setup cost, and licensing?

Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more. They put… more»

Which solution did I use previously and why did I switch?

We did not have a solution with this type of capabilities. We had some type of Nexus product but we layered this on top. We didn't have that capability.

What other advice do I have?

In the early stages of planning and design for rolling this out, ensure that you get all of your stakeholders involved; those who will have an input on the policy… more»

Which other solutions did I evaluate?

We looked at Artifactory as well. We went with Sonatype because it is more comprehensive, it's a market leader, has a great feature set, and support is really good. It's a… more»
Real User
Sr Lead Solution Services at a financial services firm with 201-500 employees
Aug 25 2019

What is most valuable?

The scanning is fantastic. The dashboard is usable and gives us clear visibility into what is happening. It also has a very cool feature, which allows us to see the clean version available to be downloaded. Therefore, it is very easy to go… more»

How has it helped my organization?

We have increased the digital footprint of our company over the last few, extensively. We have extensive open source development happening which depend on open source components. Using the scanning with Nexus IQ, a lower count of false… more»

What needs improvement?

We use Griddle a lot for integrating into our local builds with the IDE, which is another built system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Griddle plugins… more»

Which solution did I use previously and why did I switch?

Nexus was our first implementation.

Which other solutions did I evaluate?

We evaluated different Black Duck and WhiteSource, but chose Nexus because we felt it was the best product offered. In early 2017, Black Duck had an approach of uploading everything all at one time, then coming back later to see the report… more»
Real User
IT Security Manager at a insurance company with 5,001-10,000 employees
Jan 20 2020

What is most valuable?

The key feature for Nexus Lifecycle is the proprietary data they have on vulnerabilities. The way that they combine all the different sources and also their own research into one concise article that… more»

How has it helped my organization?

For the application onboarding, we are focusing on automating that as much as possible. Considering the amount of applications that we scan, it's probably not feasible to do all that within the GUI… more»

What needs improvement?

The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So… more»

What's my experience with pricing, setup cost, and licensing?

The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us… more»

What other advice do I have?

Look into the API early. Try to scan as much as possible to get an impression of your landscape before you start rolling it out, then you can easily target the teams and applications mostly needed… more»

Which other solutions did I evaluate?

I think OWASP Dependency-Check was evaluated before Nexus Lifecycle. Nexus Lifecycle was chosen primarily for the quality of its scan results.
Axel Niering
Real User
Achitekt at SV Informatik GmbH
Mar 07 2019

What is most valuable?

The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems… more»

How has it helped my organization?

We're still using it in a PoC and it's not as integrated as it could be so it hasn't changed too much for us right now. But of course, what we want to do is to keep safe, look at the vulnerabilities… more»

What needs improvement?

If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found. And if you look at NPM-based applications, JavaScript, for example… more»

What's my experience with pricing, setup cost, and licensing?

Its pricing is competitive within the market. It's not very cheap, it's not very expensive.

What other advice do I have?

Look very closely look at Nexus Lifecycle to check whether the system is a possibility in your environment. It has good data quality and good integration in our build environment. Everyone must check… more»

Which other solutions did I evaluate?

We also evaluated Black Duck. We selected Nexus because of the data quality and the ability to integrate it into our build process.
Real User
Java Development Manager at a government with 10,001+ employees
Jul 04 2019

What is most valuable?

The way we can define policies and apply those policies selectively across the different applications is valuable. We can define a separate policy for public-facing… more»

How has it helped my organization?

Before, we had open-source Nexus Repository, but with Lifecycle we have Nexus RM and IQ Server as well and we can scan .jars. In addition, we have the plugins for… more»

What needs improvement?

It doesn't provide real-time notifications from the scans. We have to re-scan every time, whenever a build happens. Also, since Nexus Repository just keeps on adding the… more»

What's my experience with pricing, setup cost, and licensing?

Pricing is comparable with some of the other products. We are happy with the pricing.

Which solution did I use previously and why did I switch?

We used the open-source version before moving to the licensed version of Sonatype.

What other advice do I have?

Their support is good. They help with understanding the environment. They helped us with the initial PoC work. Their product is configurable. We can customize the… more»

Which other solutions did I evaluate?

We didn't look at any other options. We have been using Nexus for years. We had some initial sessions with them, we did a PoC and we liked the product. We went ahead with… more»
See 2 More Sonatype Nexus Lifecycle Reviews

Articles

User Assessments By Topic About Sonatype Nexus Lifecycle

Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: February 2020.
398,567 professionals have used our research since 2012.

Sonatype Nexus Lifecycle Questions

What is Sonatype Nexus Lifecycle?

Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

Also known as
Nexus Lifecycle
Sonatype Nexus Lifecycle customers

Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance

Highlights
When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead.
It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know.
There is a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature.
The most valuable feature is that I get a quick overview of the libraries that are included in the application, and the issues that are connected with them. I can quickly understand which problems there are from a security point of view or from a licensing point of view. It's quick and very exact.
It was very easy to integrate into our build pipeline, with Jenkins and Nexus Repository as the central product.
Among its valuable features, it's easy to handle and easy configure, it's user-friendly, and it's easy to map and integrate.
It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor.
See more »