Sonatype Nexus Lifecycle Overview
Sonatype Nexus Lifecycle is the #1 ranked solution of our top Software Composition Analysis (SCA) tools. It is rated 4.3 out of 5 stars, and is most often compared to SonarQube: Sonatype Nexus Lifecycle vs SonarQube
What is Sonatype Nexus Lifecycle?
Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.
Sonatype Nexus Lifecycle is also known as Nexus Lifecycle.
Sonatype Nexus Lifecycle Buyer's Guide
Download the Sonatype Nexus Lifecycle Buyer's Guide including reviews and more. Updated: April 2020
Sonatype Nexus Lifecycle Customers
Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
Sonatype Nexus Lifecycle Video
What users are saying about Sonatype Nexus Lifecycle pricing:
- "The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too."
- "In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
- "We're pretty happy with the price, for what it is delivering for us and the value we're getting from it."
Sonatype Nexus Lifecycle Reviews
- Highest Rating
- Lowest Rating
- Review Length
Showingreviews based on the current filters.
Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
Checks our libraries for security and licensing issues
Pros and Cons
- "With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
- "One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusing to us at first, because we would see a component that would have security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too long effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?""
What other advice do I have?Do it as early as possible. You will have to clean up sooner or later. I remember when we fired it up it immediately found things that the last solution didn't find. This made sense after we realized that IQ Server gets continued updates and our last solution was just getting updates whenever we were able to get new hard drives sent to us. Our first scan popped up with a number of high vulnerability and security issues. At that time the Sonatype people were on a call with us to help us out setting it up. We asked them if seeing this many alerts was pretty average and they told us it was pretty…
Security Team Lead at Tyro Payments Limited
Real UserTop 20
Mar 13, 2019
Low false-positive count and the vulnerability-upgrade overview are key features for us
What is our primary use case?It's mainly used to scan for security issues in any components that we use. There are two parts to it, the license part and the security part. We use it generally for the security, but we also do have scans for the license stuff too.
Pros and Cons
- "It scans and gives you a low false-positive count... The reason we picked Lifecycle over the other products is, while the other products were flagging stuff too, they were flagging things that were incorrect. Nexus has low false-positive results, which give us a high confidence factor."
- "What's really nice about that is it shows a graph of all the versions for that particular component, and it marks out the ones that have a vulnerability and the ones that don't have a vulnerability."
- "We created the Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing."
- "Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central... But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be."
What other advice do I have?My advice is that you should definitely use it. You need to think about the rollout and to make sure you integrate it into the software development lifecycle. That's where you get the most value because it provides quick feedback for developers. Be mindful of the rollout and breaking the builds. I don't think other companies that we spoke chose to break builds, but we do that and that is a sensitive topic for developers if you choose to do that. We don't use the application onboarding and policy grandfathering features at all. I suggested that to them, but the main reason we don't use them is…
Learn what your peers think about Sonatype Nexus Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
448,542 professionals have used our research since 2012.
Sr. Enterprise Architect at MIB Group
Real UserTop 10
Mar 11, 2020
Provides us with ease of development, the ability to automate a lot of the build-and-deploy process
What is our primary use case?We are using the Nexus Repository Manager Pro as exactly that, as an artifact repository. We tend to store any artifact that our application teams build in the repository solution. We also use it for artifacts that we pull down from open-source libraries that we use and dependencies that come from Maven Central. We use it to proxy a few places, including JCenter. We also use it as a private Docker registry, so we have our Docker images there as well. We're on version 3.19. We also have Nexus IQ server, which wraps up within it Nexus Firewall.
Pros and Cons
- "Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well."
- "Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side."
What other advice do I have?Nexus Repository is a very specific product. It does very specific things. It's an artifact repository. I would suggest, if you're starting out, to start out with the open-source version and see if it meets your day-to-day needs. If it does, as you start to use it your development teams come to rely on it and it becomes one of those things that if it were to go down, all of your development would stop. So it mandates you to look at the professional version so that you get some backend support from Sonatype in the case that something should happen to it. Our company, as a whole, has about 150…
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
Oct 3, 2019
Interactive view provides recommendations on particular versions or licenses needed
What is our primary use case?Our primary use case is preventing major security vulnerabilities. We use it as part of build our pipeline. We have a plugin that gets scanned by Sonatype as the build runs and it scans for all third-party dependencies. We haven't yet gotten to the point where we fail a build, but we make the matrix visible so we know where we need to focus. In the coming months, we plan to actually start failing builds and preventing releases which have certain vulnerabilities, from going into production.
Pros and Cons
- "The grandfathering mode allows us to add legacy applications which we know we're not going to change or refactor for some time. New developments can be scanned separately and we can obviously resolve those vulnerabilities where there are new applications developed. The grandfathering is a good way to separate what can be factored now, versus long-term technical debt."
- "If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time."
What other advice do I have?Have a key, a defined goal because, as much as the tool is there, it isn't able to create a goal. The goal is, "We would like to improve the security of our codebase by at least X percent, ensure that 90 percent of our applications, for example, going to market are secure applications." With that goal in place, I would look at purchasing the tool because it would be an immediate implementation of that strategy. We bought the tool with that idea in mind, but nothing clearly defined on a granular policy level. But that's ultimately what makes the difference, to say we are focusing on looking at…
Enterprise Infrastrcture Architect at Qrypt
Real UserTop 20
Jul 20, 2020
Has brought open-source intelligence and policy enforcement across our software development life cycle for almost all of our applications
What is our primary use case?We have a few applications that we're developing that use several different languages. The first ones we did were Python and Yum Repository applications. Recently we've started scanning C and C++ applications that use Conan Package Manager. We will soon start doing node applications with NPM. Our use case is that we primarily rely on the IQ server to ensure we don't have open source dependencies in our applications that have security vulnerabilities, and to ensure that they're not using licenses our general counsel wants us to avoid using.
Pros and Cons
- "When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."
- "They're working on the high-quality data with Conan. For Conan applications, when it was first deployed to Nexus IQ, it would scan one file type for dependencies. We don't use that method in Conan, we use another file type, which is an acceptable method in Conan, and they didn't have support for that other file type. I think they didn't even know about it because they aren't super familiar with Conan yet. I informed them that there's this other file type that they could scan for dependencies, and that's what they added functionality for."
What other advice do I have?I don't have any reason to rate it less than 10 out of ten. It's been really solid, really helpful, and it will pay off hugely as we continue to expand.
DevSecOps at a financial services firm with 10,001+ employees
Real UserTop 20
Feb 28, 2019
Delivers a huge reduction in development lifecycle duration; automatically blocks insecure open-source libraries
What is our primary use case?We use it to automate DevSecOps.
Pros and Cons
- "When developers are consuming open-source libraries from the internet, it's able to automatically block the ones that are insecure. And it has the ability to make suggestions on the ones they should be using instead."
- "It's online, which means if a change is made to the Nexus database today, or within the hour, my developers will benefit instantly. The security features are discovered continuously. So if Nexus finds out that a library is no longer safe, they just have to flag it and, automatically, my developers will know."
- "There is a feature called Continuous Monitoring. As time goes on we'll be able to know whether a platform is still secure or not because of this feature."
- "They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity."
- "In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tool used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON."
What other advice do I have?My advice is "do it yesterday." You save yourself a lot of money. Even during one, two, or three weeks, it's going to cost you a lot of money to fix the security vulnerabilities that you are ingesting in your development lifecycle. You could be avoiding that by using a product like Lifecycle. With Lifecycle, the product itself, the intelligence is contained in the implementation called IQ Server. IQ Server has a component called Firewall. The Firewall, as the libraries are ingested into the organization, will scan each and every one of them. Depending on the policies, it's customizable as…
DevOps Engineer at a tech vendor with 51-200 employees
Mar 11, 2020
We no longer have to write or maintain scripts, but important features are still missing
Pros and Cons
- "The REST API is the most useful for us because it allows us to drive it remotely and, ideally, to automate it."
- "We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
- "It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level."
What other advice do I have?My advice would be to look at your needs and the features the solution provides. In the last version they released, we were a little bit disappointed by the difference between the marketing and the reality. The product was not yet finished compared to how it was described. Aside from this bad aspect, it's mainly about good practices and looking at common, standard practices. Start with the basics and common stuff and try to evolve it eventually and change some things. Don't try doing something too much complex at the beginning. The tool's default policies and the policy engine seem pretty…
Application Security at a comms service provider with 1,001-5,000 employees
Jul 15, 2020
Gets our developers to think about the third-party libraries they're pulling into the system, in terms of security
What is our primary use case?We have it implemented and integrated into our CI/CD pipeline, for when we do builds. Every time we do a build, Jenkins reaches out and kicks off a scan from the IQ Server. We use it to automate open source governance and minimize risk. All of our third-party libraries, everything, comes through our Nexus, which is what the IQ Server and Jenkins are hooked into. Everything being developed for our big application comes through that tool. We have Nexus Firewall on, but it's only on for the highest level of vulnerabilities. We have the firewall sitting in front to make sure we don't let anything… more »
Pros and Cons
- "The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you."
- "One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
What other advice do I have?The biggest thing we've learned from using it is that, from a development point of view, we just never realized what types of badness are in those third-party libraries that we pull in and use. It has been an eye-opener as to just how bad they can be. As far as Lifecycle's integration into developer tooling like IDEs, Git Repos, etc., I don't set that up. But I have not heard of any problems from our guys, from the team that set that stuff up. I like the tool overall and would rate it at about nine out of 10. There are a few UI-type things that I don't like, that I would like to work a…
See 13 more Sonatype Nexus Lifecycle Reviews
Download our free Sonatype Nexus Lifecycle Report and get advice and tips from experienced pros sharing their opinions.
- Penetration Testing
- Code Analysis
- Primary Use Case
- Valuable Features
- Room for Improvement