Sonatype Nexus Lifecycle Room for Improvement

Security Team Lead at Tyro Payments Limited
We created a Wiki page for each team showing an overview of their outstanding security issues because the Lifecycle reporting interface isn't as intuitive. It is good for people on my team who use it quite often. But for a tech engineer who doesn't interact with it regularly, it's quite confusing. We did that because we got so many questions about it all the time. There are other areas for improvement. The most recent one - something I haven't shared with Sonatype yet but I intend to - is with the creating of defect tickets. The solution has something that is really useful, its integration with JIRA, and it creates tickets if there's an issue. What I thought would be really good was, from the moment we break builds, there is no way to track, from a management perspective, how we are doing. We are looking at creating tickets. The problem with the tickets, which is the where there is room for Sonatype to grow, is that there is no flexibility in terms of customizing the entries in the tickets. There are certain things they put in for you, they tell you what application it is, but what I'd really like to be able to do is say, "Fill in this field with the name of the application. Fill in this field with the name of the owner. Or set a due date to be X days from when it was raised. They don't allow that. They allow hard-coded values across everything in Nexus IQ. It doesn't work well because the tickets created depend on the use case. We would like to create these tickets and give them directly to the teams that have to look after them. We want to be able to assign them to the right person, based on the application that is used. " We are looking at finding ways to integrate with it because they don't have that. Another feature they could use is more languages. Sonatype has been mainly a Java shop because they look after Maven Central. And we have been mainly a Java shop in development. But we've slowly been branching out to different languages. They don't cover all of them, and those that they do cover are not as in-depth as we would like them to be. They don't have the same level of coverage as the main language, which is Java. View full review »
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
They have recently released some online training documentation, because we had to a lot of our own learning. If they had a more comprehensive online tutorial base, both for admin and developers, that would help. It would be good if they actually ran through some scenarios, regarding what happens if I do pick up a vulnerability. How do I fork out into the various decisions? If the vulnerability is not of a severe nature, can I just go ahead with it until it becomes severe? This is important because, obviously, business demands certain deliverables to be ready at a certain time. So, some online tutorials around the administration, around developers, on how to use the tool effectively, would be a good idea. Where we have extended is that we're using third-party Docker containers. So, we're not just using third-party libraries, but we also have third-party-type Docker containers, or containers from Docker Hub, for example. Somebody else has built the Docker image and we're using the Docker image. Scanning of security and vulnerabilities on that image, specifically, would be useful. It would be good, as we're building an image, or as we're running an image, if we could decompile that image and scan it, to look for any vulnerabilities or any areas where there's been a violation of licensing. For example, we could download a WebLogic container, which could be an infringement of licensing. It's things like that which our developers need to be mindful of. They could simply download any container from Docker Hub, without being aware of the licensing violations or the security vulnerabilities. View full review »
Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
They could do with making more plugins for the more common integration engines out there. Right now, it supports automation engine by Jenkins but it doesn't fully support something like TeamCity. That's where they could make the most improvements. In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tool used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON. They should improve the reporting so that the format can be expanded. View full review »
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: January 2020.
391,932 professionals have used our research since 2012.
Devin Duffy
Information Security Specialist at a financial services firm with 1,001-5,000 employees
Application onboarding is a little bit clunky. But I use their API for that, and their API is alright. Their documentation is pretty good but there was a little bit of a learning curve with it. Onboarding an application through the GUI is intuitive but it's time-consuming. By time-consuming I mean for huge, enterprise-level companies, I don't mean for a small organization. For a small organization, it's not going to be prohibitive, but it's for large organizations with many enrollments that the GUI becomes unfeasible. I would also like to see a separate repo for components that have been un-quarantined for specific teams to use. View full review »
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Overall, it's pretty good. The drill-through and search capabilities are pretty good, they're not horrible. As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good. It's taking an eight out of ten and asking it to be a ten. View full review »
Sr Lead Solution Services at a financial services firm with 201-500 employees
We use Griddle a lot for integrating into our local builds with the IDE, which is another built system. There is not a lot of support for it nor published modules that can be readily used. So, we had to create our own. No Griddle plugins have been released. One of the challenges is getting the policy correct. You need to understand when to grandfather components, then come back and do it. Currently, there's no feature in Nexus IQ which says when you grandfather a component, or behave a component. There's no feature to remind me again in two months' time, for example. I had to access a grandfather competent today because I couldn't afford to fix it because of different constraints. I might grandfather it for now, or I might leave it for now, but if there was an option to remind me in two months, or unwaive it in two months' time, that would make it seamless. That way I wouldn't have to remember that there's something to be done. It would automatically start breaking bills and automatically someone will look at it. View full review »
IT Security Manager at a insurance company with 5,001-10,000 employees
The GUI is simple, so it's easy to use. It started as great to use, but for larger scale companies, it also comes with some limitations. This is why we tried to move to more of an API approach. So, the GUI could use some improvements potentially. Something else that's a bit lacking is most of our components are not explicitly included but are transitive dependencies. We have 50 applications that all report security issues, but they all come from one central library that we built ourselves, which is also scanned by Lifecycle. So, we have 51 components, and we are not seeing that only one of them is really the one we should be targeting. What would be really great in the solution would be some dependency graphing, or at least collecting the transitive dependencies. That would help for larger scale implementations. The Success Metrics report is really focused on very specific numbers that are not interesting to us. They are for when you are much further along in the onboarding process. There is an API which allows you to retrieve the data on which the Success Metrics are based. We use this API to create our own charts, reflecting what we're looking for. View full review »
Axel Niering
Achitekt at SV Informatik GmbH
If there is something which is not in Maven Central, sometimes it is difficult to get the right information because it's not found. And if you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly, so the applications are not found anymore. This is something that could be improved in future. Also, I have seen in Black Duck, for example, that there is also information about exploits there are known for a given vulnerability. This is something I haven't seen or haven't found yet in Nexus Lifecycle. If there is a known exploit to a vulnerability, this could be something that is useful to know as well. View full review »
Java Development Manager at a government with 10,001+ employees
It doesn't provide real-time notifications from the scans. We have to re-scan every time, whenever a build happens. Also, since Nexus Repository just keeps on adding the .jar artifacts whenever there is a build, whenever an application is going up, there is always a space issue on the server. That is one of the things that we are looking for Nexus to notify us about: if it is running out of space. View full review »
Systems Analyst at Thrivent Financial for Lutherans
The only thing I can say is that sometimes we face difficulties with Maven Central. We are integrating everything with that, as a repository. If Maven Central changes something in its versions... For example, if I'm using the 1.0.0 version, after one or two years, the 1.0.0 version will be gone from Maven Central but our team will still be using that 1.0.0 version to build. When they do builds, it won't build completely because that version is gone from Maven Central. There is a difference in our Sonatype Maven Central. That is the only issue I have seen so far. If an old version is gone, it's not able to use it anymore. Is there any way we can keep the old versions in our local repository instead of in Maven Central? View full review »
Gus Orologas
Lead IT Security Architect at a transportation company with 10,001+ employees
Getting it integrated depends on your structure and how your DevOps teams are structured. The biggest thing is getting it used uniformly across all the different teams. It's more of a process issue. The process needs to be thought out about how it's going to be used, what kind of training there will be, and how it's going to be socialized, how it's going to be rolled out and controlled, enterprise-wide. That's probably more of a challenge than the technology itself. It's pretty simple to get up and running. It's not really an enterprise solution, like Active Directory, which you can enforce on everyone. It's something that's done through each little vertical. View full review »
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: January 2020.
391,932 professionals have used our research since 2012.