2019-02-19T08:38:00Z

What is your primary use case for Sonatype Nexus Lifecycle?


How do you or your organization use this solution?

Please share with us so that your peers can learn from your experiences.

Thank you!

19 Answers

Top 10, Real User

During development, if there are new libraries that need to be used, then we scan them first to see if they are secure or valid. If there is a threat, we check whether we can avoid it or use alternatives. Also, before each release, it is mandatory for us to scan the code before we release it. It was installed at the beginning of the year, so I think we are using the latest version.

2020-05-03T06:36:00Z
Real User

Our use case for Nexus is to monitor all of our dependencies and the main thing we're using it for is tracking vulnerabilities listed against those.

2020-04-26T06:32:00Z
Top 5 Leaderboard, Real User

We develop software for our insurance systems. 80 percent of the software consists of third-party libraries, not self-developed code. These third-party libraries develop security vulnerabilities over time, license issues, etc. With the Sonatype Lifecycle solution, we can easily identify the most critical vulnerabilities and give developers easy-to-use tools to remediate issues.

2020-03-08T10:06:00Z
Top 10, Real User

We are using the Nexus Repository Manager Pro as exactly that, as an artifact repository. We tend to store any artifact that our application teams build in the repository solution. We also use it for artifacts that we pull down from open-source libraries that we use and dependencies that come from Maven Central. We use it to proxy a few places, including JCenter. We also use it as a private Docker registry, so we have our Docker images there as well. We're on version 3.19. We also have Nexus IQ server, which wraps up within it Nexus Firewall.

2020-03-03T08:47:00Z
Real User

We have many use cases. Our main use case is focused on Nexus Repository and a little bit on Nexus IQ, including Lifecycle. The basic use case is storing Maven, Java, JavaScript, and other kinds of artifacts. For some years now we have implemented more complex solutions to manage releases and staging. Since Nexus Repository introduced that feature for free and natively, we moved to the feature provided for managing release staging.

2020-03-01T06:37:00Z
Top 5 Leaderboard, Real User

We use the Nexus IQ Server. That is the only product that we use, though there are other affiliated products Sonatype offers which integrate with it. We use it to categorize and index all libraries used in our software. Every time that a new build is created in our CI server, Nexus IQ Server will check exactly which libraries we're using. It does this for our Java libraries, JavaScript, and other things that it finds. Then, it checks a number of things for each of those libraries. E.g., it checks the license that is being used in it. Sometimes with open source software, the license is a bit more restrictive than might be convenient for what you are doing. Maybe it doesn't allow you to make changes to the library. Or, it's free to use for nonprofits, but if you're using it in a product which does make a profit, then you might have to purchase a license. Therefore, it protects us from accidentally misusing open source software and is protection against legal issues. A bigger, ongoing use case is security. Sonatype checks security vulnerabilities that come up for all these libraries. Oftentimes, as a developer, you add a library that you want to use, and then you might check for security issues. Sometimes a problem comes up after your product is already live. IQ Server checks all libraries that we're using for security issues, reporting these, and allowing us to go through and see them to determine, "Is this something that we can waive?" It might be a very specific use case which doesn't actually affect us, or we might have to mitigate it. Also, if a vulnerability or security issue is found in libraries later, it will send out alerts and notifications if a library is being used in our production environment, letting us know there is an issue. This allows us to address it right away, then we can make the decision, "Do we want to do a hotfix to mitigate this? Or is it something that isn't an issue in our case because we're not using it in a way that exposes the vulnerability?" This gives us peace of mind that we will be notified when these types of things occur, so we can then respond to them.

2020-03-01T06:37:00Z
Top 5 Leaderboard, Real User

We're using it to change the way we do our open source. We used to actually save our open source, and now we're moving towards a firewall approach where we proxy Maven repos or NPM repos, and we use those proxies so that we can keep ourselves from pulling in known bad components at build time. We're able to be more proactive on our builds.

2020-02-27T06:23:00Z
Top 10, Real User

We have it running on the majority of our builds for all of our applications and we use Jenkins for our build system. Eventually, the goal is to incorporate this into Jenkins so that if we don't get a good enough result on both Nexus IQ and SonarQube, we'll actually fail the Jenkins build. That way we force ourselves to maintain good metrics on both of them. So Nexus IQ is making sure that we're using dependencies that don't have known vulnerabilities. And SonarQube is making sure that our code maintains a certain level of quality. Unfortunately, we haven't been able to take full advantage of Nexus. It's set up and it's working, but we haven't rolled it fully into our development process. Our builds use it, but we're not using the information from it a whole lot. The solutions are running, but we're not enforcing the results from them and, therefore, our developers aren't driven to make absolutely sure that they are going well. Hopefully, we'll get there soon.

2020-02-26T05:55:00Z
Top 5 Leaderboard, Real User

We have two use cases. We're predominantly a products company and we scan our products, in a controlled way, to make sure they're not using open-source software. We want to make sure that we're licensed correctly for our products and the way they are deployed. There are also security reasons for making sure that our products aren't introducing vulnerabilities and, if they are, that we can address them. And part of our business is that we build bespoke software. Some of our customers want to make sure that the open-source software is being used correctly in the software we build for them. And, again, we want to protect that software against security vulnerabilities that might be introduced by open-source software. We also use the solution to help with open-source governance and minimize risk. When we are acquiring a new company, for example, we will automatically, as part of the due diligence on that purchase, scan their products to make sure they don't have vulnerabilities that we are not prepared to accept. So it helps us to make sure, before we make any purchase, that the target acquisition is of suitable quality, in terms of its open-source use.

2020-02-19T08:48:00Z
Top 10, Real User

At the moment, we are primarily targeting security vulnerabilities, and only those with high severity. We have it configured not to block anything at this stage. We only aim for visibility at the moment. We might eventually start blocking or failing builds, but right now, we only want to have visibility. We are still pretty early in our adoption phase. We are onboarding new applications much quicker than we are remediating issues in the existing ones.

2020-01-19T06:38:00Z
Top 5 Leaderboard, Real User

Our primary use case is for the SAS testing. This is the dynamic composition analysis that we need to do. In our apps, we do a lot of bespoke development and use a lot of third-party components. Therefore, it is critical to know what is embedded within the third-party components that we may not directly be responsible for. The main use case is for scanning and ensuring that the deployments that we are adding to our servers are as secure as we can make them. We use it for scanning alone. That is our way of mitigating risk. We just upgraded to the latest version.

2019-08-21T06:36:00Z
Real User

Our primary use case is preventing major security vulnerabilities. We use it as part of our build pipeline. We have a plugin that gets scanned by Sonatype as the build runs, and it scans all third-party dependencies. We haven't yet gotten to the point where we fail a build, but we make the metrics visible so we know where we need to focus. In the coming months, we plan to actually start failing builds and preventing releases which have certain vulnerabilities from going into production.

2019-07-08T07:42:00Z
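Several of the answers above describe the same gate from different stages of adoption: resolve the third-party components of a build, look each one up against known vulnerabilities, apply a severity threshold, let a reviewer waive a finding that does not apply to the product, and run either in visibility-only mode or in a mode that fails the build. The script below is an added example of that logic, not code from this page or from Sonatype's products. Everything in it is an assumption for illustration: the `mvn dependency:list` output, the `VULN_FEED` lookup table, the `EX-…` advisory identifiers and their CVSS scores are all constructed; a real pipeline would get the feed from the IQ Server or another vulnerability source.

```python
"""Illustrative dependency policy gate of the kind the reviewers describe:
resolve the third-party components of a build, look each one up in a
vulnerability feed, apply a severity threshold and any waivers, then either
report only or fail the build. Added example, not Sonatype's own code; the
dependency list, advisory identifiers and scores below are constructed."""

import re
from dataclasses import dataclass

# One line of `mvn dependency:list` output: groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+):(?:([^:\s]+):)?([^:\s]+):([^:\s]+)\s*$"
)

def parse_maven_dependency_list(text, scopes=("compile", "runtime")):
    """Turn resolved Maven coordinates into package URLs (pkg:maven/group/artifact@version),
    keeping only the scopes that ship to production."""
    purls = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m and m.group(6) in scopes:
            group, artifact, version = m.group(1), m.group(2), m.group(5)
            purls.append(f"pkg:maven/{group}/{artifact}@{version}")
    return purls

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    component: str
    vuln_id: str
    cvss: float
    waived: bool

def evaluate(components, feed, threshold="high", waivers=(), enforce=False):
    """Return (passed, findings, blocking).

    `waivers` holds (component, vuln_id) pairs a reviewer has accepted, for
    example because the vulnerable code path is not reachable in this product.
    With enforce=False the gate is visibility-only: findings are reported but
    the build always passes. With enforce=True any unwaived finding at or above
    `threshold` fails it."""
    waived = set(waivers)
    findings = [
        Finding(comp, vuln_id, cvss, (comp, vuln_id) in waived)
        for comp in components
        for vuln_id, cvss in feed.get(comp, [])
    ]
    blocking = [
        f for f in findings
        if not f.waived and SEVERITY_RANK[severity(f.cvss)] >= SEVERITY_RANK[threshold]
    ]
    passed = not (enforce and blocking)
    return passed, findings, blocking

# Constructed `mvn dependency:list` output for a small application (test scope is not shipped).
MVN_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:parser:jar:1.0.0:compile
[INFO]    org.example:logging:jar:2.4.1:runtime
[INFO]    org.example:util:jar:3.0.0:compile
[INFO]    org.example:testkit:jar:1.1.0:test
"""

# Constructed feed: package URL -> [(advisory id, CVSS score)]. Placeholder ids, not real advisories.
VULN_FEED = {
    "pkg:maven/org.example/parser@1.0.0": [("EX-2020-0001", 9.8), ("EX-2020-0002", 5.3)],
    "pkg:maven/org.example/logging@2.4.1": [("EX-2019-0100", 7.5)],
}

if __name__ == "__main__":
    comps = parse_maven_dependency_list(MVN_DEPENDENCY_LIST)
    passed, findings, blocking = evaluate(comps, VULN_FEED, threshold="high", enforce=True)
    for f in findings:
        flag = "WAIVED" if f.waived else ("BLOCK" if f in blocking else "info")
        print(f"{flag:6} {severity(f.cvss):8} {f.cvss:4} {f.vuln_id} {f.component}")
    print("gate:", "PASS" if passed else "FAIL")
```

Running the script with `enforce=True` and a `high` threshold fails on the two findings rated high or critical while still listing the medium one for visibility; switching to `enforce=False` reproduces the "visibility only" stage several reviewers describe, and a waiver for a specific (component, advisory) pair removes only that finding from the blocking set while keeping it in the report.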
Top 5 Leaderboard, Real User

The Lifecycle product is for protection against vulnerability and licensing issues in our build lifecycle.

2019-06-27T08:13:00Z
Real User

We use it as a repository manager. We store all our software application artifacts there. We also use it for the vulnerabilities.

2019-06-27T06:06:00Z
Top 20, Real User

We're using it for looking at code libraries in our automatic build process for the cloud. We want to check code libraries for security, to make sure that there are no vulnerabilities in the code libraries that people are uploading, and we want to do that early in the process so it's not being caught at the tail end. We use it to automate open source governance and minimize risk.

2019-03-26T08:09:00Z
Top 20, Real User

It's mainly used to scan for security issues in any components that we use. There are two parts to it, the license part and the security part. We use it generally for the security, but we also do have scans for the license stuff too.

2019-03-06T07:41:00Z
Top 20, Real User

Our use case is to check and evaluate third-party libraries for vulnerabilities and licensing problems. We are integrating it into our build pipeline as well.

2019-02-24T10:18:00Z
Top 20, Real User

The solution is mainly providing security, as well as creating threshold values. In terms of dependencies, it helps us with which ones are used and which are not, which need to be kept, which do not need to be kept.

2019-02-19T08:38:00Z
Top 20, Real User

We use it to automate DevSecOps.

2019-02-19T08:38:00Z
Updated: April 2020.