We are using Sonatype Nexus Lifecycle as an SCA solution. It helps us in identifying open-source vulnerabilities. We use it extensively to scan software builds for components with existing vulnerabilities and malicious components. The solution helps us manage and secure the component part of our software supply chain. It is a very easy tool to work with. The engine is designed to calculate and decide whether a security vulnerability exists or not.
I would say that some of the main advantages of using Nexus Lifecycle are:
Easy setup: The initial deployment was run from a cloud template; it was very fast and straightforward.
Reports and insights: The data that is generated around the vulnerabilities and the way it is distributed across different severities is very helpful. It guides us on what decisions to take in terms of what should be ignored and what should be worked on.
Helpful IDE: The Nexus Lifecycle editor has some very useful plugins. While developers are writing code, Sonatype can prevent them from writing something that might cause a security vulnerability.
Scalability: The solution scales well. We have gone from limited usage to very extensive usage, with no negative effect on the performance.
Stability: We haven't encountered any stability challenges, either from the software end or from the infrastructure. If there is an issue of any type, we get a direct alert.
Compliance: We have excellent visibility into both legal and security policies. The product allows us to maintain compliance for third-party libraries as well.
One disadvantage is that the price of the solution is a bit high.
Software Composition Analysis (SCA) is a crucial process that helps organizations identify, assess, and manage open source components within their software applications. With SCA tools, businesses can achieve several benefits, including identifying open source components, assessing security risks, ensuring compliance with licenses, and enhancing overall software quality.