Sonatype Software and Solutions
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
We built it directly into our continuous integration cycles and have been able to catch things at build time
What is our primary use case?
The Lifecycle product is for protection, and for licensing vulnerability issues, in our build lifecycle.
Pros and Cons
- "The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster."
- "As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good."
What other advice do I have?
In the early stages of planning and design for rolling this out, ensure that you get all of your stakeholders involved: those who will have input on the policy settings. Also, ensure you have a process and people involved to deal with the findings. Have that baked into your standard enterprise processes. Don't just turn it on and not know what to do with it.
Enables our developers to proactively select components that don't have a vulnerability or a licensing issue
What is our primary use case?
We're using it to change the way we do our open-source. We used to actually save our open-source and now we're moving towards a firewall approach where we proxy to Maven repos or NPM repos, and we are using those proxies so that we can keep ourselves from pulling in known bad components at build time. We're able to be more proactive on our builds.
Pros and Cons
- "The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
- "It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."
What other advice do I have?
My advice would be to use it as soon as you can. Get it implemented into your environment as quickly as you can because it's going to help. Once you get it, get your devs on it because they're going to thank you for it. All of our development is happening using the firewall. All our build pipelines are going through there. As far as licensed users go who can look at Nexus, we've got about 35. They range from devs to security personnel to DevOps people. All our applications are moving over to it, so that's definitely going to increase the usage. We've got about another 200 applications on the…
Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
Checks our libraries for security and licensing issues
Pros and Cons
- "With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily, which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
- "One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusion for us at first, because we would see a component that would have a security ticket or security notification on it and wonder, "Where is this coming in from?" Because when we checked what we defined as our dependencies, it's not there. It didn't take us too much effort to realize that it was a transitive dependency pulled in by something else, but the question then remains, "Which dependency is doing that?""
What other advice do I have?
Do it as early as possible. You will have to clean up sooner or later. I remember when we fired it up it immediately found things that the last solution didn't find. This made sense after we realized that IQ Server gets continued updates and our last solution was just getting updates whenever we were able to get new hard drives sent to us. Our first scan popped up with a number of high vulnerability and security issues. At that time the Sonatype people were on a call with us to help us with setting it up. We asked them if seeing this many alerts was pretty average and they told us it was pretty…
Security Analyst at a computer software company with 51-200 employees
Enables me to choose a vulnerable library and see versions that don't have any listed vulnerabilities
What is our primary use case?
Our use case for Nexus is to monitor all of our dependencies, and the main thing we're using it for is tracking vulnerabilities listed against those.
Pros and Cons
- "The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
- "The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."
What other advice do I have?
Take some time configuring your notifications and your JIRA integration properly, along with the policy tweaks. As you integrate and as you first deploy the tool, don't block any builds until you start to catch up on any issues that may be there. Really spend some time with that policy review and make sure it encompasses and aligns with your vulnerability management policy appropriately. It is incorporated in all of our software branches, and we keep our most recent end-of-life branch active in it just to monitor for critical issues, so we can notify the community to upgrade. We may also add…
Feb 19 2021
Sonatype Nexus Repository vs JFrog Artifactory: which one is better for Binary Repository and deployment?
I'm researching Nexus and Artifactory. Which one is the better option for a binary repository and for deployment too?
Dec 17 2020
May I know the end of life of the Sonatype Nexus Repository 3.27.0-03 and end of life of versions after this one?