Sonatype Reviews

Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 5Leaderboard
Apr 27, 2020
We built it directly into our continuous integration cycles and have been able to catch things at build time

What is our primary use case?

The Lifecycle product is for protection, and licensing vulnerabilities issues, in our build lifecycle.

Pros and Cons

  • "The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster."
  • "As far as the relationship of, and ease of finding the relationships between, libraries and applications across the whole enterprise goes, it still does that. They could make that a little smoother, although right now it's still pretty good."

What other advice do I have?

In the early stages of planning and design for rolling this out, ensure that you get all of your stakeholders involved; those who will have an input on the policy settings. Also, ensure you have a process and people involved to deal with the findings. Have that baked into your standard enterprise processes. Don't just turn it on and not know what to do with it.
Wes Kanazawa
Sr. DevOps Engineer at Primerica
Real User
Top 5Leaderboard
Mar 3, 2020
Enables our developers to proactively select components that don't have a vulnerability or a licensing issue

What is our primary use case?

We're using it to change the way we do our open-source. We used to actually save our open-source and now we're moving towards a firewall approach where we are proxy to Maven repos or NPM repos, and we are using those proxies so that we can keep ourselves from pulling in known bad components at build time. We're able to be more proactive on our builds.

Pros and Cons

  • "The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository."
  • "It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good."

What other advice do I have?

My advice would be to use it as soon as you can. Get it implemented into your environment as quickly as you can because it's going to help. Once you get it, get your devs on it because they're going to thank you for it. All of our development is happening using the firewall. All our build pipelines are going through there. As far as licensed users go who can look at Nexus, we've got about 35. They range from devs to security personnel to DevOps people. All our applications are moving over to it, so that's definitely going to increase the usage. We've got about another 200 applications on the…
Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
Real User
Top 5Leaderboard
Mar 19, 2020
Checks our libraries for security and licensing issues

What is our primary use case?

We use the Nexus IQ Server. That is the only product that we use, though there are other affiliated products Sonatype offers which integrates with it. We use it to categorize and index all libraries used in our software. Every time that a new build is created in our CI server, Nexus IQ server will check exactly what libraries that we're using. It does this for our Java libraries, JavaScript, and other things that it finds. Then, it checks a number of things for each of those libraries. E.g., it checks the license that is being used in it. Sometimes with open source software, the license is a… more »

Pros and Cons

  • "With the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. Which is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications."
  • "One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusing to us at first, because we would see a component that would have security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too long effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?""

What other advice do I have?

Do it as early as possible. You will have to clean up sooner or later. I remember when we fired it up it immediately found things that the last solution didn't find. This made sense after we realized that IQ Server gets continued updates and our last solution was just getting updates whenever we were able to get new hard drives sent to us. Our first scan popped up with a number of high vulnerability and security issues. At that time the Sonatype people were on a call with us to help us out setting it up. We asked them if seeing this many alerts was pretty average and they told us it was pretty…
Ryan Carrie
Security Analyst at a computer software company with 51-200 employees
Real User
Top 5Leaderboard
Apr 28, 2020
Enables me to choose a vulnerable library and see versions that don't have any listed vulnerabilities

What is our primary use case?

Our use case for Nexus is to monitor all of our dependencies and the main thing we're using it for is tracking vulnerabilities listed against those.

Pros and Cons

  • "The policy engine is really cool. It allows you to set different types of policy violations, things such as the age of the component and the quality: Is it something that's being maintained? Those are all really great in helping get ahead of problems before they arise. You might otherwise end up with a library that's end-of-life and is not going to get any more fixes."
  • "The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet."

What other advice do I have?

Take some time configuring your notifications and your JIRA integration properly, along with the policy tweaks. As you integrate and as you first deploy the tool, don't block any builds until you start to catch up on any issues that may be there. Really spend some time with that policy review and make sure it encompasses and aligns with your vulnerability management policy appropriately. It is incorporated in all of our software branches, and we keep our most recent end-of-life branch active in it just to monitor for critical issues, so we can notify the community to upgrade. We may also add…

Sonatype Questions

Mike_Wu
Senior Manager, IT at cgs-cimb
Feb 19 2021

I'm researching Nexus and Artifactory. Which one is the better option for a binary repository and for deployment too?


LaddadaNadjet
User
Dec 17 2020

Hi everybody,


May I know the end of life of the Sonatype Nexus Repository 3.27.0-03 and end of life of versions after this one?


Thank you.


Best regards.

Miriam Tover
Content Specialist
IT Central Station

If you were talking to someone whose organization is considering Sonatype Nexus Lifecycle, what would you say?

How would you rate it and why? Any other tips or advice?

Miriam Tover
Content Specialist
IT Central Station

How do you or your organization use this solution?

Please share with us so that your peers can learn from your experiences.

Thank you!

Julia Frohwein
Content and Social Media Manager
IT Central Station

Please share with the community what you think needs improvement with Sonatype Nexus Lifecycle.

What are its weaknesses? What would you like to see changed in a future version?

Julia Frohwein
Content and Social Media Manager
IT Central Station

Hi Everyone,

What do you like most about Sonatype Nexus Lifecycle?

Thanks for sharing your thoughts with the community!

Miriam Tover
Content Specialist
IT Central Station

Hi,

We all know it's really hard to get good pricing and cost information.

Please share what you can so you can help your peers.