FOSSA vs. Sonatype Platform

The only issue we have had is sometimes the web app is too slow, and that causes issues with us wanting to continue to use FOSSA over going with another tool. That is the only problem. I noticed it happened more recently, but if that is solved now or will be solved, I would 100% recommend this tool to anyone!

Incentivized

For a medium to large size organization with the possibility to setup a central support team to support the governance, maintenance and implementation of the Sonatype Platform, the product suite from Sonatype is very well suited. Setting up detailed configurations requires quite some effort and deep understanding of the Sonatype Platform. Whenever needed the support teams from Sonatype are available for technical and functional support. As well the Innovate platform of Sonatype offers customers to interact on specific topics and set up customer reference calls.

• Setup of tool.
• Speed of scans.
• Automated emails with reports.

Incentivized

• Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party opensource packages.
• Nexus IQ is integrated with build stage to analyze the component against evaluation policy. This helps to figure out the application security standards.
• Nexus IQ is also having a feature to scan container images before it uploads to our private repository. This is great feature for container platforms.

• Interface for loading results can be slow, this is the #1 issue we have faced.
• Speed of scans could be improved.

Incentivized

• Recommendations for best Energy Consumption options based on existing BOM - e.g. replace component X with component Y to reduce CPU cycles.
• More specific recommendations regarding Open Source Licensing - not just saying "Copyleft" but the next level of analysis (it's difficult - but would save a lot of time)
• Provide specific component replacement options where no "next version" resolves a high severity vulnerability.

Incentivized

Sonatype supports more than 200 dev(s). It proves with the repository to store the artifacts. Allows for governance of open source software used by the different teams. It is used by security teams to scan for vulnerabilities in software(s) and in the deployed containers. It helps ensure code quality.

Incentivized

Never needed support but the chat and help seem forefront of the app!

Incentivized

Monthly touchpoints with Sinisa has been very valuable.

Incentivized

BlackDuck and Synk

Incentivized

Out of other products we evaluated before choosing Sonatype, the later looked far more user friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers that don't have security as their main focus. Having a tool that is easy to understand and work with, makes the process of evaluating open source dependencies much easier and appealing for developers.

Incentivized

• Hard to measure the ROI, but no doubt having licenses be above board is fantastic for protection of your software.
• Caused developers to make more informed decisions.

Incentivized

• Sonatype's centralized management of artifacts have made it very easy for developers to share code in an efficient manner.
• Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities
• Sonatype's archaic architecture has made it more expensive to manage than it could be.