TrustRadius: an HG Insights company

Sonatype Platform Reviews and Ratings

Rating: 8.6 out of 10

Community insights

TrustRadius Insights for Sonatype Platform are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Efficient Integration and Automation: Users have praised the platform for its seamless integration with CI/CD pipelines, making tasks more efficient and straightforward. Some users appreciate the automation capabilities that streamline processes.

Valuable Vulnerability Detection: The vulnerability detection feature provided has been found helpful by users in identifying vulnerabilities and malicious code within builds. Users value the developer-friendly vulnerability reports that aid in understanding and addressing security issues effectively.

Real-Time Monitoring Capabilities: Many users appreciate the real-time monitoring of components throughout the software development lifecycle offered by the platform. This key feature is seen as valuable for maintaining security standards and ensuring a proactive approach to security management.

Reviews

14 Reviews

Enables Development Teams to make informed decisions

Rating: 8 out of 10

Use Cases and Deployment Scope

We use the Sonatype Platform in the Software-Development-Process to make sure we a) are better informed on what goes live and what not and b) research what problems can be fixed how and when. These 2 tools help to make sure we also can add Quality-Gates to our CI/CD pipelines.

Pros

  • Inform about vulnerabilities and how to fix them
  • Make sure we load safe packages via a secure proxy
  • Create an inventory of apps with SBOMs to understand our products and the risks better
  • Host our own private packages
  • Integrations in IDE and Browsers
  • Awesome support
  • Fresh information every month at the "Office Hours"

Cons

  • Not all of the programming languages on the Top20 of TIOBE Index are covered - PHP is third party and breaks Upgrade-Paths to an external database currently
  • JetBrains IDE support is "only on Java", but shows for "all products" as enabled, which it isn't; this creates confusion on a daily/weekly basis
  • New feature Sonatype Developer is hidden behind "Tile Designs", you have to constantly switch between setups/environments/apps??? You always have to look for how to get back to the other apps. Very confusing on the developer side. Devs commonly want to use tools that are easy and help the workflow, not complicate it by being sort of hidden
  • Nexus Repos Log viewer is missing a "Date" selector, viewing the "last 25/50/100kb" in an active environment isn't that helpful
  • Nexus IQ is missing a system where I can set up footer-links for Legal-Purposes and also a tool that shows me my users, like Nexus Repo has built in

Likelihood to Recommend

  • Guidance on remediation is very good
  • Vulnerability detection is very good
  • Support is very good
  • Ability to ask PMs/POs open questions at Office Hours every month is very good
  • Support for languages is lacking (TIOBE Index Top20)
  • Some features are unnecessarily hidden and make the usage more complex than it needs to be

Sonatype Platform at scale

Rating: 9 out of 10

Use Cases and Deployment Scope

We at HTI use Sonatype products extensively, especially Nexus repository manager, IQ & Firewall. We have a massive scale of users, almost 40k, who are using our platform (Artefacts Management). We have many complex use cases, one of them being hosting docker on Nexus. We have millions of public, private & hosted images on our platform & a lot of tier0 services depend on us for their build & deployments. Any outage or slowness on the docker nexus instance impacts them heavily & it's a huge impact on our reputation as well as business. The Sonatype team is regularly helping us tune our Nexus repository manager in such a way that our service is not only highly available but optimized enough to ensure our business continues as usual. Nexus repository manager as a tool has come a long way & the Sonatype team ensures we as a customer get the required features & service.

Pros

  • Improved repo manager
  • High Availability
  • Great Support
  • Continuously improving Lifecycle

Cons

  • Reporting in repository manager
  • Easy remediation process in IQ
  • Optimize resource utilization for Nexus & IQ

Likelihood to Recommend

With our experience, Nexus Repo Manager can support large volumes & complex use cases across technologies. I see a bit of a challenge when it comes to very large volumes of docker though but the Sonatype team does everything to support our use cases.

Lives up to the hype

Rating: 10 out of 10

Use Cases and Deployment Scope

We have been utilizing Repository Manager and Lifecycle for approximately five years now. The entire software development team interacts with the Sonatype Platform on a daily basis. Repository Manager is used as a proxy to external repositories and to store internally developed artifacts and Docker images. Since all packages that developers retrieve flow through Repository Manager, we are able to enforce our open source best practices, allowing us to prevent unauthorized packages from being implemented into projects. Repository Manager and Lifecycle are both integrated into our CI/CD pipeline. While Repository Manager is used to pull and deploy packages, Lifecycle is searching for vulnerabilities. With each build, we are receiving a report for all of the components. Based on the valuable data Sonatype provides us, we are able to make decisions on whether to allow the build to continue. This prevents any vulnerable component from being introduced to our environments. Lifecycle also allows us to view newly discovered vulnerabilities within applications that have already been deployed, so they can be resolved as well.

Overall, Sonatype Platform greatly reduces the risk we assume each day.

Pros

  • Easy integration and automation with CI/CD pipeline
  • Block unsupported packages
  • Developer friendly vulnerability reports
  • Vulnerability reporting
  • Easily manage custom artifacts

Cons

  • Better abilities to share vulnerability reports
  • VS 2022 plugin is here, but it would be nice to use the plugin without having to specify an app within Lifecycle

Likelihood to Recommend

The different features Sonatype Platform offers check all the boxes for us, from the artifact management with Repository Manager to the vulnerability data from Lifecycle. Over the years it has proven itself, and I'm glad we went with the product.

Vetted Review
Sonatype Platform
5 years of experience

Sonatype Platform (Nexus Lifecycle) - Proactive SCA & SBOM Management Tool

Rating: 8 out of 10

Use Cases and Deployment Scope

We use Sonatype Platform Nexus Lifecycle to manage and remediate source code vulnerabilities and also use it for real-time monitoring of components throughout the SDLC, alerting teams about security vulnerabilities and other policy violations. Also, we use it to enforce software license compliance by identifying components with specific licensing terms and managing issues related to it.

Pros

  • Security scanning and vulnerabilities management
  • Policy enforcements on components usage
  • Real-time monitoring of components throughout the SDLC
  • Provides reporting on vulnerability assessments
  • Sonatype Platform support is quite responsive

Cons

  • Limited feature in IDE plugins
  • Provide alternate component where no new version fix for vulnerability exists
  • Reporting can be improved
  • Some functionalities are not there in UI and not accessible via API

Likelihood to Recommend

One of the best SCA tools available in the market. Well suited for scenarios where open source binaries are used. Also, it allows users to minimize security vulnerabilities, permitting organizations to enhance the development workflow. Sonatype Platform Lifecycle also gives the user complete control over their software supply chain, allowing them to manage the SDLC.

Vetted Review
Sonatype Platform
7 years of experience

Excellent Product Suite - Enables Proactive Vulnerability & SBOM Management

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

Top tier platform for identifying, remediating and managing known source code vulnerabilities across a large portfolio of applications. We incorporated Nexus Lifecycle scanning into our end to end pipelines with great success.

Pros

  • Vulnerability identification and best path to remediation.
  • Very well supported platform - exceptional customer service.
  • Ongoing monitoring of last released BOM per application and alerting of new vulnerabilities.

Cons

  • Recommendations for best Energy Consumption options based on existing BOM - e.g. replace component X with component Y to reduce CPU cycles.
  • More specific recommendations regarding Open Source Licensing - not just saying "Copyleft" but the next level of analysis (it's difficult - but would save a lot of time)
  • Provide specific component replacement options where no "next version" resolves a high severity vulnerability.

Likelihood to Recommend

Product suite fits nicely in a large enterprise environment with a lot of applications.

Deliver Agile AppSec with Sonatype Platform NexusIQ!

Rating: 6 out of 10
Incentivized

Use Cases and Deployment Scope

Sonatype Platform's Nexus Lifecycle is used in my company in the DevSecOps Department. We were looking for an SCA tool that was truly developer-oriented. We'd like security tools to be transparent for the application team, to motivate them to use them across every SDLC stage - Sonatype Platform is really good for that. It allows us to scale relatively quickly and increase the 3rd party dependencies security posture monitoring across the whole company.

Pros

  • SBOM continuous monitoring
  • Easy SCM integration
  • Tool onboarding

Cons

  • Tool capabilities for dotnet technology
  • More detailed remediation steps
  • Better pre-commit feedback for developers
  • More out-of-the-box features

Likelihood to Recommend

1. Team onboarding - because of the simplicity of initial tool configuration and SCM integration, onboarding of the Sonatype Platform Lifecycle is really convenient for the new teams.

2. Sonatype Platform NexusIQ is really great for Java and JavaScript technologies - configuration is really easy and the detail level from the results helps the teams to understand and mitigate the risks

3. Support for dotnet is significantly lower than for Java and JS - there is no native SBOM generation and analysis results are less detailed.

4. Some features like automatic PRs/PRs commenting/Grandfathering may be hard to understand and configure

Vetted Review
Sonatype Platform
2 years of experience

Sonatype Nexus Lifecycle

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

With Sonatype Nexus Lifecycle, we are able to identify issues with the 3rd party controls/components in our software very early in the development stage. Sonatype Lifecycle works very well within our DevOps practice; it helps us to implement continuous monitoring on 3rd party controls/components. It provides detailed reporting that helps us to understand the vulnerabilities associated with the components and their dependencies.

Pros

  • Scan Speed/time
  • Detailed reports
  • Their own analysis

Cons

  • Provision to see the historical reporting/analysis with 3rd party components.

Likelihood to Recommend

Using an SCA tool in the development stage helps development teams to identify issues with Open-Source Software/3rd party components early in the development stage. That overall helps the organization to fix the issues at a lower cost compared to making a plan to fix them after the product is fully developed. For all new development we prefer to use an SCA platform like Sonatype from the beginning.

Vetted Review
Sonatype Platform
5 years of experience

Sonatype Platform as One Platform for multiple solutions

Rating: 8 out of 10

Use Cases and Deployment Scope

We use Sonatype Platform as one solution for artifactory and the DevSecOps lifecycle. Our use case is integrating Sonatype Platform in SDLC delivery through CICD. We use Sonatype Platform for OSS component evaluation.

Use cases:

1. OSS packages evaluation

2. Analyse the SCA (binary package scanning)

3. Container image scan

All these use cases are part of our CICD journey, and they accelerate our CICD deliverables.

Pros

  • Nexus firewall is a great feature enabled for all our proxy repositories which are used to download the third-party open source packages.
  • Nexus IQ is integrated with the build stage to analyze the component against the evaluation policy. This helps to figure out the application security standards.
  • Nexus IQ also has a feature to scan container images before they are uploaded to our private repository. This is a great feature for container platforms.

Cons

  • Nexus IQ policy creation
  • Nexus repository manager clean up policy.
  • Nexus firewall quarantine auto release

Likelihood to Recommend

Sonatype Platform is suitable for big-budget projects that don't have storage issues.

Sonatype Platform is lacking better dashboards from a management perspective.

Vetted Review
Sonatype Platform
6 years of experience

Sonatype Platform used at Enterprise scale make developers life easy

Rating: 9 out of 10

Use Cases and Deployment Scope

With over 3,000 business applications, 100 million lines of code, 500 development teams and roughly 1,500 builds per day, standardization, governance and control are key aspects we address with the Sonatype Platform.

Nexus Repository is used as the golden source for artifact management and acts as the crown jewel of the software development factory. All builds and off-the-shelf packages are pulled from Nexus prior to deployments downstream.

Any dependency that is consumed is first checked using Sonatype Firewall and subsequently scanned using Sonatype Lifecycle in the pipelines. Custom and default policies work together in securing our organization against attack vectors like malware, malicious components, security vulnerabilities, license violations and end of life dependencies.

Authorization to application information is centrally governed, access management too. Many integrations between pipelines running on Azure or on premise are centrally governed. Security reviews by expert teams are arranged through integration between Nexus Lifecycle and ServiceNow.

Risk Acceptance and other policy deviations are centrally managed and are used as vital information to assess the overall security posture of our organization.

Support for new technologies and assistance with remediation of new vulnerabilities that are found in components is received at a decent frequency by Sonatype.

Pros

  • Advice on remediation of vulnerabilities in open source components
  • Support for the top 20 most commonly used software development languages/frameworks/packages
  • Protection against threats from an early stage in the threat-lifecycle

Cons

  • Support on the end of life lifecycle of known open source components that are going end of life, or already went end of life
  • Support for emerging infrastructure as code frameworks
  • Support for native/default retention, archiving and clean up policies for hosted repositories

Likelihood to Recommend

For a medium to large size organization with the possibility to set up a central support team to support the governance, maintenance and implementation of the Sonatype Platform, the product suite from Sonatype is very well suited. Setting up detailed configurations requires quite some effort and deep understanding of the Sonatype Platform. Whenever needed, the support teams from Sonatype are available for technical and functional support. The Innovate platform from Sonatype also allows customers to interact on specific topics and set up customer reference calls.

Vetted Review
Sonatype Platform
7 years of experience

Nobody knows Open Source like Sonatype

Rating: 8 out of 10

Use Cases and Deployment Scope

Our company uses the Sonatype Platform to store our developed artifacts, proxy to external open source repositories, and centrally manage the company's artifacts. We also use the Sonatype Platform to manage the SDLC related to license and security vulnerabilities via policy. We use the policies to prevent unwanted libraries from being brought into the environment, as well as inform developers on remediations that need to be made. We support more than 5000 developers that are distributed across the globe. The Sonatype Platform is an essential part of how we manage open source libraries, which is a core part of our software development. We are a financial services company, and therefore, we own data that is considered a high value target for bad actors. The Sonatype Platform is integrated throughout the development lifecycle.

Pros

  • Block unwanted open source libraries from entering our environment
  • Provides appropriate level information to help our developers identify and remediate vulnerabilities.
  • Cost effective enterprise management of open source libraries.
  • Provides enterprise level reporting on our vulnerability footprint.

Cons

  • Sonatype Platform architecture is antiquated and needs to be updated on modern technologies.
  • Sonatype Platform UI is lacking in several basic usability features
  • There needs to be better features and support for their IDE plugins.

Likelihood to Recommend

I don't think that Sonatype has any legitimate competitors regarding their knowledge of open source software. That knowledge is seamlessly woven into their products. They have extended the value of that knowledge by applying AI to their library analysis. The false positive rate is near 0. If you are not developing software using a large percentage of open source code, there may be better options. Or, if you value minimizing costs over remediating vulnerabilities, there are probably better tools.

Vetted Review
Sonatype Platform
15 years of experience