Sonatype Platform

We use two modules of Sonatype Nexus platform, Nexus LifeCycle and Nexus Repository.

• Nexus Repository: Nexus Repository is a good choice for being a repository manager. IAs such it does a good job of mirroring external repositories like artifactory etc. It saves network bandwidth/hard ware costs by allowing the teams to share artifacts with each other. Repository UI allows managing different artifacts. For bulk operations, CLI provides a value add. Support is available and helpful. Its a great choice is one is looking for repository manager which comes with support.
• Nexus LifeCycle : Provides checking the vulnerabilities in the builds. It is probably the best thing which Nexus offers. It comes with its REST api. Artifacts can be checked before getting deployed.

The different features Sonatype Platform offers checks all the boxes for us. From the artifact management with Repository Manager, to the vulnerability data from Lifecycle. Over the years it has proven itself, and I'm glad we went with the product.

One of the best SCA tools available in market. Well suited for scenarios for where open source binaries are used. Also, allows users to minimize security vulnerabilities, permitting organizations to enhance development workflow. Sonatype Platform Lifecycle also gives the user complete control over their software supply chain, allowing them managing SDLC.

Product suite fits nicely in a large enterprise environment with a lot of applications.

1. Team onboarding - because of the simplicity of initial tool configuration and SCM integration, onboarding of the Sonatype Platform Lifecycle is really convenient for the new teams.
2. Sonatype Platform NexusIQ is really great for Java and JavaScript technologies - configuration is really easy and the detail level from the results helps the teams to understand and mitigate the risks
3. Support for dotnet is significantly lower than for Java and JS - there is no native SBOM generation and analysis results are less detailed.
4. Some features like automatic PRs/PRs commenting/Grandfathering may be hard to understand and configure

Using SCA tool in development stage helps development teams to identify issues with the Open-Source Software/3rd party components early into the development stage. that overall helps organization to fix the issues with lesser cost compared while making a plan to fix after the product is fully developed. For all the new development we prefer to use SCA platform like Sonatype from the beginning.

Sonatype Platform is suitable for big budget project where doesn't have storage issues.
Sonatype Platform is lacking some better dashboards for management perspective.

For a medium to large size organization with the possibility to setup a central support team to support the governance, maintenance and implementation of the Sonatype Platform, the product suite from Sonatype is very well suited. Setting up detailed configurations requires quite some effort and deep understanding of the Sonatype Platform. Whenever needed the support teams from Sonatype are available for technical and functional support. As well the Innovate platform of Sonatype offers customers to interact on specific topics and set up customer reference calls.

I don't think that Sonatype has any legitimate competitors regarding their knowledge of open source software. That knowledge is seamlessly woven into their products. They have extended the value of that knowledge by applying AI to their library analysis. The false positive rate is near 0. If you are not developing software using a large percentage of open source code, there may be better options. Or, if you value minimizing costs over remediating vulnerabilities, there are probably better tools.

Sonatype Lifecycle is a strong product when it comes to scanning open source dependencies. I works really good with modern languages where using a dependency manager tool (gradle, maven, npm, pip...). It struggles more with projects where dependencies are manually managed like C/C++ legacy projects.

You can also scan a container, looking for vulnerabilities in the image itself. This works fine although a little bit more difficult to setup than the application dependency scans. If your product is container based, with Sonatype Lifecycle you have all your software footprint scanned.

Sonatype Nexus works well as an artifact repository for different programming languages. If set up correctly it is very easy to use in your Maven or Gradle scripts to manage your dependencies. It is also easy to aggregate different public repositories and manage access to these public repositories.

The Sonatype Nexus Platform is suitable if you have a need to either keep old historical versions of your builds. It’s also suitable if you have a need to ensure you can build old versions of your system even if the online source of a third-party library becomes unavailable. It's hard to justify the complexity of the platform if you are doing one-time prototyping and never have a need to go back to old builds.