Nobody knows Open Source like Sonatype
July 21, 2023

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Nexus Repository Pro
  • Nexus Firewall
  • Nexus Lifecycle

Overall Satisfaction with Sonatype Platform

Our company uses the Sonatype Platform to store our developed artifacts, proxy external open source repositories, and centrally manage the company's artifacts. We also use the Sonatype Platform to manage the SDLC with respect to license and security vulnerabilities via policy. We use the policies to prevent unwanted libraries from being brought into the environment, as well as to inform developers of remediations that need to be made. We support more than 5000 developers who are distributed across the globe. The Sonatype Platform is an essential part of how we manage open source libraries, which is a core part of our software development. We are a financial services company, and therefore we own data that is considered a high-value target for bad actors. The Sonatype Platform is integrated throughout the development lifecycle.
  • Blocks unwanted open source libraries from entering our environment.
  • Provides the appropriate level of information to help our developers identify and remediate vulnerabilities.
  • Cost-effective enterprise management of open source libraries.
  • Provides enterprise-level reporting on our vulnerability footprint.

  • Sonatype Platform architecture is antiquated and needs to be updated to modern technologies.
  • Sonatype Platform UI is lacking in several basic usability features.
  • There need to be better features and support for their IDE plugins.

  • Blocking vulnerable components from entering our environment.
  • Being able to leverage Sonatype's deep knowledge of Open Source Software.
  • Enterprise-level artifact management.

  • Sonatype's centralized management of artifacts has made it very easy for developers to share code in an efficient manner.
  • Sonatype's low false positive rate has made it easier to convince developers to remediate vulnerabilities.
  • Sonatype's archaic architecture has made it more expensive to manage than it could be.

JFrog's architecture is significantly ahead of Sonatype's implementation. It would be a lot easier to globally manage a JFrog solution than a Sonatype solution. JFrog's UI is more user-friendly and has more features. JFrog, however, is significantly behind Sonatype in the quality of its license and security vulnerability data. Also, based on the pricing models of the two companies, JFrog's cost was significantly higher than Sonatype's.

Do you think Sonatype Platform delivers good value for the price?

Yes

Are you happy with Sonatype Platform's feature set?

Yes

Did Sonatype Platform live up to sales and marketing promises?

Yes

Did implementation of Sonatype Platform go as expected?

Yes

Would you buy Sonatype Platform again?

Yes

I don't think that Sonatype has any legitimate competitors regarding their knowledge of open source software. That knowledge is seamlessly woven into their products. They have extended the value of that knowledge by applying AI to their library analysis. The false positive rate is near 0. If you are not developing software using a large percentage of open source code, there may be better options. Or, if you value minimizing costs over remediating vulnerabilities, there are probably better tools.