Get you covered - Scan your Open Source Dependencies
July 21, 2023

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Nexus Lifecycle
  • Nexus Container

Overall Satisfaction with Sonatype Platform

We use Sonatype Lifecycle to scan our open-source software dependencies and raise issues if these are vulnerable. It is easy to integrate this scan with a CI tool, the scan itself takes seconds and you can see the results in the log output or in a link that opens the Sonatype Lifecycle report. The report is easy to understand, categorizing the vulnerabilities by their severity. You can look at lots of details for each vulnerability; this helps greatly in identifying whether you are vulnerable to the issue and whether there is a new version of the dependency available that fixes the issue.

  • Scan all open source dependencies, looking for vulnerabilities
  • Detailed information about each vulnerability
  • Great customer support!
  • Container scanning is cumbersome, difficult to get it working
  • If you look at a scan result in the dashboard, you cannot see the git branch where it was produced (you only see the commit hash)
  • Dependency Scanning
  • License Check
  • Reporting and mitigation information
  • Helps us to meet our security requirements
  • Helps us keep our open source dependencies up to date
  • Helps us manage licenses, ensuring all components we use are OK to be used in a commercial scenario

Out of the other products we evaluated before choosing Sonatype, the latter looked far more user-friendly, easy to understand and work with. This was key for us, as the tool needs to be used by many engineers who don't have security as their main focus. Having a tool that is easy to understand and work with makes the process of evaluating open source dependencies much easier and more appealing for developers.

Do you think Sonatype Platform delivers good value for the price?

Yes

Are you happy with Sonatype Platform's feature set?

Yes

Did Sonatype Platform live up to sales and marketing promises?

Yes

Did implementation of Sonatype Platform go as expected?

Yes

Would you buy Sonatype Platform again?

Yes

Sonatype Lifecycle is a strong product when it comes to scanning open source dependencies. It works really well with modern languages where a dependency manager tool is used (Gradle, Maven, npm, pip...). It struggles more with projects where dependencies are manually managed, like C/C++ legacy projects.

You can also scan a container, looking for vulnerabilities in the image itself. This works fine, although it is a little bit more difficult to set up than the application dependency scans. If your product is container based, with Sonatype Lifecycle you have your whole software footprint scanned.