Get you covered - Scan your Open Source Dependencies
July 21, 2023
Score 9 out of 10
Vetted Review
Verified User
Modules Used
- Nexus Lifecycle
- Nexus Container
Overall Satisfaction with Sonatype Platform
We use Sonatype Lifecycle to scan our open source software dependencies and raise issues if these are vulnerable. It is easy to integrate this scan with a CI tool; the scan itself takes seconds, and you can see the results in the log output or in a link that opens the Sonatype Lifecycle report. The report is easy to understand, categorizing the vulnerabilities by their severity. You can look at lots of details for each vulnerability, which helps greatly in identifying whether you are vulnerable to the issue and whether there is a new version of the dependency available that fixes it.
- Scan all open source dependencies, looking for vulnerabilities
- Detailed information about each vulnerability
- Great customer support!
- Container scanning is cumbersome, difficult to get it working
- If you look at a scan result in the dashboard, you cannot see the git branch where it was produced (you only see the commit hash)
- Dependency Scanning
- License Check
- Reporting and mitigation information
- Helps us to meet our security requirements
- Helps us keep our open source dependencies up to date
- Helps us manage licenses, ensuring all components we use are OK to be used in a commercial scenario
Out of the other products we evaluated before choosing Sonatype, the latter looked far more user friendly and easy to understand and work with. This was key for us, as the tool needs to be used by many engineers who don't have security as their main focus. Having a tool that is easy to understand and work with makes the process of evaluating open source dependencies much easier and more appealing for developers.
Do you think Sonatype Platform delivers good value for the price?
Yes
Are you happy with Sonatype Platform's feature set?
Yes
Did Sonatype Platform live up to sales and marketing promises?
Yes
Did implementation of Sonatype Platform go as expected?
Yes
Would you buy Sonatype Platform again?
Yes