Deliver Agile AppSec with Sonatype Platform NexusIQ!
November 07, 2023

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Modules Used

  • Nexus Lifecycle

Overall Satisfaction with Sonatype Platform

Sonatype Platform's Nexus Lifecycle is used in my company in the DevSecOps Department. We were looking for an SCA tool that was truly developer-oriented. We'd like security tools to be transparent for the application team, to motivate them to use them across every SDLC stage - Sonatype Platform is really good for that. It allows us to scale relatively quickly and increase third-party dependency security posture monitoring across the whole company.

  • SBOM continuous monitoring
  • Easy SCM integration
  • Tool onboarding
  • Tool capabilities for dotnet technology
  • More detailed remediation steps
  • Better pre-commit feedback for developers
  • More out-of-the-box features
  • Give us visibility on the security posture of 3rd party dependencies used
  • Enable continuous monitoring to react to zero-day vulnerabilities quicker
  • Dashboards and reporting capabilities are easy to understand for management
  • Fewer vulnerabilities in our products
  • SCA implementation in SSDLC
  • Dotnet configuration is more challenging compared to other technologies
  • Black Duck Software Composition Analysis (SCA)

Sonatype Platform's Nexus Lifecycle performs pretty well when it comes to security vulnerabilities. It uses multiple vulnerability databases and provides really detailed reports. The tool is easy to use for end users at different levels: within the IDE, in the CI pipeline and at the maintenance level.
BlackDuck is a tool that is better from the licence management perspective; however, it is harder to use and configure. I really like the way BD calculates the risk; however, this feature is also available in Sonatype Platform NexusIQ now.

Do you think Sonatype Platform delivers good value for the price?

Yes

Are you happy with Sonatype Platform's feature set?

Yes

Did Sonatype Platform live up to sales and marketing promises?

Yes

Did implementation of Sonatype Platform go as expected?

Yes

Would you buy Sonatype Platform again?

Yes

1. Team onboarding - because of the simplicity of initial tool configuration and SCM integration, onboarding of the Sonatype Platform Lifecycle is really convenient for new teams.
2. Sonatype Platform NexusIQ is really great for Java and JavaScript technologies - configuration is really easy and the level of detail in the results helps the teams understand and mitigate the risks.
3. Support for dotnet is significantly lower than for Java and JS - there is no native SBOM generation, and analysis results are less detailed.
4. Some features like automatic PRs, PR commenting and grandfathering may be hard to understand and configure.