
    Sonatype Lifecycle

    Sold by: Sonatype 
    Deployed on AWS
    Designed to continuously monitor for problems at every stage of the software development lifecycle.

    Overview

    Control open source risk across your SDLC.

    Traditional SCA tools only highlight problems - Sonatype Lifecycle delivers solutions. With more than 90% of companies using open source software (OSS), protecting your software supply chain is critical to mitigating security, legal, and quality risks to your business. Make safer open source choices across the software development life cycle (SDLC), and innovate fearlessly with less risk.

    SDLC Manager for Better Vulnerability Monitoring

    Ensure you're always ahead of vulnerabilities and compliance issues. Be ready for the next software supply chain attack with custom policies, continuous monitoring, and remediation guidance - all in one tool.

    Minimize Risk, Accelerate Builds

    Getting developers to embrace security and SCA tools can be challenging but Sonatype's automated dependency management makes it easy. Lifecycle allows teams to shift-left, takes the guesswork out of decision-making with automated fixes and waivers, and accelerates time to value with a platform that balances the twin demands of security and productivity. With Sonatype Lifecycle you can:

    • Continuously monitor and receive alerts for security, legal, and quality risks at every stage of the SDLC.
    • Reduce manual compliance checks by enforcing customizable policies.
    • Generate accurate SBOMs (Software Bills of Materials).
    • Automatically remediate violations in a way that is guaranteed not to break builds or reduce app quality.
    • Leverage our reachability analysis engine to prioritize remediation across your organization.
    • Improve fix rate and leverage remediation guidance to quickly resolve any violations.
    • Automatically waive security violations that have no path forward.

    Get started today with Sonatype Lifecycle.

    As the industry-leading software supply chain management platform, the Sonatype Platform is the choice of organizations currently using or evaluating solutions such as Mend, Jfrog, Snyk, or GitLab. Sonatype provides a comprehensive and integrated solution for all aspects of the software development lifecycle, from secure development to release automation, helping organizations reduce risk and accelerate their time to market.

    Highlights

    • Companies have experienced 6X faster release velocity and an 80% reduction in remediation time using Sonatype. Reducing false positives by even 25% over the course of a year provides 2x time savings for developers. Sonatype Lifecycle delivered a 95% reduction in time spent remediating newly discovered vulnerabilities.
    • More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers rely on Sonatype.
    • Sonatype is an AWS DevOps Competency, Qualified Software, and Select Partner.

    Details

    Delivery method

    Deployed on AWS

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    Sonatype Lifecycle

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (1)

    Dimension            Description     Cost/12 months
    Sonatype Lifecycle   For One User    $931.00

    Vendor refund policy

    We do not offer refunds.

    Custom pricing options

    Request a private offer to receive a custom quote.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Sonatype offers support. Contact: https://support.sonatype.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Product comparison

    Updated weekly

    Accolades

    • Top 25 in Software Development
    • Top 10 in Continuous Integration and Continuous Delivery, Application Development, Security
    • Top 10 in Agile Lifecycle Management, Source Control

    Customer reviews

    Sentiment is AI generated from actual customer reviews on AWS and G2.

    Reviews      Functionality       Ease of use         Customer service    Cost effectiveness
    4 reviews    Insufficient data   Insufficient data   Insufficient data
    0 reviews    Insufficient data   Insufficient data   Insufficient data   Insufficient data

    Legend: Positive reviews / Mixed reviews / Negative reviews

    Overview

    AI generated from product descriptions.

    • Vulnerability Monitoring: Continuous monitoring for security, legal, and quality risks across the software development lifecycle.
    • Software Composition Analysis: Automated dependency management with a reachability analysis engine for prioritizing remediation.
    • Policy Enforcement: Customizable policy implementation to reduce manual compliance checks and automate violation management.
    • Software Bill of Materials: Automated generation of a comprehensive software component inventory with detailed tracking.
    • Remediation Guidance: Automated fix recommendations with guaranteed non-disruptive resolution strategies for identified vulnerabilities.
    • Artifact Management: Universal artifact repository supporting 40+ package and file types, including machine learning models.
    • Security Scanning: Comprehensive security solution with contextual vulnerability analysis, prioritization, and anti-tampering mechanisms across the software development lifecycle.
    • Software Supply Chain Traceability: Massively scalable platform providing end-to-end visibility and control across software development and deployment environments.
    • Vulnerability Detection: Advanced security scanning for real-world risk analysis, exposure discovery, and early blocking of malicious open source packages.
    • DevSecOps Integration: Hybrid platform integrated with multiple software package technologies and tools for consolidated enterprise development workflows.
    • Artifact Format Support: Supports multiple artifact formats including Docker, Java, Go, PHP, Python, and other development ecosystems.
    • Access Control: Implements role-based access controls for secure artifact management and repository access.
    • Repository Management: Centralized repository for storing, publishing, and retrieving versioned applications and dependencies.
    • Operating System: Deployed on the Ubuntu 20.04 Linux distribution with optimized configuration.
    • Software Artifact Storage: Provides private hosted repositories for managing software development artifacts and dependencies.

    Contract

    Standard contract: No / No

    Customer reviews

    Ratings and reviews

    0 ratings
    5 star: 0%
    4 star: 0%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    0 AWS reviews | 16 external reviews
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.

    Carlos Leão

    Utilize a reliable BRM tool to manage software artifacts efficiently with outstanding vulnerability identification capabilities

    Reviewed on Mar 24, 2025
    Review provided by PeerSpot

    What is our primary use case?

    We use Sonatype Lifecycle primarily as a binary repository management solution for managing software artifacts. Our company has a large stack of tools for software development, and Sonatype Lifecycle is part of these tools. We use it solely for managing software artifacts without utilizing the software composition analysis or the vulnerability checking capabilities. We are expanding our clients and services as part of Digital Service of Brazil.

    What is most valuable?

    The most valuable feature for us is Sonatype Lifecycle's capability in identifying vulnerabilities. It has a large portfolio for vulnerability analysis, making it a leader in vulnerability checking. In comparison, the performance of other products, like JFrog's, does not reach the same level in identifying vulnerabilities. Additionally, Sonatype Lifecycle is very stable, especially in managing binary artifacts for over fifteen years with minimal problems, even with more than 700 developers working on a single node.

    What needs improvement?

    Both JFrog and Sonatype should redesign their products to separate the binary repository management solution from the software composition analysis solutions. We prefer to purchase the binary repository management solution independently, but they offer both together, which increases costs. This integration is good but raises the price, being a significant issue for us. We also noticed a lack of detailed information for configuring Sonatype Lifecycle for high availability and data recovery.

    For how long have I used the solution?

    I have used Sonatype Lifecycle for over fifteen years.

    What do I think about the stability of the solution?

    Sonatype Lifecycle is very stable, especially in the binary repository management use case for managing binary artifacts. We have not experienced any significant issues over the fifteen years of use.

    What do I think about the scalability of the solution?

    Both Sonatype and JFrog have solutions for high availability and data recovery, but Sonatype is more complex to configure. JFrog is easier to configure for high availability as it does not require extra components. It handles high availability at the database level, such as synchronizing JFrog repository servers without complicated configurations.

    How are customer service and support?

    We use Sonatype Lifecycle in its open-source software edition, so we do not have experience with their customer service or technical support.

    How would you rate customer service and support?

    Positive

    What's my experience with pricing, setup cost, and licensing?

    According to my calculations, if you are working with up to 200 developers, Sonatype is cheaper than JFrog. However, for larger numbers like our case with 1,000 user licenses, JFrog becomes much more cost-effective, roughly ten times cheaper than Sonatype. Their licensing models are different, impacting the price depending on the number of developers.

    Which other solutions did I evaluate?

    I compared Sonatype Lifecycle with JFrog Artifactory and Xray.

    What other advice do I have?

    Overall, I would rate Sonatype Lifecycle a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises

    Goutham Kumar

    Provides comprehensive dependency oversight with room for expanded security capabilities

    Reviewed on Dec 24, 2024
    Review provided by PeerSpot

    What is our primary use case?

    We use Sonatype Lifecycle for scanning our SCA product, software composition analysis. It is a category of product we use to scan third-party packages imported into the source code like Java, Node.js, or Python.

    It reports back as an enterprise product with UI reports and is very useful. We integrate it into our pipelines, generate reports, and our developers engage with it to fix issues and ensure the software supply chain is secure.

    What is most valuable?

    The solution provides a comprehensive overview of dependencies and their security status. The onboarding process is straightforward, and the UI is very clear. The integration into our CI/CD pipeline enables us to continuously monitor code changes and identify new vulnerabilities. This ensures we can address issues proactively. Lifecycle effectively manages dependencies and highlights insecure packages. It does what it does better, with integration into other Sonatype products. This integrated ecosystem is advantageous for us.

    What needs improvement?

    It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections. It is specific to only one category, and we would like them to add more diverse application security features. We expect products to do multiple things. It only does one thing, and we want it to expand its capabilities.

    For how long have I used the solution?

    We have been working with Sonatype Lifecycle for four years.

    What do I think about the stability of the solution?

    The product is stable and works as expected. There are no performance or reliability issues.

    What do I think about the scalability of the solution?

    I find the solution scalable.

    How are customer service and support?

    The technical support is good. I would rate them as eight out of ten. They are helpful when we raise any tickets.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use another solution before this one.

    How was the initial setup?

    The initial setup is not straightforward as it includes databases, yet the documentation is good, and we did not face any issues. The support is good, and the setup went smoothly.

    What about the implementation team?

    It is a security product, so we installed it in our automation environment without tweaking anything. We brought users in, provided an overview of how developers should use it, and integrated it into a few applications before rolling it out to all.

    What was our ROI?

    We have seen cost savings and efficiency improvements as we now know what happens in what was previously a black box. The ROI is around two years, however, security improvements are hard to quantify.

    Which other solutions did I evaluate?

    We didn't evaluate other options since the product aligns with our ecosystem, enabling it to work well with other solutions we use.

    What other advice do I have?

    I recommend it because it integrates well with other Sonatype products and does its job effectively. 

    Overall, I would rate Sonatype Lifecycle as seven out of ten.

    SrinathKuppannan2

    Easily identifies problematic versions and ensures adherence to regulatory standards like HIPAA, critical for industries dealing with sensitive information

    Reviewed on Jun 26, 2024
    Review provided by PeerSpot

    What is our primary use case?

    I work for a service-based company where we develop solutions based on customer requirements. That server was currently put up. 

    I've also worked with product-based companies, developing software products for end-user requirements. That's my background, working broadly in telecom and healthcare.

    This solution is for the client, and we do have internal customers who have been using this solution too.

    Sonatype Lifecycle primarily has two main products: 

    1. Sonatype Nexus and 
    2. Sonatype Lifecycle. 

    Lifecycle is mainly used for firewall management. If any issues are detected during the build process, they will be flagged, and each port can be addressed based on firewall and code scanning reports. 

    Essentially, it streamlines the process, allowing us to easily identify code snippets that need attention and then act upon those findings.

    How has it helped my organization?

    It's heavily integrated within our organization due to our adherence to HIPAA regulations, which are critical for protecting health information. We ensure regulatory compliance is incorporated into both our code and the applications we develop.

    • Detailed Violation Reports: The violation reports provided by Lifecycle are key, giving specific details on the types of violations and identifying the component within the application. Even with multiple components like web, app, and database tiers, each is evaluated separately through individual pipelines, and reports are provided for each.
    • Version Tracking: Another important aspect is the version details, showing which version is causing issues. We follow a standard release naming convention (major, minor, patch), so we can easily see which version is problematic.
    • Dependency Management: Additionally, we can address dependency-related information at a granular level, identifying component versions causing build blockages. This is a very helpful feature.

    What is most valuable?

    With Sonatype, I primarily work with the Nexus Repository. I like it the most because it can store many artifacts generated after applications are built. These artifacts can be retrieved at any time. 

    Another valuable aspect of Sonatype is that it combines Lifecycle with the repository. The Lifecycle component integrates into every stage of the release, starting from code checkout and throughout the build process. This integration gives us insights into the code's quality and overall health. 

    Additionally, Sonatype seamlessly integrates with other tools like GitLab, providing continuous integration, delivery, and deployment capabilities. 

    It offers comprehensive reports on each stage, facilitating static code analysis and improving our understanding of code quality. All these integrations help provide valuable feedback to developers and stakeholders.

    Mitigates security vulnerabilities:

    It primarily analyzes code and provides vulnerability check results through the IQ Server. This server takes the application configuration and details, then provides a dashboard showing the vulnerabilities as critical, low, or high.

    This is based on the policies defined in Lifecycle. Besides the default policies, we have custom policies that can be defined. These features evaluate the code and present those reports in the dashboard.

    What needs improvement?

    While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further.

    I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. Sonatype could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen.

    I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are moving to cloud workloads.

    • I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information. 
    • Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards, if there are any violations with respect to CVSS reports.
    • Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future.

    On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.

    For how long have I used the solution?

    I have experience with this product. 

    What do I think about the stability of the solution?

    The stability of the product is very normal. If we don't bump it up with minor releases, and instead use the stable releases, there are no major issues. So far, the stability is perfectly fine.

    What do I think about the scalability of the solution?

    I would rate the scalability an eight out of ten. 

    Earlier, licenses were specific to on-premise servers, but now, Sonatype is also available in the cloud, offering more flexibility. Now, we can bump it up if required. We can increase the number of user licenses as needed by contacting the Sonatype team.

    We regularly evaluate our license usage and adjust based on our needs. For example, we initially had 100 licenses, but after analyzing usage patterns and integrating another team, we increased it to 200.

    So, scalability is not an issue.

    How are customer service and support?

    The support was good. However, getting the right resources for specific activities is a problem. 

    Once an issue is identified, we need to raise a user request, which might become a development request, leading to long wait times. This is where we experience delays, and it needs improvement.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    Another tool that is equivalent to Sonatype is JFrog, but it does not have Lifecycle-like features.

    But, we can compare the Sonatype Nexus repository with JFrog Artifactory. We also have other options like Azure Artifacts in the cloud.

    How was the initial setup?

    I would rate my experience with the initial setup a nine out of ten, with ten being easy. 

    The installation itself is quick, but the configuration takes longer, especially with custom policies. If you use the default policies, it's much faster. 

    The configuration needs to be tailored to the specific requirements of the team or application. Installation can be completed in three to four hours, but configuration may take a couple of days.

    Deployment model: It is deployed both on the cloud and on-premises. 

    Deployment resources: It doesn't require many resources. One engineer and another person should be able to handle it, especially for the policies and other details. Installation and setup are not difficult. 

    However, ongoing maintenance is required, so an additional person might be helpful. Is the requirement solely for Sonatype, or do you have other tools to maintain as well?

    What about the implementation team?

    I successfully set it up from scratch for my organization, conducted training sessions for the development team and leadership, and collaborated extensively with the Sonatype team for over eight years.

    Steps for the deployment process:

    1. First, we get the bundle. Once we receive the bundle, we will review the installation tips and identify the server for installation. The installation server is designed based on the environment, considering CPU, RAM, storage requirements, and database choice (Oracle or PostgreSQL). After all, the database is key. 
    2. We download the package bundle from the website, which includes the installation script and a configuration file. The configuration file defines the connection details to the database. This is usually handled by the admin ID.
    3. The next step is to create roles for the development team and other relevant teams, assigning users to these roles. The most time-consuming part is defining the custom policies tailored to our organization's specific needs, as we have numerous applications running with different teams and product lines.
    4. Once the policies are defined, we integrate Sonatype with the CI/CD pipeline. This allows us to run scans, generate reports, and start using the tool effectively.

    What was our ROI?

    In terms of Sonatype, it's definitely worth it. The software is valuable. However, I'm expecting more additional features and frequent releases, as major releases take a long time. I think the Sonatype development team should release updates with additional features more often.

    What's my experience with pricing, setup cost, and licensing?

    I would rate the pricing a seven out of ten, with ten being expensive. The price is high. 

    It depends on the number of licenses. The price increases based on the fact bundle you are collecting. The number of licenses depends on the organization and how many we have.

    What other advice do I have?

    My advice:

    Sonatype Lifecycle has a lot of uses based on the user base. It's licensed based on support, not per user. So, if a team has 200 developers, I would recommend starting with a smaller number of licenses, like 50 or 75, and increasing it later if needed, rather than buying 200 licenses upfront. They can always compare and adjust based on their usage.

    Overall, I would rate it an eight out of ten. 

    Which deployment model are you using for this solution?

    Hybrid Cloud

    Angelo Quaglia

    A very easy to use solution with great scalability

    Reviewed on Apr 08, 2024
    Review provided by PeerSpot

    What is our primary use case?

    We use this solution for libraries in our applications that need to be updated.

    What is most valuable?

    The solution is very easy to use. 

    What needs improvement?

    Improvements are needed as per customer requirements.

    For how long have I used the solution?

    I have been using Sonatype Lifecycle for one year. 

    What do I think about the scalability of the solution?

    The scalability is a ten out of ten. 

    What other advice do I have?

    Overall, I would rate the solution a ten out of ten. 

    reviewer2329698

    Offers excellent technical support but lacks integration with deployment tools

    Reviewed on Jan 17, 2024
    Review provided by PeerSpot

    What is our primary use case?

    Our primary use cases involve monitoring and securing our software supply chain. We use it to proactively identify and block any potentially insecure components from being downloaded, ensuring our firewall remains robust. Additionally, we use the platform to analyze both deployed and developing code throughout the development lifecycle.

    What is most valuable?

    The most valuable function of Sonatype Lifecycle is its code analysis capability, especially within the specific sub-product focusing on static analysis. This feature, particularly tailored for Java code, has been crucial in identifying and addressing vulnerabilities in our software.

    What needs improvement?

    There is room for improvement in the code analysis aspect of Sonatype Lifecycle, specifically in the area of deployment security. While the product effectively scans components and provides threat intelligence, it requires additional manual effort to ensure that the configuration of the product during deployment is done securely.

    When it comes to new features, I would find it incredibly beneficial if Sonatype Lifecycle could integrate with deployment tools, enabling real-time identification of any vulnerabilities as developers push code to production.

    For how long have I used the solution?


    What do I think about the stability of the solution?

    It is quite a stable solution. I would rate the stability as a seven out of ten.

    What do I think about the scalability of the solution?

    I would rate the scalability of the solution as a ten out of ten. It is suitable for any business size.

    How are customer service and support?

    I would rate Sonatype's technical support a solid ten out of ten. They are highly engaged, conduct weekly meetings to discuss the product roadmap and competition, and even bring in engineers to provide hands-on guidance on using the product.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    Setting up Sonatype Lifecycle can be complex, possibly influenced by deployment choices. While I haven't explored the latest architecture, there is potential for a simpler SaaS deployment. It is available both as an on-premises and cloud-based hybrid solution to suit different preferences and needs.

    What's my experience with pricing, setup cost, and licensing?

    I would rate the affordability of the solution as an eight out of ten.

    What other advice do I have?

    Overall, I would rate Sonatype Lifecycle as a six out of ten. It is a solid product with some room for improvement.
