We performed a comparison between SonarQube and Sonatype Nexus Lifecycle based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Based on the parameters we compared, SonarQube and Sonatype Nexus Lifecycle seem to have a similar rating among users regarding ease of deployment, pricing, service and support, and ROI. In terms of features, users of SonarQube felt more scanning features were needed, while users of Sonatype Nexus Lifecycle felt the software needed to be more code-driven.
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"It easily ties into our continuous integration pipeline."
"This solution is simple to use and can be quickly deployed."
"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
"The SonarQube dashboard looks great."
"The data quality is really good. They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search - and even use it in the development IDE - allow us to remediate and find things faster."
"The scanning capability is its most valuable feature, discovering vulnerable open source libraries."
"It's helped us free up staff time."
"The most valuable features of the Sonatype Nexus Lifecycle are the evaluation of the unit test coverage, vulnerability scanning, duplicate code lines, code smells, and unnecessary loops."
"The most important features of the Sonatype Nexus Lifecycle are the vulnerability reports."
"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities."
"Automating the Jenkins plugins and the build title is a big plus."
"The application onboarding and policy grandfathering features are good and the solution integrates well with our existing DevOps tools."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"There could be better integration with other products."
"Having performance regression would be a helpful add-on or ability to be able to do during the scan."
"I am not very pleased with the technical debt computation."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"SonarQube could improve its static application security testing as per the industry standard."
"We could use some team support, but since we are using the community version, it's not available."
"Fortify's software security center needs a design refresh."
"The reporting could be better."
"If you look at NPM-based applications, JavaScript, for example, these are only checkable via the build pipeline. You cannot upload the application itself and scan it, as is possible with Java, because a file could change significantly."
"Not all languages are supported in Fortify."
"The generation of false positives should be reduced."
"We do not use it for more because it is still too immature, not quite "finished." It is missing important features for making it a daily tool. It's not complete, from my point of view..."
"In terms of features, the reports natively come in as PDF or JSON. They should start thinking of another way to filter their reports. The reporting tools used by most enterprises, like Splunk and Elasticsearch, do not work as well with JSON."
"One thing that it is lacking, one thing I don't like, is that when you label something or add a status to it, you do it as an overall function, but you can't go back and isolate a library that you want to call out individually and remove a status from it. It's still lacking some functionality-type things for controlling labels and statuses. I'd like to be able to apply it across all of my apps, but then turn it off for one, and I can't do that."
SonarQube is ranked 1st in Application Security Tools with 110 reviews while Sonatype Lifecycle is ranked 6th in Application Security Tools with 42 reviews. SonarQube is rated 8.0, while Sonatype Lifecycle is rated 8.4. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Sonatype Lifecycle writes "Seamless to integrate and identify vulnerabilities and frees up staff time". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Fortify on Demand, whereas Sonatype Lifecycle is most compared with Black Duck, Fortify Static Code Analyzer, GitLab, Checkmarx One and Mend.io.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.