We changed our name from IT Central Station: Here's why

Black Duck vs Sonatype Nexus Lifecycle comparison

Cancel
You must select at least 2 products to compare!
Black Duck Logo
17,477 views|12,198 comparisons
Sonatype Nexus Lifecycle Logo
23,885 views|13,468 comparisons
Featured Review
Find out what your peers are saying about Black Duck vs. Sonatype Nexus Lifecycle and other solutions. Updated: January 2022.
563,327 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The knowledge base and the management system are the most valuable features of Black Duck Hub. It has a very helpful management environment. They offer an editor where we can check the discovered license, which is retrieved from their knowledge base. They have a huge knowledge base build over the years. It gives you some possibilities, such as this license with possibility A could cause a vulnerability issue or a potential breach.""Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.""The solution works well on Mac products.""I like the fact that the product auto analyzes components.""The stability is okay.""The most valuable feature is the vulnerability scanning, and that it's easy to use.""The installation is very easy."

More Black Duck Pros →

"We really like the Nexus Firewall. There are increasing threats from npm, rogue components, and we've been able to leverage protection there. We also really like being able to know which of our apps has known vulnerabilities.""Its engine itself is most valuable in terms of the way it calculates and decides whether a security vulnerability exists or not. That's the most important thing. Its security is also pretty good, and its listing about the severities is also good.""The proxy repository is probably the most valuable feature to us because it allows us to be more proactive in our builds. We're no longer tied to saving components to our repository.""The component piece, where you can analyze the component, is the most valuable. You can pull the component up and you can look at what versions are bad, what versions are clean, and what versions haven't been reported on yet. You can make decisions based off of that, in terms of where you want to go. I like that it puts all that information right there in a window for you.""For us, it's seeing not only the licensing and security vulnerabilities but also seeing the age of the open-sources included within our software. That allows us to take proactive steps to make sure we're updating the software to versions that are regularly maintained and that don't have any vulnerabilities.""Some of the more profound features include the REST APIs. We tend to make use of those a lot. They also have a plugin for our CI/CD; we use Jenkins to do continuous integration, and it makes our pipeline build a lot more streamlined. It integrates with Jenkins very well.""The integrations into developer tooling are quite nice. I have the integration for Eclipse and for Visual Studio. Colleagues are using the Javascript IDE from JetBrains called WebStorm and there is an integration for that from Nexus Lifecycle. I have not heard about anything that is not working. It's also quite easy to integrate it. You just need to set up a project or an app and then you just make the connection in all the tools you're using.""When I started to install the Nexus products and started to integrate them into our development cycle, it helped us construct or fill out our development process in general. The build stage is a really good template for us and it helped establish a structure that we could build our whole continuous integration and development process around. Now our git repos are tagged for different build stages data, staging, and for release. That aligns with the Nexus Lifecycle build stages."

More Sonatype Nexus Lifecycle Pros →

Cons
"The scanner client is limited by the size of software it can handle.""We're not too sure about the extension of the firewall. It never shows up in the Hub.""We have been having some issues with the latest releases where we are not able to scan our applications with the help of Black Duck.""It needs to be more user-friendly for developers and in general, to ensure compliance.""The initial setup could be simplified. It was somewhat complex.""It is a cloud-only solution. In many cases, companies like to evaluate the software, but they're very reluctant to give you the software. It would be great if they could offer an on-prem component that could be used to scan the code and then upload the discovery results to the cloud and get all the information from there, but there is no such possibility. You have to upload the code to the Black Duck cloud system. Of course, they have a strong legal department, and they offer some configuration, but it is never enough. You have to give the code, which is a drawback. In modern designs like Snyk or FOSSA, you don't need to give the code. It requires more native integration with Coverity because they go together technically. You need both Coverity and Black Duck Hub. It would be really helpful for companies working in this space to get a combined offer from the same company. They should provide an option to buy Coverity for an additional fee. Coverity combined with Black Duck Hub will provide a one-step analysis to get everything you need and a unified report. It would be really great to be able to connect Black Duck Hub with Coverity unified reports.""Due to the fact that, with our software developer life cycle, we don't need to scan our source code every day or every week. For that reason, we find the cost is too high. We might only actually use it five to ten times a year, which makes it expensive."

More Black Duck Cons →

"It would be helpful if it had a more detailed view of what has been quarantined, for people who don't have Lifecycle licenses. Other than that, it's pretty good.""One of the things that we specifically did ask for is support for transitive dependencies. Sometimes a dependency that we define in our POM file for a certain library will be dependent on other stuff and we will pull that stuff in, then you get a cascade of libraries that are pulled in. This caused confusing to us at first, because we would see a component that would have security ticket or security notification on it and wonder "Where is this coming in from?" Because when we checked what we defined as our dependencies it's not there. It didn't take us too long effort to realize that it was a transitive dependency pulled in by something else, but the question then remains "Which dependency is doing that?"""We had some issues, and I think we might still have some issues, where the Sonatype Nexus Repository has integrations with IQ and SonarQube. We're getting some errors on the UI, so we've had Sonatype look into that a little bit.""It's the right kind of tool and going in the right direction, but it really needs to be more code-driven and oriented to be scaled at the developer level.""The biggest thing that I have run into, which there are ways around, is being able to easily access the auditing data from a third-party tool; being able to pull all of that into one place in a cohesive manner where you can report off of that. We've had a little bit of a challenge with that. There are a number of things available to work with, to help with that in the tool, but we just haven't explored them yet.""One area of improvement, about which I have spoken to the Sonatype architect a while ago, is related to the installation. We still have an installation on Linux machines. The installation should move to EKS or Kubernetes so that we can do rollover updates, and we don't have to take the service down. My primary focus is to have at least triple line availability of my tools, which gives me a very small window to update my tools, including IQ. Not having them on Kubernetes means that every time we are performing an upgrade, there is downtime. It impacts the 0.1% allocated downtime that we are allowed to have, which becomes a challenge. So, if there is Kubernetes installation, it would be much easier. That's one thing that definitely needs to be improved.""Some of the APIs are just REST APIs and I would like to see more of the functionality in the plugin side of the world. For example, with the RESTful API I can actually delete or move an artifact from one Nexus repository to another. I can't do that with the pipeline API, as of yet. I'd like to see a bit more functionality on that side.""Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."

More Sonatype Nexus Lifecycle Cons →

Pricing and Cost Advice
  • "The price is quite high because the behavior of the software during the scan is similar to competing products."
  • "The price is low. It's not an expensive solution."
  • "Black Duck is more suitable if you require a lot of licensing compliance. For smaller organizations, WhiteSource is better because its pricing policies are not really suitable for huge organizations."
  • More Black Duck Pricing and Cost Advice →

  • "The price is good. We certainly get a lot more in return. However, it's also hard to get the funds to roll out such a product for the entire firm. Therefore, pricing has been a limiting factor for us. However, it's a fair price."
  • "The license fee may be a bit harder for startups to justify. But it will save you a headache later as well as peace of mind. Additionally, it shows your own customers that you value security stuff and will protect yourselves from any licensing issues, which is good marketing too."
  • "In addition to the license fee for IQ Server, you have to factor in some running costs. We use AWS, so we spun up an additional VM to run this. If the database is RDS that adds a little bit extra too. Of course someone could run it on a pre-existing VM or physical server to reduce costs. I should add that compared to the license fee, the running costs are so minimal they had no effect on our decision to use IQ Server."
  • "Pricing is decent. It's not horrible. It's middle-of-the-road, as far as our ranking goes. They're a little bit more but that's also because they provide more."
  • "Lifecycle, to the best of my recollection, had the best pricing compared with other solutions."
  • "Cost is a drawback. It's somewhat costly."
  • "It's expensive, but you get what you pay for. There were no problems with the base license and how they do it. It was transparent. You don't have to worry. You can scan to your heart's delight."
  • "Given the number of users we have, it is one of the most expensive tools in our portfolio, which includes some real heavy-duty tools such as GitLab, Jira, etc. It is definitely a bit on the expensive side, and the ambiguity in how the licenses are calculated adds to the cost as well. If there is a better understanding of how the licenses are being calculated, there would be a better agreement between the two parties, and the cost might also be a little less. There is no extra cost from Sonatype. There is an operational cost on the BT side in terms of resources, etc."
  • More Sonatype Nexus Lifecycle Pricing and Cost Advice →

    report
    Use our free recommendation engine to learn which Software Composition Analysis (SCA) solutions are best for your needs.
    563,327 professionals have used our research since 2012.
    Questions from the Community
    Top Answer: 
    We researched Black Duck but ultimately chose WhiteSource when looking for an application security tool. WhiteSource is a software solution that enables agile open source security and license… more »
    Top Answer: 
    Black Duck is pretty extensive in terms of the scan reserves and the vulnerability exposures. From that perspective, I'm happy with it.
    Top Answer: 
    We are not the primary team to procure this solution. My counterparts in Paris are the only ones who are aware of the pricing. We are only using a few of the licenses because they had acquired several… more »
    Top Answer: 
    We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding the issues a lot quicker. The policy engine allows you to set up different… more »
    Top Answer: 
    The quality or the profiles that you can set are most valuable. The remediation of issues that you can do and how the information is offered is also valuable.
    Top Answer: 
    There are additional costs in commercial offerings for add-ons such as Nexus Container or IDE Advanced Toolkit. They come with additional fees or licenses.
    Ranking
    Views
    17,477
    Comparisons
    12,198
    Reviews
    7
    Average Words per Review
    645
    Rating
    7.6
    Views
    23,885
    Comparisons
    13,468
    Reviews
    17
    Average Words per Review
    1,910
    Rating
    8.6
    Comparisons
    Also Known As
    Blackduck Hub, Black Duck Protex, Black Duck Security Checker
    Nexus Lifecycle
    Learn More
    Overview

    Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

    Nexus Lifecycle gives you full control over your software supply chain and allows you to define rules, actions, and policies that work best for your organization and teams.

    Offer
    Learn more about Black Duck
    Learn more about Sonatype Nexus Lifecycle
    Sample Customers
    Samsung, Siemens, ScienceLogic, Noser Engineering AG, ClickFox, Dynatrace, CopperLeaf
    Genome.One, Blackboard, Crediterform, Crosskey, Intuit, Progress Software, Qualys, Liberty Mutual Insurance
    Top Industries
    VISITORS READING REVIEWS
    Computer Software Company35%
    Comms Service Provider15%
    Financial Services Firm10%
    Manufacturing Company9%
    REVIEWERS
    Financial Services Firm33%
    Insurance Company17%
    Manufacturing Company13%
    Computer Software Company8%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Financial Services Firm18%
    Comms Service Provider13%
    Government6%
    Company Size
    REVIEWERS
    Small Business38%
    Large Enterprise63%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise12%
    Large Enterprise72%
    REVIEWERS
    Small Business27%
    Midsize Enterprise17%
    Large Enterprise57%
    VISITORS READING REVIEWS
    Small Business30%
    Midsize Enterprise18%
    Large Enterprise51%
    Find out what your peers are saying about Black Duck vs. Sonatype Nexus Lifecycle and other solutions. Updated: January 2022.
    563,327 professionals have used our research since 2012.

    Black Duck is ranked 6th in Software Composition Analysis (SCA) with 7 reviews while Sonatype Nexus Lifecycle is ranked 1st in Software Composition Analysis (SCA) with 18 reviews. Black Duck is rated 7.6, while Sonatype Nexus Lifecycle is rated 8.6. The top reviewer of Black Duck writes "Auto analyzes components and supports a range of scales". On the other hand, the top reviewer of Sonatype Nexus Lifecycle writes "Checks our libraries for security and licensing issues". Black Duck is most compared with WhiteSource, Snyk, Fortify Static Code Analyzer, Veracode Software Composition Analysis and Checkmarx Software Composition Analysis, whereas Sonatype Nexus Lifecycle is most compared with SonarQube, WhiteSource, JFrog Xray, Snyk and Veracode. See our Black Duck vs. Sonatype Nexus Lifecycle report.

    See our list of best Software Composition Analysis (SCA) vendors.

    We monitor all Software Composition Analysis (SCA) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.