We performed a comparison between Checkmarx One, SonarQube, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"The ability to track the vulnerabilities inside the code (origin and destination of weak variables or functions)."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%."
"The most valuable feature for me is the Jenkins Plugin."
"Scan reviews can occur during the development lifecycle."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"The most valuable features of Checkmarx are the Best Fix Location and the Payments option because you can save a lot of time trying to mitigate the configuration. Using these tools can save you a lot of time."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
"The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill and prioritization, and it is easy for me to review and make my code."
"All the features of the solution are quite good."
"I like that it covers most programming languages for source code review."
"The tool helps us to monitor and manage violations. It manages the bugs and security violations."
"I like the default policies that are there, as they seem to cover most of what I need."
"The code coverage feature is very good."
"It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
"We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them."
"It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
"The most valuable feature is the efficiency of the tool in finding vulnerabilities."
"I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities."
"We use Veracode static analysis during development to eliminate vulnerability issues."
"Because it is a SaaS offering, I do not have to support the infrastructure."
"The best feature of Veracode is that we can do static and dynamic scans."
"Checkmarx is not good because it has too many false positive issues."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"It is an expensive solution."
"Updating and debugging of queries is not very convenient."
"Licensing models and Swift language support are the aspects in which this product needs to improve. Swift is a new language, in which major customers require support for lower prices."
"The validation process needs to be sped up."
"Integration into the SDLC (i.e. support for last version of SonarQube) could be added."
"Micro-services need to be included in the next release."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"If you don't have any experience with the configuration or how to configure the files, it can be complicated."
"SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
"The handling of the contents of Docker container images could be better."
"I think the code security can be improved."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"The pricing could be reduced a bit. It's a little expensive."
"We had some issues scanning the master branch, but when we upgraded to version 7.9 we noticed it does scan the master branch, but we had to do a workaround for it to happen. This process could be improved in a future release."
"The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary."
"The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there."
"It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or it may further lose market share."
"Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."
"We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."
"The zip file scanning has room for improvement."
"The scanning process for records could be faster and there is room for improvement in Veracode's performance."
"Security can always be improved."
SonarQube depends completely on what rules you configure. You have the option of profile creation, and profiles can be assigned to projects. If you configure the project --> under the services configuration, it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it, but this developer-machine integration is available only for Java-coded projects.
Regarding vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans and Checkmarx is used during code movement to staging or during release.
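The two-tier workflow described in the answers above (SonarQube on every developer commit, the heavier SAST only when code moves to staging or a release) is usually wired into the pipeline as a branch policy plus a check of the SonarQube quality gate. The following is an added example, not code from PeerSpot, Sonar, Checkmarx or any reviewer: it parses a constructed response in the shape of SonarQube's `api/qualitygates/project_status` endpoint and decides which scanners a branch gets. The branch-name pattern, the metric values, and the rule that gate failures only block release-bound branches are assumptions made for illustration.

```python
"""Pipeline helper: SonarQube on every commit, release-gate SAST only at staging/release.

Added example, not PeerSpot's or any vendor's code. SAMPLE_GATE_RESPONSE is a
constructed sample in the shape SonarQube's /api/qualitygates/project_status
endpoint returns; the branch pattern and the blocking policy are assumptions.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample (assumption): same shape as SonarQube's project_status API.
SAMPLE_GATE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "40"},
        ],
    }
})

# Assumed convention: these branches are the ones that move to staging/release.
RELEASE_BOUND = re.compile(r"(main|master|staging|release/.+|hotfix/.+)")


@dataclass(frozen=True)
class GateResult:
    passed: bool
    failed_metrics: tuple  # metric keys whose condition reported ERROR


def parse_quality_gate(body: str) -> GateResult:
    """Parse a project_status response; any ERROR condition fails the gate.

    A missing or unknown overall status is treated as a failure (fail closed),
    so a malformed or empty response never lets a build through.
    """
    data = json.loads(body)
    project_status = data.get("projectStatus", {})
    status = project_status.get("status")
    conditions = project_status.get("conditions", [])
    failed = tuple(c["metricKey"] for c in conditions if c.get("status") == "ERROR")
    return GateResult(passed=(status == "OK" and not failed), failed_metrics=failed)


def plan_scans(branch: str) -> list:
    """SonarQube on every branch; the release-gate SAST (Checkmarx in the
    answer above) only on branches that move to staging or a release."""
    scans = ["sonarqube"]
    if RELEASE_BOUND.fullmatch(branch):
        scans.append("checkmarx")
    return scans


def should_fail_build(branch: str, gate_body: str) -> bool:
    """Assumed policy: on developer branches a failed gate is advisory
    (developers are delinting before SAST); on release-bound branches it
    blocks the build before the second scanner runs."""
    gate = parse_quality_gate(gate_body)
    blocking = "checkmarx" in plan_scans(branch)
    return blocking and not gate.passed


if __name__ == "__main__":
    for branch in ("feature/login", "release/2.1"):
        result = parse_quality_gate(SAMPLE_GATE_RESPONSE)
        print(branch, plan_scans(branch), "gate passed:", result.passed,
              "failed metrics:", result.failed_metrics,
              "fail build:", should_fail_build(branch, SAMPLE_GATE_RESPONSE))
```

In a real pipeline the JSON would come from an authenticated GET against the SonarQube server after the scanner finishes, and the second scanner would be invoked by whatever plugin or CLI the team has licensed; the decision logic above stays the same either way.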