IT Central Station is now PeerSpot: Here's why
  • Home
  • Coverity vs. SonarQube

Coverity vs SonarQube comparison

Cancel
You must select at least 2 products to compare!
Veracode Logo

Veracode

Read 24 Veracode reviews
49,629 views|28,481 comparisons
Synopsys Logo

Coverity

Read 8 Coverity reviews
21,229 views|15,454 comparisons
Sonar Logo

SonarQube

Read 59 SonarQube reviews
87,178 views|71,809 comparisons
Featured Review
Anonymous User
Researched Coverity but chose Veracode: Effective at preventing vulnerable code from going into production, but static analysis is prone to false positives
Veracode has helped immensely with developer security training and in building developer security skills. Before we implemented it, we would find a... Read more →
Anonymous User
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines
Anonymous User
Effective vulnerability scanning, good support, and simple setup
Buyer's Guide
Coverity vs. SonarQube
July 2022
Free Report: Coverity vs. SonarQube
Find out what your peers are saying about Coverity vs. SonarQube and other solutions. Updated: July 2022.
DOWNLOAD NOW
622,949 professionals have used our research since 2012.
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
Pros
"The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly.""The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.""You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.""The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.""The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end.""There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic.""The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up.""Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."

More Veracode Pros →

"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be.""It provides reports about a lot of potential defects.""The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time.""Coverity is scalable.""The most valuable feature is the integration with Jenkins.""The app analysis is the most valuable feature as I know other solutions don't have that.""One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited.""The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."

More Coverity Pros →

"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.""It is working fine. It provides a good value for money.""SonarQube is a fantastic tool which saves us precious time.""Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications.""The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.""It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.""It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.""Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."

More SonarQube Pros →

Cons
"There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed.""Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.""If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.""Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.""The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.""We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.""The reports on offer are too verbose.""Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."

More Veracode Cons →

"When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material.""Coverity is not stable.""Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker.""Ideally, it would have a user-based license that does not have a restriction in the number of lines of code.""The solution could use more rules.""It should be easier to specify your own validation routines and sanitation routines.""Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code.""Its price can be improved. Price is always an issue with Synopsys."

More Coverity Cons →

"We could use some team support, but since we are using the community version, it's not available.""Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.""The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.""SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language.""The BPM language is important and should be considered in SonarQube.""If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes.""The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.""The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."

More SonarQube Cons →

Pricing and Cost Advice
  • "I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good."
  • "Veracode's price is high. I would like them to better optimize their pricing."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."

    • More Veracode Pricing and Cost Advice →

  • "The licensing fees are based on the number of lines of code."
  • "The price is competitive with other solutions."
  • "It is expensive."
  • "Coverity is very expensive."
  • "This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."

    • More Coverity Pricing and Cost Advice →

  • "We are using the open-source version, which is available free of cost."
  • "There is both a free and licensed version. The free version has limitations on development languages and support."
  • "For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
  • "We are using the open-source community version, but there are enterprise licenses available."
  • "SonarQube is an open-source product that can be used free of charge."
  • "I am satisfied with the pricing."
  • "Can try developer version for 14 days on the free trial."
  • "It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries."

    • More SonarQube Pricing and Cost Advice →

    report
    See Which Vendors Are Best For You
    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    See Recommendations
    622,949 professionals have used our research since 2012.
    Questions from the Community
    Which gives you more for your money - SonarQube or Veracode?
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis… more »
    Read all 6 answers   →
    What do you like most about Veracode?
    Top Answer:Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM… more »
    Read all 64 answers   →
    What is your experience regarding pricing and costs for Veracode?
    Top Answer:Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able… more »
    Read all 41 answers   →
    How would you decide between Coverity and Sonarqube?
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security… more »
    What do you like most about Coverity?
    Top Answer:Coverity is scalable.
    Read all 12 answers   →
    What is your experience regarding pricing and costs for Coverity?
    Top Answer:This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced… more »
    Read all 10 answers   →
    Is SonarQube the best tool for static analysis?
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which… more »
    Read all 10 answers   →
    How does Snyk compare with SonarQube?
    Top Answer:Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to… more »
    How does Sonatype Nexus Lifecycle compare with SonarQube?
    Top Answer:We like the data that Sonatype Nexus Lifecycle consistently delivers. This solution helps us in fixing and understanding… more »
    Comparisons
    Also Known As
    Synopsys Static Analysis
    Sonar
    Learn More
    Veracode
    Synopsys
    Sonar
    Overview

    Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

    Coverity® gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight™ integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts. 

    Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform™ (SaaS), a highly scalable, cloud-based application security platform. Coverity supports 22 languages and over 70 frameworks and templates.

    SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

    Offer
    Keep your software secure
    Find out more

    Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

    Learn more about Coverity
    Learn More
    Learn more about SonarQube
    Learn More
    Sample Customers
    State of Missouri, Rekner
    MStar Semiconductor, Alcatel-Lucent
    Bank of America, Siemens, Cognizant, Thales, Cisco, eBay
    Top Industries
    REVIEWERS
    Financial Services Firm31%
    Insurance Company11%
    Computer Software Company11%
    Healthcare Company7%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Comms Service Provider14%
    Financial Services Firm12%
    Manufacturing Company7%
    REVIEWERS
    Computer Software Company25%
    Media Company13%
    Government13%
    Retailer13%
    VISITORS READING REVIEWS
    Computer Software Company26%
    Manufacturing Company20%
    Comms Service Provider14%
    Government4%
    REVIEWERS
    Computer Software Company22%
    Financial Services Firm21%
    Comms Service Provider10%
    Insurance Company7%
    VISITORS READING REVIEWS
    Computer Software Company24%
    Comms Service Provider15%
    Financial Services Firm14%
    Manufacturing Company8%
    Company Size
    REVIEWERS
    Small Business24%
    Midsize Enterprise27%
    Large Enterprise49%
    VISITORS READING REVIEWS
    Small Business16%
    Midsize Enterprise14%
    Large Enterprise70%
    REVIEWERS
    Small Business19%
    Midsize Enterprise19%
    Large Enterprise63%
    VISITORS READING REVIEWS
    Small Business13%
    Midsize Enterprise12%
    Large Enterprise75%
    REVIEWERS
    Small Business26%
    Midsize Enterprise17%
    Large Enterprise56%
    VISITORS READING REVIEWS
    Small Business14%
    Midsize Enterprise14%
    Large Enterprise72%
    Buyer's Guide
    Coverity vs. SonarQube
    July 2022
    Free Report: Coverity vs. SonarQube
    Find out what your peers are saying about Coverity vs. SonarQube and other solutions. Updated: July 2022.
    DOWNLOAD NOW
    622,949 professionals have used our research since 2012.

    Coverity is ranked 10th in Application Security Tools with 8 reviews while SonarQube is ranked 1st in Application Security Tools with 59 reviews. Coverity is rated 8.0, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines". On the other hand, the top reviewer of SonarQube writes "Open-source, stable, and finds the problems for you and tells you where they are". Coverity is most compared with Micro Focus Fortify on Demand, Checkmarx, Klocwork, Fortify Application Defender and Snyk, whereas SonarQube is most compared with Checkmarx, Sonatype Nexus Lifecycle, Snyk, Micro Focus Fortify on Demand and Mend. See our Coverity vs. SonarQube report.

    See our list of best Application Security Tools vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.