We performed a comparison between HCL AppScan, SonarQube, and Trustwave App Scanner [EOL] based on real PeerSpot user reviews.
"This solution saves us time due to the low number of false positives detected."
"For me, as a manager, it was the ease of use. Inserting security into the development process is not normally an easy project to do. The ability for the developer to actually use it and get results and focuses, that's what counted."
"It is easy to use. It is quick to find things, because of the code scanning tools. It's quite simple to use, and the way it reports the findings is very good."
"It highlights, with several grades of severity, the types of vulnerabilities, so we can focus on the most severe security vulnerabilities in the code."
"It has certainly helped us find vulnerabilities in our software, so this is priceless in the end."
"It is a stable solution... It is a scalable solution... The initial setup or installation of HCL AppScan is easy."
"The reporting part is the most valuable feature."
"You can easily find particular features and functions through the UI."
"Provides local scanning for developers."
"We consider it a handy tool that helps to resolve our issues immediately."
"I like the default policies that are there, as they seem to cover most of what I need."
"SonarQube: Recording of issues over a period of time, with an indication of the addition of new issues or the reduction of existing issues (which were fixed)."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"The software quality gate streamlines the product's quality."
"Before you even compile, it can catch known vulnerability issues or patterns."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The stability is great. We haven't had any issues at all with it."
"IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
"We would like to integrate with some of the other reporting tools that we're planning to use in the future."
"I would like to see the roadmap for this product. We are still waiting to see it as we have only so many resources."
"Visibility is an issue for us. Our partners do not know we have integrations with some of IBM products."
"The solution often has a high number of false positives. It's an aspect they really need to improve upon."
"I think being able to search across more containers, especially some of the docker elements. We need a little tighter integration there. That's the only thing I can see at this point."
"They should have a better UI for dashboards."
"In future releases, I would like to see more aggressive reports. I would also like to see fewer false positives."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
"The product needs to integrate other security tools for security scanning."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"There could be better integration with other products."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"The handling of the contents of Docker container images could be better."
"I would like to see a little more flexibility with regards to setting up profiles for vulnerabilities."