Try our new research platform with insights from 80,000+ expert users

OpenText Core Application Security vs SonarQube Server (formerly SonarQube) comparison

OpenText and Sonar are both solutions in the Application Security Tools category. OpenText is ranked #14 with an average rating of 8.0, while Sonar is ranked #1 with an average rating of 8.3. OpenText holds a 4.3% mindshare in AS, compared to Sonar’s 22.4% mindshare. Additionally, 89% of OpenText users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.
OpenText Core Application S...
Read 60 OpenText Core Application Security reviews
  • 7,668 Views
  • 5,598 Comparison Views
89% willing to recommend
SonarQube Server (formerly ...
Read 116 SonarQube Server (formerly SonarQube) reviews
  • 43,055 Views
  • 27,555 Comparison Views
81% willing to recommend
 

Comparison Buyer's Guide

Download the report
Executive SummaryUpdated on Jun 19, 2025

OpenText Core Application Security and SonarQube Server compete in the application security and code quality assurance markets. Each product shines in different areas, with OpenText excelling in compliance and security guidance, while SonarQube stands out in code quality inspection and integration capabilities.

Features: OpenText Core Application Security provides HIPAA compliance, correlated static and dynamic results, and central testing program management. This solution offers on-demand testing suitable for development integration. SonarQube Server supports multiple programming languages and features code quality inspection and customizable coding rules. Its extensive plugin ecosystem enhances many functionalities and integrates smoothly with CI/CD pipelines.

Room for Improvement: OpenText needs to address false positives, improve bug tracking system integration, and simplify reporting. SonarQube should enhance language support, strengthen security rule robustness, and offer better third-party tool integration. The reporting and scalability features also require refinement.

Ease of Deployment and Customer Service: OpenText provides flexible deployment options across cloud and on-premises environments, supported by good customer service, although it can improve in response time. SonarQube's similar deployment flexibility is complemented by a community edition, though it could benefit from more responsive technical support.

Pricing and ROI: OpenText's subscription model is seen as costly but justified by its advanced features, offering significant ROI through preventive savings. SonarQube is accessible with open-source and various licensing models, though some features and plugins may incur additional costs. It delivers value through improved code quality.

DOWNLOAD THE COMPLETE REPORT
To learn more, read our detailed OpenText Core Application Security vs. SonarQube Server (formerly SonarQube) Report (Updated: July 2025).
Buyer's Guide
OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)
July 2025
Download the complete report
Helped 865,985 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

OpenText Core Application S...
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
13th
Average Rating
8.0
Reviews Sentiment
7.8
Number of Reviews
60
Ranking in other categories
No ranking in other categories
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
116
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of August 2025, in the Application Security Tools category, the mindshare of OpenText Core Application Security is 4.3%, down from 5.1% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 22.4%, down from 26.5% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools Market Share Distribution
ProductMarket Share (%)
SonarQube Server (formerly SonarQube)22.4%
OpenText Core Application Security4.3%
Other73.3%
Application Security Tools
 

Q&A Highlights

Miriam Tover - PeerSpot reviewer
Jan 11, 2019
What Is The Biggest Difference Between Fortify on Demand And SonarQube?
I think the benefit of Fortify on Demand is that it covers all the scan types: DAST, SAST. RASP, and Mobile. The research team that builds the vuln database is solid and well-staffed.
See all answers
 

Featured Reviews

Jonathan Steyn - PeerSpot reviewer
Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis
Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.
Read full review
Sthembiso Zondi - PeerSpot reviewer
Consistent improvements in code quality and security with effective integration and reliable technical support
The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective. We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes. The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.
Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The quality of application security testing reduces risk and gives very few false positives."
"Each bank may have its own core banking applications with proprietary support for different programming languages. This makes Fortify particularly relevant and advantageous in those cases."
"One of the top features is the source code review for vulnerabilities. When we look at source code, it's hard to see where areas may be weak in terms of security, and Fortify on Demand's source code review helps with that."
"The solution is user-friendly. One feature I find very effective is the tool's automatic scanning capability. It scans replicas of the code developers write and automatically detects any vulnerabilities. The integration with CI/CD tools is also useful for plugins."
"Fortify is effective in identifying such oversights, making it a really helpful tool despite its problems."
"This product is top-notch solution and the technology is the best on the market."
"The solution saves us a lot of money. We're trying to reduce exposure and costs related to remediation."
"We have the option to test applications with or without credentials."
More OpenText Core Application Security pros
"All the features of the solution are quite good."
"The integrations SonarQube provides with our software delivery pipeline are very seamless."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"It provides the security that is required from a solution for financial businesses."
"The solution has a plug-in that supports both C and C++ languages."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk."
More SonarQube Server (formerly SonarQube) pros
 

Cons

"Temenos's (T-24) info basic is a separate programming interface, and such proprietary platforms and programming interfaces were not easily supported by the out-of-the-box versions of Fortify."
"It natively supports only a few languages. They can include support for more native languages. The response time from the support team can also be improved. They can maybe include video tutorials explaining the remediation process. The remediation process is sometimes not that clear. It would be helpful to have videos. Sometimes, the solution that the tool gives in the GUI is not straightforward to understand for the developer. At present, for any such issues, you have to create a ticket for the support team and request help from the support team."
"The products must provide better integration with build tools."
"I would like the solution to add AI support."
"The cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions."
"The product has a lot of false positives."
"I would like to see improvement in CI integration and integration with GitLab or Jenkins. It needs to be more simple."
"Fortify on Demand needs to improve its pricing."
More OpenText Core Application Security cons
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
"The solution could improve by having better-consulting services."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
"The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."
More SonarQube Server (formerly SonarQube) cons
 

Pricing and Cost Advice

"The pricing model it's based on how many applications you wish to scan."
"Fortify on Demand is affordable, and its licensing comes with a year of support."
"The price is fair compared to that of other solutions."
"Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
"It's a yearly contract, but I don't remember the dollar amount."
"Despite being on the higher end in terms of cost, the biggest value lies in its abilities, including robust features, seamless integration, and high-quality findings."
"We make an annual purchase of the licenses we need."
"The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps."
More OpenText Core Application Security pricing and cost advice
"This is open source."
"I am satisfied with the pricing."
"Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
"The developer edition is based on cost per lines of code."
"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
"As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool."
"We're using their free Community Edition version."
"There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license."
More SonarQube Server (formerly SonarQube) pricing and cost advice
report
See which vendors are best for you
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
See recommendations
865,985 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
18%
Manufacturing Company
15%
Computer Software Company
10%
Government
8%
Financial Services Firm
16%
Computer Software Company
14%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business16
Midsize Enterprise8
Large Enterprise43
By reviewers
Company SizeCount
Small Business32
Midsize Enterprise21
Large Enterprise74
 

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?
It helps deploy and track changes easily as per time-to-time market upgrades.
See all answers
What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?
In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...
See all answers
What needs improvement with Micro Focus Fortify on Demand?
There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as passw...
See all answers
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
See all answers
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
See all answers
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
See all answers
 

Comparisons

Checkmarx One vs OpenText Core Application Security Logo
Checkmarx One vs OpenText Core Application Security
Compared 12% of the time
Coverity vs OpenText Core Application Security Logo
Coverity vs OpenText Core Application Security
Compared 10% of the time
Veracode vs OpenText Core Application Security Logo
Veracode vs OpenText Core Application Security
Compared 10% of the time
GitHub Advanced Security vs OpenText Core Application Security Logo
GitHub Advanced Security vs OpenText Core Application Security
Compared 7% of the time
OWASP Zap vs OpenText Core Application Security Logo
OWASP Zap vs OpenText Core Application Security
Compared 4% of the time
More OpenText Core Application Security Competitors
Checkmarx One vs SonarQube Server (formerly SonarQube) Logo
Checkmarx One vs SonarQube Server (formerly SonarQube)
Compared 17% of the time
Coverity vs SonarQube Server (formerly SonarQube) Logo
Coverity vs SonarQube Server (formerly SonarQube)
Compared 11% of the time
GitHub Advanced Security vs SonarQube Server (formerly SonarQube) Logo
GitHub Advanced Security vs SonarQube Server (formerly SonarQube)
Compared 10% of the time
Veracode vs SonarQube Server (formerly SonarQube) Logo
Veracode vs SonarQube Server (formerly SonarQube)
Compared 7% of the time
GitLab vs SonarQube Server (formerly SonarQube) Logo
GitLab vs SonarQube Server (formerly SonarQube)
Compared 2% of the time
More SonarQube Server (formerly SonarQube) Competitors
 

Product Reports

Buyer's Guide
OpenText Core Application Security
August 2025
OpenText Core Application Security reportDownload OpenText Core Application Security product report
Buyer's Guide
SonarQube Server (formerly SonarQube)
August 2025
SonarQube Server (formerly SonarQube) reportDownload SonarQube Server (formerly SonarQube) product report
 

Also Known As

Micro Focus Fortify on Demand
Sonar
 

Interactive Demo

Demo not available
OpenText
Sonar
 

Overview

OpenText Core Application Security offers robust features like static and dynamic scanning, real-time vulnerability tracking, and seamless integration with development platforms, designed to enhance code security and reduce operational costs.

OpenText Core Application Security is a cloud-based, on-demand service providing accurate and deep scanning capabilities with detailed reporting. Its integrations with development platforms ensure an enhanced security layer in the development lifecycle, benefiting users by lowering operational costs and facilitating efficient remediation. The platform addresses needs for intuitive interfaces, API support, and comprehensive vulnerability assessments, helping improve code security and accelerate time-to-market. Despite its strengths, challenges exist around false positives, report clarity, and language support, alongside confusing pricing and package options. Enhancements are sought in areas like CI/CD pipeline configuration, report visualization, scan times, and integration with third-party tools such as GitLab, container scanning, and software composition analysis.

What features define OpenText Core Application Security?
  • Static and Dynamic Scanning: Offers thorough analysis to identify vulnerabilities during development.
  • Real-time Vulnerability Tracking: Continuously updates and monitors potential security threats.
  • Seamless Development Platform Integration: Enhances security processes without disrupting workflows.
  • Cloud-Based Service: Provides flexible, on-demand security capabilities with accurate results.
  • API Support: Allows smooth integration and automation within existing systems.
What benefits should users look for in reviews?
  • Reduced Operational Costs: Optimizes resources by lowering costs associated with security management.
  • Efficient Remediation: Speeds up the process of identifying and resolving vulnerabilities.
  • Enhanced Code Security: Strengthens overall application security during the development lifecycle.
  • Accelerated Time-to-Market: Streamlines development stages by integrating essential security tools.

Industries like mobile applications, e-commerce, and banking leverage OpenText Core Application Security for its ability to identify vulnerabilities such as SQL injections. Integrating seamlessly with DevSecOps and security auditing processes, this tool supports developers in writing safer code, ensuring secure application deployment and enhancing software assurance.

OpenText

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?
  • Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
  • Custom coding rules: Allows for tailored rule sets to match specific coding standards.
  • Flexible quality gates: Define criteria for code acceptance at various intervals.
  • CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
  • Rich interface: User-friendly dashboard with detailed visual insights.
What benefits should users expect from SonarQube Server?
  • Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
  • Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
  • Maintainability: Reduces technical debt, yielding long-term development efficiency.
  • Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sonar
 

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.
Information Not Available
Buyer's Guide
OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)
July 2025
Free Report: OpenText Core Application Security vs. SonarQube Server (formerly SonarQube)
Find out what your peers are saying about OpenText Core Application Security vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: July 2025.
DOWNLOAD NOW
865,985 professionals have used our research since 2012.
See our OpenText Core Application Security vs. SonarQube Server (formerly SonarQube) report.
See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.

We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.