Try our new research platform with insights from 80,000+ expert users

OpenText Core Application Security vs SonarQube Server (formerly SonarQube) comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Jun 19, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

OpenText Core Application S...
Ranking in Application Security Tools
14th
Ranking in Static Application Security Testing (SAST)
12th
Average Rating
8.0
Reviews Sentiment
7.8
Number of Reviews
60
Ranking in other categories
No ranking in other categories
SonarQube Server (formerly ...
Ranking in Application Security Tools
1st
Ranking in Static Application Security Testing (SAST)
1st
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
116
Ranking in other categories
Software Development Analytics (1st)
 

Mindshare comparison

As of July 2025, in the Application Security Tools category, the mindshare of OpenText Core Application Security is 4.3%, down from 5.1% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 22.7%, down from 26.7% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Application Security Tools
 

Q&A Highlights

Miriam Tover - PeerSpot reviewer
Jan 11, 2019
 

Featured Reviews

Jonathan Steyn - PeerSpot reviewer
Source code analyzer, FPR file generation, reduction of false positives and generates compliance reports, for in-depth analysis
Not challenges with the product itself. The product is very reliable. It does have a steep learning curve. But, again, one thing that Fortify or OpenText does very well is training. There are a lot of free resources and training in the community forums, free training as well as commercial training where users can train on how to use the back-end systems and the scanning engines and how to use command-line arguments because some of the procedures or some of the tools do require a bit of a learning curve. That's the only challenge I've really seen for customers because you have to learn how to use the tool effectively. But Fortify has, in fact, improved its user interface and the way users engage the dashboards and the interfaces. It is intuitive. It's easy to understand. But in some regards, the cybersecurity specialist or AppSec would need a bit of training to engage the user interface and to understand how it functions. But from the point of the reliability index and how powerful the tool is, there's no challenge there. But it's just from a learning perspective; users might need a bit more skill to use the tool. The user interface isn't that tedious. It's not that difficult to understand. When I initially learned how to use the interfaces, I was able to master it within a week and was able to use it quite effectively. So training is required. All skills are needed to learn how to use the tool. I would like to see more enhancements in the dashboards. Dashboards are available. They do need some configuration and settings. But I would like to see more business intelligence capabilities within the tool. It's not particularly a cybersecurity function, but, for instance, business impact analysis or other features where you can actually use business intelligence capabilities within your security tool. That would be remarkable because not only do you have a cybersecurity tool, but you also have a tool that can give you business impact analysis and some other measurements. A bit more intelligence in terms of that from a cybersecurity perspective would be remarkable.
Sthembiso Zondi - PeerSpot reviewer
Consistent improvements in code quality and security with effective integration and reliable technical support
The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective. We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes. The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"While using Micro Focus Fortify on Demand we have been very happy with the results and findings."
"The solution scans our code and provides us with a dashboard of all the vulnerabilities and the criticality of the vulnerabilities. It is very useful that they provide right then and there all the information about the vulnerability, including possible fixes, as well as some additional documentation and links to the authoritative sources of why this is an issue and what's the correct way to deal with it."
"It improves future security scans."
"It helps deploy and track changes easily as per time-to-time market upgrades."
"The SAST feature is the most valuable."
"The licensing was good."
"Fortify helps us to stay updated with the newest languages and versions coming out."
"The most valuable feature is the capacity to be able to check vulnerabilities during the development process. The development team can check whether the code they are using is vulnerable to some type of attack or there is some type of vulnerability so that they can mitigate it. It helps us in achieving a more secure approach towards internal applications. It is an intuitive solution. It gives all the information that a developer needs to remediate a vulnerability in the coding process. It also gives you some examples of how to remediate a vulnerability in different programming languages. This solution is pretty much what we were searching for."
"SonarQube Server (formerly SonarQube) is very stable."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
"The product itself has a friendly UI."
"It easily ties into our continuous integration pipeline."
"The most valuable feature of this solution is that it is free."
"Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
"The product has a friendly UI that is easy to use and understand."
 

Cons

"We would like a reduction in the time frame of scans. It takes us three to five days to run a scan now. We would like that reduced to under three days."
"Takes up a lot of resources which can slow things down."
"It lacks of some important features that the competitors have, such as Software Composition Analysis, full dead code detection, and Agile Alliance's Best Practices and Technical Debt."
"Reporting could be improved."
"If you have a continuous integration in place, for example, and you want it to run along with your build and you want it to be fast, you're not going to get it. It adds to your development time."
"Integration to CI/CD pipelines could be improved. The reporting format could be more user friendly so that it is easy to read."
"The technical support is actually a problem that needs to be addressed. Since the acquisition and merger with Hewlett Packard, it has been really hard to know who the technical or salesperson to talk to."
".NET code scanning is still dependent on building the code base before running any scan. Also, it's dependent on an IDE such as Visual Studio."
"It should be user-friendly."
"The handling of the contents of Docker container images could be better."
"Depending on the tool's configuration, sometimes you get false alarms that are unimportant to you."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."
"I think the code security can be improved."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
 

Pricing and Cost Advice

"I believe the rental license is not too expensive, but it provides a lot of information about the vulnerabilities."
"It is not more expensive than other solutions, but the pricing is competitive."
"The product's cost depends on the type of license."
"Their subscriptions could use a little bit of a reworking, but I am very happy with what they're able to provide."
"Micro Focus Fortify on Demand licenses are managed by our IT team and the license model is user-based."
"There are different costs for Micro Focus Fortify on Demand depending on the assessments you want to use. There is only a standard license needed to use the solution."
"The subscription model, on a per-scan basis, is a bit expensive. That's another reason we are not using it for all the apps."
"Fortify on Demand is affordable, and its licensing comes with a year of support."
"We pay €10 per month for this solution, which is good. It provides a good value for money."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"We are using the free, unlicensed version."
"The product’s price is lower than Veracode’s price."
"I was using the Community Edition, which is available free of charge."
"Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs."
"SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing."
"I think comparing the product to competitors it should be less expensive."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
861,524 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
19%
Manufacturing Company
15%
Computer Software Company
11%
Government
8%
Financial Services Firm
16%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What do you like most about Micro Focus Fortify on Demand?
It helps deploy and track changes easily as per time-to-time market upgrades.
What is your experience regarding pricing and costs for Micro Focus Fortify on Demand?
In comparison with other tools, they're competitive. It is not more expensive than other solutions, but their pricing is competitive. The licenses for Fortify On Demand are generally bought in unit...
What needs improvement with Micro Focus Fortify on Demand?
There are frequent complaints about false positives from Fortify. One day it may pass a scan with no issues, and the next day, without any code changes, it will report vulnerabilities such as passw...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
 

Also Known As

Micro Focus Fortify on Demand
Sonar
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

SAP, Aaron's, British Gas, FICO, Cox Automative, Callcredit Information Group, Vital and more.
Information Not Available
Find out what your peers are saying about OpenText Core Application Security vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: July 2025.
861,524 professionals have used our research since 2012.