I am not very familiar with SonarQube and their solutions, so I can not answer.
But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look at the Gartner Maqic Quadeant for Application Security Testing (AST) .
In the latest Gartner Quadrant for AST (Static and Dynamic App Security testing) these are the "Leaders" as per April 2020 according to Gartner ranking:
1. Synopsys
2. Checkmarx
3. MicroFocus (Fortify)
4. Veracode
5. WhiteHat Security
I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago.
I can strongly recommend Fortify because they have both the Static and Dynamic testing - and you can even choose to have the solution(-s) deployed as an "on-premise " or "Cloud" solution . In fact you can even have a "hybrid" between Cloud and On-Prem if you want depending on your organisations need and need for automation in different countries.
I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing accross different countries, I imagine?
So you can decide to have e.g. a Fortify "on-premise" version in one country and in another country you can have the solution deployed as a "Cloud service" so you get full freedom and the flexibility for automation and continous AppSec testing of the development teams coding.
This will also educate the Developer teams into becoming better coders because they will learn from the corrections in the coding done by Fortify.
And remember that you can also use this in your Sales advertising, because you can get a report to document that your coding and DevOps has been Security tested and analysed by the Fortify solution and therefore you can advertise your services are proved and documented as " Secure by design" by the Fortify solution.
I can help connect you directly with my old collegue from HP. He is today Fortify EMEA Global Head of Sales (based in UK).
Let me know if you want me to connect you or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead?
Search for a product comparison in Application Security Tools
SonarQube is one of the widely used and easy-to-use tools.
With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code.
But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (It has some associated cost) but not to the extent of other commercial tools. Hope this helps.
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best.
It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. Allows adding plugins, integrate with CI/CD even with the community edition. Developer and Enterprise additions allow branch-level integration as well for pull requests.
Global Head of Quality Engineering at IGT Solutions
User
2021-06-16T06:02:07Z
Jun 16, 2021
There are many tools that can work for static code analysis, both in open source as well as in-licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it in the DevOps pipeline?
It is also important to know which programming language/code has been used for your application.
Additionally, SCA functionality is also important, if you are working for a big corporation, wherein open source libraries/components are not allowed.
If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.
Please have a look at the TICS framework, offered by www.tiobe.com, it is heavily used in the embedded industry, like Philips, ASML, Porsche, etc, to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.
Hello peers,
I am a Senior Program Manager at a large manufacturing company.
I am currently researching both SonarQube and CAST AIP. What are the main differences between these two solutions? Does CAST AIP scan for design violations?
Thankyou for your help.
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free and then we have developer, enterprise, and data center versions which are paid). As per the latest branding from CAST, they don't market AIP as a separate product and are bundled with CAST Imaging. CAST AIP is used to onboard the code base and perform analysis and the actual products are Imaging for architecture analysis and health, engineering, and security dashboards. The dashboards in CAST are richer and have more security features compared to SonarQube. Also, CAST does not have any free community version available. Both of them do static code analysis and do not look at run time code.
Hello peers,
I work for a large tech services company. I am currently researching Application Security Tools.
Which software is ideal for code quality and security? Are SonarQube and Snyk a good choice? Are there any better alternatives?
Thank you for your help.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.
Board Member at a tech vendor with 1,001-5,000 employees
May 15, 2023
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase.
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote!
If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too!
...
What is OWASP?
The OWASP or Open Web Application Security Project is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. The OWASP ensures that its offerings (online tools, videos, forums, events, etc.) remain free and are easily accessible t...
Hi community members,
Here is our new Community Spotlight for YOU. We publish it to help you catch up on recent contributions by community members.
Do you find it useful? Please comment below!
Trending
Top HCI in 2022
What are the main differences between XDR and SIEM?
Articles
Top 5 Ethernet Switches in 2022
SASE: what is it and what are the main benefits?
Questions
Che...
Privacy Concerns in an RPA Implementation Program.
The biggest concern we (as RPA solution implementors) have faced when interacting with clients and customers were:
1. Regulatory and Compliance issues.
2. InfoSec and Security issues.
3. Audit Issues.
Regulatory and Compliance Issues: There is a huge penalty if the wrong data gets updated and emails are sent to customers by the regulatory...
ICT is getting more and more complex: today I have several systems in Chicago, several more in Amsterdam and if you need to protect your environment you will need to check on-premises, the cloud at Amazon, and the cloud at Microsoft Azure.
Why is Performance related to security?
For the following reasons:
Today we need more than one tool to protect our environment. You need anti-spoofing...
I am not very familiar with SonarQube and their solutions, so I can not answer.
But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look at the Gartner Maqic Quadeant for Application Security Testing (AST) .
In the latest Gartner Quadrant for AST (Static and Dynamic App Security testing) these are the "Leaders" as per April 2020 according to Gartner ranking:
1. Synopsys
2. Checkmarx
3. MicroFocus (Fortify)
4. Veracode
5. WhiteHat Security
I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago.
I can strongly recommend Fortify because they have both the Static and Dynamic testing - and you can even choose to have the solution(-s) deployed as an "on-premise " or "Cloud" solution . In fact you can even have a "hybrid" between Cloud and On-Prem if you want depending on your organisations need and need for automation in different countries.
I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing accross different countries, I imagine?
So you can decide to have e.g. a Fortify "on-premise" version in one country and in another country you can have the solution deployed as a "Cloud service" so you get full freedom and the flexibility for automation and continous AppSec testing of the development teams coding.
This will also educate the Developer teams into becoming better coders because they will learn from the corrections in the coding done by Fortify.
And remember that you can also use this in your Sales advertising, because you can get a report to document that your coding and DevOps has been Security tested and analysed by the Fortify solution and therefore you can advertise your services are proved and documented as " Secure by design" by the Fortify solution.
I can help connect you directly with my old collegue from HP. He is today Fortify EMEA Global Head of Sales (based in UK).
Let me know if you want me to connect you or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead?
SonarQube is one of the widely used and easy-to-use tools.
With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code.
But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (It has some associated cost) but not to the extent of other commercial tools. Hope this helps.
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best.
It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. Allows adding plugins, integrate with CI/CD even with the community edition. Developer and Enterprise additions allow branch-level integration as well for pull requests.
@reviewer1572348 thank you for your reply!
The static tool we can use is Fortify or IBM Appscan.
SonarQube is widely used for coding standards.
SonarQube is not the best SAST, is a SAST but like any other open-source SAST, the best SAST is from the leader of "Gartner Quadrant for AST".
There are many tools that can work for static code analysis, both in open source as well as in-licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it in the DevOps pipeline?
It is also important to know which programming language/code has been used for your application.
Additionally, SCA functionality is also important, if you are working for a big corporation, wherein open source libraries/components are not allowed.
If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.
Please have a look at the TICS framework, offered by www.tiobe.com, it is heavily used in the embedded industry, like Philips, ASML, Porsche, etc, to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.
Veracode will work with it & give value on complimentary way ..
@Anshuman Kishore @TibinLukose @Donovan Greeff you've recently written reviews for SonarQube - do you have some insight to help @Manoj Kumar Kemisetty with this question?