2020-07-19T02:18:00Z
Manoj Kumar Kemisetty - PeerSpot reviewer
Sap Advanced Business Application Programming Consultant at Accenture

Is SonarQube the best tool for static analysis?

Hi community members,

Is SonarQube the best tool for static analysis? Are there any good tools that compete with SonarQube?

10 Answers
Peter Arvedlund - PeerSpot reviewer
Enterprise Account Executive at Keepit A/S
User
2020-07-24T21:42:19Z
Jul 24, 2020

I am not very familiar with SonarQube and their solutions, so I can not answer.

But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look at the Gartner Magic Quadrant for Application Security Testing (AST).

In the latest Gartner Quadrant for AST (Static and Dynamic App Security testing) these are the "Leaders" as per April 2020 according to Gartner ranking:

1. Synopsys
2. Checkmarx
3. MicroFocus (Fortify)
4. Veracode
5. WhiteHat Security

I used to work as a Fortify Sales Specialist in HP before Fortify was acquired by MicroFocus a few years ago.

I can strongly recommend Fortify because they have both the Static and Dynamic testing - and you can even choose to have the solution(s) deployed as an "on-premise" or "Cloud" solution. In fact you can even have a "hybrid" between Cloud and On-Prem if you want, depending on your organisation's needs and need for automation in different countries.

I can see you work for ACCENTURE? That is a big WW org. with different requirements for app testing across different countries, I imagine?

So you can decide to have e.g. a Fortify "on-premise" version in one country and in another country you can have the solution deployed as a "Cloud service", so you get full freedom and the flexibility for automation and continuous AppSec testing of the development teams' coding.

This will also educate the Developer teams into becoming better coders because they will learn from the corrections in the coding done by Fortify.

And remember that you can also use this in your Sales advertising, because you can get a report to document that your coding and DevOps has been Security tested and analysed by the Fortify solution, and therefore you can advertise your services as proved and documented as "Secure by design" by the Fortify solution.

I can help connect you directly with my old colleague from HP. He is today Fortify EMEA Global Head of Sales (based in UK).

Let me know if you want me to connect you or if you want to look at some other AppSec (AST) solution from the Gartner AST MQ report I mentioned above instead?

RS
Transformation Leader at TEKsystems (ex Aston Carter)
Real User
Leaderboard
2021-06-17T14:12:21Z
Jun 17, 2021

SonarQube is one of the widely used and easy-to-use tools.

With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code.

But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the enterprise edition (it has some associated cost), but not to the extent of other commercial tools. Hope this helps.

Vishal-Goyal - PeerSpot reviewer
Chief Architect at Persistent Systems
Real User
Top 5 Leaderboard
2021-06-17T09:01:21Z
Jun 17, 2021

We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best, if not the best.

It can handle multiple tech stacks and gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. It allows adding plugins and integrating with CI/CD even with the Community Edition. The Developer and Enterprise editions allow branch-level integration as well, for pull requests.

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Community Manager
Jun 17, 2021

@reviewer1572348 thank you for your reply!

NP
Team Lead at CNSI
Real User
2020-07-24T12:26:20Z
Jul 24, 2020

The static tools we can use are Fortify or IBM AppScan.

SonarQube is widely used for coding standards.

Curtis Yanko - PeerSpot reviewer
DevSecOps Evangelist & Coach at Shiftleft
Vendor
Top 5
2021-03-02T13:45:40Z
Mar 2, 2021

If you stop at 'static analysis' and leave off the security testing part, I don't even view this tool as a security tool; it's much more about code quality.

Ricardo Oyarzo Mansilla - PeerSpot reviewer
IT Security Architect at a consumer goods company with 10,001+ employees
Real User
2021-06-17T21:38:09Z
Jun 17, 2021

SonarQube is not the best SAST; it is a SAST, but like any other open-source SAST. The best SAST is from the leader of the "Gartner Quadrant for AST".

Yatender Sharma - PeerSpot reviewer
Global Head of Quality Engineering at IGT Solutions
User
2021-06-16T06:02:07Z
Jun 16, 2021

There are many tools that can work for static code analysis, both in open source as well as in licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it in the DevOps pipeline?

It is also important to know which programming language/code has been used for your application.

Additionally, SCA functionality is also important if you are working for a big corporation wherein open source libraries/components are not allowed.

SK
Independent Consultant at Klusener Consultancy
Consultant
2020-09-24T06:56:38Z
Sep 24, 2020

Please have a look at the TICS framework, offered by www.tiobe.com; it is heavily used in the embedded industry, like Philips, ASML, Porsche, etc., to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.

Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi
Real User
Top 10 Leaderboard
2020-07-27T03:59:44Z
Jul 27, 2020

Veracode will work with it and give value in a complementary way.

Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)
Community Manager
2020-07-20T14:36:24Z
Jul 20, 2020

@Anshuman Kishore @TibinLukose @Donovan Greeff you've recently written reviews for SonarQube - do you have some insight to help @Manoj Kumar Kemisetty with this question? 
