We performed a comparison between SonarQube and Synopsys Defensics based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools."It is very good at identifying technical debt."
"Before you even compile, it can catch known vulnerability issues or patterns."
"The product is simple."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"We consider it a handy tool that helps to resolve our issues immediately."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"We have found multiple issues in our embedded system network protocols, related to buffer overflow. We have reduced some of these issues."
"The product is related to US usage with TLS contact fees, i.e. how more data center connections will help lower networking costs."
"Whatever the test suit they give, it is intelligent. It will understand the protocol and it will generate the test cases based on the protocol: protocol, message sequence, protocol, message structure... Because of that, we can eliminate a lot of unwanted test cases, so we can execute the tests and complete them very quickly."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"The BPM language is important and should be considered in SonarQube."
"The solution could improve by providing more advanced technologies."
"The product provides false reports sometimes."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"Dynamic scanning is missing and there are some issues with security scanning."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
"Codenomicon Defensics should be more advanced for the testing sector. It should be somewhat easy and flexible to install."
"It does not support the complete protocol stack. There are some IoT protocols that are not supported and new protocols that are not supported."
"Sometimes, when we are testing embedded devices, when we trigger the test cases, the target will crash immediately. It is very difficult for us to identify the root cause of the crash because they do not provide sophisticated tools on the target side. They cover only the client-side application... They do not have diagnostic tools for the target side. Rather, they have them but they are very minimal and not very helpful."
Earn 20 points
SonarQube is ranked 1st in Application Security Tools with 112 reviews while Synopsys Defensics is ranked 5th in Fuzz Testing Tools. SonarQube is rated 8.0, while Synopsys Defensics is rated 8.6. The top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". On the other hand, the top reviewer of Synopsys Defensics writes "Technical support provided protocol-specific documentation to prove that some positives were not false". SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and GitHub Advanced Security, whereas Synopsys Defensics is most compared with Snyk, Fortify on Demand, Invicti, HCL AppScan and PortSwigger Burp Suite Professional.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
