We performed a comparison between HCL AppScan, Klocwork, and SonarQube based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.
"We leverage it as a quality check against code."
"There's extensive functionality with custom rules and a custom knowledge base."
"The UI was very intuitive."
"IBM AppScan has made our work easy, as we can do four to five scans of websites at a time, which saves time when it comes to vulnerability."
"You can easily find particular features and functions through the UI."
"The most valuable feature of HCL AppScan is scanning QR codes."
"The static scans are good, and the SaaS as well."
"Compared to other tools, only AppScan supports special language."
"There's a feature in Klocwork called 'on-the-fly analysis', which helps developers to find and fix the defects at the time of development itself."
"We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
"The most valuable feature is the Incremental analysis."
"There is a central Klocwork server at our headquarters in France, so we connect the client directly to the server on-premises remotely."
"The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
"One can increase the number of vendors, so the solution is scalable."
"Technical support is quite good."
"Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"All the features of the solution are quite good."
"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"It is a very good tool for analysis despite its limitations."
"This solution has the capability to analyze source code in almost all the languages in the market."
"It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
"The penetration testing feature should be included."
"I would love to see more containers. Many of the tools are great; they require an amount of configuration, setup and infrastructure. If most of the applications were in a container, I think everything would be a little bit faster, because all our clients are now using containers."
"IBM Security AppScan needs to add performance optimization for quickly scanning the target web applications."
"They have to improve support."
"A desktop version should be added."
"It has crashed at times."
"The solution needs to improve in some areas. The tool needs to add more languages. It also needs to improve its speed."
"The solution's scalability can be a matter of concern because one license runs on one machine only."
"This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages."
"I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc."
"Now the only issue we have is that whenever we need to get the code, we have to build it first. Then we can get the report."
"Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
"The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion."
"We'd like to see integration with Agile DevOps and Agile methodologies."
"We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."
"I would like to see better codes between projects and a more user-friendly desktop in the next release."
"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
"There could be better integration with other products."
"I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."
"There are limitations to the free version that limit development options as far as languages."
"The BPM language is important and should be considered in SonarQube."
"We did have some trouble with the LDAP integration for the console."
"Having performance regression would be a helpful add-on or ability to be able to do during the scan."
"Currently requires multiple tools, lacking one overall tool."