We performed a comparison between Checkmarx One, SonarQube, and Veracode based on real PeerSpot user reviews.
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools.

"We were using HPE Security Fortify to scan code for security vulnerabilities, but it can scan only after a successful compile. If the code has dependencies or build errors, the scan fails. With Checkmarx, pre-compile scanning is seamless. This allows us to scan more code."
"Vulnerability details are valuable."
"The setup is fairly easy. We didn't struggle with the process at all."
"The solution is always updating to continuously add items that create a level of safety from vulnerabilities. It's one of the key features they provide that's an excellent selling point. They're always ahead of the game when it comes to finding any vulnerabilities within the database."
"The user interface is modern and nice to use."
"The most valuable features of Checkmarx are the automation and information that it provides in the reports."
"The most valuable features of Checkmarx are difficult to pinpoint because of the way the functionalities and the features are intertwined, it's difficult to say which part of them I prefer most. You initiate the scan, you have a scan, you have the review set, and reporting, they all work together as one whole process. It's not like accounting software, where you have the different features, et cetera."
"Helps us check vulnerabilities in our SAP Fiori application."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
"SonarQube is a fantastic tool which saves us precious time."
"The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues."
"Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
"I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."
"What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
"The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed."
"The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code."
"Veracode offers various security features."
"I like the way the flaws are reported in the system."
"Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
"The most important feature is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well known Web application vulnerabilities as well."
"They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks."
"I think the CxAudit tool has room for improvement. At the beginning you can choose a scan of a project, but in any event the project must be scanned again (wasting time)."
"Checkmarx could improve by reducing the price."
"I would like the product to include more debugging and developed tools. It needs to also add enhancements on the coding side."
"I would like to see the DAST solution in the future."
"Checkmarx reports many false positives that we need to manually segregate and mark “Not exploitable”."
"C, C++, VB and T-SQL are not supported by this product, although C and C++ were advertised as being supported."
"We can run only one project at a time."
"From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
"I think the code security can be improved."
"Expression of common vulnerabilities and exposures is not always current."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
"I am not very pleased with the technical debt computation."
"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
"When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
"Veracode's false positives have room for improvement."
"The technical support service has room for improvement."
"I would like to see expanded coverage for supporting more platforms, frameworks, and languages."
"There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."
"Maybe the pipeline scanning doesn't support enough languages. It might only support Java and Python only, so that could be improved."
"Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."
"There should be more APIs, especially in SCA, to get some results or automate some things."
SonarQube depends completely on the Rules you configure. You have the option of creating a Profile, which can be assigned to Projects. If you configure the project (under its services configuration), it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it, but this developer-machine integration is available only for Java-coded projects.
About the vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in the day-to-day developer code scan, and Checkmarx is used during code movement to staging or during release.