SonarQube Other Solutions Considered

Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill

Though some employees in the organization use Coverity, I chose SonarQube because it is easy to integrate with our software component.

SG
Lead Engineer at a healthcare company with 10,001+ employees

We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.

Devid William - PeerSpot reviewer
Application Security Architect at Banco Votorantim

Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.

Buyer's Guide
SonarQube
March 2024
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,667 professionals have used our research since 2012.
MarkRyall - PeerSpot reviewer
Strategist Individual Contributor at Peraton

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

WW
System Quality Assurance Manager at AIS - Advanced Info Services Plc.

I have evaluated Fortify Application Defender.

Gert Kersten - PeerSpot reviewer
Software Developer at BKWI

We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.

AF
Senior Security Engineer at a financial services firm with 10,001+ employees

I have evaluated Fortify.

Angelo Quaglia - PeerSpot reviewer
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Daniel Antonio Jimenez Quintana - PeerSpot reviewer
IT Systems Architect at Banco Ripley

We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.

We are looking for the newest technologies but the biggest stopper for us is money.

Denis Walrave - PeerSpot reviewer
Project Leader / Technical Expert at La francaise des jeux

Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

AE
Test Expert at Saudi Telecom Company

We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well. 

MV
Tools manager at a retailer with 10,001+ employees

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

DG
Head of Software Delivery at a tech services company with 51-200 employees

We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

SG
Lead Engineer at a healthcare company with 10,001+ employees

We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how it works because they all do mostly the same thing. Some of them focus more on Java, some more on C++. I think Java seems to be the favorite. As far as what they can really do for you, there didn't seem to be any one of them that does ten times what another does. There were some differences, but no show-stoppers that I recall. I guess the advice would be that one of several tools could do a good job for you, but you still have to manage it and manage the behavior that goes along with it.

HK
Country Manager Senegal at a financial services firm with 10,001+ employees

We did not evaluate other options before choosing this solution.

KH
Manager, Software Development Engineering at a computer software company with 51-200 employees

I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx. 

PC
Engineer at a pharma/biotech company with 201-500 employees

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

AB
Director IT Security, CISO at a transportation company with 10,001+ employees

You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.

When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.

JI
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees

We are looking into corporate security and a couple different tooling options for doing data code analysis and security scanning.

We have looked into a few options: 

  • We are looking at IBM AppScan.
  • I am going to be running a small PoC next week with Veracode. I started doing a bit of research on Veracode, and I saw how it ties in compared with SonarQube.
EG
Backend Architect at Sngular

We didn't evaluate other options. 

DH
Technical Architect at Dwr Cymru Welsh Water

We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.

Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG

I have evaluated many other solutions similar to SonarQube.

it_user100635 - PeerSpot reviewer
Technical Authority Digital at an insurance company with 1,001-5,000 employees

Yes, and we did so again recently (2016). We had an incumbent Coverity solution which was very expensive and very under-used (too complicated). Since then we have also considered specific security analysis tools as complementary products (e.g. Checkmarx, Veracode, Nexus Life-cycle/Firewall, and a few others). We have since selected from these.

TS
Security consultant at a computer software company with 1,001-5,000 employees

We have already used SonarLint. I am considering both SonarLint and SonarQube.

SR
Team Lead at a computer software company with 10,001+ employees

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in Checkmarx.  

it_user727500 - PeerSpot reviewer
Senior Java Developer at a financial services firm

I didn't. I am not sure if there are any other open source static analysis tools as good as this that I have found; well, at least three or four years ago there weren't.

it_user718230 - PeerSpot reviewer
Devops Engineer at a healthcare company with 10,001+ employees
it_user697050 - PeerSpot reviewer
SW Automation Team Leader at a tech services company with 201-500 employees

We did not evaluate other static code analysis solutions.

EK
Director of consultory at a non-tech company with 1,001-5,000 employees

I have evaluated other solutions.

CV
CTO at a computer software company with 11-50 employees

Yes, we have evaluated plenty of alternatives; nothing really comparable.

GL
Chief Solutions Officer at CleverIT B.V.

We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

it_user333735 - PeerSpot reviewer
QA Engineer at a tech services company with 51-200 employees

Only one option we found competitive was CAST, but the prices and the functionality didn't convince us at all.

AR
CEO at ITShare

We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.

Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

BR
Company Director at Alwyn Technologies

We evaluated other solutions including Cobra Static Code Analyzer, but we were not satisfied with their customer support in the open source community.

LZ
Application Security Analyst at a agriculture with 501-1,000 employees

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

AS
Senior/Lead Software Engineer at a government with 51-200 employees

I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.

HJ
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified ,Vmware Vsphere5 at a financial services firm with 51-200 employees

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

SK
Independent Consultant at Klusener Consultancy

I have experience with Parasoft and other similar tools. 

JS
DevSecOps Lead at a tech services company with 11-50 employees

We evaluated other open-source products and found that SonarQube was the best one of the set.

it_user347733 - PeerSpot reviewer
DevOps Engineer at Trantor Software Private Limited

We did some R&D according to our product need and found SonarQube as a solution.

RP
Senior Manager at Digichorus Technologies

We considered using Fortify.

it_user347595 - PeerSpot reviewer
Java Developer at a tech consulting company with 51-200 employees

No, I didn't. I was employed specifically for this plugin, and while I know other code-quality control solutions exist, I didn't explore any of them.

it_user336438 - PeerSpot reviewer
Web Developer/DevOps Engineer with 501-1,000 employees

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

it_user333624 - PeerSpot reviewer
Software Developer at a tech services company with 501-1,000 employees

I did not evaluate other options.

it_user732738 - PeerSpot reviewer
Technical Architect and Software Engineer at a tech services company
TL
Software Engineer at Adfolks

I evaluated other products including Veracode and I felt that SonarQube was the best product.
