2020-07-19T02:18:00Z

Is SonarQube the best tool for static analysis?


Is SonarQube the best tool for static analysis, or are there any good tools that compete with SonarQube?

ITCS user
Guest

Real User

SonarQube is one of the widely used and easy-to-use tools.

With some easy plug-ins, it would provide some very good insights into code quality, code coverage, static security, pattern-based errors, and performance engineering lapses in code.

But it is not a comprehensive static security-focused tool, like Veracode or Fortify. Also, the usability depends on whether you are using the free version or the Enterprise Edition (it has some associated cost), but not to the extent of other commercial tools. Hope this helps.

2021-06-17T14:12:21Z
Real User

We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects, and it is one of the best, if not the best.

It can handle multiple tech stacks and gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc. It allows adding plugins and integrating with CI/CD, even with the Community Edition. The Developer and Enterprise editions allow branch-level integration as well, for pull requests.

2021-06-17T09:01:21Z
Evgeny Belenky
Community Manager

@reviewer1572348 Have you been using it for multiple programming languages? If so, for which ones?
Have you had a sense of equal coverage for each of them?
Thank you!

reviewer1572348 (Chief Architect at a computer software company with 10,001+ employees)
Real User

@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET, and SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.

Evgeny Belenky
Community Manager

@reviewer1572348 thank you for your reply!

User

The static tools we can use are Fortify or IBM AppScan.

SonarQube is widely used for coding standards.

2020-07-24T12:26:20Z
User

There are many tools that can work for static code analysis, both in the open-source and in the licensed segments. It would be good to know your requirements for the tool. Are you just looking to have a static code analyzer and integrate it into the DevOps pipeline?

It is also important to know which programming language the application code is being written in. Additionally, SCA functionality is also important if you are working for a big corporation wherein open-source libraries/components are not allowed.

2021-06-16T06:02:07Z
Vendor

If you stop at 'static analysis' and leave off the security testing part, I don't even view this tool as a security tool; it's much more about code quality.

2021-03-02T13:45:40Z
Consultant

Please have a look at the TICS framework, offered by www.tiobe.com. It is heavily used in the embedded industry (Philips, ASML, Porsche, etc.) to check the quality of the code. This framework also combines various other tools, like Coverity, Fortify and others.

2020-09-24T06:56:38Z
Real User

Veracode will work with it and give value in a complementary way.

2020-07-27T03:59:44Z
Real User

SonarQube is not the best SAST; it is a SAST, but like any other open-source SAST. The best SAST is from the leader of the "Gartner Quadrant for AST".

2021-06-17T21:38:09Z
Community Manager

@Anshuman Kishore @TibinLukose @Donovan Greeff, you've recently written reviews for SonarQube. Do you have some insight to help @Manoj Kumar Kemisetty with this question?

2020-07-20T14:36:24Z