Choosing the right static analysis software requires multiple components:

1. What are my business requirements, and do I have champion BUs?
2. What does your application portfolio look like (languages developed in, lines of code, etc.), and do we have a complete application inventory?
3. Who will manage the software, and do they have the skillset? (Be honest; most teams ASSUME they do.)
4. Next, run a Proof of Value with well-defined POV success criteria that you've gathered from the BUs.
5. When looking at a Static Code Analysis software vendor, you may also want to scope what Software Composition Analysis they integrate with. Over the past few years this has been a highly critical part of AppSec programs. For instance, Veracode has their product SourceClear. CheckMarx previously integrated with WhiteSource, but that relationship ended. Synopsys has been working on their integration with Coverity and BlackDuck. Finally, Fortify takes the vendor-neutral approach and has integrations with BlackDuck, WhiteSource and Snyk, where the plugins are open source and maintained by the vendor. Fortify's integration with Sonatype takes it a bit deeper, validating if and where the 3rd-party/open source code is instantiated within your code.

Key takeaway: many organizations will use one or more Static Code Analysis vendors to meet the business' needs. If you need unified dashboard reporting for them all, look at Saltworks Security Saltminer or contact me (shameless plug).
Hi, I wanted to check if anyone has used CodeMR for doing architecture engineering and static code analysis.
I see that this product offers an architectural visual view, something which most other tools in this space don't do.
And how does it compare to SonarQube and other static code analysis products?