Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Difference between SonarQube and Fortify? [closed]

Tags:

security

continuous-integration

sonarqube

fortify

devops

Can someone tell me what is the difference between SonarQube and Fortify? Both are static code analysis tool. I found out Fortify is more inclined towards security as it gives information about vulnerabilities included in OWASP, SANS etc. SonarQube also shows this information.

like image 254
user3847894 Avatar asked Oct 15 '19 15:10

user3847894

People also ask

Is SonarQube a SCA?

SonarQube has no feature on the Software Composition Analysis (SCA) domain.

What is fortify used for?

Fortify Software Security Center: An AppSec platform that enables organizations to automate an application security program. It provides management, development, and security teams a way to work together to triage, track, validate, and manage software security activities.

What is difference between veracode and SonarQube?

SonarQube and Veracode are application security and code quality management options. SonarQube provides a free and open source community edition and focuses on static code analysis, while Veracode provides SAST, but also DAST, IAST, and penetration testing, as well as application security consulting.

Is fortify open source?

Both Fortify and GitLab Ultimate offer open source component scanning along with Static and Dynamic Application Security Testing. …

2 Answers

When comparing product its good to have a list of things, here is my list let me know what you think.

Fortify

  • static analysis
  • can't add rules, using configuration as code
  • proprietary rules
  • manual file upload use case, no easy way of pipeline integration
  • does not provide git branch perspectives, improvements over other branches
  • provide only security code metrics
  • not opensource
  • has only paid support model

SonarQube

  • static analysis
  • can add rules, using configuration as code
  • has standard rules based on language being used
  • automated code upload use case, has tooling for major frameworks
  • provide git branch perspectives, improvements over other branches
  • provide all code quality metrics, including security
  • opensource
  • has paid support model
  • free cloud host sonarcloud.io
like image 157
Max Barrass Avatar answered Oct 21 '22 12:10

Max Barrass

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like "code smells," though Sonarqube also lists out the vulnerabilities as part of its analysis.

However, the biggest difference is in-terms of Cost. Sonarqube is Free to use (with community support) while Fortify needs a license, which is expensive.

like image 41
Soumen Mukherjee Avatar answered Oct 21 '22 11:10

Soumen Mukherjee
Sign in to Comment

Related questions

how to encrypt emails in mysql database but still be able to query them?
How to escape user-supplied parameters with a SQL query?
I am getting a JavaScript alert in my project that I didn't create, threatening me?
ASP.NET MVC4 Security, Authentication, and Authorization
Why Java is secure compared with other programming languages? [closed]
How to remove headers revealing system info when sending mail in php
Generating RSA keys for given modulus and exponent
Is there a list of which browser supports which TLS cipher suite? [closed]
Secured Android SharedPreferences Error: 'Caused by: java.lang.RuntimeException: Field keySize_ for...'
Session Hijacking in practice
Easiest way to limit executable to running on a certain computer
Security with PHP Sessions
How to configure CORS and Basic Authorization in Spring Boot?
java.lang.NoClassDefFoundError: sun/security/ssl/SupportedEllipticCurvesExtension
How to not hardcode passwords?
What is difference between HTTPS and TCP over SSL
Export Public Key from an p12-file
javax.ejb.EJBAccessException: JBAS013323: Invalid User
iOS Bluetooth BLE security and "Just works" association model
How to interpret hasPermission in spring security?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!