HCL AppScan vs SonarQube

Likelihood to Recommend

HCL AppScan (formerly from IBM) is well suited for reducing security flaws in my team's secure code development. The software identifies a lot of issues automatically which helps us reduce delivery time and prevent security breaches. HCL AppScan (formerly from IBM) lacks innovation and automation functionalities, while other tools offer artificial intelligence-driven analysis that helps the team reduce time and money. Also, there is a need to reduce false-positives generated by the solution

Read full review

Bhavsheel Kohli

Team Lead / Research Specialist

AccentureInformation Technology & Services, 5001-10,000 employees

View all 2 answers on this topic

We have a headache every time when making a new commit+push, because:

Check rules could be tight and motivate developers to change the source code.
Sonar rules insist on their own rules and no way for trade.
Sometimes we missed that some piece of code does not cover by the test, so we need to return to the task again
SonarCube + SonarLint helps us to achieve the best quality source code but takes so much time for it.

Read full review

Aleksei Jegorov

Java / Kotlin back-end and Android developer

Digital Magic OUComputer Software, 11-50 employees

View all 13 answers on this topic

Pros

AppScan works well in finding application vulnerabilities such as SQL injection, cross-site scripting and all of the OWASP top 10.
Flexible reporting allows us to generate executive reports for application owners as well as separate technical reports for developers and system engineers.
Technical reports include remediation information and cross reference CVSS scores
Because it maintains data on all repeated assessments it helps us to do trending and metrics on compliance

Read full review

Seth Shestack

Executive Director, Deputy CISO

Temple UniversityHigher Education, 5001-10,000 employees

View all 2 answers on this topic

Best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a github repository
Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
Provides a good amount of documentation on how for configuration and installation and how to use it.
Provides a strong integration with azure devops and jenkins for creating DSL pipelines.

Read full review

Arush Soel

DevOps Engineer

Bebo Technologies Pvt LtdComputer Software, 501-1000 employees

View all 13 answers on this topic

Cons

Reduce number of false poitives
Add automation tools to reduce manual effort
improve user experience
prepare dynamic dashboards

Read full review

Bhavsheel Kohli

Team Lead / Research Specialist

AccentureInformation Technology & Services, 5001-10,000 employees

View all 2 answers on this topic

SonarQube motivates us to get a big team to write these endless tests to cover everything.
Integration with Jira and Jenkins has some tricky moments.
Setup process could take a lot of time.
Sometimes check rules could be very strict, like 'too many parameters in constructor.'

Read full review

Aleksei Jegorov

Java / Kotlin back-end and Android developer

Digital Magic OUComputer Software, 11-50 employees

View all 13 answers on this topic

Support Rating

No score

No answers yet

No answers on this topic

SonarQube 9.0

Based on 2 answers

We we easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marektplace, we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.

Read full review

Verified User

Professional in Information Technology

Insurance Company, 51-200 employees

View all 2 answers on this topic

Alternatives Considered

We have been using AppScan for about 14 years (Before it was acquired by IBM). A few years ago we did an upgrade from the standard edition to the enterprise edition (to allow several users at once) in order to accommodate the growth of our team. Prior to this upgrade we looked at several other products and decided to stay with AppScan.One of the major reasons was our familiarity with this product so that we could upgrade without the need to train our staff on a new product. All of these products were very close in comparison so we found no compelling reason to change.

Read full review

Seth Shestack

Executive Director, Deputy CISO

Temple UniversityHigher Education, 5001-10,000 employees

View all 2 answers on this topic

SonarQube is an open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty descent. Pipeline scan is more secured in SonarQube. Its a very good tool and its support multiple languages. Its main core competency is of static code analysis and that is why SonarQube exists and it does it exceedingly well. The quality of scan on code convention, best practices, coding standards, unit test coverage etc makes them one of the best competent tool in the market

Read full review

Debobrata Bose

Solution Architect

Danske IT and Support Services India Pvt LtdFinancial Services, 10,001+ employees

View all 13 answers on this topic

Return on Investment

Reduced manual effort by 20-30%
Integrate 3-4 security solutions with other tools in the system
prevent sql injection attacks in our business

Read full review

Bhavsheel Kohli

Team Lead / Research Specialist

AccentureInformation Technology & Services, 5001-10,000 employees

View all 2 answers on this topic

Our client is quite pleased with the demonstration of this tools
Our organisation is using a community edition right now but is planning to migrate to a enterprise version to use it commercially.
It is quite a costly tool but our organisation is willing to buy it for its enhanced features and security

Read full review

Arush Soel

DevOps Engineer

Bebo Technologies Pvt LtdComputer Software, 501-1000 employees

View all 13 answers on this topic

Pricing Details

General

Free Trial

—

Free/Freemium Version

—

Premium Consulting/Integration Services

—

Entry-level set up fee?

No

HCL AppScan Editions & Modules

—

Additional Pricing Details

—

General

Free Trial

Yes

Free/Freemium Version

Yes

Premium Consulting/Integration Services

Yes

Entry-level set up fee?

No

SonarQube Editions & Modules

Edition

Community	Free
Developer EDITION	Starts at $150²
Enterprise EDITION	Starts at $20,000³
Data Center EDITION	Starts at $130,000⁴

100,000 Lines of Code
1 Million Lines of Code
20 Million Lines of Code

Additional Pricing Details

—

HCL AppScan

SonarQube

Likelihood to Recommend

HCL AppScan

SonarQube

Pros

HCL AppScan

SonarQube

Cons

HCL AppScan

SonarQube

Support Rating

HCL AppScan

SonarQube

Alternatives Considered

HCL AppScan

SonarQube

Return on Investment

HCL AppScan

SonarQube

Pricing Details

General

Free Trial

Free/Freemium Version

Premium Consulting/Integration Services

Entry-level set up fee?

HCL AppScan Editions & Modules

Additional Pricing Details

General

Free Trial

Free/Freemium Version

Premium Consulting/Integration Services

Entry-level set up fee?

SonarQube Editions & Modules

Edition

Additional Pricing Details

Add comparison