
Highlights

SonarQube, from SonarSource, and Micro Focus Fortify on Demand are application security tools. SonarQube provides a free and open source Community Edition and focuses on static code analysis. Micro Focus Fortify on Demand is commercially available and bundles the functionality of several Micro Focus security tools delivered as a service: Fortify Static Code Analyzer, Fortify WebInspect, and Fortify Application Defender. Together the service encompasses DAST, SAST, RASP, IAST, software composition analysis (SCA), and a real-time security assistant that provides guidance while developers work in their preferred IDE. Its software composition analysis is powered by Micro Focus's partnership with SCA specialist Sonatype. SonarQube is a less extensive option; it is focused on code quality and SAST.

Both products are commonly deployed at larger enterprises, while SonarQube also appears among cost-conscious smaller companies that favor free and open source tools. Although the two products present overlapping features, nothing prevents developers from deploying Fortify on Demand and SonarQube together, which may be an attractive best-of-both-worlds (code quality plus security) solution for some projects.

Features

Developers turn to Micro Focus and SonarQube for a variety of reasons.

SonarQube excels as a SAST tool. It allows users to set their own coding standards, enforce them, and ensure best practices are followed. Users describe an excellent code checking process and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline and will work alongside Fortify on Demand; in fact, a SonarQube plugin exists in the Micro Focus marketplace for doing just that.

Micro Focus is a large, multifarious and trusted provider of developer tools for those with the budget to use them. Fortify on Demand is among a small class of products that provide SAST, DAST, software composition analysis, and real-time security assessment delivered together in a single service. There are very few similarly broad options; they include Synopsys' managed application testing, Checkmarx, and Veracode. Very few other AppSec suites match the sheer breadth of Micro Focus Fortify on Demand from a similarly respected vendor. Reviewers appreciate its ease of use and deployment versus on-premises testing tools and suites, the automated delivery of features, and the centralization of test result review and management.

Limitations

There are a few reasons some businesses choose not to include Fortify on Demand or SonarQube in a CI/CD pipeline for AppSec.

While SonarQube is praised for enforcing coding standards, it is not as well regarded as a security tool. Users also point to unreliability in some of its integrations (Jira) and an open source community that is less active than those of other, more widely adopted tools. Also, SonarQube provides SAST only; it cannot be the single, comprehensive solution some might desire.

While Fortify on Demand is a comprehensive solution, reviewers note a few issues: scans with a high rate of false positives along with less than helpful remediation guidance, weak (relative to SonarQube) code quality assistance, and byzantine pricing with uncertainty about which features will remain included going forward (as opposed to being gated off as an "add-on" available for an additional fee). This makes it difficult to determine what the ROI will be versus on-premises solutions that might include open source tools at little or no cost.

Pricing

Users can get started with SonarQube for free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition, which adds Branch Analysis and other vulnerability detection features, for $150; the Enterprise Edition, which adds advanced reporting and portfolio management, for $20,000; and the Data Center Edition, available for $130,000.

Delivered as a service, Fortify on Demand offers a cloud-based subscription with a 15-day free trial. Pricing is not published by Micro Focus; however, through VARs a Fortify on Demand subscription license for one assessment unit is available for about $990 for a year-long subscription.

Likelihood to Recommend

Micro Focus Fortify on Demand

Integrated as part of our CI / CD chain. Scans are done in an automated fashion and defects are reported out and tracked. Easy to use, easy to integrate. Very pleased with the product. It does not perform cross module analysis scanning for vulnerabilities that may cross applications as well as it could, but it's pretty close.
Gene Baker | TrustRadius Reviewer

SonarQube

We have a headache every time we make a new commit+push, because:
  • Check rules could be tight and motivate developers to change the source code.
  • Sonar rules insist on their own rules and there is no way to trade.
  • Sometimes we missed that some piece of code is not covered by the tests, so we need to return to the task again.
  • SonarQube + SonarLint helps us to achieve the best quality source code but takes so much time for it.
Aleksei Jegorov | TrustRadius Reviewer

Pros

Micro Focus Fortify on Demand

  • SAST
  • DAST
  • Manage Software Security Risk
  • Automation
  • Compliance
  • Integration
Gene Baker | TrustRadius Reviewer

SonarQube

  • Best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a GitHub repository.
  • Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
  • Provides a good amount of documentation on configuration and installation and how to use it.
  • Provides a strong integration with Azure DevOps and Jenkins for creating DSL pipelines.
Arush Soel | TrustRadius Reviewer

Cons

Micro Focus Fortify on Demand

  • Cross module compliance
Gene Baker | TrustRadius Reviewer

SonarQube

  • SonarQube motivates us to get a big team to write these endless tests to cover everything.
  • Integration with Jira and Jenkins has some tricky moments.
  • Setup process could take a lot of time.
  • Sometimes check rules could be very strict, like 'too many parameters in constructor.'
Aleksei Jegorov | TrustRadius Reviewer

Support Rating

Micro Focus Fortify on Demand

Micro Focus Fortify on Demand 10.0
Based on 2 answers
Always receive excellent support from the vendor. No issues there.
Gene Baker | TrustRadius Reviewer

SonarQube

SonarQube 9.0
Based on 2 answers
We were easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marketplace, so we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.
Anonymous | TrustRadius Reviewer

Alternatives Considered

Micro Focus Fortify on Demand

CAST in my opinion provides a far superior product in that it can parse in an entire suite of applications and do scans across modules. HP Fortify probably has deeper and more current scanning so I think both products complement each other. I would not rely solely on Fortify and would try to have that as part of the mix of products. Overall it's a good product. We use Fortify because the Enterprise has made that a mandatory part of our security suite.
Gene Baker | TrustRadius Reviewer

SonarQube

SonarQube is open-source. It's a scalable product. The costs for this application, for the kind of job it does, are pretty decent. Pipeline scan is more secured in SonarQube. It's a very good tool and it supports multiple languages. Its main core competency is static code analysis, and that is why SonarQube exists and it does it exceedingly well. The quality of scan on code convention, best practices, coding standards, unit test coverage etc. makes it one of the most competent tools in the market.
Debobrata Bose | TrustRadius Reviewer

Return on Investment

Micro Focus Fortify on Demand

  • Good as part of our security suite to help prevent successful attacks.
  • Reporting of defects helps to educate developers.
  • Worth the price we paid.
Gene Baker | TrustRadius Reviewer

SonarQube

  • Our client is quite pleased with the demonstration of this tool.
  • Our organisation is using a community edition right now but is planning to migrate to an enterprise version to use it commercially.
  • It is quite a costly tool but our organisation is willing to buy it for its enhanced features and security.
Arush Soel | TrustRadius Reviewer

Pricing Details

Micro Focus Fortify on Demand

General

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services
  • Entry-level set up fee? No

Micro Focus Fortify on Demand Editions & Modules

Additional Pricing Details

SonarQube

General

  • Free Trial: Yes
  • Free/Freemium Version: Yes
  • Premium Consulting/Integration Services: Yes
  • Entry-level set up fee? No

SonarQube Editions & Modules

Edition (starting price)
  • Community: Free
  • Developer Edition: starts at $150 [2]
  • Enterprise Edition: starts at $20,000 [3]
  • Data Center Edition: starts at $130,000 [4]
  1. 100,000 Lines of Code
  2. 1 Million Lines of Code
  3. 20 Million Lines of Code
Additional Pricing Details