
Highlights

SonarQube, from SonarSource, and Micro Focus Fortify on Demand are application security tools. SonarQube provides a free and open source Community Edition and focuses on static code analysis. Micro Focus Fortify on Demand is commercially available and delivers the functionality of multiple Micro Focus security tools as a service: Fortify Static Code Analyzer, Fortify WebInspect, and Fortify Application Defender. Together the service encompasses DAST, SAST, RAST, IAST, software composition analysis (SCA), and real-time security assistance that provides guidance while developers work in their preferred IDE. Its software composition analysis is powered by Micro Focus’s partnership with SCA specialist Sonatype. SonarQube is not as extensive an option; it is focused on code quality and SAST.

Both products are commonly deployed at larger enterprises, while SonarQube also appears among cost-conscious smaller companies that favor free and open source tools. Although the two overlap in features, nothing prevents developers from deploying Fortify on Demand and SonarQube together, which may be an attractive best-of-both-worlds (code quality plus security) solution for some projects.

Features

Developers turn to Micro Focus and SonarQube for a variety of reasons.

SonarQube excels as a SAST tool. It allows users to set their own coding standards, enforce them, and ensure best practice. Users describe an excellent code checking process, and detailed issue and bug tracking with commenting and issue highlighting. SonarQube integrates well into a CI/CD pipeline and will work beside Fortify on Demand; in fact, a SonarQube plugin exists in the Micro Focus marketplace for doing just that.

Micro Focus is a large, multifarious and trusted provider of developer tools for those with the budget to use them. Fortify on Demand is among a small class of products that provide SAST, DAST, static code analysis, and real-time security assessment delivered together in a single service. There are very few similarly broad options; those that exist include Synopsys’ managed application testing, Checkmarx, and Veracode. Few other AppSec suites match the sheer breadth of Micro Focus Fortify on Demand from a similarly respected vendor. Reviewers appreciate its ease of use and deployment vs. on-premise testing tools and suites, the automated delivery of features, and the centralization of test result review and management.

Limitations

There are a few reasons some businesses choose to pass on including Fortify on Demand, or SonarQube, in a CI/CD pipeline for AppSec.

While SonarQube is praised for enforcing coding standards, it is not as well-regarded as a security tool. Users also point to unreliability in some of its integrations (Jira), and an open source community that is not as active as other more widely adopted tools. Also, SonarQube provides SAST only. It cannot be the singular, comprehensive solution some might desire.

While Fortify on Demand is a comprehensive solution, reviewers note a few issues: scans with a high rate of false positives along with less than helpful remediation guidance, feeble (relative to SonarQube) code quality assistance, and byzantine pricing. Uncertainty about which features will remain included going forward (as opposed to being gated off as an “add-on” available for an additional fee) makes it difficult to determine what the ROI will be vs. on-prem solutions that might include open source tools at little or no cost.

Pricing

Users can get started with SonarQube for free via the open source Community Edition. Paid plans are priced per instance per year, starting with the Developer Edition that adds Branch Analysis and other vulnerability detection features for $150, the Enterprise Edition which adds advanced reporting and portfolio management for $20,000, and the Data Center edition available for $130,000.

Delivered as a service, Fortify on Demand offers a cloud-based subscription with a 15-day free trial. Pricing is not published by Micro Focus; however, through VARs a Fortify on Demand subscription license for one assessment unit is available for about $990 for a year-long subscription.

Community Pulse

Attribute Ratings

  • Micro Focus Fortify on Demand is rated higher in 1 area: Support Rating
  • SonarQube is rated higher in 1 area: Likelihood to Recommend

Likelihood to Recommend

  • Micro Focus Fortify on Demand: 8.0 (80%), 1 rating
  • SonarQube: 8.4 (84%), 15 ratings

Support Rating

  • Micro Focus Fortify on Demand: 10.0 (100%), 2 ratings
  • SonarQube: 9.0 (90%), 2 ratings

Likelihood to Recommend

Micro Focus

Integrated as part of our CI / CD chain. Scans are done in an automated fashion and defects are reported out and tracked. Easy to use, easy to integrate. Very pleased with the product. It does not perform cross module analysis scanning for vulnerabilities that may cross applications as well as it could, but it's pretty close.

SonarSource

SonarQube has a friendly UI that is easy to use and understand. The admin's control panel is very good and it's not really difficult to get through the settings. It's possible to build many rules that apply for each programming language, for example, .NET and Java. You can easily set up rules, even with the community version. It's a great tool but you have to have a good project plan before being introduced to the tools. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality.

Pros

Micro Focus

  • SAST
  • DAST
  • Manage Software Security Risk
  • Automation
  • Compliance
  • Integration

SonarSource

  • Generating code quality report
  • Calculates JUnit coverage of the codebase very efficiently and precisely
  • Highlights the bugs and vulnerabilities in our codebase
  • Informs the user of the improvements which can be done to the code to make it cleaner
  • SonarQube also suggests remediation and resolution of the problems it highlights

Cons

Micro Focus

  • Cross module compliance

SonarSource

  • Local dashboard won't work without Java installed on your machine
  • If talking about the local UI, the configuration may be quite complex. Needs an expert's advice
  • Its enterprise edition costs a fortune depending on company size or the users that may use it.

Pricing Details

Micro Focus Fortify on Demand

Starting Price: not listed

Editions & Modules: no edition or module pricing listed

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Entry-level set up fee? No setup fee

SonarQube

Starting Price: $0

Editions & Modules

  • Community: Free (footnote 1)
  • Developer Edition: Starts at $150 (footnote 2)
  • Enterprise Edition: Starts at $20,000 (footnote 3)
  • Data Center Edition: Starts at $130,000 (footnote 4)

Footnotes

  1. none
  2. 100,000 Lines of Code
  3. 1 Million Lines of Code
  4. 20 Million Lines of Code

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Entry-level set up fee? No setup fee

Support Rating

Micro Focus

Always receive excellent support from the vendor. No issues there.

SonarSource

We were easily able to integrate the SonarQube steps into our TFS process via the Microsoft Marketplace, so we didn't have the need to call SonarQube support. We've used their online documentation and community forum if we ran into any issues.

Alternatives Considered

Micro Focus

CAST in my opinion provides a far superior product in that it can parse in an entire suite of applications and do scans across modules. HP Fortify probably has deeper and more current scanning so I think both products complement each other. I would not rely solely on Fortify and would try to have that as part of the mix of products. Overall it's a good product. We use Fortify because the Enterprise has made that a mandatory part of our security suite.

SonarSource

I personally evaluated Klocwork in a previous company and it worked well for Static Code Analysis for C++ applications, but the Java support was not as good as SonarQube. Also, the overall tooling and integrations provided by SonarQube are stellar and very few other competitors can provide such services and IDE integrations. The output results from SonarQube tests can be easily read, including by other services for automation purposes, and creating reports for audits or other teams is nice and easy.

Return on Investment

Micro Focus

  • Good as part of our security suite to help prevent successful attacks.
  • Reporting of defects helps to educate developers.
  • Worth the price we paid.

SonarSource

  • Our client is quite pleased with the demonstration of this tool
  • Our organisation is using a community edition right now but is planning to migrate to an enterprise version to use it commercially.
  • It is quite a costly tool but our organisation is willing to buy it for its enhanced features and security