SonarQube and Klocwork both compete in the static code analysis category. SonarQube seems to have the upper hand due to its extensive language support and integration capabilities.
Features: SonarQube offers extensive language support, customizable quality profiles, unit test integrations, and pre-commit checks. It also has issue reporting and enhanced security features with plugins like "3D Code Metrics" that make it versatile. Klocwork provides static code analysis and on-the-fly defect detection during development with support for multiple languages.
Room for Improvement: SonarQube users report issues with long analysis times, limited mobile application support, and the need for better API documentation. Users also desire enhanced security checks. Klocwork could improve global variable detection, increase language support, and streamline integration and reporting features. Its rigid licensing has also been noted as a challenge.
Ease of Deployment and Customer Service: SonarQube supports a range of deployment options including on-premises, hybrid, and public cloud configurations. Its strong community provides resources, though official support can be inconsistent. Klocwork offers stable on-premises and private cloud deployment with a focus on direct technical support, making it less flexible but more reliable in support.
Pricing and ROI: SonarQube provides a cost-effective solution with both free and enterprise options, delivering notable ROI through improved code quality and security. The enterprise pricing has faced some criticism. Klocwork is competitively priced with fixed and floating server licenses, offering good ROI through enhanced security and reduced defect rates, though its higher upfront cost can be a barrier compared to SonarQube's scalable pricing.
The main ROI factors include efficiency and how we meet compliance standards for various automotive requirements.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
The customer support team is very responsive, proactive, and engages in conversations to ensure our needs are met.
The issue is not about the knowledge of the support but about the prioritization of the tickets they handle.
During the initial phase, there was a need for follow-ups and clarifications.
The community support is quite effective.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
Klocwork supports our scalability needs without issues, even as project volumes increase.
The program-to-program enablement is scalable.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
Installation is easy, and the solution is stable.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
There are too many warnings, and it requires expertise to determine the correct category for them.
Klocwork sometimes provides too many additional warnings which require expertise to manage.
We would like Klocwork to connect to Git and notify developers of issues tied to specific commits.
There is another website called Code Warrior that really takes you through the entire journey, so you can truly understand what the issue is along with some actual coding examples.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
It is less expensive than Coverity.
The solution is not very cheap, however, it is less expensive than Coverity.
Klocwork was competitively priced, making it a cost-effective solution for us.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
The most valuable feature of Klocwork is the static analysis tools, which help identify potential security threats and errors.
Its integration with the CI/CD pipeline has helped streamline the software development process.
It takes just half a day to set up.
The most valuable aspect of SonarQube's scanning feature for me is its accuracy and seamless integration with our existing tools, and it provides reliable results with fewer false positives, which saves a lot of time for developers.
Some of the static code analysis capabilities are the most beneficial.
I find SonarQube Cloud very easy to use and simple to integrate initially.
| Product | Mindshare (%) |
|---|---|
| SonarQube | 13.6% |
| Klocwork | 1.4% |
| Other | 85.0% |
| Company Size | Count |
|---|---|
| Small Business | 12 |
| Midsize Enterprise | 2 |
| Large Enterprise | 12 |
| Company Size | Count |
|---|---|
| Small Business | 43 |
| Midsize Enterprise | 24 |
| Large Enterprise | 79 |
Klocwork offers advanced static code analysis with integration capabilities for enhanced development efficiency, supporting various development environments and providing clear defect reports. It streamlines software development by reducing defects and improving code quality.
Klocwork integrates seamlessly into CI/CD pipelines, providing real-time and incremental analysis to identify and rectify code defects quickly. It supports multiple integrated development environments (IDEs) and minimizes false positives in its analysis. While primarily supporting C/C++, Java, and C#, there is a need to expand language support and enhance its static analysis engine. The tool assists in adhering to industry standards with features like automated code parsing and MISRA compliance checks. Ease of setup and collaboration capabilities further promotes efficiency, although the dashboard could benefit from user-friendly updates and better integration with Agile tools.
What are the primary features of Klocwork?Klocwork is extensively implemented in industries that prioritize software quality and security standards, particularly in environments focused on C/C++ development on Linux systems. Its capabilities in automated code parsing, traffic analysis, and support for DevOps integration make it invaluable for industries requiring strict MISRA compliance and internal standards adherence. By aiding refactoring and detecting memory-related vulnerabilities, Klocwork contributes to the maintainability and security standards in these sectors.
SonarQube leads automated code review, enhancing code quality and security in AI-driven SDLCs. It analyzes pull requests, providing developers with actionable feedback and AI-driven fixes before code merges. Trusted by top enterprises, it supports SaaS and self-managed deployments.
SonarQube supports a wide range of programming languages and integrates seamlessly with CI/CD tools like Jenkins. It is renowned for its static code analysis, code coverage, and security vulnerability detection. While its open-source foundation and scalability are praised, users seek enhanced integration across multiple languages, better security features, and improved documentation. Despite challenges, its ability to automate code inspections and ensure compliance with coding standards makes it essential in software development processes, facilitating continuous improvement.
What are the most important features?In industries like finance, healthcare, and automotive, SonarQube is leveraged for static code analysis, automating code inspections, and ensuring compliance with stringent standards. Teams integrate it into their CI/CD pipelines to maintain high-quality code, identify security vulnerabilities, and enhance code maintainability.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
