SonarQube and Klocwork both compete in the static code analysis category. SonarQube seems to have the upper hand due to its extensive language support and integration capabilities.
Features: SonarQube offers extensive language support, customizable quality profiles, unit test integrations, and pre-commit checks. It also has issue reporting and enhanced security features with plugins like "3D Code Metrics" that make it versatile. Klocwork provides static code analysis and on-the-fly defect detection during development with support for multiple languages.
Room for Improvement: SonarQube users report issues with long analysis times, limited mobile application support, and the need for better API documentation. Users also desire enhanced security checks. Klocwork could improve global variable detection, increase language support, and streamline integration and reporting features. Its rigid licensing has also been noted as a challenge.
Ease of Deployment and Customer Service: SonarQube supports a range of deployment options including on-premises, hybrid, and public cloud configurations. Its strong community provides resources, though official support can be inconsistent. Klocwork offers stable on-premises and private cloud deployment with a focus on direct technical support, making it less flexible but more reliable in support.
Pricing and ROI: SonarQube provides a cost-effective solution with both free and enterprise options, delivering notable ROI through improved code quality and security. The enterprise pricing has faced some criticism. Klocwork is competitively priced with fixed and floating server licenses, offering good ROI through enhanced security and reduced defect rates, though its higher upfront cost can be a barrier compared to SonarQube's scalable pricing.
The main ROI factors include efficiency and how we meet compliance standards for various automotive requirements.
It is easily integrable with the CI/CD pipeline and supports multiple projects with its extensive plugin options.
I have seen a return on the investment from SonarQube Server (formerly SonarQube) because the value it adds relates to static code analysis and vulnerability assessments needed for our FDA approval process.
We see productivity increasing based on the fact that the code review is mostly automated, allowing the developer to fix the code themselves before assigning it to someone else to review, thus receiving that ROI.
The customer support team is very responsive, proactive, and engages in conversations to ensure our needs are met.
The issue is not about the knowledge of the support but about the prioritization of the tickets they handle.
During the initial phase, there was a need for follow-ups and clarifications.
The community support is quite effective.
The customer service and support for SonarQube Cloud are responsive and helpful.
Integrating it into different solutions is straightforward.
Klocwork supports our scalability needs without issues, even as project volumes increase.
The program-to-program enablement is scalable.
There are limitations, and it seems to have fewer capabilities than Veracode.
It has been used in multiple projects and performs well.
I would rate the scalability of SonarQube Server as a 10 because we can configure the server to scan multiple projects based on the number of lines.
Installation is easy, and the solution is stable.
I think SonarQube Server (formerly SonarQube) is stable, and we did not face any problems unless there was a power outage or if the LAN cable was plugged out.
From my team's feedback, it is almost an eight out of ten.
It is a quite stable solution.
There are too many warnings, and it requires expertise to determine the correct category for them.
Klocwork sometimes provides too many additional warnings which require expertise to manage.
We would like Klocwork to connect to Git and notify developers of issues tied to specific commits.
I would like to see SonarQube Cloud provide more detailed solutions for fixing code issues, especially solutions related to CVEs.
I need a solution that can bring together three key areas: vulnerabilities, static scanning, and misarchitecture.
Static code analysis is good, but the product lacks dynamic code scanning capabilities, an area where Veracode excels.
It is less expensive than Coverity.
The solution is not very cheap, however, it is less expensive than Coverity.
Klocwork was competitively priced, making it a cost-effective solution for us.
I would rate the pricing for SonarQube Server (formerly SonarQube) as an 8, where 1 is very cheap and 10 is very expensive, because Coverity is very expensive, and while SonarQube is not cheap, it is still less expensive than Coverity.
They always offer around a two-year contract, but we always take a one-year contract because it's expensive.
The freemium version of SonarQube Server offers excellent value, especially compared to the high costs of Snyk.
The most valuable feature of Klocwork is the static analysis tools, which help identify potential security threats and errors.
Its integration with the CI/CD pipeline has helped streamline the software development process.
It takes just half a day to set up.
Some of the static code analysis capabilities are the most beneficial.
I find SonarQube Cloud very easy to use and simple to integrate initially.
It gives precise reports compared to Coverity and has a slightly lower number of false positives.
| Product | Market Share (%) |
|---|---|
| SonarQube | 16.9% |
| Klocwork | 1.3% |
| Other | 81.8% |
| Company Size | Count |
|---|---|
| Small Business | 12 |
| Midsize Enterprise | 2 |
| Large Enterprise | 12 |
| Company Size | Count |
|---|---|
| Small Business | 41 |
| Midsize Enterprise | 24 |
| Large Enterprise | 79 |
Klocwork detects security, safety, and reliability issues in real-time by using this static code analysis toolkit that works alongside developers, finding issues as early as possible, and integrates with teams, supporting continuous integration and actionable reporting.
SonarQube leads automated code review, enhancing code quality and security in AI-driven SDLCs. It analyzes pull requests, providing developers with actionable feedback and AI-driven fixes before code merges. Trusted by top enterprises, it supports SaaS and self-managed deployments.
SonarQube supports a wide range of programming languages and integrates seamlessly with CI/CD tools like Jenkins. It is renowned for its static code analysis, code coverage, and security vulnerability detection. While its open-source foundation and scalability are praised, users seek enhanced integration across multiple languages, better security features, and improved documentation. Despite challenges, its ability to automate code inspections and ensure compliance with coding standards makes it essential in software development processes, facilitating continuous improvement.
What are the most important features?In industries like finance, healthcare, and automotive, SonarQube is leveraged for static code analysis, automating code inspections, and ensuring compliance with stringent standards. Teams integrate it into their CI/CD pipelines to maintain high-quality code, identify security vulnerabilities, and enhance code maintainability.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
