Can someone tell me what the difference is between SonarQube and Fortify? Both are static code analysis tools. I found out Fortify is more inclined towards security as it gives information about vulnerabilities included in OWASP, SANS, etc. SonarQube also shows this information.
3 Answers
Fortify essentially classifies the code quality issues in terms of their security impact on the solution, while SonarQube is more of a static code analysis tool which also gives you things like "code smells", though SonarQube also lists the vulnerabilities as part of its analysis.
However, the biggest difference is in terms of cost. SonarQube is free to use (with community support), while Fortify needs a license, which is expensive.

Amol M Kulkarni
Soumen Mukherjee
- Not only this for Fortify. Fortify, when doing its security analysis, tries to identify all the points with no sanitizing systems, tries to apply some security rules on the dataflow, etc. As I remember, SonarQube did not do such an in-depth analysis. – SPoint Oct 17 '19 at 08:44
- Actually, paid versions of SonarQube [do provide data tracing/tainting analysis](https://www.sonarqube.org/features/security/). And if you're thinking about Fortify, you're probably thinking about paying for something anyway. – WillD Feb 21 '20 at 18:16
- SonarQube cloud version (SonarCloud) is only free in case you don't mind that your code becomes accessible to the public. – Luis Gouveia Jul 22 '20 at 10:40
- Just a random question around Fortify pricing: how much does the license cost? – jadavparesh06 Jun 29 '23 at 04:34
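The comments above contrast a plain rule ("this call is dangerous") with dataflow/taint analysis, which follows untrusted input until it reaches a dangerous call unless a sanitizer intervenes. The following is an added illustration, not code from the question or from either vendor: a toy intraprocedural taint tracker over Python's `ast` module, with the source, sanitizer and sink rule sets and the sample program all assumed and constructed for the demo, set beside a dataflow-free pattern match so the difference in reported results is visible.

```python
import ast

# Assumed rule sets for this demo; a real engine ships thousands per language.
SOURCES = {"input"}      # calls whose return value is attacker-controlled
SANITIZERS = {"quote"}   # shlex.quote(): its result is safe to hand to a shell
SINKS = {"system"}       # os.system(): runs its argument in a shell
def _call_name(call):  # input() -> 'input', shlex.quote() -> 'quote'
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
def is_tainted(expr, tainted):
    """True if the expression carries untrusted data; a sanitizer call stops the taint."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = _call_name(expr)
        if name in SOURCES or name in SANITIZERS:
            return name in SOURCES
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):  # e.g. "ping " + host
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    return False
def taint_findings(src):
    """Lines where tainted data reaches a sink (intraprocedural, straight-line code only)."""
    findings = []
    def scan(stmts, tainted=frozenset()):
        for stmt in stmts:
            if isinstance(stmt, ast.FunctionDef):
                scan(stmt.body)  # each function body starts with a clean taint set
                continue
            if isinstance(stmt, ast.Assign):  # propagate (or clear) taint through assignment
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _call_name(call) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append(call.lineno)
    scan(ast.parse(src).body)
    return findings
def pattern_findings(src):  # what a dataflow-free rule sees: every sink call, tainted or not
    return sorted(n.lineno for n in ast.walk(ast.parse(src))
                  if isinstance(n, ast.Call) and _call_name(n) in SINKS)
SAMPLE = '''import os, shlex          # constructed program under analysis
def run():
    host = input("host: ")     # line 3: untrusted source
    os.system("ping " + host)  # line 4: tainted value reaches the sink
    safe = shlex.quote(host)   # line 5: sanitizer breaks the taint
    os.system("ping " + safe)  # line 6: clean
    os.system("uptime")        # line 7: constant argument
'''
```

On `SAMPLE`, `taint_findings` reports only line 4, while `pattern_findings` flags lines 4, 6 and 7; the two false positives are the triage cost that the dataflow-aware tool saves.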
When comparing products it's good to have a list of things; here is my list, let me know what you think.
Fortify
- static analysis
- can't add rules, using configuration as code
- proprietary rules
- manual file upload use case, no easy way of pipeline integration
- does not provide git branch perspectives, improvements over other branches
- provides only security code metrics
- not opensource
- has only paid support model
SonarQube
- static analysis
- can add rules, using configuration as code
- has standard rules based on language being used
- automated code upload use case, has tooling for major frameworks
- provides git branch perspectives, improvements over other branches
- provides all code quality metrics, including security
- opensource
- has paid support model
- free cloud host sonarcloud.io

Max Barrass
- Very good explanation based on various points. I agree with all the points on the Fortify side, except that there is a Jenkins plugin available now which can be used for integrating with pipelines, which scores each upload. – Pravin Jadhav Nov 02 '20 at 17:11
- SonarQube has a community where you can get some help if you don't have paid support. – G. Ann - SonarSource Team Feb 11 '22 at 13:42
The main difference is the quality of the results. Fortify is an enterprise-grade solution; SonarQube works hard but is not in the same league.

Jose Sanchez
- Can you please describe in more detail what you mean by "the quality of the results"? If you actually mean the same as what @Max Barrass wrote in his reply, you can also just wait until you have enough reputation and vote his post up. Thank you! – fose Jul 09 '20 at 19:41
- It would be helpful if you elaborated on the ways Fortify beats SonarQube. – IEnjoyEatingVegetables Mar 08 '22 at 19:58