-1

My applications are based on Java, Kotlin and React. Besides SonarQube there are other popular tools like:

Amazon CodeGuru helps you improve code quality and automate code reviews by scanning and profiling Java and Python applications. CodeGuru Reviewer can detect potential defects and bugs in your code.

Synopsys Coverity Static Analysis identifies critical software quality defects and security vulnerabilities in code and any lapses in industry compliance standards.

PMD is most useful when integrated into your build process. It can then be used as a quality gate, to enforce a coding standard for your codebase

Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task.

SpotBugs is a program which uses static analysis to look for bugs in Java code.

Considering the power all these tools resides in SonarQube. Should I use only SonarQube or combination of these are required?

I study various static code analysers and am looking for a recommendation.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Joseph Salom
  • 3
  • 2

1 Answers1

1

All static analyzers are different based on their own communities. Some analyzers have different checks or logic that none of the others have. Even if 2 analyzers have the same check, one could work better than the other, or one may be easier to run locally before submitting to a CI for a more in-depth review.

I recommend to enabling as many different analyzers as you can as long as they let you turn checks on/off and disable violations that you disagree with. Customizing these tools to the style of your project is what ultimately matters.

rveach
  • 2,081
  • 15
  • 25