We performed a comparison between Parasoft SOAtest and SonarQube based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, easy of deployment, and ROI."Automatic testing is the most valuable feature."
"Generating new messages, based on the existing .EDN and .XML messages, is a crucial part or the testing project that I’m currently in."
"Parasoft SOAtest has improved the quality of our automated web services, which can be easily implemented through service chaining and service virtualization."
"We do a lot of web services testing and REST services testing. That is the focus of this product."
"Good write and read files which save execution inputs and outputs and can be stored locally."
"We can automate our scenarios in a data driven format, which shows there is no rework on scripts. We only need to update the test data and run for a number of scenarios."
"They have a feature where they can record traffic and create tests on the report traffic."
"We have seen a return on investment."
"We consider it a handy tool that helps to resolve our issues immediately."
"It has very good scalability and stability."
"We advise all of our developers to have this solution in place."
"One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
"I like that it helps us maintain our work quality and code security."
"It is working fine. It provides a good value for money."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"It automatically scans for code, detects vulnerabilities, and generates daily reports."
"Enabling/disabling an optional element of an XML request is only possible if a data source (e.g., Excel sheet) is connected to the test. Otherwise, the option is not available at all in the drop-down menu."
"The product is very slow to start up, and that is a bit of a problem, actually."
"Compatibility with HTTP 1.1 and TLS 1.2 needs to be improved."
"From an automation point of view, it should have better clarity and be more user friendly."
"Tuning the tool takes time because it gives quite a long list of warnings."
"The summary reports could be improved."
"The feedback that we received from the DevOps of our organization was that the tool was a little heavy from the transformation perspective."
"During the process of working with SOAtest and building test cases, the .TST files will grow. A negative side effect is that saving your changes takes more time."
"For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
"I am not very pleased with the technical debt computation."
"I would like to see dynamic code analysis in the next version of the software."
"There are limitations to the free version that limit development options as far as languages."
"SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"I think the code security can be improved."
"You may need to purchase add-ons to get the useability you desire."
Parasoft SOAtest is ranked 28th in Static Application Security Testing (SAST) with 30 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Parasoft SOAtest is rated 8.2, while SonarQube is rated 8.0. The top reviewer of Parasoft SOAtest writes "Good API testing and RIT feature; clarity could be improved". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Parasoft SOAtest is most compared with Postman, Coverity, Polyspace Code Prover, Klocwork and ReadyAPI, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Coverity, Veracode and Snyk. See our Parasoft SOAtest vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.