Jul 08, 2020
My opinions are my own and do not represent any other entities that I may be or have been affiliated with.
On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.
As for Checkmarx vs SonarQube...
Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25.
Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.
SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.
I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.
In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.
Hope that helps
