Try our new research platform with insights from 80,000+ expert users

SonarQube Server (formerly SonarQube) vs Synopsys Defensics comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

SonarQube Server (formerly ...
Average Rating
8.0
Reviews Sentiment
7.2
Number of Reviews
114
Ranking in other categories
Application Security Tools (1st), Static Application Security Testing (SAST) (1st), Software Development Analytics (1st)
Synopsys Defensics
Average Rating
8.6
Number of Reviews
4
Ranking in other categories
Fuzz Testing Tools (5th)
 

Mindshare comparison

While both are Quality Assurance solutions, they serve different purposes. SonarQube Server (formerly SonarQube) is designed for Application Security Tools and holds a mindshare of 25.1%, down 26.9% compared to last year.
Synopsys Defensics, on the other hand, focuses on Fuzz Testing Tools, holds 23.1% mindshare, up 12.1% since last year.
Application Security Tools
Fuzz Testing Tools
 

Featured Reviews

Wang Dayong - PeerSpot reviewer
Easy to integrate and has a plug-in that supports both C and C++ languages
The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.
it_user508521 - PeerSpot reviewer
Helps us complete testing more quickly by eliminating many unwanted test cases
Sometimes, when we are testing embedded devices, when we trigger the test cases, the target will crash immediately. It is very difficult for us to identify the root cause of the crash because they do not provide sophisticated tools on the target side. They cover only the client-side application, and from that we can generate automated test cases, but what happens on the target device, what is the reason for the crash, for that we have to do manual debugging. They do not have diagnostic tools for the target side. Rather, they have them but they are very minimal and not very helpful. They can improve a lot on that.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Can tweak rules and feed them into our build pipelines."
"All the features of the solution are quite good."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
"This solution is simple to use and can be quickly deployed."
"The fact that the solution does security scanning is valuable."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
"We have found multiple issues in our embedded system network protocols, related to buffer overflow. We have reduced some of these issues."
"The product is related to US usage with TLS contact fees, i.e. how more data center connections will help lower networking costs."
"Whatever the test suit they give, it is intelligent. It will understand the protocol and it will generate the test cases based on the protocol: protocol, message sequence, protocol, message structure... Because of that, we can eliminate a lot of unwanted test cases, so we can execute the tests and complete them very quickly."
 

Cons

"You may need to purchase add-ons to get the useability you desire."
"I have found this solution creates more noise than competitors."
"We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
"A better design of the interface and add some new rules."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"SonarQube could improve its static application security testing as per the industry standard."
"We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"It does not support the complete protocol stack. There are some IoT protocols that are not supported and new protocols that are not supported."
"Codenomicon Defensics should be more advanced for the testing sector. It should be somewhat easy and flexible to install."
"Sometimes, when we are testing embedded devices, when we trigger the test cases, the target will crash immediately. It is very difficult for us to identify the root cause of the crash because they do not provide sophisticated tools on the target side. They cover only the client-side application... They do not have diagnostic tools for the target side. Rather, they have them but they are very minimal and not very helpful."
 

Pricing and Cost Advice

"The licence is standard open source licensing"
"I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube."
"Can try developer version for 14 days on the free trial."
"The tool's pricing is reasonable."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do."
"The price of the solution could be reduced."
"This is open source."
"Licensing is a bit expensive."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
845,040 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
17%
Computer Software Company
15%
Manufacturing Company
13%
Government
6%
Computer Software Company
22%
Manufacturing Company
17%
Financial Services Firm
9%
Healthcare Company
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
Ask a question
Earn 20 points
 

Also Known As

Sonar
Defensics, Codenomicon Defensics
 

Interactive Demo

Demo not available
 

Overview

 

Sample Customers

Information Not Available
Coriant, CERT-FI, Next Generation Networks
Find out what your peers are saying about Sonar, Veracode, Checkmarx and others in Application Security Tools. Updated: March 2025.
845,040 professionals have used our research since 2012.