Hello peers,
I work for a large tech services company. I am currently researching Application Security Tools.
Which software is ideal for code quality and security? Are SonarQube and Snyk a good choice? Are there any better alternatives?
Thank you for your help.
@Tej Muchhala : Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.
1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The enterprise version has a far broader scope covered with excellent reporting capabilities. SQ does have rules to compare against OWASP's Top 10 for both 2017 and 2021. Wrt Code Quality, SQ looks at unit-level issues and not necessarily module/design issues.
2. CAST Software Intelligence - This has 2 products - CAST Highlights can do very rapid analysis and provide you software health and also open source safety assessment for 3rd party libraries you might be using. SQ does not look into 3rd party libraries' assessment. CAST also has a dedicated security dashboard that checks code against various industry standards like OWASP, ISO 5055, CWE Top 25, NIST, etc.
3. Snyk again has multiple products to cater to different areas of security. This is a great product and has seamless integrations into your CI pipeline.
Regards,
Vishal.
Hi Tej, you should also check out CAST (castsoftware.com). Their kit does a very thorough analysis that may be a good option depending on the complexity of your codebase.
Hi Tej, as per my experience, SonarQube provides a better understanding of the code, it gives you a detailed analysis of the code up to the line level. It finds vulnerabilities in the code and runs test cases for you (if you add them). Also, you can customize the quality gate rules to define the parameters your code should pass like reliability, repetition of lines, etc. On the other hand, Snyk offers you an overview of the tools you are using, or the APIs you are using inside the code and gives vulnerability notifications and fixes. SonarQube doesn't fix or doesn't give any suggestions but Snyk will give you suggestions on which version of that dependency should be used and why. I have integrated both Snyk and SonarQube as both are open source up to a certain level.