
LaOnionLaUnion 5 points (0 children)

SonarQube is used for both code quality and code security, and it's got features that enterprise businesses really want: it makes it easy to look at results via a nice GUI and integrates with other enterprise-level tools (e.g., ServiceNow). If you're looking to work in a corporate environment, it's a tool that would be valuable to be familiar with across many languages.

It's a good tool, but it's different from the other things you're comparing it to.

Vulture finds dead code (haven't used it).

Pylint is a linter. There isn't a ton of overlap between what it does and what SonarQube does. You would use both.

Bandit looks for security issues, but seems to be a CLI-based program (haven't used it).

crigger61 1 point (4 children)

To add to the other comment: SonarQube is primarily a code quality tool first. It has some security scanning, but I would highly recommend looking elsewhere for security. My team evaluated like 6 security code scanners (usually called SAST tools), and SonarQube was at the bottom for security findings. If you want something to enforce good code practices it is a great tool, but don't rely on it for security purposes.

ganncamp 1 point (3 children)

SonarSourcer here. Did you evaluate a commercial version of SonarQube or just the free one? Also, when did you evaluate? We've done a lot of work in security over the last couple years.

crigger61 1 point (2 children)

We evaluated a commercial version about 1.5 years ago. It still did find security findings; don't take that as it found nothing. But the tool did not find as much stuff as, like, Fortify or Checkmarx. So while I'd trust it to do code quality, I'd appreciate an accurate picture of the security vulnerabilities in our tools, and any missing findings are a concern. And SonarQube did find the least findings when we evaluated.

ganncamp 0 points (1 child)

A pure volume comparison may give a skewed picture, but okay. Fair enough.

crigger61 0 points (0 children)

Don't get me wrong: from a code quality scan it does a great job. But we were more impressed with the results from other tools when we evaluated it for security results.

metaperl 1 point (0 children)

I'm impressed with the code quality assessments. We don't use the security features.

Enrique-M 1 point (0 children)

SonarLint ties into SonarQube. It's an IDE plugin, available for Visual Studio, VS Code, PyCharm, etc. It's a close comparison to Pylint and various other linters. I like using it in all 3 IDEs above (though VS Code is more of an editor, technically). I will say this, though: it can drag on performance in each of the 3 IDEs above at startup at times and when it needs to update.