Difference between SonarQube and Fortify?

security continuous-integration sonarqube devops fortify
user3847894 picture user3847894 · Oct 15, 2019 · Viewed 12.4k times · Source

Can someone tell me what is the difference between SonarQube and Fortify? Both are static code analysis tool. I found out Fortify is more inclined towards security as it gives information about vulnerabilities included in OWASP, SANS etc. SonarQube also shows this information.

Answer

Atmanirbhar Bharat picture Atmanirbhar Bharat · Oct 15, 2019

Fortify essentially classifies the code quality issues in terms of its security impact on the solution. While Sonarqube is more of a Static code analysis tool which also gives you like "code smells," though Sonarqube also lists out the vulnerabilities as part of its analysis.

However, the biggest difference is Cost .. Sonarqube is Free to use (with community support) while Fortify needs a license, which is expensive.

Related questions

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
SecurityError: Blocked a frame with origin from accessing a cross-origin frame

I am loading an <iframe> in my HTML page and trying to access the elements within it using Javascript, but when I try to execute my code, I get the following error: SecurityError: Blocked a frame with origin "…

Read More
How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More