What are the key differences between Sonar and Klocwork


Daniel Mascarenhas

Dec 12, 2016, 2:20:11 AM
to SonarQube
Hi

I have been evaluating Sonar for a while now. We already have Klocwork for static code analysis.
So currently, we are comparing these two tools.
1. What are the key differences between these two tools?
2. We observed that, for null pointer related issues, Klocwork does look into the dependent Java files as well (cross-referencing). Does Sonar do something like this as well? Or does it scan each file as a standalone entity, without taking into account its dependent files?

A quick reply would really help.

Thanks in advance,
Daniel

G. Ann Campbell

Dec 12, 2016, 11:46:28 AM
to SonarQube
Hi Daniel,

Below...


On Monday, 12 December 2016 02:20:11 UTC-5, Daniel Mascarenhas wrote:
> Hi
>
> I have been evaluating Sonar for a while now. We already have Klocwork for static code analysis.
> So currently, we are comparing these two tools.
> 1. What are the key differences between these two tools?

I'm tempted to give the classic "X rules Y drools" answer here. :-)

Can you be more specific about the domain areas of interest?

> 2. We observed that, for null pointer related issues, Klocwork does look into the dependent Java files as well (cross-referencing). Does Sonar do something like this as well? Or does it scan each file as a standalone entity, without taking into account its dependent files?

We don't yet do cross-file analysis. We plan to get there "soon".
 

Ann

Daniel Mascarenhas

Dec 13, 2016, 1:34:28 AM
to SonarQube
Hey, Ann

Thanks for the quick reply.

I know one difference. Klocwork does the job of finding bugs in the source code, whereas (as per the docs) Sonar does scanning around 7 axes of pillars.
Considering we have to replace Klocwork with Sonar, I need to know: 'Is there anything which Klocwork does, but Sonar is yet to reach there?' (like you said, for 'cross referencing').


Thanks
Daniel

G. Ann Campbell

Dec 13, 2016, 12:20:24 PM
to Daniel Mascarenhas, SonarQube
Hi Daniel,

SonarQube analyzers find Bugs, Vulnerabilities, and Code Smells. Our ability to find valuable Vulnerabilities isn't where we want it yet, but our ability to detect bugs gets better every day.

The "Seven Deadly Sins" to which you allude are no longer a focus. In fact, you'd be hard-pressed to find them in the docs anymore via the navigation. Instead, we focus on The Leak. I.e. we focus on helping you make sure your new code is clean. Always keep the new code clean and eventually (as your maintenance needs range over the code base) most of the code base will be clean.

I'm not terribly familiar with the capabilities of Klocwork, but I'll give you a list of our capabilities you can use for comparison:

* SonarLint offers in-IDE support with the same analyzers used on the SonarQube platform.
* We offer support for recognized coding standards.
* I believe we pioneered Continuous Inspection.
* We certainly offer metrics, and present them in a comprehensive UI that you don't need to tune.

Let me know if you have other specific questions.


Ann

---
G. Ann CAMPBELL | SonarSource
Product Manager


dani...@itcentralstation.com

Apr 25, 2018, 5:07:44 AM
to SonarQube
If you're still looking, you might find this direct comparison between SonarQube and Klocwork on IT Central Station to be helpful. Users interested in these solutions also read reviews for Veracode, which is included in this comparison as well.