SonarQube is cheaper than Klocwork with a clearer licence model, code of Community Edition is Open Source, it has wider community, but C/C++ analysis is quite recent and less mature.
Klocwork is a leader in Corporate environment for C/C++ Static Analysis.
It is fact that we are a bit less established in the C and C++ world than Klocwork.
I am not sure I understand what @scm_invn calls less mature in this context but I can try to highlight some differences.
First, C and C++ analysis are available in 3 products. On top of SonarQube you mentionned, you can add:
SonarLint is our linter. It is currently available in Visual Studio and Eclipse as Klocwork’s integration. A major difference being that our linter is free and you can use it. Of course, if applicable in your case, you can connect it to SonarQube or SonarCloud to see only your issues and not others’. Integration with other widely used C++ IDEs are being worked on. UPDATE in April 2022. SonarLint is also available for CLion and Visual Studio Code.
SonarCloud is our Cloud based code analysis service. It features C and C++ analysis. It is free for open souce projects and you can buy it for private projects.
About the analysis itself:
We have more rules overall: as of today more than 440 rules for C++ vs 268 for Klocwork if I am correct.
Klocwork has a strong focus and so far has a better coverage of MISRA and CERT than us.
We support C++ Core guidelines we have a good bunch of their original rules and some more are to come. As far as I know, Klocwork does not has such a focus.
Both Klocwork and us are providing static application security testing (SAST).
Outside of the comparison, I would add
We are integrated with plenty of SCMs, ALMs for pull requests and branch analysis. SonarQube is a very popular open-source platform that can analyse multi-languages projects.
We are based on llvm/clang code base and we are contributing back to the community.
We work hard every day to kill the noise and to improve the speed of our analysers.
We are easy to try through SonarCloud and SonarLint.
We love feedback and you can see the community is quite active.
I was curious to know if Sonar supports HIS metrics for C/C++ ?
And where does Sonar stand on coverage for MISRA today? I see that we do we have rules with tags for misra. However, as the last reply was in 2020, I am curious if Sonar has worked more on this area and what all has been worked on?
How does Sonar compare today in 2022 with Klocwork for C/C++ analysis? Is Klocwork still the market leader for C/C++ both in terms of functionalities and the market share?
I personally love Sonar’s UI, it’s integrations with SCMs and CI/CD tools and the amazing support/community.
Sonar does not support HIS metrics for C and C++. Feel free to raise a feature request on the forum.
No new MISRA rule has been implemented since 2020. We are keeping an eye on MISRA 202x. Here are all the MISRA C+±2008 rules we support. Here are all the MISRA C-2004 rules we support. Here are all the MISRA C-2012 rules we support.
I do not have any relevant market share numbers to comment on your statement about Klocwork being the market leader for C/C++. (And by the way, at SonarSource, we make a clear distinction between C and C++).
I do not know what you are referring to when you say Klocwork is the market leader for functionalities.
Doing such a comparison in an objective way is difficult (how should we count UI and the integration that you like? ). I doubt that a lot of people would take Sonar’s word for it. What I can tell for sure is that we are continuously improving a lot.
I think the best is to try it out for yourself. As a reminder, C and C++ are free in SonarLint, free in SonarCloud for open-source projects and can be evaluated in SonarQube.
On your final note, we are glad you like our UI and integration.
). I doubt that a lot of people would take Sonar’s word for it. What I can tell for sure is that we are continuously improving a lot.