Compare SonarQube to Klocwork

Can anyone tell me how SonarQube compares against Klocwork?

For which language?

SonarQube is cheaper than Klocwork with a clearer licence model, the code of the Community Edition is open source, and it has a wider community, but its C/C++ analysis is quite recent and less mature.
Klocwork is a leader in corporate environments for C/C++ static analysis.

Hi @tstaycer32 and welcome.

It is a fact that we are a bit less established in the C and C++ world than Klocwork.
I am not sure I understand what @scm_invn calls less mature in this context but I can try to highlight some differences.

First, C and C++ analysis are available in 3 products. On top of SonarQube, which you mentioned, you can add:

  • SonarLint is our linter. It is currently available in Visual Studio and Eclipse, as is Klocwork's integration. A major difference is that our linter is free and you can use it. Of course, if applicable in your case, you can connect it to SonarQube or SonarCloud to see only your issues and not others'. Integration with other widely used C++ IDEs is being worked on.
  • SonarCloud is our cloud-based code analysis service. It features C and C++ analysis. It is free for open source projects and you can buy it for private projects.

About the analysis itself:

  • We have more rules overall: as of today more than 440 rules for C++ vs 268 for Klocwork if I am correct.
  • Klocwork has a strong focus and so far has a better coverage of MISRA and CERT than us.
  • We support the C++ Core Guidelines: we have a good bunch of their original rules and some more are to come. As far as I know, Klocwork does not have such a focus.
  • Both Klocwork and us are providing static application security testing (SAST).

Outside of the comparison, I would add:

  • We are integrated with plenty of SCMs and ALMs for pull request and branch analysis. SonarQube is a very popular open-source platform that can analyse multi-language projects.
  • We are based on llvm/clang code base and we are contributing back to the community.
  • We work hard every day to kill the noise and to improve the speed of our analysers.
  • We are easy to try through SonarCloud and SonarLint.
  • We love feedback and you can see the community is quite active.

I hope it helps.