I am currently using sonarcloud.io to scan an open source project I’m working on.
How comparable are the built-in rules with the checks done by pmd & findsecbugs (spotbugs+find-sec-bugs) on Java code?
I have integrated both as external analyzers, and can see issues tagged findsecbugs & pmd in sonarcloud. I’m unclear how to filter them though, or how they feature in the metrics, and whether additional configuration is helpful.
How comparable is the sonar java scanner with proprietary tools like Fortify static analyzer (which also makes use of findbugs) both in terms of static code analysis, and bytecode analysis?