Cast Software Vs Sonarqube Apical




In my (huge) company we mostly use two tools for code analysis:

  • Sonar(Qube) - in development, tightly integrated with the CIs, known and loved by developers.
  • CAST - required by the processes. No continuous measurements, only a couple of times a year, for instance on major releases. The CAST analysis is completely decoupled from development and done by a separate team (we just send them the delivery package to analyse).

I'm on the dev side, as you may guess; I (somewhat) know Sonar/PMD, but not CAST.

In any case I'm not quite happy with the frequency of the CAST analysis, but it is probably not a process I could influence or change. So I was thinking whether it might be possible to implement in Sonar rules similar to those in CAST. Surely not all of them and not everything, but at least enough that there would be no big surprises from the CAST analysis of releases. I googled all over, looking for something like 'PMD rules for Sonar/PMD', but could not find anything. My question is for those who have experience with both Sonar and CAST: is it possible to implement CAST analysis rules (or a certain approximation thereof) in Sonar?

I know both tools, CAST and SonarQube.

The answer to your question will be technology dependent: which languages are you using for your developments? Are you using any frameworks? Don't tell me just J2EE, because that covers a lot of different languages: Java, JavaScript, JSP, HTML.


Not to mention frameworks (Spring, Hibernate, Struts...); each solution will have different analyzers for these languages, with different rules. The main difference between CAST and SonarQube is that both use lexical analysis to identify violations of programming best practices, but CAST also identifies links between components (which is why it's slower). So CAST will have some metrics like fan-in/fan-out and some additional rules (which they call architectural or structural), like avoiding direct access from the presentation layer to the data layer. Also, it comes with some XML files to analyze framework components. This kind of rule could represent an additional 20%, but again this is very language dependent.

It also depends on the versions of both tools, as the number of rules may differ between releases. And no, I don't think all of these 'architectural' rules would be possible to implement with SonarQube. However, they are not all very critical, so you don't miss that much. I suppose your company uses CAST as some kind of Quality Gate? In that case, I would recommend working with the people using CAST to identify which CAST rules are critical for them and could trigger a NoGo or KO. Just post these rules here, and I am sure you will get some good comments about them.

Do not hesitate to ask for further precision.

First of all, thank you for the elaborate answer. We're on J2EE with JSF and (in my project particularly) JavaScript, underpinned by JPA/Hibernate on a JBoss stack. So, sure, lots of stuff. We do have QGs, but I don't think the CAST analysis would bring a KO. I was actually told that CAST was a kind of 'industry standard', with standardized rules and metrics. So I was naively searching for 'CAST rules for PMD/Sonar'.
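As an added illustration of the kind of rule the answer above describes (one that needs links between components rather than a file-at-a-time lexical scan), here is a small Python script that is not code from the question, the answer, CAST or SonarQube. It builds a type-level dependency graph from Java import statements, checks a "presentation must not access the data layer directly" rule, and computes fan-in/fan-out. The package-to-layer convention (`com.acme.web`, `com.acme.service`, `com.acme.data`), the allowed-dependency table and the sample sources are all constructed for the example and are not CAST's actual rule definitions.

```python
"""Approximate a CAST-style 'structural' rule with a dependency graph.

Constructed example: a handful of Java sources embedded as strings, classified
into layers by package name (an assumed convention, not a CAST or SonarQube
setting). We build the type-level dependency graph from import statements and
then check a layering rule ("presentation must not access data directly")
plus fan-in/fan-out, which a purely lexical, single-file linter cannot see.
"""
import re
from collections import defaultdict

# Constructed sample sources (not from any real project).
SOURCES = {
    "com/acme/web/OrderBean.java": """
        package com.acme.web;
        import com.acme.service.OrderService;
        import com.acme.data.OrderRepository;   // direct data access: violation
        import java.util.List;
        public class OrderBean { }
    """,
    "com/acme/web/CustomerBean.java": """
        package com.acme.web;
        import com.acme.service.CustomerService;
        public class CustomerBean { }
    """,
    "com/acme/service/OrderService.java": """
        package com.acme.service;
        import com.acme.data.OrderRepository;
        import com.acme.data.CustomerRepository;
        public class OrderService { }
    """,
    "com/acme/service/CustomerService.java": """
        package com.acme.service;
        import com.acme.data.CustomerRepository;
        public class CustomerService { }
    """,
    "com/acme/data/OrderRepository.java": """
        package com.acme.data;
        import javax.persistence.EntityManager;
        public class OrderRepository { }
    """,
    "com/acme/data/CustomerRepository.java": """
        package com.acme.data;
        import javax.persistence.EntityManager;
        public class CustomerRepository { }
    """,
}

# Assumed layer convention: package prefix -> layer name.
LAYERS = {
    "com.acme.web": "presentation",
    "com.acme.service": "business",
    "com.acme.data": "data",
}
# Assumed rule: which layers each layer may depend on.
ALLOWED = {
    "presentation": {"presentation", "business"},
    "business": {"business", "data"},
    "data": {"data"},
}

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.M)
IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)\s*;", re.M)
CLASS_RE = re.compile(r"\b(?:class|interface|enum)\s+(\w+)")


def layer_of(fqn):
    """Map a fully qualified type name to a layer, or None for external types."""
    for prefix, layer in LAYERS.items():
        if fqn == prefix or fqn.startswith(prefix + "."):
            return layer
    return None


def build_graph(sources):
    """Return {type_fqn: set(imported_fqn)} keeping only in-scope dependencies."""
    graph = {}
    for text in sources.values():
        pkg = PACKAGE_RE.search(text).group(1)
        cls = CLASS_RE.search(text).group(1)
        fqn = f"{pkg}.{cls}"
        deps = {imp for imp in IMPORT_RE.findall(text) if layer_of(imp)}
        graph[fqn] = deps
    return graph


def layer_violations(graph):
    """Edges (src, dst) whose source layer may not depend on the target layer."""
    out = []
    for src, deps in sorted(graph.items()):
        for dst in sorted(deps):
            if layer_of(dst) not in ALLOWED[layer_of(src)]:
                out.append((src, dst))
    return out


def fan_metrics(graph):
    """Per type: (fan-in = number of dependents, fan-out = distinct in-scope deps)."""
    fan_in = defaultdict(int)
    for deps in graph.values():
        for dst in deps:
            fan_in[dst] += 1
    return {fqn: (fan_in[fqn], len(deps)) for fqn, deps in graph.items()}


if __name__ == "__main__":
    g = build_graph(SOURCES)
    for src, dst in layer_violations(g):
        print(f"VIOLATION {layer_of(src)} -> {layer_of(dst)}: {src} imports {dst}")
    for fqn, (fi, fo) in sorted(fan_metrics(g).items()):
        print(f"{fqn}: fan-in={fi} fan-out={fo}")
```

Running it reports the one constructed violation (`OrderBean` importing `OrderRepository`) and the fan metrics for every type. The point for the question above is that such a check needs the whole delivery as input, so if it were ported to SonarQube it would have to run as a project-level rule over the full module graph, not as a PMD-style per-file rule; import-based resolution also misses reflective or string-configured access (JSF expression language, Hibernate mappings), which is the kind of gap the answer's framework XML files are meant to close.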
