hasbella.blogg.se

Sonarqube vs veracode

We've been asked to provide a comparison of scan times between Snyk Code and two common SAST tools: LGTM and SonarQube. For our research, we made several assumptions, but we've shared the details in order to be transparent. Static Application Security Testing (SAST) can only be developer-friendly when it provides near real-time feedback and does not delay your development processes. Snyk Code is up to 106 times faster than LGTM. On average, Snyk Code is 5x faster than SonarQube and 14x faster than LGTM. In summary, Snyk Code proves to be one of the fastest semantic scanning engines on the market.

We have selected 48 JavaScript open source repositories (listed below). The idea was to mimic typical modern developer code sets, and JavaScript seemed a good common denominator. We have chosen a random sample from top-rated repositories on GitHub to represent real-world challenges.

As scanners, we have the Community Edition of SonarQube, which is a broadly used open source static analysis tool. It runs locally, so we needed to provide a quite decent PC. As previous tests using the free SonarCloud edition showed, SonarQube on a good PC is faster than free SonarCloud, so it is not unfair to use the local engine instead of the cloud version. We have to take one of the existing developer machines (details below).

The second contestant is LGTM, which originates from a company called Semmle, which was acquired by GitHub. LGTM uses a deep semantic code search based on CodeQL. We used the LGTM SaaS offering.

Finally, Snyk Code is Snyk's SAST solution. It is based on the former DeepCode scan engine, now with several months of additional development time within Snyk under its belt. Aside from being developer-friendly and highly accurate, one of Snyk Code's design goals is to be extremely fast. It uses a proprietary constraint engine to achieve this.

We selected this field as (1) the licenses allow us to run and compare, (2) these are semantic engines and not linters (like ESLint), (3) these are common and widely used engines, and (4) we have both a locally running tool and a SaaS tool in the field.

Speed is essential when a SAST solution wants to be developer-friendly. It's widely known that developers are most efficient when security issues are identified during the development process, so they can be addressed before the code gets checked in. Snyk Code provides IDE plugins that embed seamlessly into the developer workflow. On top of that, Snyk Code provides easy-to-understand data flow diagrams and extensive explanations, including examples of fixes used in open source libraries with the same context. But for the purposes of this test, we focused on speed.

The way we tested is we ran a scan for each of the repositories: SonarQube locally, LGTM and Snyk Code as SaaS. As mentioned above, this led to our repo selection, as we did not want to make scan times dependent on network bandwidth. We also selected real-life open source repositories and not benchmarks, as the quest here is to simulate what real developers do.