When comparing SonarQube vs Clang Static Analyzer, the Slant community recommends Clang Static Analyzer for most people. In the question “What are the best open source C++ static analysis tools?” Clang Static Analyzer is ranked 2nd while SonarQube is ranked 3rd. The most important reason people chose Clang Static Analyzer is:
The Clang Static Analyzer has been implemented as a library for ease-of-use analysis of any project. Simply import the library.
Pros
Pro Continuous code quality as a service
Quick installation, configuration and code review. It follows rules that support industry standards (across installed plugins). Quality model: Bugs, Vulnerabilities and Code Smells are all raised on the code in a simple user interface.
Pro Implemented as a Library
The Clang Static Analyzer has been implemented as a library for ease-of-use analysis of any project. Simply import the library.
Pro Standalone Tool
A command line utility that lets a user run the static analyzer over their codebase as part of a regular build (from the command line). It works by sending the compiled files through the analyzer; upon completion of the build, the results are presented in the web browser.
Pro Maintained by a broad community.
This project has permanent support from a broad community.
Pro Static Analysis for C++, C and Objective-C projects
Supports basically all languages of the C family.
Cons
Con Enterprise deployment
The Enterprise Deployment version has commercial value.
Con Continuous work-in-progress
There are limitations to what static analysis can do, but the Clang Static Analyzer is far from reaching that point. There will be continuous improvements and updates to the project before the analyzer can reach its full potential. The upside is that it will continue to be worked on; however, it is potentially behind paid alternatives.
Con False Positives
Since static analysis can never be perfect, many bugs may be reported even though the code behaves correctly. The frequency of these false positives can vary between different code checks.