- PMD is an open-source code analyzer rooted in Java and Apex with support for around 18 languages in total. SonarQube is an all-in-one code quality and security platform covering 40+ languages with static analysis plus reliability and maintainability metrics.
- PMD is fully free under BSD-style licensing with no paid tier. SonarQube has a free Community Build under LGPL-3.0 plus commercial Developer, Enterprise, and Data Center editions priced per instance per year by lines of code.
- PMD ships 400+ built-in rules and lets teams write XPath-based custom rules without recompiling the distribution. SonarQube uses its Sonar Way ruleset and adds taint analysis, security hotspots, and branch analysis in commercial editions.
- SonarQube provides a centralised dashboard, quality gate enforcement, PR decoration, and IDE integration via SonarQube for IDE (formerly SonarLint). PMD ships as a CLI and Maven / Gradle plugin without a hosted dashboard.
- Most teams that grow past basic linting move from PMD to SonarQube for the dashboard, multi-language coverage, and security-focused rules. PMD remains useful as a Java-and-Apex specialised second opinion or in lightweight Maven-only stacks.
Which Is Better: PMD or SonarQube?
SonarQube wins for breadth, dashboard, and security depth. PMD wins for zero-config Java linting and lightweight stacks.
PMD is an open-source static code analyzer first released in 2002, primarily focused on Java and Salesforce Apex with rules across roughly 18 languages.
It runs as a CLI or Maven / Gradle plugin, catches bug patterns, design smells, and a curated set of security risks, and works well in Java-only projects without a central dashboard.
SonarQube is a code quality and security platform built by SonarSource. It covers 40+ languages, surfaces findings in a hosted dashboard, integrates with SonarQube for IDE inside the editor, gates PRs, and adds taint analysis plus security hotspots in commercial editions.
For a single-language Java project that just wants linting in CI, PMD does the job. For everything else, SonarQube is the more complete answer.
Key Differences
| Dimension | PMD | SonarQube |
|---|---|---|
| License | BSD-style (fully free) | LGPL-3.0 Community Build + paid editions |
| Languages | Java, Apex, JavaScript, Kotlin, Swift, PL/SQL, and more | 40+ languages |
| Analysis depth | Linter / pattern matching | Code quality + reliability + SAST + taint analysis (commercial) |
| IDE integration | Eclipse, IntelliJ via third-party plugins | First-party SonarQube for IDE (VS Code, IntelliJ, Eclipse, Visual Studio) |
| Dashboard | None first-party (CI-only output) | Hosted SonarQube Server or SonarQube Cloud SaaS |
| Quality gate | CLI exit codes only | Server-enforced gate with PR decoration |
| Custom rules | XPath rules without recompiling | Custom rules via plugins (Java) |
| Best for | Java-only Maven projects | Polyglot stacks with central dashboard requirement |
Head-to-Head
License and pricing
PMD is open source under a BSD-style license. There are no paid tiers. Install the CLI, the Maven plugin, or the Gradle plugin and run.
SonarQube’s Community Build is open source under the LGPL-3.0 license. The Developer, Enterprise, and Data Center editions add commercial features.
Branch analysis, taint analysis, security hotspots in PR decoration, project portfolios, and enterprise reporting are all behind the paid tiers. Sonar prices Developer Edition per instance per year, scaled by lines of code; tier figures are quoted on Sonar’s plans page rather than displayed on the public catalogue.
For teams that need only the basics, both tools have a free path. SonarQube’s commercial upgrade triggers when teams need PR-level branch analysis or deeper security findings.
Language coverage
PMD’s primary language is Java. The Java ruleset is the most mature, with rules dating back to PMD’s 2002 launch.
PMD also supports Salesforce Apex and Visualforce, JavaScript, Kotlin, Swift, PL/SQL, Velocity, JSP, WSDL, Maven POM, HTML, XML, XSL, and Modelica. Scala can be parsed but ships without built-in rules. Java is the gold standard for rule depth, and the others trail.
SonarQube supports 40+ languages out of the box. The Sonar Way ruleset covers each language with quality and security rules curated by Sonar’s research team.
Rule curation and custom rules
PMD ships 400+ built-in rules across categories: Best Practices, Code Style, Design, Documentation, Error Prone, Multithreading, Performance, and Security. Custom rules can be written in XPath without needing to recompile the PMD distribution, which makes rule authoring relatively low-friction for Java codebases.
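As an added illustration of the XPath route (this is not code from the page or from the PMD project), the ruleset below flags weak digest algorithms with no Java compilation step. It assumes PMD 7's Java AST node names (MethodCall, ArgumentList, StringLiteral with a @ConstValue attribute) and the pmd-java:matchesSig XPath function; the rule name and file name are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- team-security-rules.xml (constructed example) -->
<ruleset name="team-security-rules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Team security rules: PMD's built-in Security category plus one XPath rule.</description>

    <!-- Pull in PMD's shipped Security category unchanged -->
    <rule ref="category/java/security.xml"/>

    <!-- Custom rule: MessageDigest.getInstance() with a broken hash name.
         XPathRule is interpreted at runtime, so nothing is recompiled. -->
    <rule name="WeakHashAlgorithm"
          language="java"
          message="MD5 and SHA-1 are not collision resistant; use SHA-256 or stronger"
          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
        <description>
            Flags MessageDigest.getInstance() calls whose algorithm argument is a
            literal naming MD5 or SHA-1 (assumed PMD 7 AST; @ConstValue is the
            unquoted string value of the literal).
        </description>
        <priority>2</priority>
        <properties>
            <property name="xpath">
                <value><![CDATA[
//MethodCall[pmd-java:matchesSig("java.security.MessageDigest#getInstance(_*)")]
    [ArgumentList/StringLiteral[upper-case(@ConstValue) = ('MD5', 'SHA-1', 'SHA1')]]
]]></value>
            </property>
        </properties>
        <example><![CDATA[
MessageDigest weak = MessageDigest.getInstance("MD5");     // reported
MessageDigest ok   = MessageDigest.getInstance("SHA-256"); // not reported
]]></example>
    </rule>
</ruleset>
```

With the PMD 7 CLI this runs as `pmd check -d src/main/java -R team-security-rules.xml -f sarif`, and the same file can be referenced from the Maven or Gradle plugin.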
SonarQube’s Sonar Way ruleset is curated by SonarSource. Each language has its own rule set, with around 600 Java rules in recent versions.
Custom rules require writing a Java plugin against SonarQube’s plugin API. That is significantly heavier than PMD’s XPath approach.
For teams that write custom Java rules regularly, PMD is the lighter touch. For teams that consume rules without writing many custom ones, SonarQube’s curated set is the easier path.
Analysis depth
PMD performs pattern matching on the AST. It catches design smells, code-style violations, common bug patterns, and a curated set of security-relevant patterns.
SonarQube’s open-source Community Build does similar pattern matching plus reliability and maintainability metrics. The commercial editions add taint analysis through the Sonar Security Engine.
Taint analysis traces data flows from sources to sinks. That is the kind of analysis required for SQLi, XSS, command injection, and path traversal findings.
For deep security analysis, the commercial SonarQube editions outclass PMD. For surface-level linting, PMD competes well.
Developer experience
PMD runs as a CLI, a Maven plugin, a Gradle plugin, or via third-party IDE wrappers like the Eclipse PMD plugin and the JetBrains plugin. There is no first-party hosted dashboard. Output is XML, JSON, HTML, or SARIF.
SonarQube ships a server you host yourself, or you can use SonarQube Cloud as the SaaS option. The server is the dashboard. Issue triage, quality-gate enforcement, PR decoration, and historical trending all live there.
SonarQube for IDE (formerly SonarLint) is the first-party IDE plugin for VS Code, IntelliJ, Eclipse, and Visual Studio, with a connected mode that pulls server rules into the IDE.
For teams that want a central dashboard plus IDE-time feedback, SonarQube’s developer experience is significantly more complete.
When to Choose Each
Choose PMD when
- The project is Java-only or Java-and-Apex.
- You want a free, drop-in linter for Maven or Gradle without operating a server.
- You expect to write XPath-based custom rules regularly.
- You only need linting and basic security findings, not dashboard or PR decoration.
Choose SonarQube when
- The codebase is polyglot, mixing Java with JS/TS, Python, C#, or Go.
- You want a central dashboard with quality-gate enforcement and PR decoration.
- IDE-time feedback through SonarQube for IDE is part of the requirement.
- You need taint analysis and deeper security findings (commercial editions).
Choose both when
- A Java-heavy stack where you want PMD’s specialised Java rules and SonarQube’s central dashboard: SonarQube can ingest PMD’s XML output as an external analyzer report.
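To make the "choose both" setup concrete, here is an added pom.xml fragment (constructed for this article, not taken from the page, PMD or SonarSource) that has maven-pmd-plugin write target/pmd.xml and points the SonarQube scanner at it. The plugin version, the custom ruleset filename and the assumption that sonar-maven-plugin is already resolvable (settings.xml pluginGroup or explicit coordinates) are mine.

```xml
<!-- pom.xml fragment (constructed example) -->
<project>
  <!-- ... groupId, artifactId, dependencies elided ... -->

  <properties>
    <!-- SonarQube's Java analyzer imports PMD's XML report from this path;
         pmd:pmd writes it to ${project.build.directory}/pmd.xml by default -->
    <sonar.java.pmd.reportPaths>${project.build.directory}/pmd.xml</sonar.java.pmd.reportPaths>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-pmd-plugin</artifactId>
        <!-- assumed version; 3.22+ bundles PMD 7 -->
        <version>3.26.0</version>
        <configuration>
          <rulesets>
            <!-- PMD's shipped Security category plus the team's XPath rules -->
            <ruleset>/category/java/security.xml</ruleset>
            <ruleset>${project.basedir}/team-security-rules.xml</ruleset>
          </rulesets>
          <!-- PMD's own "quality gate" is the build exit code; set this to false
               if SonarQube's server-side gate should be the only gate -->
          <failOnViolation>true</failOnViolation>
          <printFailingErrors>true</printFailingErrors>
        </configuration>
        <executions>
          <execution>
            <id>pmd-report-and-check</id>
            <phase>verify</phase>
            <goals>
              <goal>pmd</goal>   <!-- writes target/pmd.xml -->
              <goal>check</goal> <!-- fails the build on violations -->
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify sonar:sonar` with the usual sonar.host.url and token settings then shows the PMD violations in SonarQube as external issues next to Sonar's own findings.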
Related comparisons
- Semgrep vs SonarQube — Custom-rule SAST engine vs all-in-one quality platform.
- Coverity vs SonarQube — Open-source platform vs deep commercial SAST engine.
- SonarQube vs Veracode — Open-source plus commercial vs Veracode binary analysis.
Frequently Asked Questions
What is the difference between PMD and SonarQube?
Is PMD a SAST tool or a linter?
Is SonarQube free?
Can I use PMD and SonarQube together?
Which has better Java support?
Does PMD do security scanning?

Founder, AppSec Santa
9+ years in application security. Reviews and compares 201 AppSec tools across 12 categories to help teams pick the right solution.
