Try our new research platform with insights from 80,000+ expert users

SonarQube Server (formerly SonarQube) pros and cons

Vendor: Sonar

4.0 out of 5

113 reviews
81% willing to recommend

3,599 followers

Pros & Cons summary

SonarQube Server (formerly SonarQube) enhances software quality by enforcing coding standards, supporting multiple languages, and integrating with Jenkins. Quality Gates benchmark code standards, while detailed analysis improves coding habits. Users appreciate its comprehensive documentation and best practices support, but false positives and basic security features need improvement. Configuration and integration present challenges, and documentation lacks guidance. Report generation is difficult, hindering user satisfaction despite its contribution to professional growth and code security.

Buyer's Guide

Get pricing advice, tips, use cases and valuable features from real users of this product.

Prominent pros & cons

PROS

SonarQube Server enhances software quality by establishing and disseminating best practices throughout the development process.

It integrates seamlessly with continuous integration systems like Jenkins, improving code coverage and overall code health through automated quality gates.

SonarQube Server effectively tracks and manages technical debt, helping organizations identify and remedy vulnerabilities and code smells across multiple programming languages.

The tool supports in-depth code analysis and review, offering detailed documentation and explanations that contribute to educational growth and better coding practices.

SonarQube Server offers customizable dashboards and extensive integration capabilities with other static analysis tools, enhancing visibility and control over project metrics and unit test results.

CONS

SonarQube Server (formerly SonarQube) sometimes provides false positives, indicating issues that are not actual problems.

There is a need for better security features and more accurate vulnerability detection.

SonarQube Server (formerly SonarQube) lacks sufficient support for additional programming languages and custom rule creation.

Installation and configuration of SonarQube Server (formerly SonarQube) can be complex and require manual processes.

Documentation needs improvement for clarity and comprehensiveness.

SonarQube Server (formerly SonarQube) Pros review quotes

SG

Lead Engineer at a healthcare company with 10,001+ employees

May 20, 2019

We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.

Read full review

SG

Lead Engineer at a healthcare company with 10,001+ employees

Jan 28, 2022

I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.

Read full review

RR

Manager at kellton

Dec 10, 2021

One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.

Read full review

SonarQube Server (formerly SonarQube)

Free Report: SonarQube Server (formerly SonarQube) Reviews and More

Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.

814,528 professionals have used our research since 2012.

SR

reviewer1407126

Team Lead at a computer software company with 10,001+ employees

Aug 30, 2020

It is a very good tool for analysis despite its limitations.

Read full review

Senior Java Developer at a financial services firm

Aug 29, 2017

Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors.

Read full review

PJ

reviewer1078050

Staff DevOps Specialist at a computer software company with 201-500 employees

Nov 11, 2021

My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

Read full review

HT

Information Technology Technical Architect at a insurance company with 51-200 employees

Sep 9, 2020

The product has a friendly UI that is easy to use and understand.

Read full review

AN

reviewer1522716

Project Manager at a manufacturing company with 1,001-5,000 employees

Nov 3, 2021

There's plenty of documentation available to users.

Read full review

GL

Chief Solutions Officer at CleverIT B.V.

Jan 6, 2021

It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

Read full review

PD

Manager at a wireless company with 11-50 employees

May 15, 2019

Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.

Read full review

Show 10 more reviews (out of 104)

SonarQube Server (formerly SonarQube) Cons review quotes

SG

Lead Engineer at a healthcare company with 10,001+ employees

May 20, 2019

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.

Read full review

SG

Lead Engineer at a healthcare company with 10,001+ employees

Jan 28, 2022

The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.

Read full review

RR

Manager at kellton

Dec 10, 2021

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

Read full review

SonarQube Server (formerly SonarQube)

Free Report: SonarQube Server (formerly SonarQube) Reviews and More

Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.

814,528 professionals have used our research since 2012.

SR

reviewer1407126

Team Lead at a computer software company with 10,001+ employees

Aug 30, 2020

There are limitations to the free version that limit development options as far as languages.

Read full review

Senior Java Developer at a financial services firm

Aug 29, 2017

An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case.

Read full review

PJ

reviewer1078050

Staff DevOps Specialist at a computer software company with 201-500 employees

Nov 11, 2021

A little bit more emphasis on security and a bit more security scanning features would be nice.

Read full review

HT

Information Technology Technical Architect at a insurance company with 51-200 employees

Sep 9, 2020

The documentation is not clear and it needs to be updated.

Read full review

AN

reviewer1522716

Project Manager at a manufacturing company with 1,001-5,000 employees

Nov 3, 2021

There needs to be a shareable reporting piece or something we can click and generate easily.

Read full review

GL

Chief Solutions Officer at CleverIT B.V.

Jan 6, 2021

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Read full review

PD

Manager at a wireless company with 11-50 employees

May 15, 2019

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major.

Read full review

Show 10 more reviews (out of 102)

Product Categories

Product Categories

Application Security Tools

Static Application Security Testing (SAST)

Software Development Analytics

Popular Comparisons

Popular Comparisons

Veracode vs SonarQube Server (formerly SonarQube)

GitLab vs SonarQube Server (formerly SonarQube)

Checkmarx One vs SonarQube Server (formerly SonarQube)

Snyk vs SonarQube Server (formerly SonarQube)

Tricentis Tosca vs SonarQube Server (formerly SonarQube)

Coverity vs SonarQube Server (formerly SonarQube)

OWASP Zap vs SonarQube Server (formerly SonarQube)

SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)

Mend.io vs SonarQube Server (formerly SonarQube)

Fortify on Demand vs SonarQube Server (formerly SonarQube)

OpenText UFT One vs SonarQube Server (formerly SonarQube)

Sonatype Lifecycle vs SonarQube Server (formerly SonarQube)

Acunetix vs SonarQube Server (formerly SonarQube)

CrowdStrike Falcon Cloud Security vs SonarQube Server (formerly SonarQube)

PortSwigger Burp Suite Professional vs SonarQube Server (formerly SonarQube)

See all alternatives

Product Categories

Product Categories

Application Security Tools

Static Application Security Testing (SAST)

Software Development Analytics

Popular Comparisons

Popular Comparisons

Veracode vs SonarQube Server (formerly SonarQube)

GitLab vs SonarQube Server (formerly SonarQube)

Checkmarx One vs SonarQube Server (formerly SonarQube)

Snyk vs SonarQube Server (formerly SonarQube)

Tricentis Tosca vs SonarQube Server (formerly SonarQube)

Coverity vs SonarQube Server (formerly SonarQube)

OWASP Zap vs SonarQube Server (formerly SonarQube)

SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)

Mend.io vs SonarQube Server (formerly SonarQube)

Fortify on Demand vs SonarQube Server (formerly SonarQube)

OpenText UFT One vs SonarQube Server (formerly SonarQube)

Sonatype Lifecycle vs SonarQube Server (formerly SonarQube)

Acunetix vs SonarQube Server (formerly SonarQube)

CrowdStrike Falcon Cloud Security vs SonarQube Server (formerly SonarQube)

PortSwigger Burp Suite Professional vs SonarQube Server (formerly SonarQube)

See all alternatives

Related questions

2,347

Is SonarQube the best tool for static analysis?

134

Which gives you more for your money - SonarQube or Veracode?

56

What Is The Biggest Difference Between Fortify on Demand And SonarQube?

140

What is the biggest difference between Checkmarx and SonarQube?

210

Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode

833

How does SonarQube instance relate to the license?

181

Which software is ideal for code quality and security?

62

What is the difference between Coverity and SonarQube?

60

What is the biggest difference between Coverity and SonarQube?

1,898

How would you decide between Coverity and Sonarqube?