SonarQube Server (formerly SonarQube) Reviews

SonarQube and SonarLint were adapted as part of the CI development process, i.e., the developers who committed to high severity issues in the repository were immediately notified via mail/Jenkins.

An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.

SonarLint: It gives code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering the early potential bugs).

SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).

There is need for support for the additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the CSM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).

A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.

There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.

They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.

We did not use a different solution in the past.

The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several CSMs).

The SonarLint setup is extremely simple in IntelliJ.

We did not purchase a license (required for C++ support), but this option was considered.

The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.

We did not evaluate other static code analysis solutions.

I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.

It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

A little bit more emphasis on security and a bit more security scanning features would be nice. 

It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

I have been using this solution for four years in my current job.

I don't think I ever had a problem.

We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

I've never been in a situation where I needed their support.

I don't think that we used anything else previously. SonarQube was the first one.

It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

I don't have that data. I don't think that we've ever calculated that. 

My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware. 

SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development. 

This said, we did have some trouble with the LDAP integration for the console. 

As our company is not primarily IT-related we are late comers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago. 

I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products. 

She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.

I am a customer of SonarQube. 

At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.

When we deploy on-cloud, we normally use Amazon Web Services. 

I rate SonarQube as a ten out of ten, easily. I think its fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine. 

It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

Ease of use/interface.

I didn't encounter any issues with stability.

No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

Fairly good.

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

Get the paid version which allows the customized dashboard and provides technical support.

Do your research to make sure the tool is a good fit for your organization.

Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

This is a stable solution.

This is a scalable solution. 

The initial setup was straightforward. 

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

We are using SonarQube for scanning our services for issues as part of our IT department.

SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues. 

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

I have been using SonarQube for approximately three years.

SonarQube is a stable solution.

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

I have used Veracode previously.

The initial setup is straightforward for SonarQube.

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

If SonarQube meets the needs of your use case then I use it.

I rate SonarQube an eight out of ten.

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.

I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved.

I have been using this solution for approximately three years.

There can be some stability issues.

I have used Veracode.

I have evaluated many other solutions similar to SonarQube.

I rate SonarQube a six out of ten.

When it comes to security, this solution is pretty great.

The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.

The solution is quite stable.

You can scale the solution if you need to.

In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front.  Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis. 

There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products.

The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.

It would be great if it could support testing and configurations a bit more. 

We've only been working with the solution for one year. It hasn't been that long.

The solution is very stable. We don't have any issues with its reliability. It's been quite good so far.

The architecture that we have is not that big, however, from the scalability point of view, SonarQube supports scalability quite well.

At the moment, we have a hybrid working model on the vendor side, as well as on the in-house team. The in-house team has 5 members and the vendor has maybe 20 people, more or less. All in all, we can say we have about 25 people using the solution at any given time.

We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.

Right now, we are not using the enterprise features of the solution. I don't know about the licensing as I was not the one who introduced SonarQube into the pipeline. I believe we are using the free community edition and therefore aren't actually paying any money for it.

I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.

We're just customers. We don't have a business relationship with the company.

I believe we are using the latest version of the solution, however, I don't know the exact number.

I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products.

Overall, I would rate the solution seven out of ten.