Try our new research platform with insights from 80,000+ expert users
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG
Real User
Top 10
Plenty of features, but needs multiple other products to function well
Pros and Cons
  • "I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."

What is our primary use case?

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.

What is most valuable?

I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

What needs improvement?

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved.

For how long have I used the solution?

I have been using this solution for approximately three years.

Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

There can be some stability issues.

Which solution did I use previously and why did I switch?

I have used Veracode.

Which other solutions did I evaluate?

I have evaluated many other solutions similar to SonarQube.

What other advice do I have?

I rate SonarQube a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1472997 - PeerSpot reviewer
CTO at a computer software company with 11-50 employees
Real User
An open-source platform for the continuous inspection of code quality
Pros and Cons
  • "The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
  • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

What is our primary use case?

There are two versions: a free, open-source community version, and a subscription-based version.We use the community version, not the enterprise version.

We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions,  in the future.

Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance. 

What needs improvement?

The results of exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. Sonar Qube offers REST API and you could export the results programmatically, but the process is quite slow and limited. You could extract the maximum 10000 results per query, which increases the overall execution process tremendously. I guess the majority of the users are based on Sonar Qube presentation capabilities, which is very restrictive for some use cases.

For how long have I used the solution?

I have been using SonarQube, every day, for more than two years. 

What do I think about the stability of the solution?

SonarQube is stable.

What do I think about the scalability of the solution?

I wouldn't say that isn't fully scalable. It's damn slow. It takes a lot of time parsing an average size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this but it's really hard.

How are customer service and technical support?

As we are using the community version, there is no technical support.

Which solution did I use previously and why did I switch?

I have used a wide variety of tools.SonarQube covers a wide variety of issues and it is well well designed robust framework.

How was the initial setup?

To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, It took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script, isn't functional, it needs some tweaking.

My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. . In short, it should come with a self-contained functional configuration set.

Overall, the initial setup should be easier.

What about the implementation team?

Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

What's my experience with pricing, setup cost, and licensing?

Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

Which other solutions did I evaluate?

Yes, we have evaluated plenty of alternatives nothing really comparable.

What other advice do I have?

I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.

Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
Chief Solutions Officer at CleverIT B.V.
Reseller
Easy to deploy and applicable for various uses
Pros and Cons
  • "It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
  • "In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

What is our primary use case?

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

What is most valuable?

In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.

What needs improvement?

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

For how long have I used the solution?

I have been using SonarQube for about four years, with different versions.

What do I think about the stability of the solution?

SonarQube works very well, but I prefer SonarCloud because the tendency of the technology world is to think less about the structure and more about the process and the value that this process provides.

What do I think about the scalability of the solution?

In terms of scalability, with proper configuration and deployment, there is higher availability.

I have companies with 20 users and I have customers with 100 users. We work with a big company in Chile and in some cases national companies, in other cases international companies. With the international companies the majority of them are more than 1,000 users.

I have a technical DevOps team. The majority of the time we implement the trial version so that we show the value of the tool to our clients and they understand about the pricing and the cost of the tool.

It depends on the maturity of the company. In some case, we have companies that don't know about SonarQube so we deploy it to show the value. In other cases we have clients with no SonarQube experience but they know the quality of the codes. In this case we provide a license. In the majority of the cases we provide the license or the subscription for SonarCloud. Other clients get access to SonarQube directly.

How are customer service and technical support?

I have never used technical support from the SonarQube support team.

I work very well with the documentation you find on the internet.

How was the initial setup?

The initial setup is straightforward the majority of time. It takes about two hours.

What about the implementation team?

I work in a consultancy company so we do the implementation. We deploy for our customers.

Which other solutions did I evaluate?

We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

What other advice do I have?

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
reviewer1407126 - PeerSpot reviewer
Team Lead at a computer software company with 10,001+ employees
Real User
This is a very capable analysis tool for development projects but the free version has limitations
Pros and Cons
  • "It is a very good tool for analysis despite its limitations."
  • "There is a free version."
  • "There are limitations to the free version that limit development options as far as languages."

What is our primary use case?

We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.  

What is most valuable?

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

What needs improvement?

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.  

There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and over-all have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them.  

We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.  

For how long have I used the solution?

We have been using SonarQube for maybe for a year or so. A little more than that.  

What do I think about the stability of the solution?

The stability is good. We are not having problems with the product failing.  

What do I think about the scalability of the solution?

The stability of SonarQube is good. The scaling part is the problem. We cannot scale to all the other products that we want to use and we cannot improve and scale to other languages.  

The language issue is one that we are facing. If you want to use some languages like maybe tool languages or something people want to use, they are not all available in Sonar. In the commercial version of Sonar they may be available. But the free version, there are some limitations.  

So we do understand the limitations of the scalability. The free tool comes with its own advantages and disadvantages and limitations on scalability is one of the disadvantages.  

How are customer service and technical support?

We do not really have very much contact at all with technical support because SonarQube quite user friendly and intuitive. Technical support is not actually available with the free product, but we do have access to community tools online.   

There was this one issue that we had where we had raised a question in the community. We found that if we scanned our project with SonarLint and if we scanned our project with SonarQube, it was giving some different results. SonarQube was showing some issues and SonarLint was not showing any issues at all. There was a clear difference in the report. But when we Googled this issue and looked on the support web site, we found now that SonarLint does not give you the errors around integration. When it comes to SonarQube, it automatically integrates with other processes and scans your port to that. SolarLint does not do this in the same way. This is why SonarQube might give you some errors that SolarLint does not.  

So we are not in contact the company support. When there are times when we do have an issue, we see what we can Google or the SonarQube community. Usually, we do find out our answers.  

How was the initial setup?

The initial setup is quite straightforward. The setup process is very reasonable as far as it is logical and very simple. It doesn't take much time.  

Which other solutions did I evaluate?

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in Checkmarx.  

What other advice do I have?

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user700128 - PeerSpot reviewer
Director at a consultancy with 10,001+ employees
Real User
the tool was implemented in a pilot, and successfully scaled to the enterprise.
Pros and Cons
  • "The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
  • "Ease of use/interface."

How has it helped my organization?

It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

What is most valuable?

The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

What needs improvement?

Ease of use/interface.

What do I think about the stability of the solution?

I didn't encounter any issues with stability.

What do I think about the scalability of the solution?

No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

How are customer service and technical support?

Fairly good.

Which solution did I use previously and why did I switch?

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

How was the initial setup?

There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

What's my experience with pricing, setup cost, and licensing?

Get the paid version which allows the customized dashboard and provides technical support.

What other advice do I have?

Do your research to make sure the tool is a good fit for your organization.

Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Team Lead at CNSI
Real User
Reliable and secure solution used for qualitative coding, including the SonarLint plugin
Pros and Cons
  • "We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
  • "We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."

What is our primary use case?

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

What needs improvement?

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

This is a scalable solution. 

How was the initial setup?

The initial setup was straightforward. 

What about the implementation team?

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

What other advice do I have?

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Inframan677 - PeerSpot reviewer
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified ,Vmware Vsphere5 at a financial services firm with 51-200 employees
Real User
Improves code quality and basic security but code analyzing has limitations
Pros and Cons
  • "Strong code evaluation for budget-minded clients."
  • "Expression of common vulnerabilities and exposures is not always current."

What is our primary use case?

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improves code quality and basic security. 

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

What needs improvement?

With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. 

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

For how long have I used the solution?

We have been using the SonarQube solution for about a year.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

How are customer service and technical support?

We have little or no interaction with technical support.

Which solution did I use previously and why did I switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

How was the initial setup?

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

What about the implementation team?

We do our own implementations for various clients. We do not need the assistance of another team.

What was our ROI?

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager at Dassault Systèmes
Real User
The FindSecBugs plugin has helped to solve our security vulnerability issues
Pros and Cons
  • "This has improved our organization because it has helped to find Security Vulnerabilities."
  • "The product's user documentation can be vastly improved."

What is our primary use case?

Our primary use case for this solution is security testing using the FindSecBugs plugin.

How has it helped my organization?

This has improved our organization because it has helped to find security vulnerabilities.

What is most valuable?

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

What needs improvement?

The product's user documentation can be vastly improved.

For how long have I used the solution?

Still implementing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros sharing their opinions.