Deputy Manager Quality Assurance at eInfochips
Reseller
A stable open-source code quality inspection tool with a nice dashboard
Pros and Cons
  • "I like that it has a better dashboard compared to Clockwork. It's also stable."
  • "Technical support and the price could be better."

What is most valuable?

I like that it has a better dashboard compared to Clockwork. It's also stable.

What needs improvement?

Technical support and the price could be better.

For how long have I used the solution?

I have been using SonarQube for seven or eight years.

What do I think about the stability of the solution?

SonarQube is quite good in terms of stability.

Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.

How are customer service and support?

Technical support could be better. If we request support, it's a little bit delayed, and it's not consistent on email.

What's my experience with pricing, setup cost, and licensing?

SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing.

What other advice do I have?

On a scale from one to ten, I would give SonarQube an eight.

Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
Senior System Analyst at a tech services company with 1,001-5,000 employees
Real User
User-friendly, easy to access, and it has good training documentation
Pros and Cons
  • "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
  • "Monitoring is a feature that can be improved in the next version."

What is our primary use case?

We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.

How has it helped my organization?

SonarQube simplified some of the processes and made others more complex.

What is most valuable?

The most valuable features are that it is user-friendly, easy to access, and they provide good training files. It also has the ability to manage and customize reports. Sonar also models the relationship between packages and classes.

What needs improvement?

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

For how long have I used the solution?

I have been using SonarQube for three years.

What do I think about the stability of the solution?

This solution is stable. Stability is not an issue for us.

What do I think about the scalability of the solution?

It's scalable. Scaling is not a problem.

How are customer service and technical support?

Because of the sanctions in our country, we cannot contact technical support directly.

Which solution did I use previously and why did I switch?


How was the initial setup?

The initial setup was straightforward. It was a normal installation.

It took approximately five days to deploy.

What's my experience with pricing, setup cost, and licensing?

It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.

This solution provides good features for users.

What other advice do I have?

Before implementing, they should have more knowledge about the performance and the features. It will also be helpful to learn about the hardware.

If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG
Real User
Top 10
Plenty of features, but needs multiple other products to function well
Pros and Cons
  • "I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, but those are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved."

What is our primary use case?

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the SonarLint plugin with Teamscale, which is then applied to the main product we are using.

What is most valuable?

I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, but those are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

What needs improvement?

We have to combine several products in order to cover as many of the flaws that might exist in the code as possible. We have to integrate several products to set up the security functionality of the product. SonarQube should have better functionality to cover all areas of security, limiting our need for other products.

We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved.

For how long have I used the solution?

I have been using this solution for approximately three years.

What do I think about the stability of the solution?

There can be some stability issues.

Which solution did I use previously and why did I switch?

I have used Veracode.

Which other solutions did I evaluate?

I have evaluated many other solutions similar to SonarQube.

What other advice do I have?

I rate SonarQube a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CTO at a computer software company with 11-50 employees
Real User
An open-source platform for the continuous inspection of code quality
Pros and Cons
  • "The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
  • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

What is our primary use case?

There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version.

We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future.

Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance.

What needs improvement?

The results exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You can extract a maximum of 10,000 results per query, which increases the overall execution time tremendously. I guess the majority of users rely on SonarQube's presentation capabilities, which are very restrictive for some use cases.

For how long have I used the solution?

I have been using SonarQube, every day, for more than two years. 

What do I think about the stability of the solution?

SonarQube is stable.

What do I think about the scalability of the solution?

I wouldn't say that it is fully scalable. It's damn slow. It takes a lot of time parsing an average-sized codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this, but it's really hard.

How are customer service and technical support?

As we are using the community version, there is no technical support.

Which solution did I use previously and why did I switch?

I have used a wide variety of tools. SonarQube covers a wide variety of issues and it is a well-designed, robust framework.

How was the initial setup?

To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, it took me some time to go through the process. It is not straightforward at all, it's quite complicated; it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script isn't functional; it needs some tweaking.

My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. In short, it should come with a self-contained, functional configuration set.

Overall, the initial setup should be easier.

What about the implementation team?

Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

What's my experience with pricing, setup cost, and licensing?

Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

Which other solutions did I evaluate?

Yes, we have evaluated plenty of alternatives; nothing is really comparable.

What other advice do I have?

I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.

Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
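The reviewer's complaint about exporting is grounded in a real server limit: api/issues/search will not serve any page past the 10,000th hit of a query, so a large project cannot be dumped with one call. The script below is an added example written for this page, not code from the reviewer or from SonarSource. It pages in 500-issue steps and, whenever a slice still holds more than 10,000 issues, narrows it first by severity and then by halving the creation-date range. The server URL, token variable, project key and the in-memory fake server used to run it offline are assumptions and constructed data.

```python
"""Export every unresolved issue of a SonarQube project through the Web API
without tripping the 10 000-result ceiling of api/issues/search.

Added example for this page, not code from the reviewer or from SonarSource.
Assumptions: SONAR_TOKEN is a user token with Browse permission, and slicing
a query by severity and then by creation date brings each slice under the cap
(a single day holding more than 10 000 issues of one severity cannot be split
further here).
"""
import base64
import json
import urllib.parse
import urllib.request
from datetime import date, timedelta

PAGE_SIZE = 500      # largest page size (ps) the endpoint accepts
RESULT_CAP = 10_000  # the server rejects any page where p*ps exceeds this
SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")


def make_http_fetch(base_url, token):
    """Build fetch(params) -> dict that GETs api/issues/search (token as basic-auth user)."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(params):
        url = f"{base_url.rstrip('/')}/api/issues/search?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def _total(fetch, params):
    """Ask for a single result just to read the total hit count of a query."""
    return fetch({**params, "ps": 1, "p": 1})["total"]


def _page_all(fetch, params):
    """Drain one query already known to hold at most RESULT_CAP issues."""
    issues, page = [], 1
    while True:
        body = fetch({**params, "ps": PAGE_SIZE, "p": page})
        issues.extend(body["issues"])
        if page * PAGE_SIZE >= body["total"]:
            return issues
        page += 1


def export_issues(fetch, project_key, since=date(2000, 1, 1), until=None):
    """Return all unresolved issues of project_key as {issue key: issue}."""
    until = until or date.today()
    found = {}
    work = [(sev, since, until) for sev in SEVERITIES]  # (severity, first day, last day)
    while work:
        sev, first, last = work.pop()
        # createdAfter is inclusive and createdBefore exclusive on the server, so the
        # slice end is pushed one day forward; keying by issue key below keeps the
        # result correct even if a boundary day were ever returned by two slices.
        params = {"componentKeys": project_key, "resolved": "false", "severities": sev,
                  "createdAfter": first.isoformat(),
                  "createdBefore": (last + timedelta(days=1)).isoformat()}
        total = _total(fetch, params)
        if total == 0:
            continue
        if total <= RESULT_CAP:
            for issue in _page_all(fetch, params):
                found[issue["key"]] = issue
        elif first == last:
            raise RuntimeError(f"{total} {sev} issues created on {first}: cannot slice further")
        else:  # too many hits: halve the date range and retry both halves
            mid = first + (last - first) // 2
            work.append((sev, first, mid))
            work.append((sev, mid + timedelta(days=1), last))
    return found


# --- constructed stand-in for a server, so the example runs offline ---
def make_fake_fetch(issues):
    """Emulate the filtering, paging and result cap of api/issues/search in memory."""
    def fetch(params):
        hits = [i for i in issues if i["severity"] == params["severities"]
                and params["createdAfter"] <= i["creationDate"] < params["createdBefore"]]
        p, ps = int(params["p"]), int(params["ps"])
        if p * ps > RESULT_CAP:
            raise RuntimeError(f"Can return only the first {RESULT_CAP} results. {p * ps}th result asked.")
        return {"total": len(hits), "issues": hits[(p - 1) * ps:p * ps]}
    return fetch


def demo(n_major=12_000, n_blocker=7):
    """Constructed project: n_major MAJOR issues spread over ~600 days plus a few BLOCKERs."""
    start = date(2022, 1, 1)
    issues = [{"key": f"M{i}", "severity": "MAJOR",
               "creationDate": (start + timedelta(days=i // 20)).isoformat()} for i in range(n_major)]
    issues += [{"key": f"B{i}", "severity": "BLOCKER", "creationDate": start.isoformat()}
               for i in range(n_blocker)]
    found = export_issues(make_fake_fetch(issues), "demo", since=start, until=date(2024, 12, 31))
    return len(found)


if __name__ == "__main__":
    print(demo())
```

Against a live server, replace the fake with `make_http_fetch(os.environ["SONAR_URL"], os.environ["SONAR_TOKEN"])`. Drop `"resolved": "false"` if closed issues are wanted too, and treat the date halving as a generic pattern: any extra filter the endpoint accepts (rule, type, file path) can serve as a further slicing key when one day still exceeds the cap.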
Chief Solutions Officer at CleverIT B.V.
Reseller
Easy to deploy and applicable for various uses
Pros and Cons
  • "It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
  • "In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

What is our primary use case?

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

What is most valuable?

In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.

What needs improvement?

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

For how long have I used the solution?

I have been using SonarQube for about four years, with different versions.

What do I think about the stability of the solution?

SonarQube works very well, but I prefer SonarCloud because the tendency of the technology world is to think less about the structure and more about the process and the value that this process provides.

What do I think about the scalability of the solution?

In terms of scalability, with proper configuration and deployment, there is higher availability.

I have companies with 20 users and I have customers with 100 users. We work with a big company in Chile and in some cases national companies, in other cases international companies. With the international companies the majority of them are more than 1,000 users.

I have a technical DevOps team. The majority of the time we implement the trial version so that we show the value of the tool to our clients and they understand about the pricing and the cost of the tool.

It depends on the maturity of the company. In some cases, we have companies that don't know about SonarQube so we deploy it to show the value. In other cases we have clients with no SonarQube experience but they know the quality of the codes. In this case we provide a license. In the majority of the cases we provide the license or the subscription for SonarCloud. Other clients get access to SonarQube directly.

How are customer service and technical support?

I have never used technical support from the SonarQube support team.

I work very well with the documentation you find on the internet.

How was the initial setup?

The initial setup is straightforward the majority of time. It takes about two hours.

What about the implementation team?

I work in a consultancy company so we do the implementation. We deploy for our customers.

Which other solutions did I evaluate?

We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

What other advice do I have?

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
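The pipeline the reviewer describes, where every commit triggers a build that must pass SonarQube's quality gate before it goes further, hinges on one detail: the scanner only uploads a report, and the server computes the gate afterwards in a background task. The script below is an added example written for this page, not code from the reviewer or from SonarSource. It reads the task id the scanner leaves behind, waits for the server to finish, fetches the gate verdict and exits non-zero when it is not OK, printing each failed condition. The report path, token variable, the sample report file and the fake server replies are assumptions and constructed data.

```python
"""Fail a CI job when the quality gate of the SonarQube analysis it just submitted is not green.

Added example for this page, not code from the reviewer or from SonarSource. Assumptions:
sonar-scanner already ran in this job and left .scannerwork/report-task.txt, SONAR_TOKEN holds
a token with Browse permission, and the CI system treats a non-zero exit status as a failed stage.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

PENDING = {"PENDING", "IN_PROGRESS"}  # background-task states that mean "not finished yet"


def make_http_get(base_url, token):
    """Build get(path, params) -> dict for the Web API (token as basic-auth user)."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def get(path, params):
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return get


def parse_report_task(text):
    """Parse the key=value file the scanner writes as .scannerwork/report-task.txt."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            fields[key.strip()] = value.strip()
    missing = [k for k in ("serverUrl", "ceTaskId") if k not in fields]
    if missing:
        raise ValueError(f"report-task.txt lacks {missing}")
    return fields


def wait_for_analysis(get, task_id, timeout_s=300, poll_s=5, sleep=time.sleep):
    """Poll api/ce/task until the server has processed the report; return its analysisId."""
    deadline = time.monotonic() + timeout_s
    while True:
        task = get("api/ce/task", {"id": task_id})["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] not in PENDING:  # FAILED or CANCELED: there is no gate to read
            raise RuntimeError(f"analysis task {task_id} ended with {task['status']}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"analysis task {task_id} still {task['status']} after {timeout_s}s")
        sleep(poll_s)


def gate_status(get, analysis_id):
    """Return (gate status, list of failed conditions) for one analysis."""
    status = get("api/qualitygates/project_status", {"analysisId": analysis_id})["projectStatus"]
    failed = [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
              for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"], failed


def main(report_path=".scannerwork/report-task.txt"):
    with open(report_path, encoding="utf-8") as fh:
        report = parse_report_task(fh.read())
    get = make_http_get(report["serverUrl"], os.environ["SONAR_TOKEN"])
    status, failed = gate_status(get, wait_for_analysis(get, report["ceTaskId"]))
    print(f"quality gate: {status}")
    for line in failed:
        print("  failed condition:", line)
    return 0 if status == "OK" else 1  # ERROR, and NONE (no gate at all), both block the pipeline


# --- constructed stand-in for a scanner run and a server, so the example runs offline ---
SAMPLE_REPORT = "projectKey=demo\nserverUrl=http://sonar.example.test\nceTaskId=AYtask0001\n"
SAMPLE_GATE = {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.2"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
     "errorThreshold": "100", "actualValue": "50.0"}]}


def demo(task_statuses=("PENDING", "IN_PROGRESS", "SUCCESS"), gate=SAMPLE_GATE):
    """Run the check against a fake server whose task walks through task_statuses in order."""
    remaining = iter(task_statuses)

    def fake_get(path, params):
        if path == "api/ce/task":
            return {"task": {"id": params["id"], "status": next(remaining, task_statuses[-1]),
                             "analysisId": "AYanalysis0009"}}
        if path == "api/qualitygates/project_status":
            return {"projectStatus": gate}
        raise KeyError(path)

    report = parse_report_task(SAMPLE_REPORT)
    analysis_id = wait_for_analysis(fake_get, report["ceTaskId"], sleep=lambda _s: None)
    return gate_status(fake_get, analysis_id)


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the step right after `sonar-scanner` in the GitLab or Azure DevOps job. The scanner can do the same wait on its own with `-Dsonar.qualitygate.wait=true` (and `sonar.qualitygate.timeout`); a separate step like this one is useful when the failed conditions should appear in the job log or when the gate check has to live in its own stage.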
it_user700128 - PeerSpot reviewer
Director at a consultancy with 10,001+ employees
Real User
The tool was implemented in a pilot, and successfully scaled to the enterprise.
Pros and Cons
  • "The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
  • "Ease of use/interface."

How has it helped my organization?

It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

What is most valuable?

The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

What needs improvement?

Ease of use/interface.

What do I think about the stability of the solution?

I didn't encounter any issues with stability.

What do I think about the scalability of the solution?

No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

How are customer service and technical support?

Fairly good.

Which solution did I use previously and why did I switch?

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

How was the initial setup?

There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

What's my experience with pricing, setup cost, and licensing?

Get the paid version which allows the customized dashboard and provides technical support.

What other advice do I have?

Do your research to make sure the tool is a good fit for your organization.

Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Team Lead at CNSI
Real User
Reliable and secure solution used for qualitative coding, including the SonarLint plugin
Pros and Cons
  • "We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
  • "We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."

What is our primary use case?

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

What needs improvement?

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

This is a scalable solution. 

How was the initial setup?

The initial setup was straightforward. 

What about the implementation team?

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

What other advice do I have?

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified, VMware vSphere 5 at a financial services firm with 51-200 employees
Real User
Improves code quality and basic security but code analyzing has limitations
Pros and Cons
  • "Strong code evaluation for budget-minded clients."
  • "Expression of common vulnerabilities and exposures is not always current."

What is our primary use case?

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improves code quality and basic security. 

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

What needs improvement?

With a static code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer, so it is not the fault of this one product. We would like to see the latest CVEs (Common Vulnerabilities and Exposures) represented. This would be more useful, but it does not always happen.

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

For how long have I used the solution?

We have been using the SonarQube solution for about a year.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

How are customer service and technical support?

We have little or no interaction with technical support.

Which solution did I use previously and why did I switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

How was the initial setup?

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

What about the implementation team?

We do our own implementations for various clients. We do not need the assistance of another team.

What was our ROI?

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user