SonarQube Server (formerly SonarQube) Reviews

I'm a user also, but I'm also responsible for information security.

I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first.

Within our organization, there are roughly 14 people using this solution.

We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team — I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.

The product itself has a friendly UI. It's easy to use and we understand how to manage the admin control panel, it's really quick. It's really easy to perform admin jobs using the control panel. 

The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.

We could use some team support, but since we are using the community version, it's not available.

Also, because we are using the community version, we have some problems from time to time regarding the SSO logins.

Sometimes you need more time to configure things, to edit some profiles.

SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery — they don't really care about security. But now, since we are also certified technical security, we can go ahead and provide that for them.

In short, communication needs to be better.

Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk. 

We have had SonarQube for over a year, but we have only been using it for the past two months.

With the use of community version, we already have utilized and carried out our needs to fulfil application security at the earlier stage with small medium SDLC Team.

The initial setup was very straightforward. Overall, deployment took roughly one week.

There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source.

Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software.

Overall, I would recommend SonarQube for your initial software quality.

On a scale from one to ten, I would give this solution a rating of eight.

SonarQube and SonarLint were adapted as part of the CI development process, i.e., the developers who committed to high severity issues in the repository were immediately notified via mail/Jenkins.

An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.

SonarLint: It gives code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering the early potential bugs).

SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).

There is need for support for the additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the CSM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).

A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.

There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.

They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.

We did not use a different solution in the past.

The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several CSMs).

The SonarLint setup is extremely simple in IntelliJ.

We did not purchase a license (required for C++ support), but this option was considered.

The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.

We did not evaluate other static code analysis solutions.

I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.

It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

A little bit more emphasis on security and a bit more security scanning features would be nice. 

It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

I have been using this solution for four years in my current job.

I don't think I ever had a problem.

We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

I've never been in a situation where I needed their support.

I don't think that we used anything else previously. SonarQube was the first one.

It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

I don't have that data. I don't think that we've ever calculated that. 

My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware. 

SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development. 

This said, we did have some trouble with the LDAP integration for the console. 

As our company is not primarily IT-related we are late comers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago. 

I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products. 

She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.

I am a customer of SonarQube. 

At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.

When we deploy on-cloud, we normally use Amazon Web Services. 

I rate SonarQube as a ten out of ten, easily. I think its fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine. 

It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

Ease of use/interface.

I didn't encounter any issues with stability.

No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

Fairly good.

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

Get the paid version which allows the customized dashboard and provides technical support.

Do your research to make sure the tool is a good fit for your organization.

Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

This is a stable solution.

This is a scalable solution. 

The initial setup was straightforward. 

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

We are using SonarQube for scanning our services for issues as part of our IT department.

SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues. 

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

I have been using SonarQube for approximately three years.

SonarQube is a stable solution.

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

I have used Veracode previously.

The initial setup is straightforward for SonarQube.

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

If SonarQube meets the needs of your use case then I use it.

I rate SonarQube an eight out of ten.

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.

I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved.

I have been using this solution for approximately three years.

There can be some stability issues.

I have used Veracode.

I have evaluated many other solutions similar to SonarQube.

I rate SonarQube a six out of ten.