reviewer1023003 - PeerSpot reviewer
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
IDE plugins are easy to use and integrate
Pros and Cons
  • "Some of the most valuable features have been staying up to date with the latest OWASP, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration."
  • "SonarQube's security detail could be improved. It may be helpful to have additional details with regards to Oracle PL/SQL. For example, it is neither as built out nor as thorough as Java. For now, this is the only additional feature I would like to see."

What is our primary use case?

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

What is most valuable?

Some of the most valuable features have been staying up to date with the latest OWASP, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration.

What needs improvement?

SonarQube's security detail could be improved. It may be helpful to have additional details with regards to Oracle PL/SQL. For example, it is neither as built out nor as thorough as Java. For now, this is the only additional feature I would like to see.

For how long have I used the solution?

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

Buyer's Guide
SonarQube Server (formerly SonarQube)
March 2025
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,767 professionals have used our research since 2012.

What do I think about the stability of the solution?

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

What do I think about the scalability of the solution?

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

Which solution did I use previously and why did I switch?

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

How was the initial setup?

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

What about the implementation team?

We implemented this solution through an in-house team. 

What's my experience with pricing, setup cost, and licensing?

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

What other advice do I have?

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
CEO at ITShare
Real User
Good static code analysis but it's not stable and the installation is not user-friendly
Pros and Cons
  • "The static code analysis is very good."
  • "If you don't have any experience with the configuration or how to configure the files, it can be complicated."

What is our primary use case?

We use it for the static analysis of the source code to find issues or vulnerabilities.

What is most valuable?

The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.

What needs improvement?

If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

For how long have I used the solution?

I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.

What do I think about the stability of the solution?

There are issues with stability. It needs improvement.

We have four members in our organization who are using this solution.

What do I think about the scalability of the solution?

I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months how efficient and scalable it is with large applications.

How are customer service and technical support?

I have not contacted technical support.

How was the initial setup?

The initial setup is straightforward. This solution is easy to install. It only takes five minutes.

We require a team of five to deploy and maintain it.

What about the implementation team?

I completed the installation myself.

Which other solutions did I evaluate?

We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.

Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

What other advice do I have?

The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it.

We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Inframan677 - PeerSpot reviewer
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified, VMware vSphere 5 at a financial services firm with 51-200 employees
Real User
Improves code quality and basic security but code analyzing has limitations
Pros and Cons
  • "Strong code evaluation for budget-minded clients."
  • "Expression of common vulnerabilities and exposures is not always current."

What is our primary use case?

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improve code quality and basic security.

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

What needs improvement?

With the static code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually not currently available with any code analyzer, so it is not the fault of this one product. We would like to see the latest CVE (Common Vulnerabilities and Exposures) get represented. This would be more useful, but it does not always happen.

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

For how long have I used the solution?

We have been using the SonarQube solution for about a year.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

How are customer service and technical support?

We have little or no interaction with technical support.

Which solution did I use previously and why did I switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

How was the initial setup?

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

What about the implementation team?

We do our own implementations for various clients. We do not need the assistance of another team.

What was our ROI?

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user's need and application are super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with something like SonarQube, or another open source software solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager at Dassault Systèmes
Real User
The FindSecBugs plugin has helped to solve our security vulnerability issues
Pros and Cons
  • "This has improved our organization because it has helped to find Security Vulnerabilities."
  • "The product's user documentation can be vastly improved."

What is our primary use case?

Our primary use case for this solution is security testing using the FindSecBugs plugin.

How has it helped my organization?

This has improved our organization because it has helped to find security vulnerabilities.

What is most valuable?

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

What needs improvement?

The product's user documentation can be vastly improved.

For how long have I used the solution?

Still implementing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user347526 - PeerSpot reviewer
Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees
Consultant
My team's code bases have gotten better, with about 25% fewer issues since we began using it. However, they removed the design libraries and dependencies-checking features from v5.2.

What is most valuable?

Its dashboards, quality profile, quality gates and CI integration features (like the build breaker plugin) are the most valuable features for me.

Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.

How has it helped my organization?

My team uses just two features - dashboards and CI-build-breaker - for checking code quality and the stability of our code base. For those purposes, SonarQube has done its work greatly. We have seen a decrease of about 25% in issues since we first started using it a few months ago, and my team's code bases are getting better.

What needs improvement?

The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.

For how long have I used the solution?

I've used it for approximately two years, since December 2013.

What was my experience with deployment of the solution?

I have not encountered any issues.

What do I think about the stability of the solution?

I have not encountered any issues.

What do I think about the scalability of the solution?

I have not encountered any issues.

How are customer service and technical support?

Customer Service:

I've not had to use them. I think its online documentation is up to date, and it is enough to solve problems and to understand features.

Technical Support:

I've not had to use them.

Which solution did I use previously and why did I switch?

My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.

How was the initial setup?

The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.

What was our ROI?

It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.

What's my experience with pricing, setup cost, and licensing?

We are only using the free features.

What other advice do I have?

Just keep following their online installation and plugin development guide.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ScalaCon4d53 - PeerSpot reviewer
Scala Contractor at a tech services company with 10,001+ employees
Real User
Code coverage is useful, but the solution lacks mutation testing
Pros and Cons
  • "If code coverage is a low number then that's of great value to me."
  • "I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."

How has it helped my organization?

We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value to us as the rules themselves.

What is most valuable?

Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.

What needs improvement?

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

For how long have I used the solution?

Our company has been using this solution for over five years.

What do I think about the stability of the solution?

Stability has never been a problem. It would have to be unstable for me to experience a problem, and we haven't. So it's good.

What do I think about the scalability of the solution?

I don't really know how scalable this solution is, but I know we use it on thousands of projects, so it's probably good.

We have a pipeline. The pipeline currently runs 4000 teams through it, and all of them have SonarQube but usually with default rules. So that's pretty expensive. Now, we can't increase it because everything goes through it. We are evaluating what our best option is as we migrate our pipeline. We're migrating the pipeline and we're wondering what to do. If SonarQube did more security scanning, there's a good chance that we would use it more, in a different role. We're already using SonarQube everywhere, in some aspect.

Which solution did I use previously and why did I switch?

It was years ago. They probably evaluated other solutions. 

We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

How was the initial setup?

In all the companies that I've worked with, nobody has ever had a problem with the initial setup. It takes time to set up. It's a big thing and you do it, but it's just a project.

What about the implementation team?

We used people in-house to deploy. We have about 100 people in our pipeline maintenance team. SonarQube has not led to any significant increase in that number. It's just absorbed as a part of the cost. There are no dedicated staff working on it.

What other advice do I have?

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.

In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.

I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Company Director at Alwyn Technologies
Real User
Nice display and reporting of issues but needs more of a focus on security
Pros and Cons
  • "We advise all of our developers to have this solution in place."
  • "I would like to see dynamic code analysis in the next version of the software."

What is our primary use case?

My primary use for this solution is to perform static code analysis.

What is most valuable?

The most valuable feature is the display of issues, like in Jira. That is very helpful for us to track our coding.

What needs improvement?

Improvements could be made in terms of security. 

I would like to see dynamic code analysis in the next version of the software.

For how long have I used the solution?

Between one and two years.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

Scalability is good; we currently have five users but we will definitely be increasing our usage of this solution.

How are customer service and technical support?

We have not required technical support for this solution.

How was the initial setup?

This solution is not as easy to install as SonarLint. 

What's my experience with pricing, setup cost, and licensing?

We are using the free, unlicensed version.

Which other solutions did I evaluate?

We evaluated other solutions including Cobra Static Code Analyzer, but we were not satisfied with their customer support in the open source community.

What other advice do I have?

We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user697056 - PeerSpot reviewer
Senior Software Developer at a tech vendor
Vendor
Provides automated rules for determining if a project is above or below a quality threshold.
Pros and Cons
  • "Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
  • "It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."

How has it helped my organization?

Better live process: More automated quality control in the lifecycle of development/testing/deployment/production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions. This is thanks to standard solutions offered by the issue tips. It raises code maintainability as well as flexibility, to some extent.

What is most valuable?

Quality Gate: Automated rules for determining if a project is above or below a quality threshold. This is a concise "red"/"green" style, basic quality-control. This is integrated in the development and deployment process.

Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions.

What needs improvement?

Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe.

It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues.

There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.

What do I think about the stability of the solution?

There were no stability issues. I can't think of any serious issues.

What do I think about the scalability of the solution?

There were no scalability issues, not as far as the development environments are concerned. I guess if there were tens of repos and maybe hundreds of commits per day, the analysis time would probably suffer. I suppose there is a way to cluster the solution somehow. I'm not sure. I never needed anything like it at the current scale that we have operated with it.

How are customer service and technical support?

I had no direct contact with tech support by myself, but I haven't heard any complaints about it going around either. I guess it is adequate.

Which solution did I use previously and why did I switch?

Previous to this solution, we used static code analysis using built-in IDE tools and plugins. SonarQube just centralizes the same thing and adds some extra layers to systemize and create a somewhat better pipelining for the quality analysis process.

IDE-related tools and plugins are still in use today, as first-in-line hints and helpers. SonarQube manages the quality threshold and it is part of the larger overall process.

How was the initial setup?

The initial setup was not complex at all. There are default configurations out of the box in many ways. It was rather straightforward.

What's my experience with pricing, setup cost, and licensing?

I have no advice on that part, as I'm not directly related to these aspects of the product myself.

What other advice do I have?

Try it, get used to it, configure, and fine-tune it. Make it part of your everyday quality pipeline as gates necessary to pass before the green light to production deployment.

While annoying occasionally with its issue reports, it is actually an invaluable source of better knowledge and applying it in practice to your solutions.

It saves you a bunch of headaches and debugging/fixing sessions in production, which are ten times as costly as using the help of this.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
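Several reviewers above describe the quality gate as a red/green decision over per-metric conditions that a CI build-breaker step enforces. The example below is added here and is not code from any reviewer or from SonarSource; it assumes the JSON shape of the SonarQube Web API endpoint api/qualitygates/project_status (projectStatus.status plus conditions with metricKey, comparator, errorThreshold, actualValue), uses a constructed sample response, and fails closed when no gate is attached.

```python
"""Turn a SonarQube quality-gate result into a CI pass/fail decision."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample, shaped like an api/qualitygates/project_status response:
# coverage passes, two security conditions fail. Rating metrics are numeric
# (1 = A ... 5 = E), so comparator GT with threshold 1 means "worse than A".
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "83.5"},
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
})

RATING_LETTERS = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}


@dataclass(frozen=True)
class Condition:
    metric: str
    comparator: str       # "GT": fail when actual > threshold; "LT": fail when actual < threshold
    threshold: float
    actual: float | None  # None when the metric has no value yet (e.g. no new code)
    status: str           # verdict reported by the server

    def recomputed_status(self) -> str:
        """Re-derive red/green from the numbers so the CI script does not have to
        trust the server's verdict blindly and the rule semantics stay explicit."""
        if self.actual is None:
            return "OK"
        if self.comparator == "GT":
            return "ERROR" if self.actual > self.threshold else "OK"
        if self.comparator == "LT":
            return "ERROR" if self.actual < self.threshold else "OK"
        raise ValueError(f"unknown comparator {self.comparator!r}")

    def describe(self) -> str:
        if self.metric.endswith("_rating"):
            shown = RATING_LETTERS.get(int(self.actual), "?") if self.actual is not None else "n/a"
            limit = RATING_LETTERS.get(int(self.threshold), "?")
            return f"{self.metric}: {shown} (gate requires {limit} or better)"
        op = ">" if self.comparator == "GT" else "<"
        return f"{self.metric}: {self.actual} (fails when {op} {self.threshold})"


def parse_conditions(raw: str) -> list[Condition]:
    body = json.loads(raw)["projectStatus"]
    out = []
    for c in body.get("conditions", []):
        actual = c.get("actualValue")
        out.append(Condition(c["metricKey"], c["comparator"], float(c["errorThreshold"]),
                             float(actual) if actual is not None else None, c["status"]))
    return out


def gate_decision(raw: str) -> tuple[bool, list[str]]:
    """Return (build_should_fail, reasons). The build fails when the server says
    ERROR, when any condition recomputes to ERROR, or when no gate is attached
    (status NONE): a missing gate must not pass silently if the gate is an SDLC requirement."""
    status = json.loads(raw)["projectStatus"]["status"]
    reasons = [c.describe() for c in parse_conditions(raw) if c.recomputed_status() == "ERROR"]
    if status == "NONE":
        reasons.append("no quality gate attached to project")
    return (status == "ERROR" or bool(reasons), reasons)


if __name__ == "__main__":
    failed, why = gate_decision(SAMPLE_RESPONSE)
    print("BUILD FAILED" if failed else "BUILD OK")
    for line in why:
        print(" -", line)
```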