SonarQube Server (formerly SonarQube) Reviews

When it comes to security, this solution is pretty great.

The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.

The solution is quite stable.

You can scale the solution if you need to.

In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front.  Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis. 

There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products.

The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.

It would be great if it could support testing and configurations a bit more. 

We've only been working with the solution for one year. It hasn't been that long.

The solution is very stable. We don't have any issues with its reliability. It's been quite good so far.

The architecture that we have is not that big, however, from the scalability point of view, SonarQube supports scalability quite well.

At the moment, we have a hybrid working model on the vendor side, as well as on the in-house team. The in-house team has 5 members and the vendor has maybe 20 people, more or less. All in all, we can say we have about 25 people using the solution at any given time.

We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.

Right now, we are not using the enterprise features of the solution. I don't know about the licensing as I was not the one who introduced SonarQube into the pipeline. I believe we are using the free community edition and therefore aren't actually paying any money for it.

I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.

We're just customers. We don't have a business relationship with the company.

I believe we are using the latest version of the solution, however, I don't know the exact number.

I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products.

Overall, I would rate the solution seven out of ten.

The rich graphical representation of numbers which are meaningful to dev leads/managers and top management .

It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.

Executing sonar analysis on a big chunk of code - with an Oracle database does take up a lot of time.

Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.

No previous solution was used.

The documentation is good . It should be fairly simple for someone with database knowledge.

We did it in-house.

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

We implemented this solution through an in-house team. 

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

We use it for the static analysis of the source code to find issues or vulnerabilities.

The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.

If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.

There are issues with stability. It needs improvement.

We have four members in our organization who are using this solution.

I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months, how efficient and scalable it is with large applications.

I have not contacted technical support.

The initial setup is straightforward. This solution is easy to install. It only takes five minutes.

We require a team of five to deploy and maintain it.

I completed the installation myself.

We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.

Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it.

We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features.

I would rate this solution a seven out of ten.

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improves code quality and basic security. 

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. 

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

The product is stable.

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

We have little or no interaction with technical support.

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

We do our own implementations for various clients. We do not need the assistance of another team.

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

Our primary use case for this solution is security testing using the FindSecBugs plugin.

This has improved our organization because it has helped to find security vulnerabilities.

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

The product's user documentation can be vastly improved.

Its dashboards, quality profile, quality gates and CI integration features (like as build breaker plugin) are the most valuable features for me.

Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.

My team uses just two features - dashboards and CI-build-breaker - for checking code quality and the stability of our code base. For those purpose, SonarQube has done its work greatly. We have seen a decrease of about 25% of issues from since we first started using it a few months ago, and my team code bases are getting better.

The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.

I've used it for approximately two years, since December 2013.

I have not encountered any issues.

I have not encountered any issues.

I have not encountered any issues.

I've not had to use them. I thinks it's online documentation is up to date, and it is enough to use them to solve problems and to understand features.

I've not had to use them.

My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.

The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.

It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.

We are only using the free features.

Just keep following their online installation and plugin development guide.

This solution has the capability to analyze source code in almost all the languages in the market.

This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.

I have used this solution for ten years. 

This is a stable solution. 

This is a scalable solution. We have been using it for all of our critical projects. 

I have never made the calculations to understand the real value of this solution but I know that the return of investment is very good. If not, we wouldn't have continued to use it for the past 10 years.

As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool. 

This solution has evolved a lot in the last ten years. 

It comes with good DevOps implementation and security, which is a big problem today.