Our primary use case for this solution is security testing using the FindSecBugs plugin.
Manager at Dassault Systèmes
The FindSecBugs plugin has helped to solve our security vulnerability issues
Pros and Cons
- "This has improved our organization because it has helped to find Security Vulnerabilities."
- "The product's user documentation can be vastly improved."
What is our primary use case?
How has it helped my organization?
This has improved our organization because it has helped to find security vulnerabilities.
What is most valuable?
The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.
What needs improvement?
The product's user documentation can be vastly improved.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
For how long have I used the solution?
Still implementing.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Software Developer at a tech vendor
Provides automated rules for determining if a project is above or below a quality threshold.
Pros and Cons
- "Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
- "It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
How has it helped my organization?
Better live process: More automated quality control in the lifecycle of development/testing/deployment/production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions. This is thanks to standard solutions offered by the issue tips. It raises code maintainability as well as flexibility, to some extent.
What is most valuable?
Quality Gate: Automated rules for determining if a project is above or below a quality threshold. This is a concise "red"/"green" style, basic quality-control. This is integrated in the development and deployment process.
Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions.
What needs improvement?
Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe.
It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues.
There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.
What do I think about the stability of the solution?
There were no stability issues. I can't think of any serious issues.
What do I think about the scalability of the solution?
There were no scalability issues, not as far as the development environments are concerned. I guess if there were tens of repos and maybe hundreds of commits per day, the analysis time would probably suffer. I suppose there is a way to cluster the solution somehow. I'm not sure. I never needed anything like it at the current scale that we have operated with it.
How are customer service and technical support?
I had no direct contact with tech support by myself, but I haven't heard any complaints about it going around either. I guess it is adequate.
Which solution did I use previously and why did I switch?
Previous to this solution, we used static code analysis using built-in IDE tools and plugins. SonarQube just centralizes the same thing and adds some extra layers to systemize and create a somewhat better pipelining for the quality analysis process.
IDE-related tools and plugins are still in use today, as first-in-line hints and helpers. SonarQube manages the quality threshold and it is part of the larger overall process.
How was the initial setup?
The initial setup was not complex at all. There is default configurations out of the box in many ways. It was rather straightforward.
What's my experience with pricing, setup cost, and licensing?
I have no advice on that part, as I'm not directly related to these aspects of the product myself.
What other advice do I have?
Try it, get used to it, configure, and fine-tune it. Make it part of your everyday quality pipeline as gates necessary to pass before the green light to production deployment.
While annoying occasionally with its issue reports, it is actually an invaluable source of better knowledge and applying it in practice to your solutions.
Saves you bunch of headaches and debugging/fixing sessions at production, which is ten times as costly than using the help of this.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
QA Engineer at a tech services company with 51-200 employees
It helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software.
What is most valuable?
To create your own quality profiles and gates is really cool; you can apply different policies depending the maturity grade of the project are you dealing with.
Also, we use a lot the time machine tool to take important decisions to determine if the projects are going in the right direction.
Elastic search is really helpful and also there is a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview about the general situation about the projects.
Also, the integration with different CVS', and the dependency search are nice and helpful features.
How has it helped my organization?
This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. We get users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development helping us to create a good quality software.
What needs improvement?
With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.
For how long have I used the solution?
I've used it for over two years.
What was my experience with deployment of the solution?
The worst about this tool I think is the upgrade method, and it's really easy to wreck the database when upgrading. It would be better idea to make less versions, but make it easier and consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version it's possible to lose some information about projects.
Thanks to this tool we can improve old code were developers are not available anymore and display the projects filtering by different fields, we save a lot of time, and time is money.
What do I think about the stability of the solution?
Once it is up and running, we didn't find any big issues with the stability, but it's important to configure in the right way the properties file according with you system specifications.
How are customer service and technical support?
Customer Service:
I think is good, also there is a new forum named "https://sonarqubehispano.org/display/HOME/Bienvenido" for the spanish community who helps a lot to spanish quality assurance fellas.
Technical Support:I think is good, also there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido for the Spanish language community which helps a lot.
Which solution did I use previously and why did I switch?
I used a few specific tools for the PHP language, that tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provide a good information about the quality of our code. Nowadays, I am mixing that tools with SonarQube, but in shortly, I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.
How was the initial setup?
After dealing with configuration files and SonarQube is up and running there is not a big problem to start working with it, SonarQube include some standard quality profiles that makes it easier for the beginners. Also, the option to configure your own dashboard with different widgets exists.
What about the implementation team?
I have experience with both of them and the main problem is not how the tool is working, but it's to make people follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.
What's my experience with pricing, setup cost, and licensing?
Actually SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tell us that it is worth it.
Which other solutions did I evaluate?
Only one option we found competitive was CAST, but the prices and the functionality didn't convince us at all.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a SonarQube partner in Spain.
Security Information Manager at a tech services company with 10,001+ employees
Reliable with a nice web interface but needs better reporting
Pros and Cons
- "The solution offers a very good community edition."
- "There isn't a very good enterprise report."
What is most valuable?
We find it very similar to Fortify and has the same advantages.
The web interface is very good.
We have found the solution to be stable.
The solution offers a very good community edition.
What needs improvement?
There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.
For how long have I used the solution?
I've used the solution for three years. I've used it for a while now.
What do I think about the stability of the solution?
In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze.
How are customer service and support?
I've never used technical support. I can't talk about how helpful they are, never spoken with them personally.
If I do need to troubleshoot, I tend to rely on the community and search for answers there.
Which solution did I use previously and why did I switch?
We've also used Fortify.
How was the initial setup?
I didn't participate in the installation process. I can't speak to how easy or difficult the process was.
What's my experience with pricing, setup cost, and licensing?
I use the community version of the product.
What other advice do I have?
We are a customer and an end-user.
I'd rate the solution at a seven out of ten. It's mostly reliable.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Staff DevOps Specialist at a computer software company with 201-500 employees
Greatly improves the quality, straightforward to use, and stable
Pros and Cons
- "My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
- "A little bit more emphasis on security and a bit more security scanning features would be nice."
What is our primary use case?
It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.
We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.
How has it helped my organization?
In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.
It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.
What is most valuable?
My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.
What needs improvement?
A little bit more emphasis on security and a bit more security scanning features would be nice.
It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.
Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.
For how long have I used the solution?
I have been using this solution for four years in my current job.
What do I think about the stability of the solution?
I don't think I ever had a problem.
What do I think about the scalability of the solution?
We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need.
We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.
We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.
How are customer service and support?
I've never been in a situation where I needed their support.
Which solution did I use previously and why did I switch?
I don't think that we used anything else previously. SonarQube was the first one.
How was the initial setup?
It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.
What about the implementation team?
We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.
What was our ROI?
I don't have that data. I don't think that we've ever calculated that.
What's my experience with pricing, setup cost, and licensing?
My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper.
In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.
What other advice do I have?
It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.
I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Very stable and easy to integrate, but is a bit expensive
Pros and Cons
- "The reporting and the results are quick. It gets integrated within the pipeline well."
- "The pricing could be reduced a bit. It's a little expensive."
What is our primary use case?
We generally use the solution in order to do static code analysis.
What is most valuable?
What I like about SonarQube is the integration of the pipelines. It is pretty easy.
The reporting and the results are quick. It gets integrated within the pipeline well.
The solution is very stable.
The scalability is very good.
We found the initial setup to be straightforward.
What needs improvement?
The solution has a very shallow SAST scanning. That is something that can be improved.
I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.
The pricing could be reduced a bit. It's a little expensive.
For how long have I used the solution?
We've been using the solution for the past two years or so. It's been a while.
What do I think about the stability of the solution?
The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.
What do I think about the scalability of the solution?
I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.
It is integrated within our pipelines. It gets used every day.
Right now we are not scaling the solution. It is just one server that we have. It is static of sizing and we do not scale it.
How are customer service and technical support?
We do have an enterprise version, however, that does not include the support right now.
If we have any issues we're trying to resolve them on your own. So far, that has been sufficient.
Which solution did I use previously and why did I switch?
We are also onboarding Checkmarx. We use both solutions.
We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not.
How was the initial setup?
The initial setup is pretty simple.
I do not recall the exact amount of time it took to deploy the solution.
It does not require a lot of maintenance. It's just that whenever any latest version is coming in, we just have to upgrade it.
What about the implementation team?
We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrtors. It was all handled in-house.
What's my experience with pricing, setup cost, and licensing?
What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could be also a bit reduced.
What other advice do I have?
We are just a customer and an end-user.
While we installed the solution on the cloud, we host it on our machines.
I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful.
It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have.
I would rate the solution at a six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at ITShare
Good static code analysis but it's not stable and the installation is not user-friendly
Pros and Cons
- "The static code analysis is very good."
- "If you don't have any experience with the configuration or how to configure the files, it can be complicated."
What is our primary use case?
We use it for the static analysis of the source code to find issues or vulnerabilities.
What is most valuable?
The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.
What needs improvement?
If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.
For how long have I used the solution?
I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.
What do I think about the stability of the solution?
There are issues with stability. It needs improvement.
We have four members in our organization who are using this solution.
What do I think about the scalability of the solution?
I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months, how efficient and scalable it is with large applications.
How are customer service and technical support?
I have not contacted technical support.
How was the initial setup?
The initial setup is straightforward. This solution is easy to install. It only takes five minutes.
We require a team of five to deploy and maintain it.
What about the implementation team?
I completed the installation myself.
Which other solutions did I evaluate?
We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.
Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.
What other advice do I have?
The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it.
We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Technical Architect at a tech services company with 501-1,000 employees
Effective vulnerability scanning, good support, and simple setup
Pros and Cons
- "SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
- "SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."
What is our primary use case?
We are using SonarQube for scanning our services for issues as part of our IT department.
What is most valuable?
SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues.
What needs improvement?
SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.
For how long have I used the solution?
I have been using SonarQube for approximately three years.
What do I think about the stability of the solution?
SonarQube is a stable solution.
What do I think about the scalability of the solution?
I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.
We have a server that SonarQube is running on and we have approximately 50 people using it.
How are customer service and support?
We have used technical support in the past but not recently.
I would rate the support from SonarQube a four out of five.
Which solution did I use previously and why did I switch?
I have used Veracode previously.
How was the initial setup?
The initial setup is straightforward for SonarQube.
What about the implementation team?
We did the implementation in-house.
The DevOps team handles the maintenance of SonarQube.
What's my experience with pricing, setup cost, and licensing?
We are using the Developer Edition and the cost is based on the amount of code that is being processed.
What other advice do I have?
If SonarQube meets the needs of your use case then I use it.
I rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Software Development AnalyticsPopular Comparisons
Tricentis Tosca
SonarQube Cloud (formerly SonarCloud)
Fortify on Demand
OpenText UFT One
Sonatype Lifecycle
CrowdStrike Falcon Cloud Security
PortSwigger Burp Suite Professional
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is SonarQube the best tool for static analysis?
- Which gives you more for your money - SonarQube or Veracode?
- What Is The Biggest Difference Between Fortify on Demand And SonarQube?
- What is the biggest difference between Checkmarx and SonarQube?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- How does SonarQube instance relate to the license?
- Which software is ideal for code quality and security?
- What is the difference between Coverity and SonarQube?
- What is the biggest difference between Coverity and SonarQube?
- How would you decide between Coverity and Sonarqube?