SonarQube Server (formerly SonarQube) Reviews

We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value to us as the rules themselves.

Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

Stability has never been a problem. It would have to be unstable for me to experience a problem, and we haven't. So it's good.

I don't really know how scalable this solution is, but I know we use it on thousands of projects, so it's probably good.

We have a pipeline. The pipeline currently runs 4000 teams through it, and all of them have SonarQube but usually with default rules. So that's pretty expensive. Now, we can't increase it because everything goes through it. We are evaluating what our best option is as we migrate our pipeline. We're migrating the pipeline and we're wondering what to do. If SonarQube did more security scanning, there's a good chance that we would use it more, in a different role. We're already using SonarQube everywhere, in some aspect.

It was years ago. They probably evaluated other solutions. 

We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

In all the companies that I've worked with, nobody has ever had a problem with the initial setup. It takes time to set up. It's a big thing and you do it, but it's just a project.

We used people in-house to deploy. We have about 100 people in our pipeline maintenance team. SonarQube has not led to any significant increase in that number. It's just absorbed as a part of the cost. There are no dedicated staff working on it.

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.

In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.

I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

My primary use for this solution is to perform static code analysis.

The most valuable feature is the display of issues, like in Jira. That is very helpful for us to track our coding.

Improvements could be made in terms of security. 

I would like to see dynamic code analysis in the next version of the software.

The stability is good.

Scalability is good; we currently have five users but we will definitely be increasing our usage of this solution.

We have not required technical support for this solution.

This solution is not as easy to install as SonarLint. 

We are using the free, unlicensed version.

We evaluated other solutions including Cobra Static Code Analyzer, but we were not satisfied with their customer support in the open source community.

We advise all of our developers to have this solution in place. That way, whenever they are developing, the will get live tracking with respect to the quality of their code.

I would rate this solution a seven out of ten.

Better live process: More automated quality control in the lifecycle of development/testing/deployment/production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions. This is thanks to standard solutions offered by the issue tips. It raises code maintainability as well as flexibility, to some extent.

Quality Gate: Automated rules for determining if a project is above or below a quality threshold. This is a concise "red"/"green" style, basic quality-control. This is integrated in the development and deployment process.

Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions.

Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe.

It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues.

There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.

There were no stability issues. I can't think of any serious issues.

There were no scalability issues, not as far as the development environments are concerned. I guess if there were tens of repos and maybe hundreds of commits per day, the analysis time would probably suffer. I suppose there is a way to cluster the solution somehow. I'm not sure. I never needed anything like it at the current scale that we have operated with it.

I had no direct contact with tech support by myself, but I haven't heard any complaints about it going around either. I guess it is adequate.

Previous to this solution, we used static code analysis using built-in IDE tools and plugins. SonarQube just centralizes the same thing and adds some extra layers to systemize and create a somewhat better pipelining for the quality analysis process.

IDE-related tools and plugins are still in use today, as first-in-line hints and helpers. SonarQube manages the quality threshold and it is part of the larger overall process.

The initial setup was not complex at all. There is default configurations out of the box in many ways. It was rather straightforward.

I have no advice on that part, as I'm not directly related to these aspects of the product myself.

Try it, get used to it, configure, and fine-tune it. Make it part of your everyday quality pipeline as gates necessary to pass before the green light to production deployment.

While annoying occasionally with its issue reports, it is actually an invaluable source of better knowledge and applying it in practice to your solutions.

Saves you bunch of headaches and debugging/fixing sessions at production, which is ten times as costly than using the help of this.

To create your own quality profiles and gates is really cool; you can apply different policies depending the maturity grade of the project are you dealing with.

Also, we use a lot the time machine tool to take important decisions to determine if the projects are going in the right direction.

Elastic search is really helpful and also there is a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview about the general situation about the projects.

Also, the integration with different CVS', and the dependency search are nice and helpful features.

This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. We get users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development helping us to create a good quality software.

With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.

I've used it for over two years.

The worst about this tool I think is the upgrade method, and it's really easy to wreck the database when upgrading. It would be better idea to make less versions, but make it easier and consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version it's possible to lose some information about projects.

Thanks to this tool we can improve old code were developers are not available anymore and display the projects filtering by different fields, we save a lot of time, and time is money.

Once it is up and running, we didn't find any big issues with the stability, but it's important to configure in the right way the properties file according with you system specifications.

I think is good, also there is a new forum named "https://sonarqubehispano.org/display/HOME/Bienvenido" for the spanish community who helps a lot to spanish quality assurance fellas.

I think is good, also there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido for the Spanish language community which helps a lot.

I used a few specific tools for the PHP language, that tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provide a good information about the quality of our code. Nowadays, I am mixing that tools with SonarQube, but in shortly, I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.

After dealing with configuration files and SonarQube is up and running there is not a big problem to start working with it, SonarQube include some standard quality profiles that makes it easier for the beginners. Also, the option to configure your own dashboard with different widgets exists.

I have experience with both of them and the main problem is not how the tool is working, but it's to make people follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.

Actually SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tell us that it is worth it.

Only one option we found competitive was CAST, but the prices and the functionality didn't convince us at all.

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. 

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. 

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

I have been using this solution for four years. 

It looks stable. So far, we haven't found any issues.

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

It is straightforward. It takes very little time as compared to the other solutions.

It is very expensive. Its price should be improved.

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.

The developers are rejecting the idea that this product is useful.

Before you even compile, it can catch known vulnerability issues or patterns.

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

We have not tried to scale yet.

The initial setup involved downloading the open-source code and installing it in a container. 

I was responsible for setting up this tool in our company.

We are using the open-source version, which is available free of cost.

We evaluated other open-source products and found that SonarQube was the best one of the set.

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

We use this solution in the development of our travel programs.

We use this program as a compliment to our security scans, in addition to Checkmarx.

The most valuable function is its usability. It uses a simple approach.

This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.

The plugins are not well documented.

This is a stable solution.

We do not have any problems with scalability.

We have approximately fifteen developers using this solution, on the Java site.

We have not needed to use the technical support.

We did not use another solution, prior to this one.

The setup is not complex. There are some issues during setup with the plugins because they are not well documented.

Some of the plugins that were previously free are not free now.

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

I would suggest trying the product. I like its useability because it has a simple approach.

We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle.

I would rate this solution a seven out of ten.

I use this solution for our staging environment to review the security issues before going live or into production.

I have found this solution creates more noise than competitors. 

The documentation and reporting extract can improve because other solutions are far more advanced.

I have been using this solution for approximately two years.

The solution is stable.

The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale. 

We have approximately 10 people using this solution in my organization.

Previously I worked with Fortify and Veracode and I have found those tools provided much better because they are from a commercial solution.

Our development team did the implementation of this solution.

This solution is free.

My advice to others is this solution is one of the best in the free market in the industry and it is a good one to use.

I rate SonarQube a seven out of ten.