it_user333735 - PeerSpot reviewer
QA Engineer at a tech services company with 51-200 employees
Consultant
It helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software.

What is most valuable?

Being able to create your own quality profiles and gates is really cool; you can apply different policies depending on the maturity grade of the project you are dealing with.

Also, we use the time machine tool a lot to make important decisions about whether the projects are going in the right direction.

Elasticsearch is really helpful, and there is also a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview of the general situation of the projects.

Also, the integration with different CVSs and the dependency search are nice and helpful features.

How has it helped my organization?

This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. Getting users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development, helping us to create good-quality software.

What needs improvement?

With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that they use. A few versions ago, it had a multi-language option which was really helpful.

For how long have I used the solution?

I've used it for over two years.

Buyer's Guide
SonarQube Server (formerly SonarQube)
March 2025
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,767 professionals have used our research since 2012.

What was my experience with deployment of the solution?

The worst thing about this tool, I think, is the upgrade method; it's really easy to wreck the database when upgrading. It would be a better idea to make fewer versions but make them easier and more consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version, it's possible to lose some information about projects.

Thanks to this tool, we can improve old code where the developers are not available anymore and display the projects filtered by different fields. We save a lot of time, and time is money.

What do I think about the stability of the solution?

Once it is up and running, we didn't find any big issues with the stability, but it's important to configure the properties file in the right way according to your system specifications.

How are customer service and support?

Customer Service:

I think it is good. Also, there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish community, which helps Spanish quality assurance fellas a lot.

Technical Support:

I think it is good. Also, there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish-language community, which helps a lot.

Which solution did I use previously and why did I switch?

I used a few specific tools for the PHP language; those tools were really powerful (CodeSniffer, PHPCPD, and PHP Mess Detector, among others) and provided good information about the quality of our code. Nowadays, I am mixing those tools with SonarQube, but shortly I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.

How was the initial setup?

After dealing with the configuration files and getting SonarQube up and running, there is no big problem starting to work with it; SonarQube includes some standard quality profiles that make it easier for beginners. Also, there is the option to configure your own dashboard with different widgets.

What about the implementation team?

I have experience with both of them, and the main problem is not how the tool works, but getting people to follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.

What's my experience with pricing, setup cost, and licensing?

Actually, SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tells us that it is worth it.

Which other solutions did I evaluate?

The only option we found competitive was CAST, but the prices and the functionality didn't convince us at all.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a SonarQube partner in Spain.
reviewer1620009 - PeerSpot reviewer
Head Innovation Hub at a tech services company with 201-500 employees
Consultant
Helps in improving the coding style and allows us to customize the rules
Pros and Cons
  • "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
  • "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."

What is our primary use case?

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. 

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

What is most valuable?

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. 

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

What needs improvement?

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

For how long have I used the solution?

I have been using this solution for four years. 

What do I think about the stability of the solution?

It looks stable. So far, we haven't found any issues.

How are customer service and technical support?

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

How was the initial setup?

It is straightforward. It takes very little time as compared to the other solutions.

What's my experience with pricing, setup cost, and licensing?

It is very expensive. Its price should be improved.

What other advice do I have?

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
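The release rule this reviewer describes (quality gate must pass, high-severity defects must be fixed, false positives must be justified), as an added Python example that is not part of the review or of SonarQube itself. It assumes the JSON shapes of the `api/qualitygates/project_status` and `api/issues/search` Web API responses and uses constructed sample payloads rather than data from a real server.

```python
"""Release decision built from SonarQube analysis results.

Added example: not code from the review or from SonarQube. It models the practice
the reviewer describes: release only when the quality gate is green, high-severity
issues are fixed, and every false positive carries a justification. The JSON
shapes follow the public Web API (api/qualitygates/project_status and
api/issues/search with additionalFields=comments) as I know them; the sample
payloads below are constructed for this example, not captured from a server.
"""
import json

HIGH_SEVERITIES = {"BLOCKER", "CRITICAL"}          # assumed SLA threshold; tune per policy
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}   # issue statuses that still need work


def gate_failures(project_status):
    """Metric keys of quality-gate conditions that are not OK (empty when green)."""
    status = project_status["projectStatus"]
    if status["status"] == "OK":
        return []
    return [c["metricKey"] for c in status.get("conditions", [])
            if c.get("status") != "OK"]


def unresolved_high_severity(issues):
    """Keys of issues at or above the SLA severity that are still open."""
    return [i["key"] for i in issues
            if i["severity"] in HIGH_SEVERITIES and i["status"] in OPEN_STATUSES]


def unjustified_false_positives(issues):
    """Keys of issues resolved as false positives without any explanatory comment."""
    return [i["key"] for i in issues
            if i.get("resolution") == "FALSE-POSITIVE"
            and not any(c.get("markdown", "").strip() for c in i.get("comments", []))]


def release_decision(project_status, issues):
    """Return (releasable, problems); releasable is True only if every check is empty."""
    problems = {
        "gate": gate_failures(project_status),
        "unfixed_high_severity": unresolved_high_severity(issues),
        "unjustified_false_positives": unjustified_false_positives(issues),
    }
    return all(not v for v in problems.values()), problems


# Constructed sample responses.
SAMPLE_GATE = json.loads("""{"projectStatus": {"status": "ERROR", "conditions": [
  {"status": "OK", "metricKey": "new_coverage", "errorThreshold": "80", "actualValue": "85.1"},
  {"status": "ERROR", "metricKey": "new_security_rating", "errorThreshold": "1", "actualValue": "3"}]}}""")

SAMPLE_ISSUES = json.loads("""{"issues": [
  {"key": "AX1", "severity": "BLOCKER", "status": "OPEN", "comments": []},
  {"key": "AX2", "severity": "CRITICAL", "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
   "comments": [{"login": "dev1", "markdown": "input is validated upstream in AuthFilter"}]},
  {"key": "AX3", "severity": "MAJOR", "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
   "comments": []},
  {"key": "AX4", "severity": "MINOR", "status": "CONFIRMED", "comments": []}]}""")["issues"]

if __name__ == "__main__":
    ok, detail = release_decision(SAMPLE_GATE, SAMPLE_ISSUES)
    print("releasable" if ok else "blocked", json.dumps(detail, indent=2))
```

With the constructed input the verdict is "blocked": the security rating condition fails, AX1 is still open, and AX3 was dismissed without a comment.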
reviewer1357878 - PeerSpot reviewer
DevSecOps Lead at a tech services company with 11-50 employees
MSP
Detects problems before source code is even compiled, but improvements are needed to reduce the false positives
Pros and Cons
  • "Before you even compile, it can catch known vulnerability issues or patterns."
  • "Our developers have complained about the Quality Gates and the number of false positives that this product reports."

What is our primary use case?

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes being private.

How has it helped my organization?

The developers are rejecting the idea that this product is useful.

What is most valuable?

Before you even compile, it can catch known vulnerability issues or patterns.

What needs improvement?

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

For how long have I used the solution?

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

What do I think about the stability of the solution?

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

What do I think about the scalability of the solution?

We have not tried to scale yet.

How was the initial setup?

The initial setup involved downloading the open-source code and installing it in a container. 

What about the implementation team?

I was responsible for setting up this tool in our company.

What's my experience with pricing, setup cost, and licensing?

We are using the open-source version, which is available free of cost.

Which other solutions did I evaluate?

We evaluated other open-source products and found that SonarQube was the best one of the set.

What other advice do I have?

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AppSecAn0945 - PeerSpot reviewer
Application Security Analyst at an agriculture company with 501-1,000 employees
Real User
Simple to use but the plugins are not well documented
Pros and Cons
  • "The most valuable function is its usability."
  • "This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."

What is our primary use case?

We use this solution in the development of our travel programs.

How has it helped my organization?

We use this program as a complement to our security scans, in addition to Checkmarx.

What is most valuable?

The most valuable function is its usability. It uses a simple approach.

What needs improvement?

This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.

The plugins are not well documented.

For how long have I used the solution?

Several years.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We do not have any problems with scalability.

We have approximately fifteen developers using this solution, on the Java side.

How are customer service and technical support?

We have not needed to use the technical support.

Which solution did I use previously and why did I switch?

We did not use another solution, prior to this one.

How was the initial setup?

The setup is not complex. There are some issues during setup with the plugins because they are not well documented.

What's my experience with pricing, setup cost, and licensing?

Some of the plugins that were previously free are not free now.

Which other solutions did I evaluate?

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

What other advice do I have?

I would suggest trying the product. I like its usability because it has a simple approach.

We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1592490 - PeerSpot reviewer
Security Engineer at a computer software company with 201-500 employees
Real User
Free, scalable, but documentation needs improvement
Pros and Cons
  • "The solution is stable."
  • "I have found this solution creates more noise than competitors."

What is our primary use case?

I use this solution for our staging environment to review the security issues before going live or into production.

What needs improvement?

I have found this solution creates more noise than competitors. 

The documentation and reporting extract can improve because other solutions are far more advanced.

For how long have I used the solution?

I have been using this solution for approximately two years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale. 

We have approximately 10 people using this solution in my organization.

Which solution did I use previously and why did I switch?

Previously, I worked with Fortify and Veracode, and I found those tools were much better because they are commercial solutions.

What about the implementation team?

Our development team did the implementation of this solution.

What's my experience with pricing, setup cost, and licensing?

This solution is free.

What other advice do I have?

My advice to others is that this solution is one of the best in the free market in the industry, and it is a good one to use.

I rate SonarQube a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager at Digichorus Technologies
Real User
Good code review and reporting of basic vulnerabilities in your applications
Pros and Cons
  • "SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
  • "It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."

What is our primary use case?

We are using it for scanning our web applications, some internal applications and using it for code reviews.

What is most valuable?

SonarQube is good in terms of code review and reporting on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions, but as we don't use those, we're not able to find out with SonarQube. We are using the community/developer version for 14 days. If this version is successful, we will go to the full version. We're using it on-premises.

What needs improvement?

It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.

For how long have I used the solution?

We have been using SonarQube for one year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

SonarQube is scalable.

How was the initial setup?

SonarQube was easy to set up.

Which other solutions did I evaluate?

We considered using Fortify.

What other advice do I have?

I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Consultant at Klusener Consultancy
Consultant
Reliable inspection with a quality indication system
Pros and Cons
  • "The overall quality of the indicator is good."
  • "I am not very pleased with the technical debt computation."

What is our primary use case?

We use this solution for auditing our system.

What is most valuable?

The overall quality of the indicator is good.

What needs improvement?

I am not very pleased with the technical debt computation; it's a bit arbitrary.

The codification metrics could also be improved.

For how long have I used the solution?

I have been using the open-source version, on and off, for the past few years. 

What do I think about the scalability of the solution?

The scalability is ok, but if you want to process large portfolios, it breaks down. 

How are customer service and technical support?

The technical support is reasonable.

How was the initial setup?

The initial setup was reasonable.

What's my experience with pricing, setup cost, and licensing?

There is a licensing fee, but I don't know the exact cost because I use this solution in partnership with other companies.

Which other solutions did I evaluate?

I have experience with Parasoft and other similar tools. 

What other advice do I have?

I would absolutely recommend this solution to another company.

On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Team Lead at CNSI
Real User
Reliable and secure solution used for qualitative coding, including the SonarLint plugin
Pros and Cons
  • "We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
  • "We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."

What is our primary use case?

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

What needs improvement?

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

This is a scalable solution. 

How was the initial setup?

The initial setup was straightforward. 

What about the implementation team?

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

What other advice do I have?

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.