Nice display and reporting of issues but needs more of a focus on security
Pros and Cons
- "We advise all of our developers to have this solution in place."
- "I would like to see dynamic code analysis in the next version of the software."
What is our primary use case?
My primary use for this solution is to perform static code analysis.
What is most valuable?
The most valuable feature is the display of issues, like in Jira. That is very helpful for us to track our coding.
What needs improvement?
Improvements could be made in terms of security.
I would like to see dynamic code analysis in the next version of the software.
For how long have I used the solution?
Between one and two years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability is good.
What do I think about the scalability of the solution?
Scalability is good; we currently have five users but we will definitely be increasing our usage of this solution.
How are customer service and support?
We have not required technical support for this solution.
How was the initial setup?
This solution is not as easy to install as SonarLint.
What's my experience with pricing, setup cost, and licensing?
We are using the free, unlicensed version.
Which other solutions did I evaluate?
We evaluated other solutions including Cobra Static Code Analyzer, but we were not satisfied with their customer support in the open source community.
What other advice do I have?
We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Application Security Analyst at an agriculture company with 501-1,000 employees
Simple to use but the plugins are not well documented
Pros and Cons
- "The most valuable function is its usability."
- "This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
What is our primary use case?
We use this solution in the development of our travel programs.
How has it helped my organization?
We use this program as a complement to our security scans, in addition to Checkmarx.
What is most valuable?
The most valuable function is its usability. It uses a simple approach.
What needs improvement?
This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.
The plugins are not well documented.
For how long have I used the solution?
Several years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
We do not have any problems with scalability.
We have approximately fifteen developers using this solution, on the Java side.
How are customer service and technical support?
We have not needed to use the technical support.
Which solution did I use previously and why did I switch?
We did not use another solution, prior to this one.
How was the initial setup?
The setup is not complex. There are some issues during setup with the plugins because they are not well documented.
What's my experience with pricing, setup cost, and licensing?
Some of the plugins that were previously free are not free now.
Which other solutions did I evaluate?
We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.
What other advice do I have?
I would suggest trying the product. I like its usability because it has a simple approach.
We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees
My team's code bases have gotten better, with about 25% fewer issues since we began using it. However, they removed the design libraries and dependencies-checking features from v5.2.
What is most valuable?
Its dashboards, quality profile, quality gates and CI integration features (like the build breaker plugin) are the most valuable features for me.
Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.
How has it helped my organization?
My team uses just two features - dashboards and CI build breaker - for checking code quality and the stability of our code base. For those purposes, SonarQube has done its work greatly. We have seen a decrease of about 25% in issues since we first started using it a few months ago, and my team's code bases are getting better.
What needs improvement?
The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.
For how long have I used the solution?
I've used it for approximately two years, since December 2013.
What was my experience with deployment of the solution?
I have not encountered any issues.
What do I think about the stability of the solution?
I have not encountered any issues.
What do I think about the scalability of the solution?
I have not encountered any issues.
How are customer service and technical support?
Customer Service: I've not had to use them. I think its online documentation is up to date, and it is enough to solve problems and to understand features.
Technical Support: I've not had to use them.
Which solution did I use previously and why did I switch?
My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.
How was the initial setup?
The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.
What was our ROI?
It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.
What's my experience with pricing, setup cost, and licensing?
We are only using the free features.
What other advice do I have?
Just keep following their online installation and plugin development guide.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior/Lead Software Engineer at a government organization with 51-200 employees
Stable with good static code analysis but needs better security
Pros and Cons
- "The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes."
- "There are sometimes security breaches in our code which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products."
What is most valuable?
When it comes to security, this solution is pretty great.
The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes.
The solution is quite stable.
You can scale the solution if you need to.
What needs improvement?
In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front. Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis.
There are sometimes security breaches in our code which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products.
The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.
It would be great if it could support testing and configurations a bit more.
For how long have I used the solution?
We've only been working with the solution for one year. It hasn't been that long.
What do I think about the stability of the solution?
The solution is very stable. We don't have any issues with its reliability. It's been quite good so far.
What do I think about the scalability of the solution?
The architecture that we have is not that big, however, from the scalability point of view, SonarQube supports scalability quite well.
At the moment, we have a hybrid working model on the vendor side, as well as on the in-house team. The in-house team has 5 members and the vendor has maybe 20 people, more or less. All in all, we can say we have about 25 people using the solution at any given time.
Which solution did I use previously and why did I switch?
We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.
What's my experience with pricing, setup cost, and licensing?
Right now, we are not using the enterprise features of the solution. I don't know about the licensing as I was not the one who introduced SonarQube into the pipeline. I believe we are using the free community edition and therefore aren't actually paying any money for it.
Which other solutions did I evaluate?
I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.
What other advice do I have?
We're just customers. We don't have a business relationship with the company.
I believe we are using the latest version of the solution, however, I don't know the exact number.
I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products.
Overall, I would rate the solution seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
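The reviewer above describes code reaching the main branch after someone removed the SonarQube step from the pipeline, and earlier reviewers rely on quality gates and the CI build breaker. The script below is an added example written for this page, not code from any reviewer or from SonarSource: a CI guard that fails the job unless SonarQube holds an analysis of the exact commit being built, that analysis is recent, and its quality gate passed. It uses the Web API endpoints /api/qualitygates/project_status and /api/project_analyses/search; the response shapes assumed here (a "projectStatus" object with "status" and "conditions", an "analyses" list newest first with "date" and "revision") follow the documented API but should be checked against the /web_api page of your own server, and the environment variable names and the six-hour freshness window are assumptions.

```python
"""Added example: CI guard that refuses to proceed unless SonarQube analysed
this commit and the quality gate passed. Not part of the reviews above."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def sonar_get(base_url, path, params, token):
    """GET a SonarQube Web API endpoint as JSON.

    SonarQube accepts a user token as the basic-auth user name with an
    empty password, which is what is sent here."""
    url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_gate(project_status, analyses, expected_revision, now, max_age):
    """Decide whether the build may proceed; returns (ok, reason).

    project_status: the "projectStatus" object from
        GET /api/qualitygates/project_status?projectKey=...
    analyses: the "analyses" list from GET /api/project_analyses/search,
        assumed newest first (the API sorts by date descending)
    expected_revision: the commit SHA the CI job is building
    """
    if not analyses:
        return False, "no SonarQube analysis exists for this project"
    latest = analyses[0]
    revision = latest.get("revision")
    # The failure mode from the review: analysis skipped, so the newest
    # analysis belongs to some older commit (or was never recorded).
    if revision != expected_revision:
        return False, (f"latest analysis is for revision {revision!r}, "
                       f"not the commit being built ({expected_revision!r})")
    analysed_at = datetime.strptime(latest["date"], "%Y-%m-%dT%H:%M:%S%z")
    age = now - analysed_at
    if age > max_age:
        return False, f"latest analysis is {age} old, older than {max_age}"
    status = project_status.get("status")
    if status == "NONE":
        return False, "quality gate has not been computed"
    if status != "OK":
        failed = [c["metricKey"] + "=" + str(c.get("actualValue", "?"))
                  for c in project_status.get("conditions", [])
                  if c.get("status") == "ERROR"]
        return False, "quality gate failed: " + ", ".join(failed)
    return True, "quality gate passed for " + expected_revision


def main():
    # Environment variable names are assumptions for this example.
    base = os.environ["SONAR_HOST_URL"]
    token = os.environ["SONAR_TOKEN"]
    project = os.environ["SONAR_PROJECT_KEY"]
    sha = os.environ["GIT_COMMIT"]
    status = sonar_get(base, "/api/qualitygates/project_status",
                       {"projectKey": project}, token)["projectStatus"]
    analyses = sonar_get(base, "/api/project_analyses/search",
                         {"project": project, "ps": 1}, token)["analyses"]
    ok, reason = evaluate_gate(status, analyses, sha,
                               datetime.now(timezone.utc), timedelta(hours=6))
    print(reason)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run it as a required step after the SonarQube scan (for example from Jenkins, which the second reviewer uses) and make the branch protection rule require that step; an analysis for a different commit, a missing analysis and a stale analysis all fail the job, so quietly dropping the scan step no longer lets code through unexamined.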
Scala Contractor at a tech services company with 10,001+ employees
Code coverage is useful, but the solution lacks mutation testing
Pros and Cons
- "If code coverage is a low number then that's of great value to me."
- "I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
How has it helped my organization?
We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value to us as the rules themselves.
What is most valuable?
Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.
What needs improvement?
I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.
I would also be interested in more security scanning.
For how long have I used the solution?
Our company has been using this solution for over five years.
What do I think about the stability of the solution?
Stability has never been a problem. It would have to be unstable for me to experience a problem, and we haven't. So it's good.
What do I think about the scalability of the solution?
I don't really know how scalable this solution is, but I know we use it on thousands of projects, so it's probably good.
We have a pipeline. The pipeline currently runs 4000 teams through it, and all of them have SonarQube but usually with default rules. So that's pretty expensive. Now, we can't increase it because everything goes through it. We are evaluating what our best option is as we migrate our pipeline. We're migrating the pipeline and we're wondering what to do. If SonarQube did more security scanning, there's a good chance that we would use it more, in a different role. We're already using SonarQube everywhere, in some aspect.
Which solution did I use previously and why did I switch?
It was years ago. They probably evaluated other solutions.
We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.
How was the initial setup?
In all the companies that I've worked with, nobody has ever had a problem with the initial setup. It takes time to set up. It's a big thing and you do it, but it's just a project.
What about the implementation team?
We used people in-house to deploy. We have about 100 people in our pipeline maintenance team. SonarQube has not led to any significant increase in that number. It's just absorbed as a part of the cost. There are no dedicated staff working on it.
What other advice do I have?
My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.
In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.
I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head Innovation Hub at a tech services company with 201-500 employees
Helps in improving the coding style and allows us to customize the rules
Pros and Cons
- "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
- "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
What is our primary use case?
I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.
It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not.
SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.
What is most valuable?
It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules.
I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.
What needs improvement?
It is very expensive. That's something that can be improved.
I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.
Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.
The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.
For how long have I used the solution?
I have been using this solution for four years.
What do I think about the stability of the solution?
It looks stable. So far, we haven't found any issues.
How are customer service and technical support?
I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.
How was the initial setup?
It is straightforward. It takes very little time as compared to the other solutions.
What's my experience with pricing, setup cost, and licensing?
It is very expensive. Its price should be improved.
What other advice do I have?
I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Project Manager, Senior Architect at a computer software company with 1,001-5,000 employees
Well featured, easily manageable, identifies production issues
Pros and Cons
- "It is a good deal compared to all other tools on the market."
What is our primary use case?
We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.
What is most valuable?
In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during production. We are using the open-source version and issues can easily be resolved.
For how long have I used the solution?
I have been using the solution for four to five years.
What do I think about the stability of the solution?
We are using everything that is open-source, and this allows us, when we have the regular day-to-day issues, to have our team work on them directly to identify their causes and resolve them quickly.
What about the implementation team?
We have an internal team that is very knowledgeable, experienced, and has the abilities to handle our needs.
What's my experience with pricing, setup cost, and licensing?
I think comparing the product to competitors it should be less expensive.
What other advice do I have?
I would recommend SonarQube. It is a good deal compared to all other tools on the market. It certainly helped us, it is a good tool and should be definitely used.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Consultant at Klusener Consultancy
Reliable inspection with a quality indication system
Pros and Cons
- "The overall quality of the indicator is good."
- "I am not very pleased with the technical debt computation."
What is our primary use case?
We use this solution for auditing our system.
What is most valuable?
The overall quality of the indicator is good.
What needs improvement?
I am not very pleased with the technical debt computation, it's a bit arbitrary.
The codification metrics could also be improved.
For how long have I used the solution?
I have been using the open-source version, on and off, for the past few years.
What do I think about the scalability of the solution?
The scalability is ok, but if you want to process large portfolios, it breaks down.
How are customer service and technical support?
The technical support is reasonable.
How was the initial setup?
The initial setup was reasonable.
What's my experience with pricing, setup cost, and licensing?
There is a licensing fee, but I don't know the exact cost because I use this solution in partnership with other companies.
Which other solutions did I evaluate?
I have experience with Parasoft and other similar tools.
What other advice do I have?
I would absolutely recommend this solution to another company.
On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.