SonarQube Server (formerly SonarQube) Reviews

We are using it for scanning our web applications, some internal applications and using it for code reviews.

SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions but as we don't use those we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.

It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.

We have been using SonarQube for one year.

It is stable.

SonarQube is scalable.

SonarQube was easy to setup.

We considered using Fortify.

I would rate SonarQube an eight out of 10.

We use this solution for auditing our system.

The overall quality of the indicator is good.

I am not very pleased with the technical debt computation, it's a bit arbitrary.

The codification metrics could also be improved.

I have been using the open-source version, on and off, for the past few years. 

The scalability is ok, but if you want to process large portfolios, it breaks down. 

The technical support is reasonable.

The initial setup was reasonable.

There is a licensing fee, but I don't know the exact cost because I use this solution in partnership with other companies.

I have experience with Parasoft and other similar tools. 

I would absolutely recommend this solution to another company.

On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.

It's enabled us to improve software quality and help us to disseminate best practices.

This product is open source and very convenient.

A better design of the interface and add some new rules.

Only common issues have been experienced.

Only common issues have been experienced.

Customer Service:

I can't rate because there was no customer service.

Technical Support:

The technical documentation is really good and the community is great and active.

Nothing was implemented before this software, only PMD, a light control tool.

The technical documentation online is easy to understand, so the initial setup is straightforward. However, they need to adapt your organization's constraints to the software, which is more difficult.

We did it in-house.

This product is, to my mind, a reference so that if you decide to put in place this software, you will improve the quality control inside your organization. Simple and effective.

We are working in the banking sector, and our application code is quite large in terms of performance. Ranorex has helped us a lot to follow Java code conventions for writing performance oriented code.

It also has very good compatibility with continuous integration servers like Hudson and Jenkins.

It had changed the whole attitude of the developers of our team as they can see their code exceptions at compile time. With this, we have delivered a quality product to our stakeholders.

It would be great if it also covered XML code.

We have been using this solution in our Java web application for the last 18 months. We embedded SonarQube with the help of a SonarQube-maven plugin in our web application.

No issues encountered.

No issues encountered.

No issues encountered.

It's excellent as we get everything we need from the product.

It was somewhat complex as we have to integrate it with Apache Maven-2.2.1, and there is no listing of SonarQube version compatibility with Apache Maven.

We did it in-house.

It is quite an efficient product in terms of ROI.

Its is available on open to use license.

We did some R&D according to our product need and found SonarQube as a solution.

I would advise you to implement SonarQube if they are facing any performance related issues in their products.

We are using this solution to check and monitor application code to ensure security quality.

The solution has helped us mitigate problems in applications before they were a bigger issue.

The solution could improve by having better-consulting services.

I have been using SonarQube within the last 12 months.

The stability is good.

The installation was straightforward, we have an internal team that does it.

We have a team in our organization that does the implementation, configuration, and maintenance of the solution.

The price of the solution could be reduced.

I rate SonarQube a ten out of ten.

We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.

Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.

SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.

Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.

From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.

This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.

Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.

I have been using SonarQube for about two years now.

I have not run into major issues or bugs and it works well when it comes to stability.

I don't think we have had any problem with traffic or things like that. 

I don't have experience with SonarQube support because we do it all ourselves. 

I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.

It's quite easy to set up, not too complex.

The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.

Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. 

I would rate SonarQube a six out of ten.

Quality Gate helps us to merge code that was not covered with tests.

• We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.
• We can review possible faults in JavaScript code.

We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.

There were no scalability issues.

The technical support team has experts on it. They are available on Twitter, Google Groups, and StackOverflow.

We did not use a different tool before this one.

The initial setup required unzipping it and having MySQL install. We then set up a couple of configuration files. There was no need for IT for this.

This is open source.

• Languages Support - over 20 programming languages
• Pre-commit check directly into Eclipse
• Issues Report into PreviewMode
• Custom coding rules
• Unit tests
• Duplication and code duplication check
• Custom-defined checks

I have fallen in love with SonarQube when I could've easily built custom rules checks. However, doing that manually checking takes tons of time.

• Explicit checks for issues
• Severity tab tweaks
• Optimization into the Settings, such as adding new features/customization

I've used it for almost two years, starting with v4.3.3.

Predefined rules/overriding rules caused some issues.

6.5/10.

• Squale
• Panopticode
• CodePro AnalytiX

It was straightforward to install and setup, but complex to adapt to and learn.

We used a vendor team.

I did not evaluated other options.

I would advise you to think a lot before acting.