I use this solution for our staging environment to review the security issues before going live or into production.
Security Engineer at a computer software company with 201-500 employees
Free, scalable, but documentation needs improvement
Pros and Cons
- "The solution is stable."
- "I have found this solution creates more noise than competitors."
What is our primary use case?
What needs improvement?
I have found this solution creates more noise than competitors.
The documentation and reporting extract can improve because other solutions are far more advanced.
For how long have I used the solution?
I have been using this solution for approximately two years.
What do I think about the stability of the solution?
The solution is stable.
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The solution is scalable. However, we do not use it as a SaaS solution, we use it for our staging environment at a minimum scale.
We have approximately 10 people using this solution in my organization.
Which solution did I use previously and why did I switch?
Previously I worked with Fortify and Veracode and I have found those tools provided much better because they are from a commercial solution.
What about the implementation team?
Our development team did the implementation of this solution.
What's my experience with pricing, setup cost, and licensing?
This solution is free.
What other advice do I have?
My advice to others is this solution is one of the best in the free market in the industry and it is a good one to use.
I rate SonarQube a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps Engineer at Trantor Software Private Limited
It's changed the attitude of our developers as they can see their code exceptions at compile time, but it would be great if it also covered XML code.
Valuable Features
We are working in the banking sector, and our application code is quite large in terms of performance. Ranorex has helped us a lot to follow Java code conventions for writing performance oriented code.
It also has very good compatibility with continuous integration servers like Hudson and Jenkins.
Improvements to My Organization
It had changed the whole attitude of the developers of our team as they can see their code exceptions at compile time. With this, we have delivered a quality product to our stakeholders.
Room for Improvement
It would be great if it also covered XML code.
Use of Solution
We have been using this solution in our Java web application for the last 18 months. We embedded SonarQube with the help of a SonarQube-maven plugin in our web application.
Deployment Issues
No issues encountered.
Stability Issues
No issues encountered.
Scalability Issues
No issues encountered.
Customer Service and Technical Support
It's excellent as we get everything we need from the product.
Initial Setup
It was somewhat complex as we have to integrate it with Apache Maven-2.2.1, and there is no listing of SonarQube version compatibility with Apache Maven.
Implementation Team
We did it in-house.
ROI
It is quite an efficient product in terms of ROI.
Pricing, Setup Cost and Licensing
Its is available on open to use license.
Other Solutions Considered
We did some R&D according to our product need and found SonarQube as a solution.
Other Advice
I would advise you to implement SonarQube if they are facing any performance related issues in their products.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
Software Engineer at a tech services company with 11-50 employees
Beneficial testing tool, helps developer become sharper, and makes software more secure
Pros and Cons
- "The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
- "The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
What is our primary use case?
I use SonarQube for testing software.
What is most valuable?
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.
What needs improvement?
The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.
In the next release, they should add the ability to analyze containers.
For how long have I used the solution?
I have been using SonarQube for approximately three years.
What do I think about the scalability of the solution?
We have mostly software developers using this solution are there are approximately 50 using it.
Which solution did I use previously and why did I switch?
I have used Snyk and it is more catered to a different audience than SolarQube.SolarQube is more for software developers.
How was the initial setup?
The installation is straightforward, especially with the new Docker implementation.
What about the implementation team?
I did the implementation of the solution myself.
What's my experience with pricing, setup cost, and licensing?
The process of purchasing the solution could improve.
What other advice do I have?
This solution is a good static test tool for developers. It helps keep the maintainability and security of software.
I rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good code review and reporting of basic vulnerabilities in your applications
Pros and Cons
- "SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
- "It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect."
What is our primary use case?
We are using it for scanning our web applications, some internal applications and using it for code reviews.
What is most valuable?
SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions but as we don't use those we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.
What needs improvement?
It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.
For how long have I used the solution?
We have been using SonarQube for one year.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
SonarQube is scalable.
How was the initial setup?
SonarQube was easy to setup.
Which other solutions did I evaluate?
We considered using Fortify.
What other advice do I have?
I would rate SonarQube an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Solutions Architec at OSENTERPRISE SAC
Installation straightforward, stable, and reliable
Pros and Cons
- "The stability is good."
- "The solution could improve by having better-consulting services."
What is our primary use case?
We are using this solution to check and monitor application code to ensure security quality.
How has it helped my organization?
The solution has helped us mitigate problems in applications before they were a bigger issue.
What needs improvement?
The solution could improve by having better-consulting services.
For how long have I used the solution?
I have been using SonarQube within the last 12 months.
What do I think about the stability of the solution?
The stability is good.
How was the initial setup?
The installation was straightforward, we have an internal team that does it.
What about the implementation team?
We have a team in our organization that does the implementation, configuration, and maintenance of the solution.
What's my experience with pricing, setup cost, and licensing?
The price of the solution could be reduced.
What other advice do I have?
I rate SonarQube a ten out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security at a tech services company with 51-200 employees
Secures our code against threats and bugs, but needs better pipeline integration
Pros and Cons
- "Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
- "From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not."
What is our primary use case?
We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.
Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
How has it helped my organization?
SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.
What is most valuable?
Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
What needs improvement?
From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.
This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.
Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.
For how long have I used the solution?
I have been using SonarQube for about two years now.
What do I think about the stability of the solution?
I have not run into major issues or bugs and it works well when it comes to stability.
What do I think about the scalability of the solution?
I don't think we have had any problem with traffic or things like that.
How are customer service and technical support?
I don't have experience with SonarQube support because we do it all ourselves.
Which solution did I use previously and why did I switch?
I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.
How was the initial setup?
It's quite easy to set up, not too complex.
What's my experience with pricing, setup cost, and licensing?
The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.
What other advice do I have?
Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses.
I would rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
DevOps at a tech company with 10,001+ employees
Keep source code well tested using SonarQube
Pros and Cons
- "We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
- "We had some issues where the Quality Gate check sometimes gets stuck and it is unclear."
How has it helped my organization?
Quality Gate helps us to merge code that was not covered with tests.
What is most valuable?
- We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.
- We can review possible faults in JavaScript code.
What needs improvement?
We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.
What do I think about the stability of the solution?
We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.
What do I think about the scalability of the solution?
There were no scalability issues.
How are customer service and technical support?
The technical support team has experts on it. They are available on Twitter, Google Groups, and StackOverflow.
Which solution did I use previously and why did I switch?
We did not use a different tool before this one.
How was the initial setup?
The initial setup required unzipping it and having MySQL install. We then set up a couple of configuration files. There was no need for IT for this.
What's my experience with pricing, setup cost, and licensing?
This is open source.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Founder at a tech services company with 11-50 employees
Works fine and provides good value for money
Pros and Cons
- "It is working fine. It provides a good value for money."
- "One thing to improve would be the integration. There is a steep learning curve to get it integrated."
What is our primary use case?
We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit.
What is most valuable?
It is working fine. It provides good value for money.
What needs improvement?
One thing to improve would be the integration. There is a steep learning curve to get it integrated.
For how long have I used the solution?
I have been using this solution for maybe two years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is definitely scalable. Currently, we have six users.
How are customer service and technical support?
We didn't contact them.
Which solution did I use previously and why did I switch?
This was our first one.
How was the initial setup?
Its initial setup is okay. It is not too difficult. It probably took a couple of hours.
One developer is enough for its deployment.
What's my experience with pricing, setup cost, and licensing?
We pay €10 per month for this solution, which is good. It provides good value for money.
What other advice do I have?
I would recommend this solution to others. I would rate SonarQube a nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Application Security Tools Static Application Security Testing (SAST) Software Development AnalyticsPopular Comparisons
Fortify on Demand
Sonatype Lifecycle
CrowdStrike Falcon Cloud Security
PortSwigger Burp Suite Professional
GitHub Advanced Security
Qualys Web Application Scanning
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Is SonarQube the best tool for static analysis?
- Which gives you more for your money - SonarQube or Veracode?
- What Is The Biggest Difference Between Fortify on Demand And SonarQube?
- What is the biggest difference between Checkmarx and SonarQube?
- Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
- How does SonarQube instance relate to the license?
- Which software is ideal for code quality and security?
- What is the difference between Coverity and SonarQube?
- What is the biggest difference between Coverity and SonarQube?
- How would you decide between Coverity and Sonarqube?