SonarQube Server (formerly SonarQube) Reviews

I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.

The most valuable features are code scanning and Quality Gates.

The reporting can be improved. In particular, the portability report can be better.

I would like to see better integration with the various DevOps tools.

I was using SonarQube for between six and ten months.

The stability is good.

The community support is great. I have not had reason to contact the technical support team from the vendor.

The initial setup is straightforward. I would not say that it is complex and it can be deployed in less than 10 minutes.

I was using the Community Edition, which is available free of charge.

I evaluated other products including Veracode and I felt that SonarQube was the best product.

I would rate this solution a seven out of ten.

I use SonarQube for testing software.

The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.

The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.

In the next release, they should add the ability to analyze containers.

I have been using SonarQube for approximately three years.

We have mostly software developers using this solution are there are approximately 50 using it.

I have used Snyk and it is more catered to a different audience than SolarQube.SolarQube is more for software developers.

The installation is straightforward, especially with the new Docker implementation.

I did the implementation of the solution myself.

The process of purchasing the solution could improve.

This solution is a good static test tool for developers. It helps keep the maintainability and security of software.

I rate SonarQube an eight out of ten.

We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.

In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during the production. We are using the open-sourced version and issues can easily be resolved.

I have been using the solution for four to five years.

We are using everything that is open-source and this allows us when we have the regular day to day issues, our team works on them directly to identifying their causes and they resolve them quickly.

We have our internal team that is very knowledgeable, experienced, and have extreme abilities that handle our needs.

I think comparing the product to competitors it should be less expensive.

I would recommend SonarQube. It is a good deal compared to all other tools on the market.  It certainly helped us, it is a good tool and should be definitely used.

I rate SonarQube a nine out of ten.

SonarQube is not valuable because of the information it gives it. We can gather that same information from several other tools as well. It is the way the information is presented that makes it so powerful. It provides a holistic picture of all quality issues in a software project. With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.

Individual developers are more concerned about the quality of their work when they see their results in the big picture.

About a year, in different projects, including the current one.

No.

No.

Not used.

We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.

Very simple.

Price is high and only worth it if your organization has hundreds of developers.

No.

The feature I find most valuable are--

• Quick access to issues in the code
• The ability to define your own analysis profiles
• Easy integration with Jenkins

For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

I've used it for eight months.

I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.

The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.

No, I didn't. I was employed specifically for this plugin, and while know other code-quality control solutions exist, I didn't explore any of them.

Product is good, but the API documentation is poor, when it exists at all.

Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

It allows for better collaboration of our team members on security findings.

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on it's own so what it he point of using it.

And the Fortify plugin is deprecated.

I've used it for two years.

It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

No issues encountered.

No issues encountered.

It is open source so I don't try to rely on their technical support.

It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

We implemented it ourselves.

It is free, so the price is good. If they had stronger plugins then we would gladly pay.

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit. 

It is working fine. It provides good value for money.

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

I have been using this solution for maybe two years.

It is stable.

It is definitely scalable. Currently, we have six users.

We didn't contact them.

This was our first one.

Its initial setup is okay. It is not too difficult. It probably took a couple of hours.

One developer is enough for its deployment.

We pay €10 per month for this solution, which is good. It provides good value for money.

I would recommend this solution to others. I would rate SonarQube a nine out of 10.

We use SonarQube for testing, reviewing, and ensuring the quality of application code.

The most valuable features are the analysis and detection of issues within the application code.

The solution could improve by providing more advanced technologies.

I have been using the solution within the last 12 months.

The SonarQube is stable.

The installation is easy.

The price of this solution is more expensive than competitors. However, it works better than competitors.

I have evaluated other solutions.

I rate SonarQube an eight out of ten.