SonarQube Server (formerly SonarQube) Reviews

Quality Gate helps us to merge code that was not covered with tests.

• We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.
• We can review possible faults in JavaScript code.

We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.

There were no scalability issues.

The technical support team has experts on it. They are available on Twitter, Google Groups, and StackOverflow.

We did not use a different tool before this one.

The initial setup required unzipping it and having MySQL install. We then set up a couple of configuration files. There was no need for IT for this.

This is open source.

We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit. 

It is working fine. It provides good value for money.

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

I have been using this solution for maybe two years.

It is stable.

It is definitely scalable. Currently, we have six users.

We didn't contact them.

This was our first one.

Its initial setup is okay. It is not too difficult. It probably took a couple of hours.

One developer is enough for its deployment.

We pay €10 per month for this solution, which is good. It provides good value for money.

I would recommend this solution to others. I would rate SonarQube a nine out of 10.

It's enabled us to improve software quality and help us to disseminate best practices.

This product is open source and very convenient.

A better design of the interface and add some new rules.

Only common issues have been experienced.

Only common issues have been experienced.

Customer Service:

I can't rate because there was no customer service.

Technical Support:

The technical documentation is really good and the community is great and active.

Nothing was implemented before this software, only PMD, a light control tool.

The technical documentation online is easy to understand, so the initial setup is straightforward. However, they need to adapt your organization's constraints to the software, which is more difficult.

We did it in-house.

This product is, to my mind, a reference so that if you decide to put in place this software, you will improve the quality control inside your organization. Simple and effective.

The feature I find most valuable are--

• Quick access to issues in the code
• The ability to define your own analysis profiles
• Easy integration with Jenkins

For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

I've used it for eight months.

I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.

The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.

No, I didn't. I was employed specifically for this plugin, and while know other code-quality control solutions exist, I didn't explore any of them.

Product is good, but the API documentation is poor, when it exists at all.

Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

It allows for better collaboration of our team members on security findings.

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on it's own so what it he point of using it.

And the Fortify plugin is deprecated.

I've used it for two years.

It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

No issues encountered.

No issues encountered.

It is open source so I don't try to rely on their technical support.

It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

We implemented it ourselves.

It is free, so the price is good. If they had stronger plugins then we would gladly pay.

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

• Languages Support - over 20 programming languages
• Pre-commit check directly into Eclipse
• Issues Report into PreviewMode
• Custom coding rules
• Unit tests
• Duplication and code duplication check
• Custom-defined checks

I have fallen in love with SonarQube when I could've easily built custom rules checks. However, doing that manually checking takes tons of time.

• Explicit checks for issues
• Severity tab tweaks
• Optimization into the Settings, such as adding new features/customization

I've used it for almost two years, starting with v4.3.3.

Predefined rules/overriding rules caused some issues.

6.5/10.

• Squale
• Panopticode
• CodePro AnalytiX

It was straightforward to install and setup, but complex to adapt to and learn.

We used a vendor team.

I did not evaluated other options.

I would advise you to think a lot before acting.

SonarQube is not valuable because of the information it gives it. We can gather that same information from several other tools as well. It is the way the information is presented that makes it so powerful. It provides a holistic picture of all quality issues in a software project. With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.

Individual developers are more concerned about the quality of their work when they see their results in the big picture.

About a year, in different projects, including the current one.

No.

No.

Not used.

We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.

Very simple.

Price is high and only worth it if your organization has hundreds of developers.

No.

I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.

The most valuable features are code scanning and Quality Gates.

The reporting can be improved. In particular, the portability report can be better.

I would like to see better integration with the various DevOps tools.

I was using SonarQube for between six and ten months.

The stability is good.

The community support is great. I have not had reason to contact the technical support team from the vendor.

The initial setup is straightforward. I would not say that it is complex and it can be deployed in less than 10 minutes.

I was using the Community Edition, which is available free of charge.

I evaluated other products including Veracode and I felt that SonarQube was the best product.

I would rate this solution a seven out of ten.