We use SonarQube to check for vulnerabilities and quality.
IT Developer at PT Oto Multiartha
This solution is simple to use and can be quickly deployed
Pros and Cons
- "This solution is simple to use and can be quickly deployed."
- "I think the code security can be improved."
What is our primary use case?
How has it helped my organization?
The solution has helped us to find flaws in the syntax and comply with requirements.
What is most valuable?
I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality.
What needs improvement?
I think the code security can be improved. Code security should comply with the standard security list.
I would like to see the feature of Compliance Reporting added to the solution.
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
About ten people in my company are using this solution. On average, we use this solution once a week.
Which solution did I use previously and why did I switch?
We chose SonarQube due to its free community edition. After a while, when we need more features, we will probably purchase the solution next year.
How was the initial setup?
I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team.
What about the implementation team?
We implemented the solution through an in-house application developer.
What other advice do I have?
This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Application Security Coordinator at Banco Votorantim
An affordable and stable solution that has a variety of features that enable users to improve their products
Pros and Cons
- "There are many options and examples available in the tool that help us fix the issues it shows us."
- "The product must improve security analysis."
What is our primary use case?
I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.
How has it helped my organization?
We see the security issues in our solutions with the help of the product. It helps us improve the solutions.
What is most valuable?
There are many options and examples available in the tool that help us fix the issues it shows us.
What needs improvement?
The product must improve security analysis. It must introduce software composition analysis in future releases.
For how long have I used the solution?
I have been using the solution for three years or more. I am using the latest version of the solution.
What do I think about the stability of the solution?
I rate the tool’s stability a nine out of ten.
What do I think about the scalability of the solution?
I rate the tool’s scalability a seven out of ten.
How was the initial setup?
The solution is deployed on the cloud.
What was our ROI?
We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality.
What's my experience with pricing, setup cost, and licensing?
The product’s price is lower than Veracode’s price.
Which other solutions did I evaluate?
Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.
What other advice do I have?
There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
General Manager at Dalmia Bharat Group
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
- "We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
- "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
What is our primary use case?
We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it.
We have started looking into it from the information security side, but it is being used by the core development team.
What is most valuable?
We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.
What needs improvement?
There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code.
We have 15 to 20 people who are using it.
How are customer service and support?
We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.
How was the initial setup?
It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.
What about the implementation team?
We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.
What's my experience with pricing, setup cost, and licensing?
We are using the Community edition of SonarQube.
What other advice do I have?
For a small setup with a smaller number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
- "The most valuable features are the dashboard, the ability to drill down to the code, the user-friendliness, and the technical debt estimation."
- "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the start of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
What is our primary use case?
We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.
How has it helped my organization?
Our developers are learning how to improve their code.
What is most valuable?
The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.
What needs improvement?
The Enterprise edition has the additional features we need, but of course we have to pay for that.
For how long have I used the solution?
I have been using SonarQube for approximately three months.
What do I think about the stability of the solution?
SonarQube is a reliable solution.
What do I think about the scalability of the solution?
I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.
How are customer service and support?
I have not needed to contact technical support.
I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.
What about the implementation team?
We have a different group that is managing the SonarQube installation and setup.
What's my experience with pricing, setup cost, and licensing?
SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.
I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.
Which other solutions did I evaluate?
No.
What other advice do I have?
My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good ROI, easy to install but it could use more functionality, and faster updates
Pros and Cons
- "The most valuable feature of this solution is that it is free."
- "There could be better integration with other products."
What is our primary use case?
We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.
What is most valuable?
The most valuable feature of this solution is that it is free.
What needs improvement?
There could be better integration with other products.
It could have more functionality, and the updates could be faster.
People must be trained extensively before they can use it.
For how long have I used the solution?
I have been using SonarQube for three years.
It's a software as a service that you can access from on-premises.
What do I think about the stability of the solution?
The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.
What do I think about the scalability of the solution?
More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers, to ensure that everything was in order.
How are customer service and support?
I have not contacted technical support.
Which solution did I use previously and why did I switch?
Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.
How was the initial setup?
The initial setup was straightforward. It only took about two weeks to deploy.
Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.
What about the implementation team?
I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.
What was our ROI?
We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.
What's my experience with pricing, setup cost, and licensing?
It's an open-source solution, with no additional costs.
Which other solutions did I evaluate?
We evaluated other products such as Veracode, Checkmarx as well as SonarQube.
The main difference is that SonarQube is free.
What other advice do I have?
I am an expert in so many things, including security. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.
Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.
I would rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works
Good analysis of code quality, great for even junior developers, and improves a website's look/feel
Pros and Cons
- "We consider it a handy tool that helps to resolve our issues immediately."
- "It should be user-friendly."
What is our primary use case?
I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues.
A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method.
How has it helped my organization?
It improved our website's look and feel.
We consider it a handy tool that helps to resolve our issues immediately.
It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards.
The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the code. The tool has integration with several languages.
What is most valuable?
SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time.
The solution's most valuable features are its:
- Code quality
- Release quality code
- Code security
- Security analysis
SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer.
Integrations: Analysis results are right where your code lives.
It works well with GitHub.
What needs improvement?
It should be user-friendly. I keep looking for improvements after every update.
PeerSpot users give SonarQube an average rating of 8 out of 10.
SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.
The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions.
SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.
For how long have I used the solution?
I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients).
I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.
What do I think about the stability of the solution?
The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.
How are customer service and support?
Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did use another solution, however, we found issues such as:
- Ineffective time management
- Lack of instant communication
- Not receiving timely feedback
- Not receiving clear instructions or expectations
- Share time management apps and resources for students
- Utilize educational technology (“EdTech”)
- There's also a need to increase peer review
How was the initial setup?
The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.
What was our ROI?
According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Leader / Technical Expert at La francaise des jeux
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
- "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
- "The handling of the contents of Docker container images could be better."
What is our primary use case?
We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.
It is installed and plugged into a Kubernetes pipeline build system.
How has it helped my organization?
Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.
What is most valuable?
The performance is good.
What needs improvement?
The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.
For how long have I used the solution?
I have been using SonarQube for between three and four years.
What do I think about the stability of the solution?
This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.
This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.
What do I think about the scalability of the solution?
We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.
How are customer service and support?
The technical support is good.
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to this one.
How was the initial setup?
The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.
The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.
What about the implementation team?
We handled the deployment completely in-house.
What was our ROI?
It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.
Which other solutions did I evaluate?
Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.
What other advice do I have?
My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For a large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.
Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at PepsiCo
Scalable, good technical support, but multiple application project option needed
Pros and Cons
- "We have worked with the support from SonarQube and we have had good experiences."
- "We had some issues scanning the master branch. When we upgraded to version 7.9, we noticed it does scan the master branch, but we had to do a workaround for it to happen. This process could be improved in a future release."
What is our primary use case?
SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.
How has it helped my organization?
The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.
What needs improvement?
We had some issues scanning the master branch. When we upgraded to version 7.9, we noticed it does scan the master branch, but we had to do a workaround for it to happen. This process could be improved in a future release.
What we are seeing is that for some of the JavaScript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.
In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the scalability of the solution?
The solution is scalable.
We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.
There are a lot of people using this solution in my organization because they are able to scan directly from their IDEs.
How are customer service and technical support?
We have worked with the support from SonarQube and we have had good experiences.
How was the initial setup?
The initial setup was simple. When we did the upgrade, it took our team approximately two hours.
What about the implementation team?
Our internal team did the implementation of the solution.
What's my experience with pricing, setup cost, and licensing?
We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.
What other advice do I have?
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.
The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.
I rate SonarQube a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024