We are using the solution for code quality and security.
Technology Manager at Publicis Sapient
Supports multiple program languages, highly scalable, and has open-source version
Pros and Cons
- "The solution has a wide variety of features and an open-source community where you are able to learn Java, JavaScript, or any other programming language."
- "There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
What is our primary use case?
What is most valuable?
The solution has a wide variety of features and an open-source community where you are able to learn Java, JavaScript, or any other programming language. The quality profile rules that it provides based on the architect are set across the board; this provides continuity. Being able to fix all the application vulnerabilities before they reach production is a huge benefit.
What needs improvement?
There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.
For how long have I used the solution?
I have been using the solution for approximately eight years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The scalability depends on the use case. You cannot install it with minimal resources and expect it to run thousands of jobs. It is scalable based on your environment. How big is your project? How many APIs do you want to scan? How many APIs per minute, etc. Based on that information you need to first decide upfront how much memory or how much storage you want to give to it. You need to have clear data with you and then use the resources to design accordingly. I think it is highly scalable and can operate seamlessly if you give it the environment that is sufficient. You cannot expect magic from it.
We have some projects that have 150 users with ten teams using the solution.
How are customer service and support?
We had to contact technical support back several years ago because we had an issue with one of the new SQL plugins which ended up being resolved. The support is not required anymore because they have very good documentation that meets our needs.
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
I do not know the price of the solution since I have not been involved in purchasing licenses. However, this solution requires a license and we have enterprise-level licenses for our organization and for our client.
The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do. The enterprise-level has only a few more options, such as better reporting and generating PDFs. If you have a small-scale project or if you do not have a high budget, I think open-source will do wonders.
What other advice do I have?
For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need.
I rate SonarQube a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
IT Developer at PT Oto Multiartha
This solution is simple to use and can be quickly deployed
Pros and Cons
- "This solution is simple to use and can be quickly deployed."
- "I think the code security can be improved."
What is our primary use case?
We use SonarQube to check for vulnerabilities and quality.
How has it helped my organization?
The solution has helped us to find flaws in the syntax and comply with requirements.
What is most valuable?
I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality.
What needs improvement?
I think the code security can be improved. Code security should comply with the standard security list.
I would like to see the feature of Compliance Reporting added to the solution.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
About ten people in my company are using this solution. On average, we use this solution once a week.
Which solution did I use previously and why did I switch?
We chose SonarQube due to its free community edition. After a while, when we need more features, we will probably purchase the solution next year.
How was the initial setup?
I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team.
What about the implementation team?
We implemented the solution through an in-house application developer.
What other advice do I have?
This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Analyst // System Architect at a tech services company with 10,001+ employees
Ensures code coverage and reduces vulnerabilities
Pros and Cons
- "The SonarQube dashboard looks great."
- "It would be better if SonarQube provided a good UI for external configuration."
What is our primary use case?
We wanted a coding standard. We used to get coverage using SonarQube, so only once the code coverage was more than 80% could we get Jenkins to start the build. Otherwise, Jenkins would fail the build process. SonarQube is the point at which we confirm the DI. It is in the JUnit test cases where the coverage of the source code was more than 80%.
What is most valuable?
The SonarQube dashboard looks great.
What needs improvement?
Currently, we are doing SonarQube's validations for external configuration via XML. It would be better if SonarQube provided a good UI for external configuration.
For how long have I used the solution?
I've used SonarQube for three and a half years since I started using the product in 2020.
What do I think about the stability of the solution?
I have not faced any issues with stability so far.
What do I think about the scalability of the solution?
If you know how to work with the solution, it is scalable. There should be some methodologies other than JUnit test cases. There should be some other area involving the code. Four or five developers are using SonarQube with JUnit test cases. They used to build in Jenkins because once Jenkins is built and SonarQube's code coverage is more than 80%, the build happens successfully. Otherwise, the build fails.
How are customer service and support?
SonarQube's technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
Since I know how to install SonarQube, I had no issues. I don't think the installation is a big challenge because it's a one-time installation process. You wouldn't have to repeatedly install the solution.
The time taken to deploy the solution comes down to microservices.
What other advice do I have?
In the configuration you maintain for the external file used to evaluate the point, the lines should be less than 80 characters long, and the page should have less than 900 lines. The function size should also be split such that the maximum length of one should be less than 30. That's the configuration we are doing with SonarQube. Also, the number of clients we wrote should be covered within the JUnit test cases. When using Mockito for some of the database functionalities like login and authentication, SonarQube will evaluate the test cases passing through it, even when considering Mockito as the data provider for those test cases. And SonarQube covers those test cases.
When it comes to external configuration, even if we're changing the format of one field, that should be accommodated everywhere in the file. Discrepancies there could make it take some time to install the solution. If they had a UI for the setup, that would be good. Though the XML configuration can be tough, it could be automated.
In the Trivandrum team, we do around one to three microservices, like authentication and inventory. Those are two of the main microservices that I handle. The remaining are handled by some other team from Chennai or somewhere. For us, the coverage with microservices is more than 80%. The authentication service and the inventory services have good coverage.
If somebody is looking for good coverage and a good standard code, they should start using SonarQube. When writing the code, they can ensure it is written properly and not missing any code. If there are many lines we are missing or ignoring from the code, there could be cases where vulnerability can happen from those lines. Before you submit any code to any client, you should ensure the code coverage is more than 80% of the application. I rate SonarQube a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
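The gate described in this review (a build that fails unless coverage exceeds 80%, plus rules for lines under 80 characters, files under 900 lines and functions under 30 lines), written out as an added stand-alone Python illustration. It is not SonarQube's rule engine or the reviewer's XML configuration; the sample files and the 85% coverage figure are constructed, and the check applies the same thresholds to any set of Python sources.

```python
"""Local pre-merge gate mirroring the thresholds the review describes.

Added example only: SonarQube evaluates these rules server-side; this
script shows the same policy as plain code so the gate logic is visible.
"""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass

# Thresholds quoted in the review: each value is a strict "less than" limit,
# and coverage must be strictly more than 80 %.
MAX_LINE_CHARS = 80
MAX_FILE_LINES = 900
MAX_FUNC_LINES = 30
MIN_COVERAGE_PCT = 80.0


@dataclass(frozen=True)
class Violation:
    path: str
    line: int
    rule: str
    detail: str


def check_source(path: str, source: str) -> list[Violation]:
    """Apply the three size rules to one Python source file."""
    found: list[Violation] = []
    lines = source.splitlines()
    if len(lines) >= MAX_FILE_LINES:
        found.append(Violation(path, 1, "file-length",
                               f"{len(lines)} lines (limit {MAX_FILE_LINES})"))
    for number, text in enumerate(lines, start=1):
        if len(text) >= MAX_LINE_CHARS:
            found.append(Violation(path, number, "line-length",
                                   f"{len(text)} chars (limit {MAX_LINE_CHARS})"))
    # Function length is measured from the def line to the last body line.
    tree = ast.parse(source, filename=path)
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            length = node.end_lineno - node.lineno + 1
            if length >= MAX_FUNC_LINES:
                found.append(Violation(path, node.lineno, "function-length",
                                       f"{node.name} is {length} lines "
                                       f"(limit {MAX_FUNC_LINES})"))
    return found


def check_coverage(coverage_pct: float) -> list[Violation]:
    """Coverage must exceed the threshold, not merely reach it."""
    if coverage_pct <= MIN_COVERAGE_PCT:
        return [Violation("<project>", 0, "coverage",
                          f"{coverage_pct:.1f}% (must exceed {MIN_COVERAGE_PCT:.0f}%)")]
    return []


def run_gate(files: dict[str, str], coverage_pct: float) -> list[Violation]:
    """Return every violation across the project; an empty list means pass."""
    found = check_coverage(coverage_pct)
    for path, source in files.items():
        found.extend(check_source(path, source))
    return found


def gate_passes(files: dict[str, str], coverage_pct: float) -> bool:
    return not run_gate(files, coverage_pct)


# Constructed sample project: one clean file, one 31-line function, one
# 90-character line. None of this is from the review or from SonarQube.
CLEAN_SOURCE = "def add(a, b):\n    return a + b\n"
LONG_FUNC_SOURCE = ("def big():\n"
                    + "".join(f"    v{i} = {i}\n" for i in range(29))
                    + "    return v0\n")
LONG_LINE_SOURCE = "PADDING = '" + "x" * 80 + "'\n"
SAMPLE_FILES = {"clean.py": CLEAN_SOURCE,
                "big.py": LONG_FUNC_SOURCE,
                "wide.py": LONG_LINE_SOURCE}
SAMPLE_COVERAGE_PCT = 85.0  # constructed figure, above the 80 % bar

if __name__ == "__main__":
    # Mirror the CI behaviour: non-zero exit blocks the build.
    problems = run_gate(SAMPLE_FILES, SAMPLE_COVERAGE_PCT)
    for v in problems:
        print(f"{v.path}:{v.line}: {v.rule}: {v.detail}")
    sys.exit(1 if problems else 0)
```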
General Manager at Dalmia Bharat Group
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
- "We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
- "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
What is our primary use case?
We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it.
We have started looking into it from the information security side, but it is being used by the core development team.
What is most valuable?
We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.
What needs improvement?
There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code.
We have 15 to 20 people who are using it.
How are customer service and support?
We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.
How was the initial setup?
It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.
What about the implementation team?
We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.
What's my experience with pricing, setup cost, and licensing?
We are using the Community edition of SonarQube.
What other advice do I have?
For a small setup with fewer applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
- "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
- "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the start of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many other software products, such as Jira, Confluence, and Butler."
What is our primary use case?
We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.
How has it helped my organization?
Our developers are learning how to improve their code.
What is most valuable?
The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.
What needs improvement?
The Enterprise edition has the additional features we need, but of course we have to pay for that.
For how long have I used the solution?
I have been using SonarQube for approximately three months.
What do I think about the stability of the solution?
SonarQube is a reliable solution.
What do I think about the scalability of the solution?
I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.
How are customer service and support?
I have not needed to contact technical support.
I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.
What about the implementation team?
We have a different group that is managing the SonarQube installation and setup.
What's my experience with pricing, setup cost, and licensing?
For SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.
I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.
Which other solutions did I evaluate?
No.
What other advice do I have?
My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Works
Good analysis of code quality, great for even junior developers, and improves a website's look/feel
Pros and Cons
- "We consider it a handy tool that helps to resolve our issues immediately."
- "It should be user-friendly."
What is our primary use case?
I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues.
A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method.
How has it helped my organization?
It improved our website's look and feel.
We consider it a handy tool that helps to resolve our issues immediately.
It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards.
The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the code. The tool has integration with several languages.
What is most valuable?
SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time.
The solution's most valuable features are its:
- Code quality
- Release quality code
- Code security
- Security analysis
SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer.
Integrations: analysis results are right where your code lives.
It works well with GitHub.
What needs improvement?
It should be user-friendly. I keep looking for improvements after every update.
PeerSpot users give SonarQube an average rating of 8 out of 10.
SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.
The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions.
SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.
For how long have I used the solution?
I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients).
I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.
What do I think about the stability of the solution?
The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.
How are customer service and support?
Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did use another solution, however, we found issues such as:
- Ineffective time management
- Lack of instant communication
- Not receiving timely feedback
- Not receiving clear instructions or expectations
- Share time management apps and resources for students
- Utilize educational technology (“EdTech”)
- There's also a need to increase peer review
How was the initial setup?
The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.
What was our ROI?
According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Leader / Technical Expert at La francaise des jeux
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
- "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
- "The handling of the contents of Docker container images could be better."
What is our primary use case?
We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.
It is installed and plugged into a Kubernetes pipeline build system.
How has it helped my organization?
Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.
What is most valuable?
The performance is good.
What needs improvement?
The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.
For how long have I used the solution?
I have been using SonarQube for between three and four years.
What do I think about the stability of the solution?
This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.
This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.
What do I think about the scalability of the solution?
We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.
How are customer service and support?
The technical support is good.
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to this one.
How was the initial setup?
The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.
The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.
What about the implementation team?
We handled the deployment completely in-house.
What was our ROI?
It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.
Which other solutions did I evaluate?
Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.
What other advice do I have?
My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For large scale-deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.
Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Project Manager at a manufacturing company with 1,001-5,000 employees
Great features, good code quality parameters, and is easy to set up
Pros and Cons
- "There's plenty of documentation available to users."
- "There needs to be a shareable reporting piece or something we can click and generate easily."
What is our primary use case?
We mainly need to do certain static analyses. While doing the coding, everybody sends a pool request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, that gets passed before committing the code into the main branch.
What is most valuable?
I like almost all of the features. We were initially using all these techniques by using different tools.
The vulnerabilities and the code quality parameters are really important for us.
The initial setup is easy.
There's plenty of documentation available to users.
The solution is stable.
The scalability is good.
What needs improvement?
The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.
For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.
The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.
What do I think about the stability of the solution?
The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.
What do I think about the scalability of the solution?
We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.
We plan on expanding and need more licenses.
How are customer service and support?
When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation.
How was the initial setup?
The initial setup is really straightforward. The support from SonarQube is really good. Enough documentation is also available. It's really straightforward to figure out how to do it.
What's my experience with pricing, setup cost, and licensing?
We purchased a SonarQube developer license. We do not have the enterprise version.
We pay for licensing on a yearly basis.
On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source version, it provides almost similar functions. Of course, there is some additional language support, among other things; however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source version for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.
What other advice do I have?
We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well.
The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.
I'd rate the solution at a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.