Lead DevOps Consultant at itcinfotech
Has a great quality gate feature and improves the code coverage in your code base
Pros and Cons
- "Improves the code coverage and evaluates the technical steps and percentage of code being resolved."
- "Lacks sufficient visibility and documentation."
What is our primary use case?
SonarQube provides security vulnerabilities within the cloud. It identifies the code pattern and quality and detects the causes of any particular issues. We use this to minimize a lot of coding errors. I'm a lead DevOps consultant in IT infrastructure.
What is most valuable?
SonarQube helps to improve the code coverage in your code base and will give you the evaluation of the technical steps and the percentage of code being resolved. It can auto-calculate the technical debt. The beauty of the product is the quality gate where all parameters come together. If those parameters can pass through the quality gate successfully, you can go ahead with your build. You get clear and clean visibility in your code and it provides reliability. It's the most valuable feature.
What needs improvement?
We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.
For how long have I used the solution?
We've been using this solution for two years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
Scalability is high and that includes within the different zones and regions that we require in the company. We use SonarQube about once a week and don't plan to increase usage for now.
How are customer service and support?
The technical support is excellent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used a different solution but moved to SonarQube because it better suits our use cases.
How was the initial setup?
The initial setup is straightforward and doesn't take much time. That said, setting up the quality level is challenging because of the different calculations required, setting up for issue tracking and getting the appropriate quality gate feature. It requires proper allocation and understanding the parameters. Deployment time is generally less than an hour, but it depends on the project size. Implementation generally requires a minimum of two people.
What was our ROI?
The fact that we have bug-free coding is a good return on investment.
What's my experience with pricing, setup cost, and licensing?
Licensing costs are in the mid-range for this kind of solution.
What other advice do I have?
This product provides a lot of freedom to achieve many things including generating certain reports that can be integrated with numerous other tools such as Power BI.
I rate this solution eight out of 10.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Works well with very good integrations and pipelines
Pros and Cons
- "Can tweak rules and feed them into our build pipelines."
- "Currently requires multiple tools, lacking one overall tool."
What is our primary use case?
Our use case of SonarQube is to analyze code quality and to implement quality gates in our build pipelines.
What is most valuable?
The ability to tweak the rules and feed them into our build pipelines so that they can become an integral part of those pipelines is a valuable feature. This product works really well, the integrations and pipelines are good.
What needs improvement?
SonarQube currently requires multiple tools. I'd like to have the ability to use one tool overall.
For how long have I used the solution?
We've been using this solution for a few years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
What's my experience with pricing, setup cost, and licensing?
We pay a very reasonable, annual licensing fee.
What other advice do I have?
My recommendation is to just go with the out-of-the-box rule set first. Don't try to tweak the rules before you learn what they mean. First learn what the alerts mean and then slowly tweak them to your specific use cases.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security at a consultancy with 10,001+ employees
A stable solution that needs to make its enterprise version and support available to users in Thailand
Pros and Cons
- "The initial setup is simple. It requires some security, but it's simple."
- "We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
What is our primary use case?
We use the solution for the software scan and integrate the application, which is a dependency check for the scan. Our customers send us the already developed solution for functional tests and security scans.
What is most valuable?
Firstly, the integration with the pipeline is good. If you have the FICO pipeline integrated already, the depth of the pipeline will be good. Secondly, the solution is easy to understand. It took little time to learn and understand how to use data.
What needs improvement?
SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.
For how long have I used the solution?
I have been using SonarQube for a year.
What do I think about the stability of the solution?
It is a stable product. I rate it seven out of ten.
What do I think about the scalability of the solution?
I didn't have any scalability issues when we used the pipeline. But downloading the code and doing this again on a local laptop is quite slow, especially when somebody needs to try some code in a big and complex project. It takes about four to six hours. I don't know why it takes so long on a local laptop because it works fine in the integrated pipeline. For support in the integration pipeline, it could be nine or ten, but if it is on a local laptop, I think it would be only five.
How are customer service and support?
As we are using the free version, there is no technical support available. But the documentation support is okay for us. We read it depending on the website, but we cannot escalate the issue to the SonarQube provider.
Which solution did I use previously and why did I switch?
I used the Micro Focus Fortify, but the performance integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.
How was the initial setup?
The initial setup is simple. It requires some security, but it's simple. It has some community to help with the technical information, and the technical team of the solution is also okay. It takes one or two hours to deploy. I was not involved in the integration in the pipeline, but I was involved in the solution installed on the local laptop.
What's my experience with pricing, setup cost, and licensing?
I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube.
What other advice do I have?
If you need the support of SonarQube, then use the enterprise version.
SonarQube should have a foundation in Thailand so that we can buy the enterprise version and get support. Secondly, SonarQube still does not support many languages, but I am still determining which ones. So if these two can be improved, it will be good.
I rate it seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Automation Practice Leader at a financial services firm with 10,001+ employees
Provides great code coverage; code security scanning could be improved
Pros and Cons
- "The software quality gate streamlines the product's quality."
- "Code security scanning could be improved."
What is our primary use case?
We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube.
What is most valuable?
The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers.
What needs improvement?
There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive.
For how long have I used the solution?
I've been using this solution for six years.
What do I think about the stability of the solution?
The product is stable although maintenance is a little cumbersome.
What do I think about the scalability of the solution?
The product is scalable but there are some concerns. You need to regularly do a cleanup of the lines of code that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance.
How are customer service and technical support?
There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.
What's my experience with pricing, setup cost, and licensing?
Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.
What other advice do I have?
SonarQube is a very good tool for code quality.
I rate this solution a seven out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technology Manager at Publicis Sapient
Supports multiple program languages, highly scalable, and has open-source version
Pros and Cons
- "The solution has a wide variety of features and an open-source community through which you are able to learn Java, JavaScript, or any other programming language."
- "There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
What is our primary use case?
We are using the solution for code quality and security.
What is most valuable?
The solution has a wide variety of features and an open-source community through which you are able to learn Java, JavaScript, or any other programming language. The quality profile rules that it provides based on the architect are set across the board, and this provides continuity. Being able to fix all the application vulnerabilities before they reach production is a huge benefit.
What needs improvement?
There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.
For how long have I used the solution?
I have been using the solution for approximately eight years.
What do I think about the scalability of the solution?
The scalability depends on the use case. You cannot install it with minimal resources and expect it to run thousands of jobs. It is scalable based on your environment. How big is your project? How many APIs do you want to scan? How many APIs per minute, etc. Based on that information you need to first decide upfront how much memory or how much storage you want to give to it. You need to have clear data with you and then use the resources to design accordingly. I think it is highly scalable and can operate seamlessly if you give it the environment that is sufficient. You cannot expect magic from it.
We have some projects that have 150 users with ten teams using the solution.
How are customer service and technical support?
We had to contact technical support back several years ago because we had an issue with one of the new SQL plugins which ended up being resolved. The support is not required anymore because they have very good documentation that meets our needs.
How was the initial setup?
The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
I do not know the price of the solution since I have not been involved in purchasing licenses. However, this solution requires a license and we have enterprise-level licenses for our organization and for our client.
The beauty of this solution is the free open-source version is capable enough in doing pretty much what an enterprise-level version can do. The enterprise-level has only a few more options, such as better reporting and generating PDFs. If you have a small-scale project or if you do not have a high budget, I think open-source will do wonders.
What other advice do I have?
For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need.
I rate SonarQube a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
IT Developer at PT Oto Multiartha
This solution is simple to use and can be quickly deployed
Pros and Cons
- "This solution is simple to use and can be quickly deployed."
- "I think the code security can be improved."
What is our primary use case?
We use SonarQube to check for vulnerabilities and quality.
How has it helped my organization?
The solution has helped us to find flaws in the syntax and comply with requirements.
What is most valuable?
I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality.
What needs improvement?
I think the code security can be improved. Code security should comply with the standard security list.
I would like to see the feature of Compliance Reporting added to the solution.
For how long have I used the solution?
I have been using this solution for two years.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten.
What do I think about the scalability of the solution?
About ten people in my company are using this solution. On average, we use this solution once a week.
Which solution did I use previously and why did I switch?
We chose SonarQube due to its free community edition. After a while, when we need more features, we will probably purchase the solution next year.
How was the initial setup?
I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team.
What about the implementation team?
We implemented the solution through an in-house application developer.
What other advice do I have?
This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Analyst // System Architect at a tech services company with 10,001+ employees
Ensures code coverage and reduces vulnerabilities
Pros and Cons
- "The SonarQube dashboard looks great."
- "It would be better if SonarQube provided a good UI for external configuration."
What is our primary use case?
We wanted a coding standard. We used to get coverage using SonarQube, so once the code coverage was more than 80%, it was only then we could get Jenkins to start the build. Otherwise, Jenkins would fail the build process. SonarQube is the point at which we confirm the DI. It is in the JUnit test cases where the coverage of the source code was more than 80%.
What is most valuable?
The SonarQube dashboard looks great.
What needs improvement?
Currently, we are doing SonarQube's validations for external configuration via XML. It would be better if SonarQube provided a good UI for external configuration.
For how long have I used the solution?
I've used SonarQube for three and a half years since I started using the product in 2020.
What do I think about the stability of the solution?
I have not faced any issues with stability so far.
What do I think about the scalability of the solution?
If you know how to work with the solution, it is scalable. There should be some methodologies other than JUnit test cases. There should be some other area involving the code. Four or five developers are using SonarQube with JUnit test cases. They used to build in Jenkins because once Jenkins is built and SonarQube's code coverage is more than 80%, the build happens successfully. Otherwise, the build fails.
How are customer service and support?
SonarQube's technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
Since I know how to install SonarQube, I had no issues. I don't think the installation is a big challenge because it's a one-time installation process. You wouldn't have to repeatedly install the solution.
The time taken to deploy the solution comes down to microservices.
What other advice do I have?
In the configuration you maintain for the external file used to evaluate the point, the lines should be less than 80 characters long, and the page should have less than 900 lines. The function size should also be split such that the maximum length of one should be less than 30. That's the configuration we are doing with SonarQube. Also, the number of clients we wrote should be covered within the JUnit test cases. When using Mockito for some of the database functionalities like login and authentication, SonarQube will evaluate the test cases passing through it, even when considering Mockito as the data provider for those test cases. And SonarQube covers those test cases.
When it comes to external configuration, even if we're changing the format of one field, that should be accommodated everywhere in the file. Discrepancies there could make it take some time to install the solution. If they had a UI for the setup, that would be good. Though the XML configuration can be tough, it could be automated.
In the Trivandrum team, we do around one to three microservices, like authentication and inventory. Those are two of the main microservices that I handle. The remaining are handled by some other team from Chennai or somewhere. For us, the coverage with microservices is more than 80%. The authentication service and the inventory services have good coverage.
If somebody is looking for good coverage and a good standard code, they should start using SonarQube. When writing the code, they can ensure it is written properly and not missing any code. If there are many lines we are missing or ignoring from the code, there could be cases where vulnerability can happen from those lines. Before you submit any code to any client, you should ensure the code coverage is more than 80% of the application. I rate SonarQube a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
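The coverage-and-size gate this reviewer describes (Jenkins only builds when coverage is above 80%, with lines under 80 characters, files under 900 lines and functions under 30 lines), as an added example that is not part of the review and is not SonarQube's own code: a small Python gate evaluator that applies those thresholds to a constructed coverage report and constructed source files. The report format, the sample files and the function names are assumptions made for the example; a real pipeline would read the analysis results SonarQube produces instead.

```python
"""Minimal quality-gate evaluator (added example, not SonarQube code).

Thresholds mirror the ones the reviewer describes. The coverage report
format {filename: (lines_total, lines_covered)} is an assumption made for
this example, as are the sample source files below.
"""
import ast

COVERAGE_MIN_PCT = 80.0      # build passes only if coverage is above this
MAX_LINE_LENGTH = 80         # lines must be shorter than this
MAX_FILE_LINES = 900         # files must be shorter than this
MAX_FUNCTION_LINES = 30      # functions must be shorter than this


def coverage_percent(report):
    """Overall line coverage in percent from {filename: (total, covered)}."""
    total = sum(t for t, _ in report.values())
    covered = sum(c for _, c in report.values())
    return 100.0 * covered / total if total else 0.0


def check_source(filename, source):
    """Return a list of size violations for one Python source file."""
    violations = []
    lines = source.splitlines()
    if len(lines) >= MAX_FILE_LINES:
        violations.append(f"{filename}: {len(lines)} lines (limit {MAX_FILE_LINES})")
    for lineno, line in enumerate(lines, 1):
        if len(line) >= MAX_LINE_LENGTH:
            violations.append(f"{filename}:{lineno}: line is {len(line)} chars")
    # Function length is measured from the def line to the last body line.
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            length = node.end_lineno - node.lineno + 1
            if length >= MAX_FUNCTION_LINES:
                violations.append(
                    f"{filename}:{node.lineno}: {node.name} is {length} lines")
    return violations


def evaluate_gate(sources, coverage_report):
    """sources: {filename: source text}. Returns (passed, reasons)."""
    reasons = []
    pct = coverage_percent(coverage_report)
    if pct <= COVERAGE_MIN_PCT:
        reasons.append(f"coverage {pct:.1f}% is not above {COVERAGE_MIN_PCT}%")
    for name, src in sources.items():
        reasons.extend(check_source(name, src))
    return (not reasons, reasons)


# Constructed sample inputs: one compliant file and one that breaks the
# function-length and line-length rules.
GOOD_SOURCE = "def add(a, b):\n    return a + b\n"
BAD_SOURCE = (
    "def long_function():\n"
    + "".join(f"    x{i} = {i}\n" for i in range(35))
    + "    return " + " + ".join(f"x{i}" for i in range(35)) + "\n"
)

if __name__ == "__main__":
    for label, sources, report in [
        ("clean build", {"good.py": GOOD_SOURCE}, {"good.py": (10, 9)}),
        ("failing build",
         {"good.py": GOOD_SOURCE, "bad.py": BAD_SOURCE},
         {"good.py": (10, 9), "bad.py": (37, 20)}),
    ]:
        passed, reasons = evaluate_gate(sources, report)
        print(label, "->", "PASS" if passed else "FAIL")
        for reason in reasons:
            print("  ", reason)
```

In a pipeline the same shape applies: the gate returns a single pass/fail decision plus the reasons, and the build step fails when the decision is negative rather than when any individual metric happens to be reported.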
General Manager at Dalmia Bharat Group
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
- "We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
- "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
What is our primary use case?
We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it.
We have started looking into it from the information security side, but it is being used by the core development team.
What is most valuable?
We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.
What needs improvement?
There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code.
We have 15 to 20 people who are using it.
How are customer service and support?
We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.
How was the initial setup?
It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.
What about the implementation team?
We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.
What's my experience with pricing, setup cost, and licensing?
We are using the Community edition of SonarQube.
What other advice do I have?
For a small setup with fewer applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.
I would rate it a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.