Angelo Quaglia - PeerSpot reviewer
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 5
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
  • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
  • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

What is our primary use case?

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

How has it helped my organization?

Our developers are learning how to improve their code.

What is most valuable?

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

What needs improvement?

The Enterprise edition has the additional features we need, but of course we have to pay for that.

Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.

For how long have I used the solution?

I have been using SonarQube for approximately three months.

What do I think about the stability of the solution?

SonarQube is a reliable solution.

What do I think about the scalability of the solution?

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

How are customer service and support?

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

What about the implementation team?

We have a different group that is managing the SonarQube installation and setup.

What's my experience with pricing, setup cost, and licensing?

SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

Which other solutions did I evaluate?

No.

What other advice do I have?

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Product Security Architect at a tech services company with 51-200 employees
Real User
Top 10
A mature and admin-friendly solution that is easy to deploy and easy to maintain
Pros and Cons
  • "SonarQube is admin friendly."
  • "SonarQube is not development-centric like Snyk."

What is our primary use case?

We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.

What is most valuable?

SonarQube is admin friendly.

What needs improvement?

SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.

For how long have I used the solution?

I have been using the solution for the last five years.

What do I think about the stability of the solution?

The solution is quite mature. We did not have many issues.

What do I think about the scalability of the solution?

The tool is very scalable.

How are customer service and support?

Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.

Which solution did I use previously and why did I switch?

I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.

How was the initial setup?

The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.

What about the implementation team?

Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.

What's my experience with pricing, setup cost, and licensing?

It's an open-source product. All other solutions are commercial.

What other advice do I have?

SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
User
Good analysis of code quality, great for even junior developers, and improves a website's look/feel
Pros and Cons
  • "We consider it a handy tool that helps to resolve our issues immediately."
  • "It should be user-friendly."

What is our primary use case?

I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues. 

A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked-in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method. 

How has it helped my organization?

It improved our website's look and feel. 

We consider it a handy tool that helps to resolve our issues immediately. 

It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards. 

The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the codes. The tool has integration with several languages. 

What is most valuable?

SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time.

The solution's most valuable features are its:

  • Code quality
  • Release quality code
  • Code security
  • Security analysis

SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer.

Integrations: Analysis results are right where your code lives.

It works well with GitHub.

What needs improvement?

It should be user-friendly. I keep looking for improvements after every update. 

PeerSpot users give SonarQube an average rating of 8 out of 10. 

SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.

The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. 

SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.

For how long have I used the solution?

I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients). 

I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.

What do I think about the stability of the solution?

The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.

How are customer service and support?

Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did use another solution, however, we found issues such as:

  • Ineffective time management
  • Lack of instant communication
  • Not receiving timely feedback
  • Not receiving clear instructions or expectations
  • Share time management apps and resources for students
  • Utilize educational technology (“EdTech”)
  • There's also a need to increase peer review

How was the initial setup?

The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.

What was our ROI?

According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Denis Walrave - PeerSpot reviewer
Project Leader / Technical Expert at La francaise des jeux
Real User
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
  • "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
  • "The handling of the contents of Docker container images could be better."

What is our primary use case?

We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.

It is installed and plugged into a Kubernetes pipeline build system.

How has it helped my organization?

Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.

What is most valuable?

The performance is good.

What needs improvement?

The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

For how long have I used the solution?

I have been using SonarQube for between three and four years.

What do I think about the stability of the solution?

This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.

This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.

What do I think about the scalability of the solution?

We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.

How are customer service and support?

The technical support is good.

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to this one.

How was the initial setup?

The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.

The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.

What about the implementation team?

We handled the deployment completely in-house.

What was our ROI?

It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.

Which other solutions did I evaluate?

Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

What other advice do I have?

My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For a large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.

Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Project Manager at a manufacturing company with 1,001-5,000 employees
Real User
Great features, good code quality parameters, and is easy to set up
Pros and Cons
  • "There's plenty of documentation available to users."
  • "There needs to be a shareable reporting piece or something we can click and generate easily."

What is our primary use case?

We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, get passed before committing the code into the main branch.

What is most valuable?

I like almost all of the features. We were initially using all these techniques by using different tools. 

The vulnerabilities and the code quality parameters are really important for us.

The initial setup is easy.

There's plenty of documentation available to users. 

The solution is stable.

The scalability is good.

What needs improvement?

The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.

For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.  

The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

What do I think about the stability of the solution?

The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.

What do I think about the scalability of the solution?

We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.

We plan on expanding and need more licenses. 

How are customer service and support?

When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation. 

How was the initial setup?

The initial setup is really straightforward. The support from SonarQube is really good. Enough documentation is also available. It's really straightforward to figure out how to do it.

What's my experience with pricing, setup cost, and licensing?

We purchased a SonarQube developer license. We do not have the enterprise version.

We pay for licensing on a yearly basis.

On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source version, it provides almost similar functions. Of course, there is some additional language support, among other things, however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source version for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.

What other advice do I have?

We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well. 

The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.

I'd rate the solution at a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jayashree Acharyya - PeerSpot reviewer
Director at PepsiCo
Real User
Top 5 Leaderboard
Scalable, good technical support, but multiple application project option needed
Pros and Cons
  • "We have worked with the support from SonarQube and we have had good experiences."
  • "We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."

What is our primary use case?

SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.

How has it helped my organization?

The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.

What needs improvement?

We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.

What we are seeing is that for some of the JavaScript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.

In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the scalability of the solution?

The solution is scalable. 

We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.

There are a lot of people using this solution in my organization because they are able to scan directly from their IDEs.

How are customer service and technical support?

We have worked with the support from SonarQube and we have had good experiences.

How was the initial setup?

The initial setup was simple. When we did the upgrade, it took our team approximately two hours.

What about the implementation team?

Our internal team did the implementation of the solution.

What's my experience with pricing, setup cost, and licensing?

We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.

What other advice do I have?

SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.

The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.

I rate SonarQube a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior System Analyst at a non-profit with 10,001+ employees
Real User
Open-source, feature-rich, integrates well, and has good community support but the user experience could be better
Pros and Cons
  • "It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed."
  • "The security in SonarQube could be better."

What is most valuable?

There is a large support system in the community. When we have issues we can get answers quickly and easily.

It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed.

It's very flexible.

I am from the application development team and for me, it is very good because it offers a lot of features in terms of code review, quality check, and more.

What needs improvement?

In discussions with the security team, there are many other products that are available that perform better. The security in SonarQube could be better.

SonarQube is more about the quality checks of the source code. It allows us to do a code review but it lacks security. It could perform better.

I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issue and to be integrated with the pipeline. 

It integrates well but there is always room in this area to improve and to provide reports on the results. 

The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.

For how long have I used the solution?

I have been using SonarQube for six months. We implemented it in September of last year.

What do I think about the stability of the solution?

It is very stable. We are still new to this product and learning, but there are times where SonarQube disconnects from the server with no alert or notification, and we have to run it again.

It can be managed by running different scripts. From time to time we have claims that SonarQube is not running on the server, and we discover that the server was restarted but SonarQube did not restart.

I don't know if it is a flaw in the product itself or if we can manage it from our infrastructure.

It's stable but could be improved.

What do I think about the scalability of the solution?

I believe that it is scalable, but this is an area that we have not yet explored.

I know that there is an option to add a new rule. For example, if we are creating an application using Java, there is a list of predefined rules to check the quality against.

It's expandable at least in terms of code quality checks.

For now, I am the only user of this solution.

How was the initial setup?

The initial setup wasn't straightforward, but still, it was manageable.

This is an area that can also be improved to make it easier to install and set up. There are many other products that are easy to set up and install.

What about the implementation team?

I called an expert or a technical person who could work on it and manage it.

What's my experience with pricing, setup cost, and licensing?

SonarQube is a free, open-source product.

There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license.

What other advice do I have?

We will be using this solution for the next year, but we are considering migrating to the cloud.

From my experience, I would rate SonarQube a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Gert Kersten - PeerSpot reviewer
Software Developer at BKWI
Real User
Allows for real-time feedback on code quality and highly stable solution
Pros and Cons
  • "We've configured it to run on each commit, providing feedback on our software quality."
  • "During the setup process, we only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit."

What is our primary use case?

We use it to check the code quality of our software.

What is most valuable?

We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.

What needs improvement?

We would appreciate having PNC checking, though that's only available in a more expensive license type.

There is also room for improvement in the installation process.

For how long have I used the solution?

I have been using this solution for a couple of years.

What do I think about the stability of the solution?

It is a stable solution. So, no issues with stability.

What do I think about the scalability of the solution?

We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.

We have around 13 developers using this solution. 

Which solution did I use previously and why did I switch?


How was the initial setup?

Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you need quite a lot of available file handles, so we had to increase that limit.

However, maintenance is actually quite easy. It requires a couple of people.

Which other solutions did I evaluate?

We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.

What other advice do I have?

I would definitely recommend using the solution.

Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.