SonarQube Server (formerly SonarQube) Reviews

We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.

The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know.

I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.

If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.

In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.

I have been using this SonarQube for approximately four years.

We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for the code quality scanning. I have not had any problems using the solution, it has been stable.

We have approximately 15,000 engineers in my company and many of them are using this solution.

I have evaluated Fortify.

I rate SonarQube a six out of ten.

We use it to check the code quality, and the code review to find out the vulnerabilities about the central codes like simplifications and codes. We also use it for security management.

The most valuable feature is the security hotspot feature that identifies where your code is prone to have security issues.

It also gives you a very good highlight of what's changed, and what has to be changed in the future.

Apart from that, there are many other good features as it's a code analytics platform. It also has a dashboard reporting feature, which is very good. I also like the ease of its integration with Jenkins.

Another valuable feature is the time snapshot that it provides for the code. It provides the code quality, the lagging, and the training features like what already has gone wrong and what is likely to go wrong. It's a very good feature for a project to have a dashboard where the users can find everything about their project at a single glance.

There are various standards that are followed. Awareness is a must.

Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.

I have been using SonarQube for three years. 

It is quite stable. There are no kind of issues that we face on SonarQube. It's just about the awareness where the users are not aware of a feature and that's where we need to jump in and explain some of the features about how it works.

It's definitely easy to scale. 

We do contact them based on the project team requirement. We contact them if they have to set up any specific kind of portfolio application and such application et cetera, internal.

Their support is good. They respond quickly. The response time is very good. They answer the queries within 24 to 48 hours. That's a plus for them. It's a very costly product, so we use the enterprise-level product. It does consume a lot of license cost for that.

We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work. 

The initial setup is simple. It's basically an orchestration platform on which I manage around 400 SonarQube incentives.

It's a mass production environment. I'm currently managing around 400 plus teams who are using the product. We are trying to migrate it onto Kubernetes.

The setup takes around five to ten minutes as I have created automation. 

It requires maintenance on the platform side, but not on the SonarQube side. Because there is a DB cleanup automatically inbuilt in Sonar, it does not require much to maintain within SonarQube itself.

It eats up a lot of memory. For a stack it's around 2.5GB. We use it on a daily basis. 

Everything is included in the standard licensing. 

Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects

The metrics are how the budgeting should be done et cetera. These are the things that they can find out from the dashboard based on the lines of codes. 

In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface.

I would rate it an eight out of ten. 

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in. 

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins. 

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

This solution is very stable.

It supports around 25 plus languages.

The technical support is very good. When a product is good, we don't use them as regularly.

No, not that I am aware of.

Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.

We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.

I would rate this solution an eight out of ten.

The product needs to integrate other security tools for security scanning. 

I have been using the product for a year. 

SonarQube is scalable. My company has 50 users. 

I rate SonarQube an eight out of ten. 

I use the solution for static code analysis and to identify vulnerabilities and code smells.

All the features of the solution are quite good.

New plug-ins should be integrated into SonarCloud to give more flexibility to the product.

I have been using the solution for the last couple of years.

I rate the stability an eight out of ten.

I rate the product’s scalability as an eight out of ten. Currently, not many teams are using the product. We are trying to increase the number of users.

The first time, the initial setup was complicated. It got easier once we got used to it.

The deployment took around one to two hours.

The solution is cheaper than other products.

We have not been able to use the product extensively. I would recommend the solution to others. It'll really help the developers to increase their development speed. Overall, I rate the solution an eight out of ten.

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

SonarQube is one of the more popular solutions because it supports 29 languages.

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. 

This solution is deployed on-premise. 

One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. 

Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside. 

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. 

Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. 

As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer. 

I have been using SonarQube for the past three years. 

The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development. 

As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be enhanced, based on customer feedback and the tech stack, such as how we can improve performance of have a deployment with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code improvements and the product we develop. Our top considerations are quality and security, which are being improved in a continuous process. There are many new features and enhancements coming in—for example, if you want to upgrade from the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve performance. 

This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are using Ansible, Kubernetes, and Docker. 

In our organization, there are currently around 25,000 people working with SonarQube. 

We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis. 

The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes, maximum. 

We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so there are no third-parties involved in development. 

I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long time, so I would guess the pricing would be decent. 

I rate SonarQube an eight out of ten. 

To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube. 

We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.

The fact that the solution does security scanning is valuable. This is primarily why we use it. For code quality, we could utilize other tools, such as unit test coverage, which it gives you too, but having a more comprehensive tool is useful.

Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add on or ability to be able to do during the scan. 

In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.

I have been using the solution for approximately one year.

I have not run into any bugs or glitches. However, I have only been using it for a short time.

The pipeline that I am currently building is being used by the platforms team, which is approximately three people. We use the solution as part of the automated code review process. As far as a larger perspective of who is actually benefiting from it, the development team is about 35 people.

I have not needed to use technical support.

The set up was very easy.

I would recommend to those wanting to implement this solution to read the documentation, they are clear and easy to follow.

I rate SonarQube a nine out of ten.