SonarQube Server (formerly SonarQube) Reviews

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in. 

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins. 

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

This solution is very stable.

It supports around 25 plus languages.

The technical support is very good. When a product is good, we don't use them as regularly.

No, not that I am aware of.

Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.

We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.

I would rate this solution an eight out of ten.

We use SonarQube to check for vulnerabilities and quality. 

The solution has helped us to find flaws in the Syntax and comply with requirements. 

I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality. 

I think the code security can be improved. Code security should comply with the standard security list. 

I would like to see the feature of Compliance Reporting added to the solution.

I have been using this solution for two years. 

I would rate the stability a ten out of ten. 

About ten people in my company are using this solution. On average, we use this solution once in a week. 

We chose SonarQube due to its free community edition. After a while, when we will need more features, we will probably purchase the solution next year. 

I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team. 

We implemented the solution through an in-house application developer. 

This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten. 

We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.

It is installed and plugged into a Kubernetes pipeline build system.

Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.

The performance is good.

The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

I have been using SonarQube for between three and four years.

This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.

This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.

We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.

The technical support is good.

We did not use another similar solution prior to this one.

The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.

The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.

We handled the deployment completely in-house.

It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.

Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For large scale-deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.

Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.

I would rate this solution an eight out of ten.

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

This way we ensure that no core/fundamental issues are added to our codebases. 

It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results. 

Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

I have been using SonarQube for five years.

Good, I have not really had many issues with it. No major ones either. 

It all depends on where/how you are hosting it. The tool itself scales well. 

I have used Checkmarx and also tried a demo of Veracode. 

Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

It's very straightforward for a SaaS setup. 

For a self-hosted setup, it is documented well and fairly easy. 

We implemented in-house.

SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

Security analysis is a MUST. 

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

SonarQube is one of the more popular solutions because it supports 29 languages.

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

Our developers are learning how to improve their code.

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

The Enterprise edition has the additional features we need, but of course we have to pay for that.

I have been using SonarQube for approximately three months.

SonarQube is a reliable solution.

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

No.

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

We have a different group that is managing the SonarQube installation and setup.

SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off. 

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

No.

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

We use the product in our pipeline. We primarily use it for development testing tool.

We can see what's being flagged by whatever requirements in the environment that we're going to. SonarCube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions that can tighten down the developer's coding.

It's convenient due to the fact that it's open-source. 

We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool. 

Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for, However, that add-on has additional functionality that the base software may not necessarily have in its core.

For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.

The solution is still maturing a bit.

You may need to purchase add-ons to get the useability you desire.

We've been using the solution for about two years at this point.

The solution is open-source. It's free to use. 

Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.

I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

It prevents some vulnerabilities in the production environment.

I like that it covers most programming languages for source code review.

I also like the procedures that are already built-in that cover most of the items that already exist.

SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.

The BPM language is important and should be considered in SonarQube.

It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.

Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.

There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.

I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.

We have been dealing with SonarQube for more than one year.

It is stable in the system environment processes.

We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.

We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.

We only use SonarQube with SonarScanner.

The initial setup is simple and straightforward.

I am a consultant and my team completed the system server.

I requested this license for one million lines of code and they accepted this.

I don't know what was already paid.

We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well. 

We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.

I would rate SonarQube an eight out of ten.