Head of Software Delivery at a tech services company with 51-200 employees
Real User
Provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production
Pros and Cons
  • "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."

    What is our primary use case?

    Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

    We plug this into our process right from the start, enabling the IDE integrations so that engineers can scan their code before submission. Following on from that, we run the scans on every change that has been submitted for review.

    This way we ensure that no core/fundamental issues are added to our codebases. 

    How has it helped my organization?

    It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a time-efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results.

    Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

    We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

    What is most valuable?

    By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

    The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

    Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

    What needs improvement?

    It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this tool.

    This is particularly true of the languages that the web pages state it supports. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place.

    When that one place has low coverage for the most basic rules (OWASP Top 10, for example), it starts to lose its value-add.

    Buyer's Guide
    SonarQube Server (formerly SonarQube)
    December 2024
    Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
    831,265 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using SonarQube for five years.

    What do I think about the stability of the solution?

    Good, I have not really had many issues with it. No major ones either. 

    What do I think about the scalability of the solution?

    It all depends on where/how you are hosting it. The tool itself scales well. 

    Which solution did I use previously and why did I switch?

    I have used Checkmarx and also tried a demo of Veracode. 

    Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

    Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

    How was the initial setup?

    It's very straightforward for a SaaS setup. 

    For a self-hosted setup, it is documented well and fairly easy. 

    What about the implementation team?

    We implemented in-house.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

    Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

    Which other solutions did I evaluate?

    We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

    What other advice do I have?

    Security analysis is a MUST. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Angelo Quaglia - PeerSpot reviewer
    Independent Professional at Studio Dott. Ing. Angelo Quaglia
    Real User
    Top 5
    Useful dashboard, user-friendly, and effective drill down ability
    Pros and Cons
    • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
    • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the start of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

    What is our primary use case?

    We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

    How has it helped my organization?

    Our developers are learning how to improve their code.

    What is most valuable?

    The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

    What needs improvement?

    The Enterprise edition has the additional features we need, but of course we have to pay for that.

    For how long have I used the solution?

    I have been using SonarQube for approximately three months.

    What do I think about the stability of the solution?

    SonarQube is a reliable solution.

    What do I think about the scalability of the solution?

    I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

    How are customer service and support?

    I have not needed to contact technical support.

    I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

    Which solution did I use previously and why did I switch?

    No.

    How was the initial setup?

    The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

    What about the implementation team?

    We have a different group that is managing the SonarQube installation and setup.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube Enterprise: I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.

    I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

    Which other solutions did I evaluate?

    No.

    What other advice do I have?

    My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

    I rate SonarQube a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr DevOps Engineer at incatech
    Real User
    Open-source with great extensions and great for identifying bugs
    Pros and Cons
    • "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
    • "You may need to purchase add-ons to get the usability you desire."

    What is our primary use case?

    We use the product in our pipeline. We primarily use it as a development testing tool.

    How has it helped my organization?

    We can see what's being flagged by whatever requirements are in the environment that we're going to. SonarQube has these rules that you set up. You can set the rules and adjust them. It allows us to be at 80% or whatever the case may be. Setting up these conditions can tighten down the developers' coding.

    What is most valuable?

    It's convenient due to the fact that it's open-source. 

    We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool. 

    Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CI/CD tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors, or it can do a lot of things. Just like Google Chrome, where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core.

    For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.

    What needs improvement?

    The solution is still maturing a bit.

    You may need to purchase add-ons to get the usability you desire.

    For how long have I used the solution?

    We've been using the solution for about two years at this point.

    What's my experience with pricing, setup cost, and licensing?

    The solution is open-source. It's free to use. 

    What other advice do I have?

    Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.

    I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
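As an added example (not code from this page, from SonarSource, or from either reviewer), the kind of CI-side quality-gate check that the first review above relies on to block code with severe bugs or vulnerabilities and that the review just above describes with its 80% threshold. It assumes the JSON shape of SonarQube's api/qualitygates/project_status response (projectStatus with status and a conditions list carrying metricKey, comparator, errorThreshold and actualValue) and runs on a constructed sample so it works offline:

```python
"""CI quality-gate check: re-evaluate gate conditions and return a non-zero
exit status when the gate fails, so the pipeline stops before a deploy.

Assumed (not taken from the page): the response shape of SonarQube's
api/qualitygates/project_status endpoint. The sample below is constructed.
"""
import json
import sys

# Constructed sample response; not captured from a real server.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "63.5"},
        ],
    }
})


def condition_failed(cond):
    """Re-evaluate one condition from its numbers instead of trusting the
    per-condition status field. GT fails when actual > threshold (e.g. more
    than 0 new vulnerabilities); LT fails when actual < threshold (e.g.
    coverage below 80)."""
    actual = float(cond["actualValue"])
    threshold = float(cond["errorThreshold"])
    comparator = cond["comparator"]
    if comparator == "GT":
        return actual > threshold
    if comparator == "LT":
        return actual < threshold
    raise ValueError(f"unknown comparator {comparator!r}")


def evaluate_gate(response_text):
    """Return (passed, failures); failures is a list of readable reasons."""
    data = json.loads(response_text)
    project_status = data["projectStatus"]
    failures = []
    for cond in project_status.get("conditions", []):
        if condition_failed(cond):
            failures.append(f"{cond['metricKey']}: {cond['actualValue']} "
                            f"{cond['comparator']} {cond['errorThreshold']}")
    # Block on a failed condition or on any overall status other than OK.
    # A status of NONE (no gate attached to the project) must not pass
    # silently, otherwise the gate can be bypassed by misconfiguration.
    passed = project_status.get("status") == "OK" and not failures
    return passed, failures


def main(argv=None):
    # Pass "-" to read the API response from stdin (e.g. piped from curl);
    # otherwise the constructed sample is evaluated.
    argv = argv if argv is not None else sys.argv[1:]
    text = sys.stdin.read() if argv and argv[0] == "-" else SAMPLE_RESPONSE
    passed, failures = evaluate_gate(text)
    for reason in failures:
        print("quality gate condition failed:", reason)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wire the non-zero exit into the pipeline step that precedes deployment so a failed gate, or a project with no gate attached, stops the release rather than logging a warning.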
    Test Expert at Saudi Telecom Company
    Real User
    Prevents vulnerabilities, supports most languages and built-in procedures
    Pros and Cons
    • "I like that it covers most programming languages for source code review."
    • "The BPM language is important and should be considered in SonarQube."

    How has it helped my organization?

    It prevents some vulnerabilities in the production environment.

    What is most valuable?

    I like that it covers most programming languages for source code review.

    I also like the procedures that are already built-in that cover most of the items that already exist.

    What needs improvement?

    SonarQube does not cover the BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of our applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.

    The BPM language is important and should be considered in SonarQube.

    It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.

    Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.

    There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.

    I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.

    For how long have I used the solution?

    We have been dealing with SonarQube for more than one year.

    What do I think about the stability of the solution?

    It is stable in the system environment processes.

    What do I think about the scalability of the solution?

    We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.

    How are customer service and technical support?

    We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.

    Which solution did I use previously and why did I switch?

    We only use SonarQube with SonarScanner.

    How was the initial setup?

    The initial setup is simple and straightforward.

    What about the implementation team?

    I am a consultant and my team completed the system server.

    What's my experience with pricing, setup cost, and licensing?

    I requested this license for one million lines of code and they accepted this.

    I don't know what was already paid.

    Which other solutions did I evaluate?

    We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well. 

    What other advice do I have?

    We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.

    I would rate SonarQube an eight out of ten.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Anshuman Kishore - PeerSpot reviewer
    Director Product Development at Mycom Osi
    Real User
    Top 5 Leaderboard
    Reasonably priced, provides good code coverage and improves quality
    Pros and Cons
    • "The code coverage feature is very good."
    • "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."

    What is our primary use case?

    We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.

    What is most valuable?

    The code coverage feature is very good.

    What needs improvement?

    When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.

    SonarQube needs some improvement in its ability to find security-related issues.

    For how long have I used the solution?

    I have been using SonarQube for the past seven or eight years.

    What do I think about the stability of the solution?

    We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.

    What do I think about the scalability of the solution?

    We have not found any issues with respect to scalability. 

    How are customer service and technical support?

    I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.

    Which solution did I use previously and why did I switch?

    I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does. 

    How was the initial setup?

    I was not involved in the initial setup. However, I do know that it can be set up within one or two days.

    What about the implementation team?

    We have an in-house team for deployment and maintenance.

    What's my experience with pricing, setup cost, and licensing?

    I am satisfied with the pricing.

    What other advice do I have?

    In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer2261370 - PeerSpot reviewer
    Head Section Mobile Developer at a manufacturing company with 10,001+ employees
    Real User
    Top 5
    A scalable solution that needs integration with other tools
    Pros and Cons
    • "SonarQube is scalable. My company has 50 users."
    • "The product needs to integrate other security tools for security scanning."

    What needs improvement?

    The product needs to integrate other security tools for security scanning. 

    For how long have I used the solution?

    I have been using the product for a year. 

    What do I think about the scalability of the solution?

    SonarQube is scalable. My company has 50 users. 

    What other advice do I have?

    I rate SonarQube an eight out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer1258632 - PeerSpot reviewer
    Product Security Architect at a tech services company with 51-200 employees
    Real User
    Top 5
    A mature and admin-friendly solution that is easy to deploy and easy to maintain
    Pros and Cons
    • "SonarQube is admin friendly."
    • "SonarQube is not development-centric like Snyk."

    What is our primary use case?

    We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.

    What is most valuable?

    SonarQube is admin friendly.

    What needs improvement?

    SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.

    For how long have I used the solution?

    I have been using the solution for the last five years.

    What do I think about the stability of the solution?

    The solution is quite mature. We did not have many issues.

    What do I think about the scalability of the solution?

    The tool is very scalable.

    How are customer service and support?

    Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.

    Which solution did I use previously and why did I switch?

    I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.

    How was the initial setup?

    The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.

    What about the implementation team?

    Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.

    What's my experience with pricing, setup cost, and licensing?

    It's an open-source product. All other solutions are commercial.

    What other advice do I have?

    SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    reviewer1522716 - PeerSpot reviewer
    Project Manager at a manufacturing company with 1,001-5,000 employees
    Real User
    Great features, good code quality parameters, and is easy to set up
    Pros and Cons
    • "There's plenty of documentation available to users."
    • "There needs to be a shareable reporting piece or something we can click and generate easily."

    What is our primary use case?

    We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working: to ensure that whatever rules we have configured and whatever gates we have defined get passed before committing the code into the main branch.

    What is most valuable?

    I like almost all of the features. We were initially using all these techniques by using different tools. 

    The vulnerabilities and the code quality parameters are really important for us.

    The initial setup is easy.

    There's plenty of documentation available to users. 

    The solution is stable.

    The scalability is good.

    What needs improvement?

    The only feature which I think is lagging is the reporting, to generate a PDF report. That is not available currently in the developer version. However, if it were available in the developer version, then it would be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report could be sent over email, that would really help.

    For example, let's say I need to report to management, or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.

    The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

    What do I think about the stability of the solution?

    The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.

    What do I think about the scalability of the solution?

    We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.

    We plan on expanding and need more licenses. 

    How are customer service and support?

    When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation. 

    How was the initial setup?

    The initial setup is really straightforward. The support from SonarQube is really good. Enough documentation is also available. It's really straightforward to figure out how to do it.

    What's my experience with pricing, setup cost, and licensing?

    We purchased a SonarQube developer license. We do not have the enterprise version.

    We pay for licensing on a yearly basis.

    On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source version, it provides almost similar functions. Of course, there is some additional language support, among other things; however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source version for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.

    What other advice do I have?

    We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well. 

    The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.

    I'd rate the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.