Try our new research platform with insights from 80,000+ expert users
PeerSpot user
Head of Software Delivery at a tech services company with 51-200 employees
Real User
Provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production
Pros and Cons
  • "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."

    What is our primary use case?

    Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

    We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

    This way we ensure that no core/fundamental issues are added to our codebases. 

    How has it helped my organization?

    It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results. 

    Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

    We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

    What is most valuable?

    By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

    The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

    Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

    What needs improvement?

    It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

    Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

    When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

    Buyer's Guide
    SonarQube Server (formerly SonarQube)
    October 2024
    Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
    814,528 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using SonarQube for five years.

    What do I think about the stability of the solution?

    Good, I have not really had many issues with it. No major ones either. 

    What do I think about the scalability of the solution?

    It all depends on where/how you are hosting it. The tool itself scales well. 

    Which solution did I use previously and why did I switch?

    I have used Checkmarx and also tried a demo of Veracode. 

    Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

    Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

    How was the initial setup?

    It's very straightforward for a SaaS setup. 

    For a self-hosted setup, it is documented well and fairly easy. 

    What about the implementation team?

    We implemented in-house.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

    Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

    Which other solutions did I evaluate?

    We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

    What other advice do I have?

    Security analysis is a MUST. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Lead Engineer at a healthcare company with 10,001+ employees
    Real User
    Great birds-eye view dashboard with detailed code metrics in the drill-down
    Pros and Cons
    • "We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
    • "We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."

    What is our primary use case?

    We're collecting code quality metrics.

    How has it helped my organization?

    We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.

    What is most valuable?

    I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and things like that. It gives you a nice dashboard where you can just look at a birds-eye view.

    What needs improvement?

    We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course, that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.

    On the other hand, there are published books available. However, the one problem I ran into is they were a little bit out of date. They're still very helpful, but we had to kind of translate from the previous version that was covered in the published books to what's actually available now.

    An improvement I would like to see would be on the part of the authors to come out with a new edition or revision that covers some of the newer features of SonarQube and newer configurations. I'd buy a copy.

    In terms of additional features, it's actually a very complete solution from what we have seen. Again, I would like the authors to revise their books. I think even ordinary people that are using the licensed model with direct support could walk through some different use cases, just from having been around the block a few times. There are enough things that the software does that this could be very beneficial. Even beyond the technical issues of installation, there are further use cases that could be helpful. For instance, how to get the big bang from the buck out of it.

    For how long have I used the solution?

    We've been using SonarQube for around eight months.

    What do I think about the stability of the solution?

    We use C++ and a lot of Python. Another group in our company is using Java. SonarQube is more directly suited for Java, being almost built into it, whereas C++ requires some extensions. The Java group is using a newer version. We were kind of hoping to piggyback on theirs but SonarQube did not create newer versions of the C++ interfaces as open source. It's starts costing money so we haven't crossed that threshold yet. We haven't established a clear path.

    What do I think about the scalability of the solution?

    I think if you're going to get the paid model, I get the impression it would do pretty much everything you need as far as metrics go.

    A colleague of mine did some work looking at some plugins for Visual Studio and things like that, but they weren't going to work out, so we did take a look at some other options where they could have everything done on the desktop. Our solution in place now requires an infrastructure where it doesn't look at your code, but rather the code that you last checked in, which takes some levels of complexity that we've kind of built-in anyway. It's a little less intuitive how it works to the casual observer. It's set up now to where they don't have to know how it works, they can just go to the web interface and see it.

    There are about eight programmers in our section of the solution. So we're kind of a smaller shop compared to some, but larger than many.

    Certainly right now I think SonarQube is being underutilized, just because old habits die hard. If I had any say I would like to change that. We had coding standards in place, but they were written documents, whereas SonarQube takes that to another level and you had to look at the specification to see what you said you were going to do. It also tells you what the industry norms are, and whether or not you're meeting them. We have had some discussions about which we want to do. If we want it to happen automatically or if we want to go look for it again ourselves. I cast my vote in the automatic way because the research has already been done by the SonarQube community to come up with these roles, rules, coding standards, etc.

    It wasn't done in a vacuum. The agile community has been beating on issues like this for a long time, and they're getting to a point that it's becoming a self-sustaining method.

    How are customer service and technical support?

    They do have a lot of information on their website for the parts that they're offering free. We don't have licensing but there is a lot of information, it's just a matter of digging for it and you have to infer a few things. With the proper amount of agony we've managed to get there. There are some subtleties as far as configuration parameters. It does it one way, but we'd really like to do it a different way. Finding that magic incantation to flip that switch is not always in bold print so to speak.

    Even for the freebie community which we're in, they haven't held back information. The information is out there to do some amazing stuff with it, but you've got to get your shovel and go dig it up.

    We do have some other licensed software and when you look for information on their product, all roads lead to them and when you get there, you log in with your account that costs tens of thousands of dollars. SonarQube isn't like that. They don't hold the information back but you just have to go find it on their website by yourself.

    Which solution did I use previously and why did I switch?

    We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.

    How was the initial setup?

    The initial setup was complex because we were using the Community Edition. We did have some issues with the compatibility of the different components. For example, there is the server itself, but then you can plug in different packages, like the C++ package. We've also experimented a little bit with Python metrics, but unfortunately we don't have a project that's really under that control yet, to really get a feel for how that works.

    Configuration issues were pretty complicated, but once we got things up and running, it's been extremely stable, it was kind of maintenance-free, now, although we have a time issue. Of the scans that it does, it could be somewhat time-consuming, so originally some of the developers would say, "Well we want to be able to do that on our desktop." I told them, "I don't think you know what you're asking for, here." But as an alternative, we have it set up with our continuous integration server, which we use in TeamCity by the way. In the middle of the night, it automatically runs a scan for them, while they're in bed at home asleep so their results will be ready the next morning. This way, whatever they have most recently checked in, they can see the results right there. And then it runs in the background so it doesn't matter how long it takes per se, it gets it done by the next time they come in. That's part of what continuous integration does, it does things for you that years ago people would do themselves, and never get around to it.

    What about the implementation team?

    We spent a couple of weeks getting things figured out. I worked with an apprentice, who was kind of going through the motions.

    We chose to use a Red Hat operating system for the base. It's running on a Red Hat 7 server which contributes to the stability from the foundation, then installed the actual SonarQube server on Red Hat. That's when we had the compatibility issues and so on when we started installing the scan engines on top of that. That's when things were not compatible with each other and we had to fall back and figure out why things weren't plugging and playing. However, they did have on their website a sheet that had a little chart that showed the compatibility between the different versions and once we discovered that I was able to see which version can work with which.

    We didn't have to change the OS or the SonarQube's service itself, but the C++ extension. The version of the C++ extension we were using was not compatible with the Community Edition we had.

    We've had a consultant at one point, not to look specifically at SonarQube, but rather at our firmer development processes as a whole. He's the one that played us towards SonarQube being a reasonable option. In fact, he was the one that helped us in finding the compatibility chart.

    It's been mostly me doing the implementation on my own. I haven't been full time on it, but about half of my time is devoted to this. I do take some breaks and write some code and do some refactoring on occasion.

    As far as time on SonarQube itself, only about a tenth of a person is devoted to this. It's part of an infrastructure. I have a whole family of virtual machines that do different things: build, test, etc..

    Which other solutions did I evaluate?

    We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how it works because they all do mostly the same thing. Some of them focus more on Java, some more on C++. I think Java seems to be the favorite. As far as what they can really do for you, there didn't seem to be any one of them that does ten times what another does. There were some differences, but not no show-stoppers that I recall. I guess the advice would be that one of several tools could do a good job for you, but you still have to manage it and manage the behavior that goes along with it.

    What other advice do I have?

    I would rate SonarQube as a nine out of ten.

    Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control.

    I have one graph here where there are probably 50 bubbles. There's one axis that shows technical death, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. 

    If you hover over the bubble, it tells you what module it is. How many lines of code. Technical death and manpower estimate, things like that.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    SonarQube Server (formerly SonarQube)
    October 2024
    Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
    814,528 professionals have used our research since 2012.
    DevOps Lead at a marketing services firm with 1,001-5,000 employees
    Real User
    Top 20
    Used for code quality testing and helps streamline coding practices in an organization
    Pros and Cons
    • "The integrations SonarQube provides with our software delivery pipeline are very seamless."
    • "SonarQube could improve its static application security testing as per the industry standard."

    What is our primary use case?

    We use SonarQube mostly for code quality testing.

    What is most valuable?

    The integrations SonarQube provides with our software delivery pipeline are very seamless. The main benefit of using SonarQube in our organization was having a clean code with fewer static vulnerabilities within the application.

    What needs improvement?

    SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.

    For how long have I used the solution?

    I have been using SonarQube for a few years.

    What do I think about the stability of the solution?

    SonarQube is a stable solution.

    What do I think about the scalability of the solution?

    Around 20 to 25 people use the solution in my team.

    How was the initial setup?

    The solution’s initial setup is straightforward.

    What about the implementation team?

    The solution can be deployed within a couple of days. We don’t need many people to deploy SonarQube. It is not difficult to maintain the solution.

    What other advice do I have?

    We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time.

    I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint.

    I would recommend users to try out the open source version of SonarQube. If that doesn't suffice their needs, then they can go for an enterprise version.

    Overall, I rate SonarQube an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Sr DevOps Engineer at incatech
    Real User
    Open-source with great extensions and great for identifying bugs
    Pros and Cons
    • "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
    • "You may need to purchase add-ons to get the useability you desire."

    What is our primary use case?

    We use the product in our pipeline. We primarily use it for development testing tool.

    How has it helped my organization?

    We can see what's being flagged by whatever requirements in the environment that we're going to. SonarCube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions that can tighten down the developer's coding.

    What is most valuable?

    It's convenient due to the fact that it's open-source. 

    We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool. 

    Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for, However, that add-on has additional functionality that the base software may not necessarily have in its core.

    For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.

    What needs improvement?

    The solution is still maturing a bit.

    You may need to purchase add-ons to get the useability you desire.

    For how long have I used the solution?

    We've been using the solution for about two years at this point.

    What's my experience with pricing, setup cost, and licensing?

    The solution is open-source. It's free to use. 

    What other advice do I have?

    Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.

    I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Daniel Antonio Jimenez Quintana - PeerSpot reviewer
    IT Systems Architect at Banco Ripley
    Real User
    Open-source, secure static testing, but cannot be used for dynamic testing
    Pros and Cons
    • "It provides the security that is required from a solution for financial businesses."
    • "We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."

    What is our primary use case?

    We use SonarQube for testing and quality assurance. We use this in banks for testing.

    We also use SonarQube for security static testing.

    What is most valuable?

    It provides the security that is required from a solution for financial businesses.

    What needs improvement?

    SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.

    I would like to see software included that can be used with Waterfall projects.

    Which solution did I use previously and why did I switch?

    We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.

    What's my experience with pricing, setup cost, and licensing?

    We have partnered with B2B American to help with the purchasing of the license.

    We have just been approved to purchase SonarQube Developer Edition.

    We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment.

    It's an open-source solution.

    Which other solutions did I evaluate?

    We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.

    We are looking for the newest technologies but the biggest stopper for us is money.

    What other advice do I have?

    For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation.

    It has been very difficult. Last year many projects stopped.

    I would rate SonarQube a six out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Country Manager Senegal at a financial services firm with 10,001+ employees
    Real User
    Ensures a high quality of code, but would be improved with better support for security
    Pros and Cons
    • "SonarQube is good for checking and maintaining code quality."
    • "I would like to see more options for security, beyond the basics like SQL injection."

    What is our primary use case?

    We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.

    What is most valuable?

    SonarQube is good for checking and maintaining code quality.

    What needs improvement?

    It would be nice is SonarQube analyzed external libraries, in addition to our current code.

    I would like to see more options for security, beyond the basics like SQL injection.

    For how long have I used the solution?

    Five years.

    What do I think about the stability of the solution?

    The stability of this solution is quite good.

    What do I think about the scalability of the solution?

    I think that scalability is fine. We have a large number of users at my company.

    The majority of the users for this solution are architects, but some technical managers use it too.

    Which solution did I use previously and why did I switch?

    We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

    How was the initial setup?

    This initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.

    We have this tool integrated with Jenkins.

    One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.

    Three or four staff are enough for deployment and maintenance.

    What was our ROI?

    We have seen a return of investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability. 

    Which other solutions did I evaluate?

    We did not evaluate other options before choosing this solution.

    What other advice do I have?

    This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.

    If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.

    I would rate this solution a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Infosec Consultant at Anzen Technologies
    Consultant
    Top 10
    Has a user-friendly UI and can be used for secure code review
    Pros and Cons
    • "The solution's user interface is very user-friendly."
    • "It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."

    What is our primary use case?

    We used SonarQube for secure code review.

    What is most valuable?

    The solution's user interface is very user-friendly. The solution also provides good efficiency.

    What needs improvement?

    It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.

    For how long have I used the solution?


    What do I think about the stability of the solution?

    I rate the solution a seven out of ten for stability.

    What do I think about the scalability of the solution?

    I rate the solution a nine out of ten for scalability.

    How was the initial setup?

    On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

    What about the implementation team?

    It takes around one hour to deploy SonarQube.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code. We didn't pay for SonarQube. We used a free version of the solution because we had a small amount of code.

    What other advice do I have?

    We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code.

    SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube.

    We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions.

    We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution.

    Overall, I rate the solution a nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Program Manager at a computer software company with 1,001-5,000 employees
    Real User
    Stable, beneficial code review, and efficient
    Pros and Cons
    • "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
    • "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."

    What is our primary use case?

    We are using SonarQube for code reviews. 

    How has it helped my organization?

    Code quality improvement, Secure coding pracitices 

    What is most valuable?

    The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

    What needs improvement?

    NA

    For how long have I used the solution?

    I have been using SonarQube for approximately five years.

    What do I think about the stability of the solution?

    The solution is stable.

    How are customer service and support?

    I have not needed to use technical support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

    How was the initial setup?

    I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

    The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

    What about the implementation team?

    The solution does not require any maintenance.

    What other advice do I have?

    SonarQube fits my purpose. It doesn't cause any hassles for me.

    I rate SonarQube a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros sharing their opinions.
    Updated: October 2024
    Buyer's Guide
    Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros sharing their opinions.