SonarQube Server (formerly SonarQube) Reviews

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

This way we ensure that no core/fundamental issues are added to our codebases. 

It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results. 

Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

I have been using SonarQube for five years.

Good, I have not really had many issues with it. No major ones either. 

It all depends on where/how you are hosting it. The tool itself scales well. 

I have used Checkmarx and also tried a demo of Veracode. 

Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

It's very straightforward for a SaaS setup. 

For a self-hosted setup, it is documented well and fairly easy. 

We implemented in-house.

SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

Security analysis is a MUST. 

We're collecting code quality metrics.

We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.

I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and things like that. It gives you a nice dashboard where you can just look at a birds-eye view.

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course, that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.

On the other hand, there are published books available. However, the one problem I ran into is they were a little bit out of date. They're still very helpful, but we had to kind of translate from the previous version that was covered in the published books to what's actually available now.

An improvement I would like to see would be on the part of the authors to come out with a new edition or revision that covers some of the newer features of SonarQube and newer configurations. I'd buy a copy.

In terms of additional features, it's actually a very complete solution from what we have seen. Again, I would like the authors to revise their books. I think even ordinary people that are using the licensed model with direct support could walk through some different use cases, just from having been around the block a few times. There are enough things that the software does that this could be very beneficial. Even beyond the technical issues of installation, there are further use cases that could be helpful. For instance, how to get the big bang from the buck out of it.

We use C++ and a lot of Python. Another group in our company is using Java. SonarQube is more directly suited for Java, being almost built into it, whereas C++ requires some extensions. The Java group is using a newer version. We were kind of hoping to piggyback on theirs but SonarQube did not create newer versions of the C++ interfaces as open source. It's starts costing money so we haven't crossed that threshold yet. We haven't established a clear path.

I think if you're going to get the paid model, I get the impression it would do pretty much everything you need as far as metrics go.

A colleague of mine did some work looking at some plugins for Visual Studio and things like that, but they weren't going to work out, so we did take a look at some other options where they could have everything done on the desktop. Our solution in place now requires an infrastructure where it doesn't look at your code, but rather the code that you last checked in, which takes some levels of complexity that we've kind of built-in anyway. It's a little less intuitive how it works to the casual observer. It's set up now to where they don't have to know how it works, they can just go to the web interface and see it.

There are about eight programmers in our section of the solution. So we're kind of a smaller shop compared to some, but larger than many.

Certainly right now I think SonarQube is being underutilized, just because old habits die hard. If I had any say I would like to change that. We had coding standards in place, but they were written documents, whereas SonarQube takes that to another level and you had to look at the specification to see what you said you were going to do. It also tells you what the industry norms are, and whether or not you're meeting them. We have had some discussions about which we want to do. If we want it to happen automatically or if we want to go look for it again ourselves. I cast my vote in the automatic way because the research has already been done by the SonarQube community to come up with these roles, rules, coding standards, etc.

It wasn't done in a vacuum. The agile community has been beating on issues like this for a long time, and they're getting to a point that it's becoming a self-sustaining method.

They do have a lot of information on their website for the parts that they're offering free. We don't have licensing but there is a lot of information, it's just a matter of digging for it and you have to infer a few things. With the proper amount of agony we've managed to get there. There are some subtleties as far as configuration parameters. It does it one way, but we'd really like to do it a different way. Finding that magic incantation to flip that switch is not always in bold print so to speak.

Even for the freebie community which we're in, they haven't held back information. The information is out there to do some amazing stuff with it, but you've got to get your shovel and go dig it up.

We do have some other licensed software and when you look for information on their product, all roads lead to them and when you get there, you log in with your account that costs tens of thousands of dollars. SonarQube isn't like that. They don't hold the information back but you just have to go find it on their website by yourself.

We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.

The initial setup was complex because we were using the Community Edition. We did have some issues with the compatibility of the different components. For example, there is the server itself, but then you can plug in different packages, like the C++ package. We've also experimented a little bit with Python metrics, but unfortunately we don't have a project that's really under that control yet, to really get a feel for how that works.

Configuration issues were pretty complicated, but once we got things up and running, it's been extremely stable, it was kind of maintenance-free, now, although we have a time issue. Of the scans that it does, it could be somewhat time-consuming, so originally some of the developers would say, "Well we want to be able to do that on our desktop." I told them, "I don't think you know what you're asking for, here." But as an alternative, we have it set up with our continuous integration server, which we use in TeamCity by the way. In the middle of the night, it automatically runs a scan for them, while they're in bed at home asleep so their results will be ready the next morning. This way, whatever they have most recently checked in, they can see the results right there. And then it runs in the background so it doesn't matter how long it takes per se, it gets it done by the next time they come in. That's part of what continuous integration does, it does things for you that years ago people would do themselves, and never get around to it.

We spent a couple of weeks getting things figured out. I worked with an apprentice, who was kind of going through the motions.

We chose to use a Red Hat operating system for the base. It's running on a Red Hat 7 server which contributes to the stability from the foundation, then installed the actual SonarQube server on Red Hat. That's when we had the compatibility issues and so on when we started installing the scan engines on top of that. That's when things were not compatible with each other and we had to fall back and figure out why things weren't plugging and playing. However, they did have on their website a sheet that had a little chart that showed the compatibility between the different versions and once we discovered that I was able to see which version can work with which.

We didn't have to change the OS or the SonarQube's service itself, but the C++ extension. The version of the C++ extension we were using was not compatible with the Community Edition we had.

We've had a consultant at one point, not to look specifically at SonarQube, but rather at our firmer development processes as a whole. He's the one that played us towards SonarQube being a reasonable option. In fact, he was the one that helped us in finding the compatibility chart.

It's been mostly me doing the implementation on my own. I haven't been full time on it, but about half of my time is devoted to this. I do take some breaks and write some code and do some refactoring on occasion.

As far as time on SonarQube itself, only about a tenth of a person is devoted to this. It's part of an infrastructure. I have a whole family of virtual machines that do different things: build, test, etc..

We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how it works because they all do mostly the same thing. Some of them focus more on Java, some more on C++. I think Java seems to be the favorite. As far as what they can really do for you, there didn't seem to be any one of them that does ten times what another does. There were some differences, but not no show-stoppers that I recall. I guess the advice would be that one of several tools could do a good job for you, but you still have to manage it and manage the behavior that goes along with it.

I would rate SonarQube as a nine out of ten.

Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control.

I have one graph here where there are probably 50 bubbles. There's one axis that shows technical death, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. 

If you hover over the bubble, it tells you what module it is. How many lines of code. Technical death and manpower estimate, things like that.

We use SonarQube mostly for code quality testing.

The integrations SonarQube provides with our software delivery pipeline are very seamless. The main benefit of using SonarQube in our organization was having a clean code with fewer static vulnerabilities within the application.

SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.

I have been using SonarQube for a few years.

SonarQube is a stable solution.

Around 20 to 25 people use the solution in my team.

The solution’s initial setup is straightforward.

The solution can be deployed within a couple of days. We don’t need many people to deploy SonarQube. It is not difficult to maintain the solution.

We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time.

I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint.

I would recommend users to try out the open source version of SonarQube. If that doesn't suffice their needs, then they can go for an enterprise version.

Overall, I rate SonarQube an eight out of ten.

We use the product in our pipeline. We primarily use it for development testing tool.

We can see what's being flagged by whatever requirements in the environment that we're going to. SonarCube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions that can tighten down the developer's coding.

It's convenient due to the fact that it's open-source. 

We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool. 

Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CICB tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for, However, that add-on has additional functionality that the base software may not necessarily have in its core.

For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.

The solution is still maturing a bit.

You may need to purchase add-ons to get the useability you desire.

We've been using the solution for about two years at this point.

The solution is open-source. It's free to use. 

Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.

I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

We use SonarQube for testing and quality assurance. We use this in banks for testing.

We also use SonarQube for security static testing.

It provides the security that is required from a solution for financial businesses.

SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.

I would like to see software included that can be used with Waterfall projects.

We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.

We have partnered with B2B American to help with the purchasing of the license.

We have just been approved to purchase SonarQube Developer Edition.

We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment.

It's an open-source solution.

We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.

We are looking for the newest technologies but the biggest stopper for us is money.

For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation.

It has been very difficult. Last year many projects stopped.

I would rate SonarQube a six out of ten.

We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.

SonarQube is good for checking and maintaining code quality.

It would be nice is SonarQube analyzed external libraries, in addition to our current code.

I would like to see more options for security, beyond the basics like SQL injection.

The stability of this solution is quite good.

I think that scalability is fine. We have a large number of users at my company.

The majority of the users for this solution are architects, but some technical managers use it too.

We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

This initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.

We have this tool integrated with Jenkins.

One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.

Three or four staff are enough for deployment and maintenance.

We have seen a return of investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability. 

We did not evaluate other options before choosing this solution.

This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.

If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.

I would rate this solution a seven out of ten.

We used SonarQube for secure code review.

The solution's user interface is very user-friendly. The solution also provides good efficiency.

It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.

I rate the solution a seven out of ten for stability.

I rate the solution a nine out of ten for scalability.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

It takes around one hour to deploy SonarQube.

SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code. We didn't pay for SonarQube. We used a free version of the solution because we had a small amount of code.

We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code.

SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube.

We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions.

We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution.

Overall, I rate the solution a nine out of ten.

We are using SonarQube for code reviews. 

Code quality improvement, Secure coding pracitices 

The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

NA

I have been using SonarQube for approximately five years.

The solution is stable.

I have not needed to use technical support.

Positive

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

The solution does not require any maintenance.

SonarQube fits my purpose. It doesn't cause any hassles for me.

I rate SonarQube a nine out of ten.