It prevents some vulnerabilities in the production environment.
Test Expert at Saudi Telecom Company
Prevents vulnerabilities, supports most languages and built-in procedures
Pros and Cons
- "I like that it covers most programming languages for source code review."
- "The BPM language is important and should be considered in SonarQube."
How has it helped my organization?
What is most valuable?
I like that it covers most programming languages for source code review.
I also like the procedures that are already built-in that cover most of the items that already exist.
What needs improvement?
SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.
The BPM language is important and should be considered in SonarQube.
It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approximately 20% of the CPU utilization.
Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.
There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.
I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.
For how long have I used the solution?
We have been dealing with SonarQube for more than one year.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is stable in the system environment processes.
What do I think about the scalability of the solution?
We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.
How are customer service and support?
We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.
Which solution did I use previously and why did I switch?
We only use SonarQube with SonarScanner.
How was the initial setup?
The initial setup is simple and straightforward.
What about the implementation team?
I am a consultant and my team completed the system server.
What's my experience with pricing, setup cost, and licensing?
I requested this license for one million lines of code and they accepted this.
I don't know what was already paid.
Which other solutions did I evaluate?
We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well.
What other advice do I have?
We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Software Engineering Manager at Hill
A stable solution for analysis and security vulnerability checking
Pros and Cons
- "It is a very good tool for analysis and security vulnerability checking."
- "The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
What is our primary use case?
We use SonarQube to scan our security protection.
What is most valuable?
It is a very good tool for analysis and security vulnerability checking.
What needs improvement?
The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.
For how long have I used the solution?
I have been using this solution for a couple of weeks.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
We haven't evaluated its scalability.
How are customer service and technical support?
I just use our internal IT to get support for SonarQube. That is enough for me.
Which solution did I use previously and why did I switch?
We were previously using Coverity. We used it for three years or so.
How was the initial setup?
We just use the Enterprise SonarQube instance provided by our company.
What other advice do I have?
I would recommend this solution. I would rate SonarQube an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Product Development at Mycom Osi
Reasonably priced, provides good code coverage and improves quality
Pros and Cons
- "The code coverage feature is very good."
- "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
What is our primary use case?
We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.
What is most valuable?
The code coverage feature is very good.
What needs improvement?
When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.
SonarQube needs some improvement in its ability to find security-related issues.
For how long have I used the solution?
I have been using SonarQube for the past seven or eight years.
What do I think about the stability of the solution?
We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.
What do I think about the scalability of the solution?
We have not found any issues with respect to scalability.
How are customer service and technical support?
I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.
Which solution did I use previously and why did I switch?
I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does.
How was the initial setup?
I was not involved in the initial setup. However, I do know that it can be set up within one or two days.
What about the implementation team?
We have an in-house team for deployment and maintenance.
What's my experience with pricing, setup cost, and licensing?
I am satisfied with the pricing.
What other advice do I have?
In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTO at FPT Telecom
Automatically scans for code, detects vulnerabilities, and generates daily reports
Pros and Cons
- "It automatically scans for code, detects vulnerabilities, and generates daily reports."
- "After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
What is our primary use case?
We used SonarQube during the development period and AppScan after the system was deployed on the production site.
What is most valuable?
SonarQube is integrated with the CI/CD infrastructure. It automatically scans for code, detects vulnerabilities, and generates daily reports. SonarQube's integration with the CI/CD infrastructure helps us reduce the effort to scan the code manually.
What needs improvement?
After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report.
For how long have I used the solution?
I have been using SonarQube for six to seven years.
What do I think about the stability of the solution?
We haven’t faced any issues with the solution’s performance or stability.
How are customer service and support?
We don't have a support license for SonarQube. We currently use the open-source community, which provides us with much support from communities worldwide.
How was the initial setup?
The solution's initial setup is very easy. We have a team that handles the maintenance of SonarQube in the CI/CD environment.
What about the implementation team?
The solution's deployment takes about two weeks. We have a new software development project, and integrating it into the CI/CD system took about half a working day.
What's my experience with pricing, setup cost, and licensing?
We use the solution free of cost. SonarQube is a cost-efficient solution.
What other advice do I have?
I would recommend the solution to other users.
Overall, I rate the solution ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 29, 2024
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Code quality assurance solution that supports many coding languages
Pros and Cons
- "This solution has helped with the integration and building of our CI/CD pipeline."
- "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
What is our primary use case?
We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.
How has it helped my organization?
This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript and HTML/CSS. It also allows us to set custom quality gates and rules.
What needs improvement?
This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This solution could be scalable, specifically from a reporting perspective.
How are customer service and support?
I would rate the customer support for this solution a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously used Checkmarx, Blackbelt and WhiteSource.
What was our ROI?
We have experienced a good return on investment using this solution.
What other advice do I have?
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Product Manager at a financial services firm with 10,001+ employees
Less false positive scans, covers entire developer community, but support could improve
Pros and Cons
- "When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
- "SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
What is our primary use case?
SonarQube delivers a continuous inspection of code quality.
What is most valuable?
When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
The stability of SonarQube is good.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
How are customer service and support?
SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.
How was the initial setup?
SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.
What other advice do I have?
I rate SonarQube a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer at a pharma/biotech company with 201-500 employees
Good static code analysis and benchmarking but the library could support more languages
Pros and Cons
- "The most valuable features are the segregation containment and the suspension of product services."
- "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
What is our primary use case?
The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences.
Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.
What is most valuable?
The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.
What needs improvement?
The library could have more languages that are supported. It would be helpful.
There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.
MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.
It would be great to have a dependency tree with each line of your code based on an OWASP Top Ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.
Automated patching for my library, variable audience, and support for the client in the CI/CD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.
I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
The stability is good.
The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.
What do I think about the scalability of the solution?
Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently.
We have 50 developers' licenses.
There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.
It is integrated with our CI/CD department and is being used extensively.
We do have plans to increase the usage of SonarQube.
Which solution did I use previously and why did I switch?
We have used open-source origins of the tools.
PCI is an open-source solution that we used before, and we used Snyk as well.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
We did not use a vendor team, it was done by us.
What's my experience with pricing, setup cost, and licensing?
The developer edition is based on cost per lines of code.
Which other solutions did I evaluate?
Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.
We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.
What other advice do I have?
The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.
The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good ROI, easy to install but it could use more functionality, and faster updates
Pros and Cons
- "The most valuable feature of this solution is that it is free."
- "There could be better integration with other products."
What is our primary use case?
We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.
What is most valuable?
The most valuable feature of this solution is that it is free.
What needs improvement?
There could be better integration with other products.
It could have more functionality, and the updates could be faster.
People must be trained extensively before they can use it.
For how long have I used the solution?
I have been using SonarQube for three years.
It's a software as a service that you can access from on-premise.
What do I think about the stability of the solution?
The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.
What do I think about the scalability of the solution?
More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.
How are customer service and support?
I have not contacted technical support.
Which solution did I use previously and why did I switch?
Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.
How was the initial setup?
The initial setup was straightforward. It only took about two weeks to deploy.
Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.
What about the implementation team?
I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.
What was our ROI?
We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.
What's my experience with pricing, setup cost, and licensing?
It's an open-source solution, with no additional costs.
Which other solutions did I evaluate?
We evaluated other products such as Veracode, Checkmarx as well as SonarQube.
The main difference is that SonarQube is free.
What other advice do I have?
I am an expert in so many things, including security. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.
Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about the security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.
I would rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free SonarQube Server (formerly SonarQube) Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024