We use SonarQube to scan our security protection.
Senior Software Engineering Manager at Hill
A stable solution for analysis and security vulnerability checking
Pros and Cons
- "It is a very good tool for analysis and security vulnerability checking."
- "The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
What is our primary use case?
What is most valuable?
It is a very good tool for analysis and security vulnerability checking.
What needs improvement?
The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.
For how long have I used the solution?
I have been using this solution for a couple of weeks.
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
We haven't evaluated its scalability.
How are customer service and support?
I just use our internal IT to get support for SonarQube. That is enough for me.
Which solution did I use previously and why did I switch?
We were previously using Coverity. We used it for three years or so.
How was the initial setup?
We just use the Enterprise SonarQube instance provided by our company.
What other advice do I have?
I would recommend this solution. I would rate SonarQube an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Product Development at Mycom Osi
Reasonably priced, provides good code coverage and improves quality
Pros and Cons
- "The code coverage feature is very good."
- "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."
What is our primary use case?
We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.
What is most valuable?
The code coverage feature is very good.
What needs improvement?
When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.
SonarQube needs some improvement in its ability to find security-related issues.
For how long have I used the solution?
I have been using SonarQube for the past seven or eight years.
What do I think about the stability of the solution?
We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.
What do I think about the scalability of the solution?
We have not found any issues with respect to scalability.
How are customer service and technical support?
I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.
Which solution did I use previously and why did I switch?
I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does.
How was the initial setup?
I was not involved in the initial setup. However, I do know that it can be set up within one or two days.
What about the implementation team?
We have an in-house team for deployment and maintenance.
What's my experience with pricing, setup cost, and licensing?
I am satisfied with the pricing.
What other advice do I have?
In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTO at FPT Telecom
Automatically scans for code, detects vulnerabilities, and generates daily reports
Pros and Cons
- "It automatically scans for code, detects vulnerabilities, and generates daily reports."
- "After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
What is our primary use case?
We used SonarQube during the development period and AppScan after the system was deployed on the production site.
What is most valuable?
SonarQube is integrated with the CI/CD infrastructure. It automatically scans for code, detects vulnerabilities, and generates daily reports. SonarQube's integration with the CI/CD infrastructure helps us reduce the effort to scan the code manually.
What needs improvement?
After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report.
For how long have I used the solution?
I have been using SonarQube for six to seven years.
What do I think about the stability of the solution?
We haven’t faced any issues with the solution’s performance or stability.
How are customer service and support?
We don't have a support license for SonarQube. We currently use the open-source community, which provides us with much support from communities worldwide.
How was the initial setup?
The solution's initial setup is very easy. We have a team that handles the maintenance of SonarQube in the CI/CD environment.
What about the implementation team?
The solution's deployment takes about two weeks. We have a new software development project, and integrating it into the CI/CD system took about half a working day.
What's my experience with pricing, setup cost, and licensing?
We use the solution free of cost. SonarQube is a cost-efficient solution.
What other advice do I have?
I would recommend the solution to other users.
Overall, I rate the solution ten out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 29, 2024
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Code quality assurance solution that supports many coding languages
Pros and Cons
- "This solution has helped with the integration and building of our CICD pipeline."
- "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
What is our primary use case?
We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.
How has it helped my organization?
This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript and HTML/CSS. It also allows us to set custom quality gates and rules.
What needs improvement?
This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This solution could be scalable, specifically from a reporting perspective.
How are customer service and support?
I would rate the customer support for this solution a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously used Checkmarx, Blackbelt and WhiteSource.
What was our ROI?
We have experienced a good return on investment using this solution.
What other advice do I have?
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Product Manager at a financial services firm with 10,001+ employees
Less false positive scans, covers entire developer community, but support could improve
Pros and Cons
- "When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
- "SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."
What is our primary use case?
SonarQube delivers a continuous inspection of code quality.
What is most valuable?
When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
The stability of SonarQube is good.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
How are customer service and support?
SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.
How was the initial setup?
SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.
What other advice do I have?
I rate SonarQube a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer at a pharma/biotech company with 201-500 employees
Good static code analysis and benchmarking but the library could support more languages
Pros and Cons
- "The most valuable features are the segregation containment and the suspension of product services."
- "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."
What is our primary use case?
The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences.
Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.
What is most valuable?
The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.
What needs improvement?
The library could have more languages that are supported. It would be helpful.
There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.
MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.
It would be great to have a dependency tree with each line of your code based on an OWASP Top Ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.
Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.
I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
The stability is good.
The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.
What do I think about the scalability of the solution?
Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently.
We have 50 developers' licenses.
There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.
It is integrated with our CICD department and is being used extensively.
We do have plans to increase the usage of SonarQube.
Which solution did I use previously and why did I switch?
We have used open-source origins of the tools.
PCI is an open-source solution that we used before, and we used Snyk as well.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
We did not use a vendor team, it was done by us.
What's my experience with pricing, setup cost, and licensing?
The developer edition is based on cost per lines of code.
Which other solutions did I evaluate?
Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.
We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.
What other advice do I have?
The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.
The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Simple implementation, effective scanning, and tracking
Pros and Cons
- "SonarQube is useful for controlling all of our Azure task tracking and scanning."
- "SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."
What is our primary use case?
We are using SonarQube for static analyzing and finding vulnerabilities in our code.
What is most valuable?
Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.
What needs improvement?
SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the stability of the solution?
SonarQube is a highly stable solution.
What do I think about the scalability of the solution?
I have found SonarQube to be scalable.
We have 20 to 25 specialists using SonarQube in my organization.
We have plans to increase the usage of the solution.
How are customer service and support?
We search Google for solutions to any problems we may face.
How was the initial setup?
The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment (CI/CD).
What about the implementation team?
We did the implementation of the solution ourselves.
We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.
What's my experience with pricing, setup cost, and licensing?
The free version of SonarQube does everything that we need it to.
Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.
What other advice do I have?
I highly recommend this solution to others.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director IT Security, CISO at a transportation company with 10,001+ employees
Cost-effective with good out-of-the-box features
Pros and Cons
- "I like the by-default policies that are there, as they seem to cover most of what I need."
- "The interface could be a little better and should be enhanced."
What is our primary use case?
I have used SonarQube for static code analysis. I am using it to assess my internal applications.
What is most valuable?
I like the by-default policies that are there, as they seem to cover most of what I need. I see that as an essential feature.
What needs improvement?
The interface could be a little better and should be enhanced.
More support for integration with third-party products would be an improvement.
For how long have I used the solution?
I have been using SonarQube for more than five years.
What do I think about the stability of the solution?
I have not faced any bugs or glitches in SonarQube.
How are customer service and technical support?
I have not been in contact with technical support, although my teams would have definitely reached out.
How was the initial setup?
I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid setup because every environment has its own applications to deploy. That said, it was not so critical that we were not able to manage it.
What about the implementation team?
We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.
What's my experience with pricing, setup cost, and licensing?
SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.
Which other solutions did I evaluate?
You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.
When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.
What other advice do I have?
This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.
In the future, I may look into deploying SonarQube in a hybrid model.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.