Vice President at a financial services firm with 1,001-5,000 employees
Good reporting and works well for code timing, but is lacking in the security space
Pros and Cons
- "If you want to have your code scanned and timed then this is a good tool."
- "The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
What is our primary use case?
We primarily use this solution for code quality purposes. We have a CI/CD environment, without a lot of manual steps.
How has it helped my organization?
This solution figures out and tells you when there are code quality issues.
What is most valuable?
The quantification and reporting features are really good.
What needs improvement?
The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.
The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.
We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time.
For how long have I used the solution?
Two years.
What do I think about the stability of the solution?
We have been using this for quite a number of applications, and its stability is very good. The scan time is very fast because it is a text-based scan.
What do I think about the scalability of the solution?
We have not had any problems with scalability. We have a big organization with a lot of applications and all of our critical applications are on this platform. We are planning to increase the scope by adding less critical applications over time.
Which solution did I use previously and why did I switch?
We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution, we opted for this.
How was the initial setup?
The initial setup was not complex. It is pretty simple and straightforward.
What's my experience with pricing, setup cost, and licensing?
The costs for this application, for the kind of job it does, are pretty decent.
What other advice do I have?
This product is good but it is not meant to be a single solution for all issues.
If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong.
I would rate this solution a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
It easily ties into our continuous integration pipeline, but it is light on the security side
Pros and Cons
- "It is very good at identifying technical debt."
- "It easily ties into our continuous integration pipeline."
- "I find it is light on the security side."
What is our primary use case?
Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though.
We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.
How has it helped my organization?
- Higher code quality.
- Faster to market.
- Fewer errors.
What is most valuable?
- The issues it identifies.
- How easily it ties into our continuous integration pipeline.
- It is very good at identifying technical debt.
What needs improvement?
As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It seems to be very stable. I haven't had many issues with it.
We just upgraded to the 6.7 version, which has been performing well.
What do I think about the scalability of the solution?
We haven't had any issues to date. We haven't had a huge number of projects to date. We're slowly slowing the uptake from some of our internal teams, but it seems to be fairly scalable.
How is customer service and technical support?
I haven't had to use technical support.
How was the initial setup?
The initial setup was fairly straightforward.
What's my experience with pricing, setup cost, and licensing?
The price point on SonarQube is good.
Which other solutions did I evaluate?
We are looking into corporate security and a couple different tooling options for doing data code analysis and security scanning.
We have looked into a few options:
- We are looking at IBM AppScan.
- I am going to be running a small PoC next week with Veracode. I started doing a bit of research on Veracode, and I saw how it ties in compared with SonarQube.
What other advice do I have?
We are looking at using another product to complement it for security reasons.
Most important criteria when selecting a vendor:
- Usability of the product
- Responsiveness when we have issues.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Architect at an insurance company with 1,001-5,000 employees
An open-source platform for the continuous inspection of code quality with a useful code security feature
Pros and Cons
- "I like that it helps us maintain our work quality and code security."
- "Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
What is our primary use case?
We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started.
One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.
We were trying to serve two purposes, work quality and code security, with one tool. That's where our inclination was more towards Sonar, because other tools generally target code security only.
What is most valuable?
I like that it helps us maintain our work quality and code security.
What needs improvement?
Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.
For how long have I used the solution?
I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.
What do I think about the scalability of the solution?
In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.
How are customer service and technical support?
We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.
How was the initial setup?
The initial setup on-premise may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.
What's my experience with pricing, setup cost, and licensing?
We're using the Community Edition, and we don't pay for anything.
What other advice do I have?
On a scale from one to ten, I would give SonarQube a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Backend Architect at Sngular
It has very good scalability and stability
Pros and Cons
- "It has very good scalability and stability."
- "We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
What is our primary use case?
We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.
We usually deploy it in the cloud, but sometimes we also have on-premises solutions.
What is most valuable?
It has very good scalability and stability.
What needs improvement?
We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.
Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use Docker for the installation because it is easier to use.
Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.
For how long have I used the solution?
I have been using SonarQube for two years.
What do I think about the stability of the solution?
Its stability is very good.
What do I think about the scalability of the solution?
It has very good scalability. In my company, we have less than 15 users. They are mostly developers.
How are customer service and technical support?
I have not used the support.
Which solution did I use previously and why did I switch?
I have used Codestyle and a few other tools. SonarQube is similar to other tools.
How was the initial setup?
Its installation is a little bit complex. They can simplify the installation and make it easier.
Which other solutions did I evaluate?
We didn't evaluate other options.
What other advice do I have?
I would rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Architect at Dwr Cymru Welsh Water
Ensures that quality is not compromised between builds
Pros and Cons
- "The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
- "A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."
What is our primary use case?
Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.
How has it helped my organization?
This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between builds.
What is most valuable?
The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).
What needs improvement?
A robust credential scanner would be a huge bonus, as it would remove the need for yet another niche product with additional cost and would also give the benefit of a single-pane-of-glass view, although we still need WhiteSource Bolt for third-party library scanning. The integration into Docker builds could be better, as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. I have not looked into SSL for the management page yet, but I am hoping that goes smoothly.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
We have only used this solution for a few weeks, but so far we have had no issues at all.
What do I think about the scalability of the solution?
My impression of the scalability is good, as it appears that it can support a much larger number of projects than we have.
How are customer service and technical support?
We have had no need to contact technical support.
Which solution did I use previously and why did I switch?
I did not use another solution prior to this one.
How was the initial setup?
The setup took a bit of work, but that was because we were combining Docker, Kubernetes, Azure Key Vault, and the Azure PaaS SQL Server.
What about the implementation team?
We took care of the implementation in-house.
What was our ROI?
In terms of ROI, it is difficult to put a number against code quality. For the cost of hosting it, I would say very good if you do not have a solution to start with.
What's my experience with pricing, setup cost, and licensing?
A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.
Which other solutions did I evaluate?
We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of Software Engineering at a computer software company with 201-500 employees
Helps to monitor and manage violations but improvement is needed in integration with third-party platforms and scalability
Pros and Cons
- "The tool helps us to monitor and manage violations. It manages the bugs and security violations."
- "SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."
What is most valuable?
The tool helps us to monitor and manage violations. It manages the bugs and security violations.
What needs improvement?
SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability.
For how long have I used the solution?
I have been using the product for five years.
What do I think about the stability of the solution?
I rate the tool's stability a six out of ten.
What do I think about the scalability of the solution?
My company has 150 users for SonarQube.
How was the initial setup?
The tool's deployment is complex.
What's my experience with pricing, setup cost, and licensing?
The tool's pricing is reasonable.
What other advice do I have?
I rate the overall product a seven out of ten and would recommend it to others.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 29, 2024
Stable, beneficial code review, and efficient
Pros and Cons
- "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill and prioritization, and it is easy for me to review and make my code."
- "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
What is our primary use case?
We are using SonarQube for code reviews.
How has it helped my organization?
Code quality improvement and secure coding practices.
What is most valuable?
The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill and prioritization, and it is easy for me to review and make my code.
What needs improvement?
NA
For how long have I used the solution?
I have been using SonarQube for approximately five years.
What do I think about the stability of the solution?
The solution is stable.
How are customer service and support?
I have not needed to use technical support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse, and for the standalone code review features I have found SonarQube the most efficient.
How was the initial setup?
I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to implement it, but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.
The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.
What about the implementation team?
The solution does not require any maintenance.
What other advice do I have?
SonarQube fits my purpose. It doesn't cause any hassles for me.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
Effective security scanning, uncomplicated installation, and reliable
Pros and Cons
- "The fact that the solution does security scanning is valuable."
- "Having performance regression would be a helpful add on or ability to be able to do during the scan."
What is our primary use case?
We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.
What is most valuable?
The fact that the solution does security scanning is valuable. This is primarily why we use it. For code quality, we could utilize other tools, such as unit test coverage, which it gives you too, but having a more comprehensive tool is useful.
What needs improvement?
Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add on or ability to be able to do during the scan.
In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.
For how long have I used the solution?
I have been using the solution for approximately one year.
What do I think about the stability of the solution?
I have not run into any bugs or glitches. However, I have only been using it for a short time.
What do I think about the scalability of the solution?
The pipeline that I am currently building is being used by the platforms team, which is approximately three people. We use the solution as part of the automated code review process. As far as a larger perspective of who is actually benefiting from it, the development team is about 35 people.
How are customer service and technical support?
I have not needed to use technical support.
How was the initial setup?
The set up was very easy.
What other advice do I have?
I would recommend to those wanting to implement this solution to read the documentation; it is clear and easy to follow.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner