SonarQube Server (formerly SonarQube) Reviews

The tool helps us to monitor and manage violations. It manages the bugs and security violations. 

SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability. 

I have been using the product for five years. 

I rate the tool's stability a six out of ten. 

My company has 150 users for SonarQube. 

The tool's deployment is complex. 

The tool's pricing is reasonable. 

I rate the overall product a seven out of ten and would recommend it to others. 

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports including Java, dotNET, Typescript and HTML CSS. It also allows us to set custom quality gates and rules.

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

I have used this solution for three years. 

This is a stable solution. 

This solution could be scalable, specifically from a reporting perspective. 

I would rate the customer support for this solution a seven out of ten. 

Neutral

I have previously used Checkmarx, Blackbelt and WhiteSource.

We have experienced a good return on investment using this solution. 

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

I have been using SonarQube for approximately two years.

SonarQube is a highly stable solution.

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

We search Google for solutions to any problems we may face.

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment(CI/CD). 

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube. 

The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers. 

There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive. 

I've been using this solution for six years. 

The product is stable although maintenance is a little cumbersome. 

The product is scalable but there are some concerns. You need to regularly do a cleanup of the lines of codes that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance. 

There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include  technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.

Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.

SonarQube is a very good tool for code quality.

I rate this solution a seven out of 10.  

We use SonarQube for testing and quality assurance. We use this in banks for testing.

We also use SonarQube for security static testing.

It provides the security that is required from a solution for financial businesses.

SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.

I would like to see software included that can be used with Waterfall projects.

We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.

We have partnered with B2B American to help with the purchasing of the license.

We have just been approved to purchase SonarQube Developer Edition.

We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment.

It's an open-source solution.

We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.

We are looking for the newest technologies but the biggest stopper for us is money.

For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation.

It has been very difficult. Last year many projects stopped.

I would rate SonarQube a six out of ten.

We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.

We usually deploy it in the cloud, but sometimes we also have on-premises solutions.

It has very good scalability and stability.

We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.

Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use.

Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.

I have been using SonarQube for two years.

Its stability is very good.

It has very good scalability. In my company, we have less than 15 users. They are mostly developers.

I have not used the support.

I have used Codestyle and a few other tools. SonarQube is similar to other tools.

Its installation is a little bit complex. They can simplify the installation and make it easier.

We didn't evaluate other options. 

I would rate SonarQube a nine out of ten.

I have used SonarQube for static code analysis. I am using it to assess my internal applications.

I like the by-default policies that are they, as they seem to cover most of what I need. I see that as an essential feature.

The interface could be a little better and should be enhanced.

More support for integration with third-party products would be an improvement.

I have been using SonarQube for more than five years.

I have not faced any bugs or glitches in SonarQube.

I have not been in contact with technical support, although my teams would have definitely reached out.

I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid set up because every environment has its own applications to deploy. That said, it was not so critical that we were no able to manage it.

We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.

SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.

You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.

When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.

This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.

In the future, I may look into deploying SonarQube in a hybrid model.

I would rate this solution an eight out of ten.

We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started. 

One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.

We were trying to serve two purposes; work quality and code security, with one tool. That's where our inclination was more towards Sonar because other tools generally target code security only.

I like that it helps us maintain our work quality and code security.

Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer. 

I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.

In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.

We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.

The initial setup on-premise may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.

We're using the Community Edition, and we don't pay for anything.

On a scale from one to ten, I would give SonarQube a nine.