PeerSpot user
Head of Software Delivery at a tech services company with 51-200 employees
Real User
Provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production
Pros and Cons
    • "Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."

    What is our primary use case?

    Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

    We plug this process into our process right from the start, enabling the IDE integrations so that engineers can scan their code before submission. Following on from that, we run the scans on every change that has been submitted for review. 

    This way we ensure that no core/fundamental issues are added to our codebases. 

    How has it helped my organization?

    It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed-efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results. 

    Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

    We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

    What is most valuable?

    By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

    The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

    Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

    What needs improvement?

    It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this tool. 

    Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

    When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

    Buyer's Guide
    SonarQube Server (formerly SonarQube)
    August 2025
    Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
    867,676 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using SonarQube for five years.

    What do I think about the stability of the solution?

    Good, I have not really had many issues with it. No major ones either. 

    What do I think about the scalability of the solution?

    It all depends on where/how you are hosting it. The tool itself scales well. 

    Which solution did I use previously and why did I switch?

    I have used Checkmarx and also tried a demo of Veracode. 

    Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

    Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

    How was the initial setup?

    It's very straightforward for a SaaS setup. 

    For a self-hosted setup, it is documented well and fairly easy. 

    What about the implementation team?

    We implemented in-house.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

    Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

    Which other solutions did I evaluate?

    We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

    What other advice do I have?

    Security analysis is a MUST. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer2393703 - PeerSpot reviewer
    Director of Software Engineering at a computer software company with 201-500 employees
    Real User
    Top 20
    Helps to monitor and manage violations but improvement is needed in integration with third-party platforms and scalability
    Pros and Cons
    • "The tool helps us to monitor and manage violations. It manages the bugs and security violations."
    • "SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability."

    What is most valuable?

    The tool helps us to monitor and manage violations. It manages the bugs and security violations. 

    What needs improvement?

    SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability. 

    For how long have I used the solution?

    I have been using the product for five years. 

    What do I think about the stability of the solution?

    I rate the tool's stability a six out of ten. 

    What do I think about the scalability of the solution?

    My company has 150 users for SonarQube. 

    How was the initial setup?

    The tool's deployment is complex. 

    What's my experience with pricing, setup cost, and licensing?

    The tool's pricing is reasonable. 

    What other advice do I have?

    I rate the overall product a seven out of ten and would recommend it to others. 

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Infosec Consultant at Anzen Technologies
    Consultant
    Top 10
    Has a user-friendly UI and can be used for secure code review
    Pros and Cons
    • "The solution's user interface is very user-friendly."
    • "It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."

    What is our primary use case?

    We used SonarQube for secure code review.

    What is most valuable?

    The solution's user interface is very user-friendly. The solution also provides good efficiency.

    What needs improvement?

    It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.

    For how long have I used the solution?


    What do I think about the stability of the solution?

    I rate the solution a seven out of ten for stability.

    What do I think about the scalability of the solution?

    I rate the solution a nine out of ten for scalability.

    How was the initial setup?

    On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

    What about the implementation team?

    It takes around one hour to deploy SonarQube.

    What's my experience with pricing, setup cost, and licensing?

    SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code. We didn't pay for SonarQube. We used a free version of the solution because we had a small amount of code.

    What other advice do I have?

    We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code.

    SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube.

    We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions.

    We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution.

    Overall, I rate the solution a nine out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Axel Niering - PeerSpot reviewer
    Software Architect Sales Systems at SV Informatik GmbH
    Real User
    Top 10 Leaderboard
    A simple solution that helps with the static quality checks of codes
    Pros and Cons
    • "The product is simple."
    • "The product's pricing could be lower."

    What is our primary use case?

    We use the tool to check our code. It's used for static quality checks. 

    What is most valuable?

    The product is simple. 

    What needs improvement?

    The product's pricing could be lower. 

    For how long have I used the solution?

    I have been using the product for two years. 

    What do I think about the stability of the solution?

    The tool is stable. 

    How was the initial setup?

    The product is easy to deploy and update. 

    What's my experience with pricing, setup cost, and licensing?

    We use the tool's community edition. 

    What other advice do I have?

    I would rate the product an eight out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Team Lead at CNSI
    Real User
    Reliable and secure solution used for qualitative coding, including the SonarLint plugin
    Pros and Cons
    • "We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."
    • "We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."

    What is our primary use case?

    We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

    What needs improvement?

    We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

    What do I think about the stability of the solution?

    This is a stable solution.

    What do I think about the scalability of the solution?

    This is a scalable solution. 

    How was the initial setup?

    The initial setup was straightforward. 

    What about the implementation team?

    Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

    What other advice do I have?

    I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
    I would rate this solution an eight out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer1158774 - PeerSpot reviewer
    Senior Technical Architect at a tech services company with 501-1,000 employees
    Real User
    Effective vulnerability scanning, good support, and simple setup
    Pros and Cons
    • "SonarQube has a lot of value; it reviews the basic coding standards and security vulnerabilities of code, which helps to reduce issues."
    • "SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."

    What is our primary use case?

    We are using SonarQube for scanning our services for issues as part of our IT department.

    What is most valuable?

    SonarQube has a lot of value; it reviews the basic coding standards and security vulnerabilities of code, which helps to reduce issues. 

    What needs improvement?

    SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

    For how long have I used the solution?

    I have been using SonarQube for approximately three years.

    What do I think about the stability of the solution?

    SonarQube is a stable solution.

    What do I think about the scalability of the solution?

    I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

    We have a server that SonarQube is running on and we have approximately 50 people using it.

    How are customer service and support?

    We have used technical support in the past but not recently.

    I would rate the support from SonarQube a four out of five.

    Which solution did I use previously and why did I switch?

    I have used Veracode previously.

    How was the initial setup?

    The initial setup is straightforward for SonarQube.

    What about the implementation team?

    We did the implementation in-house.

    The DevOps team handles the maintenance of SonarQube.

    What's my experience with pricing, setup cost, and licensing?

    We are using the Developer Edition and the cost is based on the amount of code that is being processed.

    What other advice do I have?

    If SonarQube meets the needs of your use case then I use it.

    I rate SonarQube an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer1250178 - PeerSpot reviewer
    Security Information Manager at a tech services company with 10,001+ employees
    Real User
    Reliable with a nice web interface but needs better reporting
    Pros and Cons
    • "The solution offers a very good community edition."
    • "There isn't a very good enterprise report."

    What is most valuable?

    We find it very similar to Fortify, and it has the same advantages. 

    The web interface is very good. 

    We have found the solution to be stable. 

    The solution offers a very good community edition.

    What needs improvement?

    There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

    For how long have I used the solution?

    I've used the solution for three years. I've used it for a while now. 

    What do I think about the stability of the solution?

    In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze. 

    How are customer service and support?

    I've never used technical support. I can't talk about how helpful they are, as I've never spoken with them personally.

    If I do need to troubleshoot, I tend to rely on the community and search for answers there. 

    Which solution did I use previously and why did I switch?

    We've also used Fortify.

    How was the initial setup?

    I didn't participate in the installation process. I can't speak to how easy or difficult the process was. 

    What's my experience with pricing, setup cost, and licensing?

    I use the community version of the product.

    What other advice do I have?

    We are a customer and an end-user.

    I'd rate the solution at a seven out of ten. It's mostly reliable. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer1078050 - PeerSpot reviewer
    Staff DevOps Specialist at a computer software company with 201-500 employees
    MSP
    Greatly improves the quality, straightforward to use, and stable
    Pros and Cons
    • "My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
    • "A little bit more emphasis on security and a bit more security scanning features would be nice."

    What is our primary use case?

    It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

    We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

    How has it helped my organization?

    In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

    It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

    What is most valuable?

    My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

    What needs improvement?

    A little bit more emphasis on security and a bit more security scanning features would be nice. 

    It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

    Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

    For how long have I used the solution?

    I have been using this solution for four years in my current job.

    What do I think about the stability of the solution?

    I don't think I ever had a problem.

    What do I think about the scalability of the solution?

    We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

    We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

    We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

    How are customer service and support?

    I've never been in a situation where I needed their support.

    Which solution did I use previously and why did I switch?

    I don't think that we used anything else previously. SonarQube was the first one.

    How was the initial setup?

    It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

    What about the implementation team?

    We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

    What was our ROI?

    I don't have that data. I don't think that we've ever calculated that. 

    What's my experience with pricing, setup cost, and licensing?

    My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

    In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

    What other advice do I have?

    It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

    I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
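The merge gate this reviewer and the first reviewer describe (block the change when coverage on new code drops below 80% or when the scan reports new severe bugs or vulnerabilities), written out as an added illustrative example. This is not SonarQube's own code or API; the metric names, the policy table and the scan-report layout are assumptions made for the example.

```python
"""Illustrative CI quality gate, added as an example: it models the gate the
reviews describe (block the merge when coverage on new code falls below the
agreed 80% or when the scan reports new severe bugs or vulnerabilities).
Not SonarQube's own code or API; metric names and the report layout are
assumptions made for this example."""
from dataclasses import dataclass, field

# Gate policy: metric name -> (kind, threshold). "min" means the value must be
# at least the threshold, "max" means it must not exceed it. Assumed names.
DEFAULT_POLICY = {
    "coverage_on_new_code": ("min", 80.0),      # percent, the reviewer's 80% rule
    "new_blocker_vulnerabilities": ("max", 0),
    "new_critical_vulnerabilities": ("max", 0),
    "new_blocker_bugs": ("max", 0),
}


@dataclass
class GateResult:
    passed: bool
    failures: list = field(default_factory=list)


def evaluate_gate(metrics, policy=DEFAULT_POLICY):
    """Evaluate one scan report against the policy.

    A metric missing from the report fails the gate (fail closed): a scanner
    that crashed or skipped analysis must not let a change through.
    """
    failures = []
    for name, (kind, threshold) in policy.items():
        if name not in metrics:
            failures.append(f"{name}: metric missing from scan report")
            continue
        value = metrics[name]
        if kind == "min" and value < threshold:
            failures.append(f"{name}: {value} is below required {threshold}")
        elif kind == "max" and value > threshold:
            failures.append(f"{name}: {value} exceeds allowed {threshold}")
    return GateResult(passed=not failures, failures=failures)


# Constructed scan reports for three hypothetical pull requests.
SAMPLE_REPORTS = {
    "PR-101": {"coverage_on_new_code": 91.3, "new_blocker_vulnerabilities": 0,
               "new_critical_vulnerabilities": 0, "new_blocker_bugs": 0},
    # Coverage regression plus a new critical vulnerability: two failures.
    "PR-102": {"coverage_on_new_code": 76.5, "new_blocker_vulnerabilities": 0,
               "new_critical_vulnerabilities": 1, "new_blocker_bugs": 0},
    # Analysis did not produce a coverage figure: fails closed.
    "PR-103": {"new_blocker_vulnerabilities": 0,
               "new_critical_vulnerabilities": 0, "new_blocker_bugs": 0},
}


def merge_decisions(reports=SAMPLE_REPORTS, policy=DEFAULT_POLICY):
    """Map each pull request to True (merge allowed) or False (blocked)."""
    return {pr: evaluate_gate(m, policy).passed for pr, m in reports.items()}


if __name__ == "__main__":
    for pr, metrics in SAMPLE_REPORTS.items():
        result = evaluate_gate(metrics)
        status = "MERGE ALLOWED" if result.passed else "BLOCKED"
        print(f"{pr}: {status}")
        for reason in result.failures:
            print(f"  - {reason}")
```

The fail-closed branch is the part worth copying: a pipeline that treats "no coverage number" as a pass silently lets through exactly the changes the gate exists to stop.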
    PeerSpot user