We use the tool to check our code. It's used for static quality checks.
Software Architect Sales Systems at SV Informatik GmbH
A simple solution that helps with static quality checks of code
Pros and Cons
- "The product is simple."
- "The product's pricing could be lower."
What is our primary use case?
What is most valuable?
The product is simple.
What needs improvement?
The product's pricing could be lower.
For how long have I used the solution?
I have been using the product for two years.
Buyer's Guide
SonarQube Server (formerly SonarQube)
November 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
The tool is stable.
How was the initial setup?
The product is easy to deploy and update.
What's my experience with pricing, setup cost, and licensing?
We use the tool's community edition.
What other advice do I have?
I would rate the product an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
Frees up time to focus on daily tasks, meet delivery requirements and deliver more reliable code
Pros and Cons
- "SonarQube is a fantastic tool which saves us precious time."
- "We did have some trouble with the LDAP integration for the console."
What is our primary use case?
We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.
What is most valuable?
SonarQube is a fantastic tool that saves us precious time. Prior to using the solution, all our code analysis was manual, and this was very time-consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis on their computers. This affords delivery of much more reliable code, something which allows us to focus our work on more aggregated value operations.
What needs improvement?
I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development.
This said, we did have some trouble with the LDAP integration for the console.
For how long have I used the solution?
As our company is not primarily IT-related, we are latecomers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago.
What about the implementation team?
I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products.
She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.
What other advice do I have?
I am a customer of SonarQube.
At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.
When we deploy on-cloud, we normally use Amazon Web Services.
I rate SonarQube as a ten out of ten, easily. I think it's fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Technical Architect at an insurance company with 51-200 employees
Open-Source, easy to use interface with minimal coding required
Pros and Cons
- "The product has a friendly UI that is easy to use and understand."
- "The documentation is not clear and it needs to be updated."
What is our primary use case?
SonarQube can be used for any missing components or component vulnerabilities.
How has it helped my organization?
SonarQube has improved our best practice of pair programming, which is aligned with the CI pipeline.
What is most valuable?
The product has a friendly UI that is easy to use and understand. In particular, the admin control panel is very good, and it's not really difficult to get through the settings.
With minimal coding experience, we can build many rules that apply to each programming language, for example, CSS and Java. You can easily set up rules. We are luckily able to do this with the community version.
With other community versions, you are not always allowed to customize the profile for example. With the SonarQube Community Edition, it's authorized.
What needs improvement?
Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT.
The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support.
It takes time to configure and create profiles. We need to improvise the way we introduce new tools.
We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.
Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.
Support needs to improve with their response time.
There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.
In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.
They advance their product without addressing security or internal codes.
For how long have I used the solution?
SonarQube has been in place for one year, but we have only been using it for the last three months.
What do I think about the scalability of the solution?
It's a scalable product. We have approximately 40 users.
How are customer service and technical support?
We have contacted support but it's not mandatory operating support and takes some time to get a reply.
Which solution did I use previously and why did I switch?
We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.
How was the initial setup?
The initial setup is straightforward.
It takes a week to complete the deployment.
What's my experience with pricing, setup cost, and licensing?
We are using the open-source community version, but there are enterprise licenses available.
What other advice do I have?
I am a user of SonarQube and I am responsible for the information security.
I'm the principal for security in the office. I advise others on enhancing and incorporating security aspects into the IP.
We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers.
It is better to have a technical review before deployment to production. Developers must review before going into production.
It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.
Before introducing any application tools, know the visibility of the project.
I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.
It's also a part of corporate policy to know everything before it is published into the CI pipeline.
There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.
I would recommend SonarQube to be on your initial plan for perfect quality.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SW Automation Team Leader at a tech services company with 201-500 employees
An actual RuntimeException bug was discovered and immediately fixed.
Pros and Cons
- "SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
- "There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
How has it helped my organization?
SonarQube and SonarLint were adopted as part of the CI development process, i.e., the developers who committed high-severity issues to the repository were immediately notified via mail/Jenkins.
An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.
What is most valuable?
SonarLint: It gives code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering the early potential bugs).
SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).
What needs improvement?
There is a need for support for additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the SCM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).
What do I think about the stability of the solution?
A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.
What do I think about the scalability of the solution?
There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.
How are customer service and technical support?
They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.
Which solution did I use previously and why did I switch?
We did not use a different solution in the past.
How was the initial setup?
The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several CSMs).
The SonarLint setup is extremely simple in IntelliJ.
What's my experience with pricing, setup cost, and licensing?
We did not purchase a license (required for C++ support), but this option was considered.
The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.
Which other solutions did I evaluate?
We did not evaluate other static code analysis solutions.
What other advice do I have?
I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees
It's helped with best practices in writing test cases, and each test should pass given all numbers are highlighted on it.
What is most valuable?
The rich graphical representation of numbers, which are meaningful to dev leads/managers and top management.
How has it helped my organization?
It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.
Executing sonar analysis on a big chunk of code - with an Oracle database does take up a lot of time.
What needs improvement?
Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.
For how long have I used the solution?
I've used it for three years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.
Which solution did I use previously and why did I switch?
No previous solution was used.
How was the initial setup?
The documentation is good. It should be fairly simple for someone with database knowledge.
What about the implementation team?
We did it in-house.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Manager | Senior Software Developer at RedShift II - Solutions
Coding quality assurance tool that comes with good DevOps implementation
Pros and Cons
- "This solution has the capability to analyze source code in almost all the languages in the market."
- "This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
What is our primary use case?
This solution has the capability to analyze source code in almost all the languages in the market.
What needs improvement?
This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.
For how long have I used the solution?
I have used this solution for ten years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This is a scalable solution. We have been using it for all of our critical projects.
What was our ROI?
I have never made the calculations to understand the real value of this solution, but I know that the return on investment is very good. If not, we wouldn't have continued to use it for the past 10 years.
What's my experience with pricing, setup cost, and licensing?
As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool.
What other advice do I have?
This solution has evolved a lot in the last ten years.
It comes with good DevOps implementation and security, which is a big problem today.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
A stable open-source code quality inspection tool with a nice dashboard
Pros and Cons
- "I like that it has a better dashboard compared to Clockwork. It's also stable."
- "Technical support and the price could be better."
What is most valuable?
I like that it has a better dashboard compared to Clockwork. It's also stable.
What needs improvement?
Technical support and the price could be better.
For how long have I used the solution?
I have been using SonarQube for seven or eight years.
What do I think about the stability of the solution?
SonarQube is quite good in terms of stability.
How are customer service and support?
Technical support could be better. If we request support, it's a little bit delayed, and it's not consistent on email.
What's my experience with pricing, setup cost, and licensing?
SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing.
What other advice do I have?
On a scale from one to ten, I would give SonarQube an eight.
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Senior System Analyst at a tech services company with 1,001-5,000 employees
User-friendly, easy to access, and it has good training documentation
Pros and Cons
- "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
- "Monitoring is a feature that can be improved in the next version."
What is our primary use case?
We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.
How has it helped my organization?
SonarQube simplified some of the processes and made others more complex.
What is most valuable?
The most valuable features are that it is user-friendly, easy to access, and they provide good training files. It also has the ability to manage and customize reports. Sonar also models the relationship between packages and classes.
What needs improvement?
It would be better if the users could have quick access to the features.
Monitoring is a feature that can be improved in the next version.
For how long have I used the solution?
I have been using SonarQube for three years.
What do I think about the stability of the solution?
This solution is stable. Stability is not an issue for us.
What do I think about the scalability of the solution?
It's scalable. Scaling is not a problem.
How are customer service and technical support?
Because of the sanctions in our country, we cannot contact technical support directly.
Which solution did I use previously and why did I switch?
How was the initial setup?
The initial setup was straightforward. It was a normal installation.
It took approximately five days to deploy.
What's my experience with pricing, setup cost, and licensing?
It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.
This solution provides good features for users.
What other advice do I have?
Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also.
If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.