reviewer1407126 - PeerSpot reviewer
Team Lead at a computer software company with 10,001+ employees
Real User
This is a very capable analysis tool for development projects but the free version has limitations
Pros and Cons
  • "It is a very good tool for analysis despite its limitations."
  • "There is a free version."
  • "There are limitations to the free version that limit development options as far as languages."

What is our primary use case?

We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.  

What is most valuable?

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

What needs improvement?

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.  

There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and over-all have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them.  

We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.  

For how long have I used the solution?

We have been using SonarQube for maybe a year or so. A little more than that.  

Buyer's Guide
SonarQube Server (formerly SonarQube)
February 2025
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
838,713 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is good. We are not having problems with the product failing.  

What do I think about the scalability of the solution?

The stability of SonarQube is good. The scaling part is the problem. We cannot scale to all the other products that we want to use and we cannot improve and scale to other languages.  

The language issue is one that we are facing. If you want to use some languages like maybe tool languages or something people want to use, they are not all available in Sonar. In the commercial version of Sonar they may be available. But in the free version, there are some limitations.  

So we do understand the limitations of the scalability. The free tool comes with its own advantages and disadvantages and limitations on scalability is one of the disadvantages.  

How are customer service and support?

We do not really have very much contact at all with technical support because SonarQube is quite user friendly and intuitive. Technical support is not actually available with the free product, but we do have access to community tools online.   

There was this one issue that we had where we had raised a question in the community. We found that if we scanned our project with SonarLint and if we scanned our project with SonarQube, it was giving some different results. SonarQube was showing some issues and SonarLint was not showing any issues at all. There was a clear difference in the report. But when we Googled this issue and looked on the support web site, we found now that SonarLint does not give you the errors around integration. When it comes to SonarQube, it automatically integrates with other processes and scans your port to that. SonarLint does not do this in the same way. This is why SonarQube might give you some errors that SonarLint does not.  

So we are not in contact with the company support. When there are times when we do have an issue, we see what we can Google or the SonarQube community. Usually, we do find out our answers.  

How was the initial setup?

The initial setup is quite straightforward. The setup process is very reasonable as far as it is logical and very simple. It doesn't take much time.  

Which other solutions did I evaluate?

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in Checkmarx.  

What other advice do I have?

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven-out-of-ten.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Axel Niering - PeerSpot reviewer
Software Architect Sales Systems at SV Informatik GmbH
Real User
Top 5 Leaderboard
A simple solution that helps with the static quality checks of codes
Pros and Cons
  • "The product is simple."
  • "The product's pricing could be lower."

What is our primary use case?

We use the tool to check our code. It's used for static quality checks. 

What is most valuable?

The product is simple. 

What needs improvement?

The product's pricing could be lower. 

For how long have I used the solution?

I have been using the product for two years. 

What do I think about the stability of the solution?

The tool is stable. 

How was the initial setup?

The product is easy to deploy and update. 

What's my experience with pricing, setup cost, and licensing?

We use the tool's community edition. 

What other advice do I have?

I would rate the product an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1472997 - PeerSpot reviewer
CTO at a computer software company with 11-50 employees
Real User
An open-source platform for the continuous inspection of code quality
Pros and Cons
  • "The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
  • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

What is our primary use case?

There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version.

We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future.

Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance. 

What needs improvement?

The results of exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You could extract a maximum of 10000 results per query, which increases the overall execution process tremendously. I guess the majority of the users are based on SonarQube presentation capabilities, which is very restrictive for some use cases.

For how long have I used the solution?

I have been using SonarQube, every day, for more than two years. 

What do I think about the stability of the solution?

SonarQube is stable.

What do I think about the scalability of the solution?

I wouldn't say that isn't fully scalable. It's damn slow. It takes a lot of time parsing an average size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this but it's really hard.

How are customer service and technical support?

As we are using the community version, there is no technical support.

Which solution did I use previously and why did I switch?

I have used a wide variety of tools. SonarQube covers a wide variety of issues and it is a well-designed, robust framework.

How was the initial setup?

To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, it took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script isn't functional; it needs some tweaking.

My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. In short, it should come with a self-contained functional configuration set.

Overall, the initial setup should be easier.

What about the implementation team?

Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

What's my experience with pricing, setup cost, and licensing?

Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

Which other solutions did I evaluate?

Yes, we have evaluated plenty of alternatives; nothing really comparable.

What other advice do I have?

I would recommend this solution to others. It easily outperforms other static code tools — it's perfect as a static code analysis tool.

Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
Ensures compliance with corporate coding standards and reduces technical debt
Pros and Cons
  • "Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
  • "The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."

What is our primary use case?

Our primary use for this solution is to improve code quality and reduce technical debt.

How has it helped my organization?

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release.

Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.

What is most valuable?

The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues.

SonarQube is really good for finding coding standards when people deviate from what we have set corporately.

What needs improvement?

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me.

The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the same piece of code through both SonarQube and Checkmarx and there is no comparison between the vulnerabilities that each finds. Checkmarx may find fifty, whereas SonarQube will only find fifteen or twenty.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

I haven't had any issues with stability and we see it as quite stable.

The only time we had an issue was because we used a third-party plugin for it to integrate with another piece of software and there was a versioning issue. Other than that, we haven't had any trouble. We've had to integrate it with our LDAP and everything seems to run quite smoothly.

What do I think about the scalability of the solution?

We are in the process of bringing on more projects right now. We are running probably forty-five right now, and we haven't had an issue.

We have approximately one hundred users. There are some developers, but mainly product managers who are using it to track the numbers, and see if they're moving in the right direction or not. We have it integrated with some of our IDEs that we use corporately, and the developers are using it to check for bugs before they check code in.

Right now it's a small subset of the company that is using this solution, and there are plans to increase it. They are already starting to onboard more teams. Our DevOps manager is starting to push it upon more and more projects.

How are customer service and technical support?

We haven't really had any issues, so I can't speak much about technical support. There is also a large community out there who uses it.

Which solution did I use previously and why did I switch?

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

How was the initial setup?

The initial setup was fairly straightforward. It's well documented and the documentation is easy to read.

We rolled it out to one server that was used as a POC, which was later moved into a production environment. We then rolled out a second one for Dev to test doing upgrades, which we do on a regular basis. Every time a new LTS (Long Term Support) version comes out then we run an upgrade.

Only one person is required in order to handle the maintenance. It is easy to maintain.

What about the implementation team?

We handled the deployment in-house.

What was our ROI?

I do not know the metrics, but they are being tracked for the projects. Better code is being built with fewer defects, bugs, and issues. Our DevOps manager is increasing its usage, so he definitely sees value in it. 

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use.

There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user718230 - PeerSpot reviewer
Devops Engineer at a healthcare company with 10,001+ employees
Real User
Ensures A Good Quality Of Code Is Released To Customers
Pros and Cons
  • "I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products."
  • "When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."

How has it helped my organization?

SonarQube ensures that we release a good quality of code to our customers. We have incorporated test driven development within the organization. It is also very helpful to bring a DevOps culture within the organisation.

What is most valuable?

I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products.

What needs improvement?

Well, load balancing is something we expect it to have. Also, sometimes the loading dashboards are a little slow. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

Yes, a little bit.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

Previously, we used to use regular code review (static analysis, coverage tools) without much into a single dashboard. SonarQube helped to put everything together into place supporting almost all languages, or quality profiles.

How was the initial setup?

Simple to set up.

What's my experience with pricing, setup cost, and licensing?

People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it.

Which other solutions did I evaluate?

Not really.

What other advice do I have?

SonarQube provides easy upgrade mechanisms, and I rarely found any issues.

Use a good VM for hosting, which can serve large requests on the fly with Oracle DB, etc.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Deputy Manager Quality Assurance at eInfochips
Reseller
A stable open-source code quality inspection tool with a nice dashboard
Pros and Cons
  • "I like that it has a better dashboard compared to Clockwork. It's also stable."
  • "Technical support and the price could be better."

What is most valuable?

I like that it has a better dashboard compared to Clockwork. It's also stable.

What needs improvement?

Technical support and the price could be better.

For how long have I used the solution?

I have been using SonarQube for seven or eight years.

What do I think about the stability of the solution?

SonarQube is quite good in terms of stability.

How are customer service and support?

Technical support could be better. If we request support, it's a little bit delayed, and it's not consistent on email.

What's my experience with pricing, setup cost, and licensing?

SonarQube price is a little bit higher than Kiuwan's. Kiuwan also gives a little bit of flexibility in terms of pricing.

What other advice do I have?

On a scale from one to ten, I would give SonarQube an eight.

Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
reviewer1565832 - PeerSpot reviewer
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
Very stable and easy to integrate, but is a bit expensive
Pros and Cons
  • "The reporting and the results are quick. It gets integrated within the pipeline well."
  • "The pricing could be reduced a bit. It's a little expensive."

What is our primary use case?

We generally use the solution in order to do static code analysis.

What is most valuable?

What I like about SonarQube is the integration of the pipelines. It is pretty easy. 

The reporting and the results are quick. It gets integrated within the pipeline well.

The solution is very stable.

The scalability is very good.

We found the initial setup to be straightforward.

What needs improvement?

The solution has a very shallow SAST scanning. That is something that can be improved. 

I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.

The pricing could be reduced a bit. It's a little expensive.

For how long have I used the solution?

We've been using the solution for the past two years or so. It's been a while.

What do I think about the stability of the solution?

The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.

What do I think about the scalability of the solution?

I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.

It is integrated within our pipelines. It gets used every day.

Right now we are not scaling the solution. It is just one server that we have. It is static of sizing and we do not scale it.

How are customer service and technical support?

We do have an enterprise version, however, that does not include the support right now.

If we have any issues we're trying to resolve them on our own. So far, that has been sufficient.

Which solution did I use previously and why did I switch?

We are also onboarding Checkmarx. We use both solutions.

We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not. 

How was the initial setup?

The initial setup is pretty simple.

I do not recall the exact amount of time it took to deploy the solution.

It does not require a lot of maintenance. It's just that whenever any latest version is coming in, we just have to upgrade it.

What about the implementation team?

We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrators. It was all handled in-house.

What's my experience with pricing, setup cost, and licensing?

What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could be also a bit reduced.

What other advice do I have?

We are just a customer and an end-user.

While we installed the solution on the cloud, we host it on our machines.

I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful.

It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have.

I would rate the solution at a six out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior System Analyst at a tech services company with 1,001-5,000 employees
Real User
User-friendly, easy to access, and it has good training documentation
Pros and Cons
  • "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
  • "Monitoring is a feature that can be improved in the next version."

What is our primary use case?

We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.

How has it helped my organization?

SonarQube simplified some of the processes and made others more complex.

What is most valuable?

The most valuable features are that it is user-friendly, easy to access, and they provide good training files. Ability to manage and customize reports. Sonar also models the relationship between packages and classes.

What needs improvement?

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

For how long have I used the solution?

I have been using SonarQube for three years.

What do I think about the stability of the solution?

This solution is stable. Stability is not an issue for us.

What do I think about the scalability of the solution?

It's scalable. Scaling is not a problem.

How are customer service and technical support?

Because of the sanctions in our country, we cannot contact technical support directly.

How was the initial setup?

The initial setup was straightforward. It was a normal installation.

It took approximately five days to deploy.

What's my experience with pricing, setup cost, and licensing?

It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.

This solution provides good features for users.

What other advice do I have?

Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also.

If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user