Devops Engineer at a healthcare company with 10,001+ employees
Ensures A Good Quality Of Code Is Released To Customers
Pros and Cons
- "I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products."
- "When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."
How has it helped my organization?
SonarQube ensures that we release good quality code to our customers. We have incorporated test-driven development within the organization. It is also very helpful for bringing a DevOps culture into the organization.
What is most valuable?
I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products.
What needs improvement?
Well, load balancing is something we expect it to have. Also, the dashboards sometimes load a little slowly. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.
What do I think about the stability of the solution?
No.
Buyer's Guide
SonarQube Server (formerly SonarQube)
October 2024
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,528 professionals have used our research since 2012.
What do I think about the scalability of the solution?
Yes, a little bit.
How are customer service and support?
Good.
Which solution did I use previously and why did I switch?
Previously, we used regular code review (static analysis, coverage tools) without much of a single dashboard. SonarQube helped put everything together in one place, supporting almost all languages, or quality profiles.
How was the initial setup?
Simple to set up.
What's my experience with pricing, setup cost, and licensing?
People can try the free license and later look into buying plugins, support, etc. once they start liking it.
Which other solutions did I evaluate?
Not really.
What other advice do I have?
SonarQube provides easy upgrade mechanisms, and I rarely found any issues.
Use a good VM for hosting, which can serve large requests on the fly with Oracle DB, etc.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Architect Sales Systems at SV Informatik GmbH
A simple solution that helps with static quality checks of code
Pros and Cons
- "The product is simple."
- "The product's pricing could be lower."
What is our primary use case?
We use the tool to check our code. It's used for static quality checks.
What is most valuable?
The product is simple.
What needs improvement?
The product's pricing could be lower.
For how long have I used the solution?
I have been using the product for two years.
What do I think about the stability of the solution?
The tool is stable.
How was the initial setup?
The product is easy to deploy and update.
What's my experience with pricing, setup cost, and licensing?
We use the tool's community edition.
What other advice do I have?
I would rate the product an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Development Team Lead at a financial services firm with 1,001-5,000 employees
IDE plugins are easy to use and integrate
Pros and Cons
- "Some of the most valuable features have been the up-to-date OWASP coverage, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration."
- "SonarQube's security detail could be improved. It may be helpful to have additional details with regard to Oracle PL/SQL. For example, it's neither as built out nor as thorough as Java. For now, this is the only additional feature I would like to see."
What is our primary use case?
I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script.
SonarQube is deployed on-premises.
What is most valuable?
Some of the most valuable features have been the up-to-date OWASP coverage, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration.
What needs improvement?
SonarQube's security detail could be improved. It may be helpful to have additional details with regard to Oracle PL/SQL. For example, it's neither as built out nor as thorough as Java. For now, this is the only additional feature I would like to see.
For how long have I used the solution?
I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year.
What do I think about the stability of the solution?
So far, we are happy and haven't had any issues with stability.
The only maintenance this product needs, for now, is just updates and patches.
SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC.
What do I think about the scalability of the solution?
SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet.
At this point, there are at least 300 people in my company who are working with SonarQube.
Which solution did I use previously and why did I switch?
I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking.
How was the initial setup?
The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month.
What about the implementation team?
We implemented this solution through an in-house team.
What's my experience with pricing, setup cost, and licensing?
Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs.
What other advice do I have?
I rate SonarQube an eight out of ten.
To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
Frees up time to focus on daily tasks, meet delivery requirements and deliver more reliable code
Pros and Cons
- "SonarQube is a fantastic tool which saves us precious time."
- "We did have some trouble with the LDAP integration for the console."
What is our primary use case?
We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.
What is most valuable?
SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis on their computers. This affords delivery of much more reliable code, something which allows us to focus our work on more value-adding operations.
What needs improvement?
I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development.
This said, we did have some trouble with the LDAP integration for the console.
For how long have I used the solution?
As our company is not primarily IT-related we are latecomers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago.
What about the implementation team?
I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products.
She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.
What other advice do I have?
I am a customer of SonarQube.
At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.
When we deploy on-cloud, we normally use Amazon Web Services.
I rate SonarQube as a ten out of ten, easily. I think it's fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Technical Architect at an insurance company with 51-200 employees
Open-source, easy-to-use interface with minimal coding required
Pros and Cons
- "The product has a friendly UI that is easy to use and understand."
- "The documentation is not clear and it needs to be updated."
What is our primary use case?
SonarQube can be used for any missing components or component vulnerabilities.
How has it helped my organization?
SonarQube has improved our best practice of pair programming, aligned with the CI pipeline.
What is most valuable?
The product has a friendly UI that is easy to use and understand. In particular, the admin control panel is very good and it's not really difficult to get through the settings.
With minimal coding experience, we can build many rules that apply to each programming language, for example, CSS and Java. You can easily set up rules. We are luckily able to do this with the community version.
With other community versions, you are not always allowed to customize the profile, for example. With the SonarQube Community Edition, it's allowed.
What needs improvement?
Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to log in, but it doesn't always update. We have to search in more forums, or in other technical IT communities.
The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. Time is spent on creating the tools but not on the documentation that is needed for support.
It takes time to configure and create profiles. We need to improvise the way we introduce new tools.
We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.
Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.
Support needs to improve with their response time.
There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.
In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.
They advance their product without addressing security or internal codes.
For how long have I used the solution?
SonarQube has been in place for one year, but we have only been using it for the last three months.
What do I think about the scalability of the solution?
It's a scalable product. We have approximately 40 users.
How are customer service and technical support?
We have contacted support but it's not mandatory operating support and takes some time to get a reply.
Which solution did I use previously and why did I switch?
We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.
How was the initial setup?
The initial setup is straightforward.
It takes a week to complete the deployment.
What's my experience with pricing, setup cost, and licensing?
We are using the open-source community version, but there are enterprise licenses available.
What other advice do I have?
I am a user of SonarQube and I am responsible for the information security.
I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP.
We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing; now we will need behavioral discipline around security, and then we can upgrade the license. We have passed the ISO certification and encourage the use of tools for peer reviews for the developers.
It is better to have a technical review before deployment to production. Developers must review before going into production.
It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.
Before introducing any application tools, know the visibility of the project.
I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.
It's also a part of corporate policy to know everything before it is published into the CI pipeline.
There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.
I would recommend SonarQube to be on your initial plan for perfect quality.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SW Automation Team Leader at a tech services company with 201-500 employees
An actual RuntimeException bug was discovered and immediately fixed.
Pros and Cons
- "SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
- "There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
How has it helped my organization?
SonarQube and SonarLint were adopted as part of the CI development process, i.e., the developers who committed high severity issues to the repository were immediately notified via mail/Jenkins.
An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.
What is most valuable?
SonarLint: It gives code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering the early potential bugs).
SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).
What needs improvement?
There is a need for support for additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected by SonarQube after committing to the SCM were not displayed in SonarLint scans (hopefully this was fixed in later versions).
What do I think about the stability of the solution?
A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.
What do I think about the scalability of the solution?
There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.
How are customer service and technical support?
They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.
Which solution did I use previously and why did I switch?
We did not use a different solution in the past.
How was the initial setup?
The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several SCMs).
The SonarLint setup is extremely simple in IntelliJ.
What's my experience with pricing, setup cost, and licensing?
We did not purchase a license (required for C++ support), but this option was considered.
The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.
Which other solutions did I evaluate?
We did not evaluate other static code analysis solutions.
What other advice do I have?
I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
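Both the first reviewer's use of Quality Gates as a benchmark and this reviewer's Jenkins flow (scan on commit, notify the developers who introduced high severity issues) rest on two SonarQube Web API calls: GET api/qualitygates/project_status and GET api/issues/search. The script below is an added example, not code from any reviewer or from SonarSource, showing how a CI job can turn those responses into a pass/fail verdict and a per-author notification list. The two JSON documents, the project key "demo", the file paths, e-mail addresses and the exact rule IDs chosen are constructed sample data so the script runs offline; in a real job both payloads would be fetched from the server with a token-authenticated HTTP call.

```python
"""Enforce a SonarQube quality gate in CI and list committers to notify.

Added example. The two JSON strings below are constructed samples in the
shape returned by SonarQube's Web API; nothing here talks to a live server.
"""
import json
from collections import defaultdict

# Constructed sample of GET /api/qualitygates/project_status?projectKey=demo
SAMPLE_GATE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "63.4"},
        ],
    }
})

# Constructed sample of GET /api/issues/search?componentKeys=demo
#   &severities=BLOCKER,CRITICAL&resolved=false&inNewCodePeriod=true
# One MAJOR issue and one issue without SCM author are included on purpose.
SAMPLE_ISSUES = json.dumps({
    "total": 4,
    "issues": [
        {"key": "AX-1", "rule": "java:S2076", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "demo:src/main/java/app/Exec.java", "line": 42,
         "author": "alice@example.com",
         "message": "Make sure that executing this OS command is safe here."},
        {"key": "AX-2", "rule": "java:S2259", "severity": "CRITICAL", "type": "BUG",
         "component": "demo:src/main/java/app/Parser.java", "line": 118,
         "author": "bob@example.com",
         "message": "A \"NullPointerException\" could be thrown."},
        {"key": "AX-3", "rule": "java:S1192", "severity": "CRITICAL", "type": "CODE_SMELL",
         "component": "demo:src/main/java/app/Parser.java", "line": 7,
         "message": "Define a constant instead of duplicating this literal."},
        {"key": "AX-4", "rule": "java:S1172", "severity": "MAJOR", "type": "CODE_SMELL",
         "component": "demo:src/main/java/app/Util.java", "line": 3,
         "author": "alice@example.com",
         "message": "Remove this unused method parameter."},
    ],
})


def gate_passed(gate_json: str) -> bool:
    """True only when the server reports the gate as OK (not ERROR/WARN/NONE)."""
    return json.loads(gate_json)["projectStatus"]["status"] == "OK"


def failed_conditions(gate_json: str) -> list:
    """One readable line per failing condition.

    SonarQube states each condition with a comparator: LT means the metric
    must not fall below errorThreshold, GT means it must not exceed it.
    """
    status = json.loads(gate_json)["projectStatus"]
    lines = []
    for cond in status.get("conditions", []):
        if cond["status"] != "ERROR":
            continue
        direction = "below" if cond["comparator"] == "LT" else "above"
        lines.append("%s: %s is %s threshold %s" % (
            cond["metricKey"], cond["actualValue"], direction, cond["errorThreshold"]))
    return lines


def high_severity_by_author(issues_json: str, severities=("BLOCKER", "CRITICAL")) -> dict:
    """Group open issues of the given severities by the SCM author SonarQube blames.

    'author' is filled from SCM blame during analysis; it is absent when the
    scanner had no SCM data, so those issues are bucketed separately rather
    than dropped.
    """
    grouped = defaultdict(list)
    for issue in json.loads(issues_json)["issues"]:
        if issue.get("severity") not in severities:
            continue
        author = issue.get("author") or "(unknown author)"
        path = issue["component"].split(":", 1)[-1]  # strip the project key prefix
        grouped[author].append("%s:%s %s [%s] %s" % (
            path, issue.get("line", "?"), issue["rule"], issue["severity"], issue["message"]))
    return dict(grouped)


def ci_verdict(gate_json: str, issues_json: str) -> tuple:
    """Return (passed, report_lines): what the CI job prints and exits on."""
    passed = gate_passed(gate_json)
    report = ["Quality gate: %s" % ("PASSED" if passed else "FAILED")]
    report.extend("  - " + c for c in failed_conditions(gate_json))
    for author, items in sorted(high_severity_by_author(issues_json).items()):
        report.append("Notify %s (%d issue(s)):" % (author, len(items)))
        report.extend("  - " + i for i in items)
    return passed, report


if __name__ == "__main__":
    ok, lines = ci_verdict(SAMPLE_GATE, SAMPLE_ISSUES)
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the Jenkins stage
```

The pass/fail half of this is also available natively: the scanner property sonar.qualitygate.wait=true makes the analysis step itself fail on a red gate, and the SonarQube Scanner plugin for Jenkins offers a waitForQualityGate step. What the script adds is the per-author breakdown the reviewer describes, and it only works when the analysis had SCM blame available, which is why unattributed issues are kept in their own bucket instead of silently vanishing from the notification list.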
Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees
It's helped with best practices in writing test cases, and each test should pass given all numbers are highlighted on it.
What is most valuable?
The rich graphical representation of numbers which are meaningful to dev leads/managers and top management.
How has it helped my organization?
It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.
Executing Sonar analysis on a big chunk of code with an Oracle database does take up a lot of time.
What needs improvement?
Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.
For how long have I used the solution?
I've used it for three years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.
Which solution did I use previously and why did I switch?
No previous solution was used.
How was the initial setup?
The documentation is good. It should be fairly simple for someone with database knowledge.
What about the implementation team?
We did it in-house.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Manager | Senior Software Developer at RedShift II - Solutions
Coding quality assurance tool that comes with good DevOps implementation
Pros and Cons
- "This solution has the capability to analyze source code in almost all the languages in the market."
- "This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."
What is our primary use case?
This solution has the capability to analyze source code in almost all the languages in the market.
What needs improvement?
This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.
For how long have I used the solution?
I have used this solution for ten years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This is a scalable solution. We have been using it for all of our critical projects.
What was our ROI?
I have never made the calculations to understand the real value of this solution but I know that the return on investment is very good. If not, we wouldn't have continued to use it for the past 10 years.
What's my experience with pricing, setup cost, and licensing?
As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool.
What other advice do I have?
This solution has evolved a lot in the last ten years.
It comes with good DevOps implementation and security, which is a big problem today.
Disclosure: I am a real user, and this review is based on my own experience and opinions.