SonarQube Server (formerly SonarQube) Reviews

SonarQube ensures that we release a good quality of code to our customers. We have incorporated test driven development within the organization. It is also very helpful to bring a DevOps culture within the organisation.

I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products.

Well, load balancing is something we expect it to have. Also, sometimes the loading dashboards are a little slow. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.

No.

Yes, a little bit.

Good.

Previously, we used to use regular code review (static analysis, coverage tools) without much into single dashboard. SonarQube helped to put everything together into place supporting almost all languages, or quality profiles.

Simple to setup.

People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it.

Not really.

SonarQube provides easy upgrade mechanisms, and I rarely found any issues.

Use a good VM for hosting, which can serve large requests on the fly with Oracle DB, etc.

We use the tool to check our code. It's used for static quality checks. 

The product is simple. 

The product's pricing could be lower. 

I have been using the product for two years. 

The tool is stable. 

The product is easy to deploy and update. 

We use the tool's community edition. 

I would rate the product an eight out of ten. 

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

We implemented this solution through an in-house team. 

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware. 

SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development. 

This said, we did have some trouble with the LDAP integration for the console. 

As our company is not primarily IT-related we are late comers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago. 

I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products. 

She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.

I am a customer of SonarQube. 

At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers.

When we deploy on-cloud, we normally use Amazon Web Services. 

I rate SonarQube as a ten out of ten, easily. I think its fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine. 

SonarQube can be used for any missing components or component vulnerabilities.

Sonarqube has improved our best practice of pair programming that aligned with the CI pipeline.

The product has a friendly UI that is easy to use and understand. Especially, the admin's control panel is very good and It's not really difficult to get through the settings.

With minimal coding experience, we can build many rules that apply for each programming language, for example, CSS, and Java. You can easily set up rules. We are luckily able to do this with the community version.

With other community versions, you are not always allowed to customize the profile for example. With the SonarQube Community Edition, it's authorized.

Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT.

The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support.

It takes time to configure and create profiles. We need to improvise the way we introduce new tools.

We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.

Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.

Support needs to improve with their response time.

There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.

In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.

They advance their product without addressing security or internal codes.

SonarQube has been in place for one year, but we have only been using it for the last three months.

It's a scalable product. We have approximately 40 users.

We have contacted support but it's not mandatory operating support and takes some time to get a reply.

We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.

The initial setup is straightforward.

It takes a week to complete the deployment.

We are using the open-source community version, but there are enterprise licenses available.

I am a user of SonarQube and I am responsible for the information security.

I'm the principle of security in the office. I advise others of enhancing and incorporating security aspects into the IP.

We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers.

It is better to have a technical review before deployment to production. Developers must review before going into production.

It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it.

Before introducing any application tools, know the visibility of the project.

I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program.

It's also a part of corporate policy to know everything before it is published into the CI pipeline.

There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS.

I would recommend SonarQube to be on your initial plan for perfect quality.

I would rate SonarQube an eight out of ten.

SonarQube and SonarLint were adapted as part of the CI development process, i.e., the developers who committed to high severity issues in the repository were immediately notified via mail/Jenkins.

An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.

SonarLint: It gives code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering the early potential bugs).

SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).

There is need for support for the additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the CSM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).

A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.

There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.

They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.

We did not use a different solution in the past.

The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several CSMs).

The SonarLint setup is extremely simple in IntelliJ.

We did not purchase a license (required for C++ support), but this option was considered.

The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.

We did not evaluate other static code analysis solutions.

I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.

The rich graphical representation of numbers which are meaningful to dev leads/managers and top management .

It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.

Executing sonar analysis on a big chunk of code - with an Oracle database does take up a lot of time.

Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

I've used it for three years.

No issues encountered.

No issues encountered.

No issues encountered.

It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.

No previous solution was used.

The documentation is good . It should be fairly simple for someone with database knowledge.

We did it in-house.

This solution has the capability to analyze source code in almost all the languages in the market.

This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.

I have used this solution for ten years. 

This is a stable solution. 

This is a scalable solution. We have been using it for all of our critical projects. 

I have never made the calculations to understand the real value of this solution but I know that the return of investment is very good. If not, we wouldn't have continued to use it for the past 10 years.

As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool. 

This solution has evolved a lot in the last ten years. 

It comes with good DevOps implementation and security, which is a big problem today.