SonarQube provides valuable information regarding vulnerability detection, but it depends on your configuration. Overall, I rate the solution a nine out of ten.
The code quality metrics from the solution help us generate reliable reports on behalf of our company instead of asking questions like whether the code is scanned, whether it is vulnerable, and whether the code meets all standards. SonarQube is also able to identify to what level the code is secure, making it easier for the developer to check and understand the application. I would rate SonarQube an eight out of ten. I would recommend the solution to others who need to scan their code and are looking for the support that SonarQube provides through its features, but for core languages like C/C++ they can choose an alternative.
SonarQube has many integrations, even in our development backup environment. While setting up notifications was possible, it was quite complex to manage. However, SonarQube is one of the solutions I would recommend. In terms of code quality, it offers many features compared to other solutions in the market. It has been around for a while and delivers many functionalities. There are different solutions with better detection engines than SonarQube, but in terms of scalability and compliance, SonarQube is superior. Taking all factors into consideration, it is a better option. Overall, I rate the solution an eight and a half out of ten.
I integrate SonarQube into my CI/CD pipeline by running it during the build process for static code analysis. Once the analysis is complete, the results are sent to the dashboard for easy monitoring and tracking of code quality. Using SonarQube for security vulnerability detection offers several benefits such as comprehensive security rule coverage and integration with the dashboard for easy monitoring. Additionally, SonarQube provides features like password handling, eliminating the need for separate tools and enhancing overall code security. SonarQube handles false positives during code analysis by allowing teams to review and exclude them, especially in long-term projects where patterns are familiar. While false positives may occur, experienced teams can easily identify and manage them, ensuring accurate analysis results. For software development, especially in Java-based environments, I highly recommend using SonarQube due to its effectiveness in ensuring code quality and minimizing potential issues. While there are free tools available, SonarQube's comprehensive support for various languages and its benefits make it a valuable choice for developers. Overall, I would rate SonarQube as an eight out of ten.
Updated: October 2024.
We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code. SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube. We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions. We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution. Overall, I rate the solution a nine out of ten.
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
2024-02-22T10:50:35Z
Feb 22, 2024
We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time. I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint. I would recommend that users try out the open source version of SonarQube. If that doesn't suffice their needs, then they can go for an enterprise version. Overall, I rate SonarQube an eight out of ten.
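The API-driven gate the reviewer above describes, shown as an added example of turning a quality-gate result into a pipeline verdict. This is not the reviewer's code or SonarSource's; the endpoint name, its projectKey parameter and the JSON shape follow the SonarQube Web API (GET api/qualitygates/project_status), while the server URL, token, project key and the sample response are constructed for illustration.

```python
"""Evaluate a SonarQube quality-gate result and turn it into a CI verdict.

Added example, not from the reviewer or from SonarSource. The endpoint and
JSON layout follow the SonarQube Web API; SAMPLE_RESPONSE is a constructed
payload so the module runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample of what the endpoint returns for a project whose gate failed.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "72.5"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
}


def failing_conditions(project_status: dict) -> list[str]:
    """Return one human-readable line per condition whose status is not OK.

    ERROR is a hard gate failure; WARN (older gate definitions) only crossed
    the warning threshold, but is still reported so reviewers see it.
    """
    status = project_status.get("projectStatus", {})
    lines = []
    for cond in status.get("conditions", []):
        if cond.get("status", "OK") == "OK":
            continue
        lines.append(
            f"{cond['status']}: {cond['metricKey']} = {cond.get('actualValue', '?')} "
            f"({cond['comparator']} {cond['errorThreshold']})"
        )
    return lines


def gate_passed(project_status: dict) -> bool:
    """True only when the overall gate status is OK.

    NONE (no analysis yet) and ERROR both count as a failure, so a
    misconfigured or never-analysed project cannot slip through as green.
    """
    return project_status.get("projectStatus", {}).get("status") == "OK"


def fetch_project_status(base_url: str, token: str, project_key: str) -> dict:
    """Call the real endpoint with token auth (token as user name, empty password)."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def ci_exit_code(project_status: dict) -> int:
    """Map the gate result to the exit code of the pipeline step."""
    return 0 if gate_passed(project_status) else 1


if __name__ == "__main__":
    # Offline demo on the constructed response; in CI, replace SAMPLE_RESPONSE
    # with fetch_project_status("https://sonar.example.internal", token, key).
    result = SAMPLE_RESPONSE
    for line in failing_conditions(result):
        print(line)
    raise SystemExit(ci_exit_code(result))
```

The script deliberately treats anything other than an explicit OK as a failure; a pipeline that only checks for ERROR will pass a project that has never been analysed.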
System Analyst // System Architect at a tech services company with 10,001+ employees
Real User
Top 20
2023-08-28T05:56:03Z
Aug 28, 2023
In the configuration you maintain for the external file used to evaluate the point, the lines should be less than 80 characters long, and the page should have less than 900 lines. The function size should also be split such that the maximum length of one should be less than 30. That's the configuration we are doing with SonarQube. Also, the number of clients we wrote should be covered within the JUnit test cases. When using Mockito for some of the database functionalities like login and authentication, SonarQube will evaluate the test cases passing through it, even when considering Mockito as the data provider for those test cases. And SonarQube covers those test cases. When it comes to external configuration, even if we're changing the format of one field, that should be accommodated everywhere in the file. Discrepancies there could make it take some time to install the solution. If they had a UI for the setup, that would be good. Though the XML configuration can be tough, it could be automated. In the Trivandrum team, we do around one to three microservices, like authentication and inventory. Those are two of the main microservices that I handle. The remaining are handled by some other team from Chennai or somewhere. For us, the coverage with microservices is more than 80%. The authentication service and the inventory services have good coverage. If somebody is looking for good coverage and a good standard code, they should start using SonarQube. When writing the code, they can ensure it is written properly and not missing any code. If there are many lines we are missing or ignoring from the code, there could be cases where vulnerability can happen from those lines. Before you submit any code to any client, you should ensure the code coverage is more than 80% of the application. I rate SonarQube a nine out of ten.
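The thresholds the reviewer above lists (lines under 80 characters, files under 900 lines, coverage above 80% from the JUnit/Mockito run), shown as an added example of checking them locally before the code ever reaches the server. This is not the reviewer's configuration or SonarQube code. Coverage is read from a JaCoCo XML report, the format SonarQube imports through sonar.coverage.jacoco.xmlReportPaths; the report and the source text below are constructed, and the function-length limit is left to SonarQube's own rule because it needs a Java parser.

```python
"""Local pre-checks mirroring the reviewer's SonarQube thresholds.

Added example, not the reviewer's setup or SonarQube code. SAMPLE_JACOCO_XML
and SAMPLE_SOURCE are constructed inputs so the module runs offline.
"""
import xml.etree.ElementTree as ET

MAX_LINE_LEN = 80
MAX_FILE_LINES = 900
MIN_COVERAGE = 80.0

# Constructed JaCoCo report: the report-level <counter type="LINE"> aggregates
# every class; class and package counters are nested below it.
SAMPLE_JACOCO_XML = """<report name="inventory-service">
  <package name="com/example/inventory">
    <class name="com/example/inventory/StockService" sourcefilename="StockService.java">
      <counter type="LINE" missed="3" covered="37"/>
    </class>
    <class name="com/example/inventory/StockController" sourcefilename="StockController.java">
      <counter type="LINE" missed="10" covered="25"/>
    </class>
    <counter type="LINE" missed="13" covered="62"/>
  </package>
  <counter type="LINE" missed="13" covered="62"/>
</report>
"""

# Constructed source with exactly one line over the 80-character limit (line 4).
SAMPLE_SOURCE = "\n".join(
    ["package com.example.inventory;", "", "public class StockService {"]
    + ["    // " + "x" * 90]
    + ["}"]
)


def line_coverage(jacoco_xml: str) -> float:
    """Percentage of executable lines covered, from the report-level LINE counter."""
    root = ET.fromstring(jacoco_xml)
    # Direct children only: nested package/class counters would double-count.
    for counter in root.findall("counter"):
        if counter.get("type") == "LINE":
            missed = int(counter.get("missed", 0))
            covered = int(counter.get("covered", 0))
            total = missed + covered
            return 100.0 * covered / total if total else 0.0
    raise ValueError("no report-level LINE counter in JaCoCo XML")


def size_violations(source: str, path: str = "<source>") -> list[str]:
    """Report lines longer than MAX_LINE_LEN and files longer than MAX_FILE_LINES."""
    lines = source.splitlines()
    problems = [
        f"{path}:{n}: line is {len(line)} chars (limit {MAX_LINE_LEN})"
        for n, line in enumerate(lines, start=1)
        if len(line) > MAX_LINE_LEN
    ]
    if len(lines) > MAX_FILE_LINES:
        problems.append(f"{path}: {len(lines)} lines (limit {MAX_FILE_LINES})")
    return problems


def gate(source: str, jacoco_xml: str) -> tuple[bool, list[str]]:
    """Combine size and coverage checks into one pass/fail verdict with reasons."""
    problems = size_violations(source)
    cov = line_coverage(jacoco_xml)
    if cov < MIN_COVERAGE:
        problems.append(f"line coverage {cov:.1f}% is below {MIN_COVERAGE:.0f}%")
    return (not problems, problems)


if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_SOURCE, SAMPLE_JACOCO_XML)
    print("PASS" if ok else "FAIL")
    for reason in reasons:
        print(" -", reason)
```

Reading only the report-level counter matters: summing every LINE counter in the file would count each class three times (class, package and report level) and inflate the percentage.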
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
2022-04-27T08:20:00Z
Apr 27, 2022
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning. I would rate this solution an eight out of ten.
For a small setup with a small number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results. I would rate it a seven out of ten.
I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. I would rate this solution an eight out of ten.
Lead Engineer at a healthcare company with 10,001+ employees
Real User
2022-01-28T21:25:20Z
Jan 28, 2022
You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible. I would rate it an eight out of 10.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 5
2021-12-21T10:08:00Z
Dec 21, 2021
My advice to others would be to take a look at the community edition of SonarQube because it might be enough for their use case. I rate SonarQube a nine out of ten.
I rate SonarQube an eight out of ten. To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube.
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
2021-12-10T13:11:09Z
Dec 10, 2021
I rate SonarQube an eight out of ten. To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.
Staff DevOps Specialist at a computer software company with 201-500 employees
MSP
2021-11-11T06:09:33Z
Nov 11, 2021
It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process. I would rate it a 10 out of 10. I've never had any kind of problems with it. There are some products that have given me a bad day, but I never had a bad day because of it.
Project Manager at a manufacturing company with 1,001-5,000 employees
Real User
2021-11-03T20:00:00Z
Nov 3, 2021
We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well. The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps. I'd rate the solution at a nine out of ten.
Software Engineer at a tech services company with 11-50 employees
Real User
2021-10-08T20:35:29Z
Oct 8, 2021
This solution is a good static test tool for developers. It helps keep the maintainability and security of software. I rate SonarQube an eight out of ten.
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped. The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily. I rate SonarQube a seven out of ten.
Manager, Software Development Engineering at a computer software company with 51-200 employees
Real User
2021-08-04T16:48:03Z
Aug 4, 2021
I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there. I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow. I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Top 20
2021-04-29T13:02:30Z
Apr 29, 2021
We are just a customer and an end-user. While we installed the solution on the cloud, we host it on our machines. I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful. It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have. I would rate the solution at a six out of ten.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
Real User
2021-04-05T15:27:37Z
Apr 5, 2021
I would recommend to those wanting to implement this solution to read the documentation; it is clear and easy to follow. I rate SonarQube a nine out of ten.
For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you learn any language. There are many extra plugins you can apply to scan in your code. It has support for Android, iOS, COBOL, Java, JavaScript, databases, and more. It has everything you need. I rate SonarQube a nine out of ten.
The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it. We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features. I would rate this solution a seven out of ten.
For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation. It has been very difficult. Last year many projects stopped. I would rate SonarQube a six out of ten.
CTO at a computer software company with 11-50 employees
Real User
2021-01-08T15:43:25Z
Jan 8, 2021
I would recommend this solution to others. It easily outperforms other static code tools; it's perfect as a static code analysis tool. Overall, on a scale from one to ten, I would give SonarQube a rating of eight.
Security at a tech services company with 51-200 employees
Real User
2021-01-06T10:11:58Z
Jan 6, 2021
Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. I would rate SonarQube a six out of ten.
I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis. On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.
Project Manager, Senior Architect at a computer software company with 1,001-5,000 employees
Real User
2020-12-24T15:03:00Z
Dec 24, 2020
I would recommend SonarQube. It is a good deal compared to all other tools on the market. It certainly helped us, it is a good tool and should be definitely used. I rate SonarQube a nine out of ten.
Senior System Analyst at a tech services company with 1,001-5,000 employees
Real User
2020-12-07T17:49:08Z
Dec 7, 2020
Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also. If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have. I would rate SonarQube an eight out of ten.
Director IT Security, CISO at a transportation company with 10,001+ employees
Real User
2020-10-28T21:08:07Z
Oct 28, 2020
This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs. In the future, I may look into deploying SonarQube in a hybrid model. I would rate this solution an eight out of ten.
Information Technology Technical Architect at an insurance company with 51-200 employees
Real User
2020-10-27T06:39:00Z
Oct 27, 2020
There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source. Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software. Overall, I would recommend SonarQube for your initial software quality. On a scale from one to ten, I would give this solution a rating of eight.
Senior/Lead Software Engineer at General Pension Authority
Real User
2020-10-26T15:25:32Z
Oct 26, 2020
We're just customers. We don't have a business relationship with the company. I believe we are using the latest version of the solution, however, I don't know the exact number. I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products. Overall, I would rate the solution seven out of ten.
Information Technology Technical Architect at an insurance company with 51-200 employees
Real User
2020-09-06T08:04:35Z
Sep 6, 2020
I am a user of SonarQube and I am responsible for the information security. I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP. We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing, now we will need behavior discipline of security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers. It is better to have a technical review before deployment to production. Developers must review before going into production. It's a great tool but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it. Before introducing any application tools, know the visibility of the project. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial but unfortunately, we had to halt the program. It's also a part of corporate policy to know everything before it is published into the CI pipeline. There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS. I would recommend SonarQube to be on your initial plan for perfect quality. I would rate SonarQube an eight out of ten.
I would absolutely recommend this solution to another company. On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.
Security consultant at a computer software company with 1,001-5,000 employees
Real User
Top 20
2020-09-01T05:25:12Z
Sep 1, 2020
I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what is the feedback from a developer's point of view. I highly recommend SonarQube. I would rate this solution a ten out of ten.
Team Lead at a computer software company with 10,001+ employees
Real User
2020-08-30T08:33:32Z
Aug 30, 2020
Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think. On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven out of ten.
DevSecOps Lead at a tech services company with 11-50 employees
MSP
2020-08-20T07:50:18Z
Aug 20, 2020
This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case. I would rate this solution a five out of ten.
Engineer at a pharma/biotech company with 201-500 employees
Real User
2020-07-28T06:50:14Z
Jul 28, 2020
The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria. The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license. I would rate this solution a six out of ten.
Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular for developers. It's very good for the stats about the product for architects. The metrics are how the budgeting should be done, et cetera. These are the things that they can find out from the dashboard based on the lines of code. In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface. I would rate it an eight out of ten.
In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use. I would rate this solution a nine out of ten.
Cyber Security Architect (USDA) at a government with 10,001+ employees
Real User
2019-06-16T07:23:00Z
Jun 16, 2019
SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it. I would rate this solution an eight out of ten.
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified ,Vmware Vsphere5 at a financial services firm with 51-200 employees
Real User
2019-06-11T11:10:00Z
Jun 11, 2019
I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.
My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it. I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.
Country Manager Senegal at a financial services firm with 10,001+ employees
Real User
2019-05-30T08:12:00Z
May 30, 2019
This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code. If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules. I would rate this solution a seven out of ten.
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
2019-05-28T07:45:00Z
May 28, 2019
My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now. I would rate this solution an eight out of ten.
We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code. I would rate this solution a seven out of ten.
Vice President at a financial services firm with 1,001-5,000 employees
Real User
2019-05-22T07:18:00Z
May 22, 2019
This product is good but it is not meant to be a single solution for all issues. If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong. I would rate this solution a six out of ten.
Lead Engineer at a healthcare company with 10,001+ employees
Real User
2019-05-20T07:59:00Z
May 20, 2019
I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control. I have one graph here where there are probably 50 bubbles. There's one axis that shows technical debt, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. If you hover over the bubble, it tells you what module it is. How many lines of code. Technical debt and manpower estimate, things like that.
Application Security Analyst at an agriculture company with 501-1,000 employees
Real User
2019-05-16T07:47:00Z
May 16, 2019
I would suggest trying the product. I like its usability because it has a simple approach. We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle. I would rate this solution a seven out of ten.
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
Real User
2019-04-17T08:37:00Z
Apr 17, 2019
On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
2018-07-30T09:01:00Z
Jul 30, 2018
We are looking at using another product to complement it for security reasons. Most important criteria when selecting a vendor:
* Usability of the product
* Responsiveness when we have issues.
SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.
I would recommend the solution to other users. Overall, I rate the solution ten out of ten.
I rate the overall product a seven out of ten and would recommend it to others.
SonarQube has many integrations, even in our development backup environment. While setting up notifications was possible, it was quite complex to manage. However, SonarQube is one of the solutions I would recommend. In terms of code quality, it offers many features compared to other solutions in the market. It has been around for a while and delivers many functionalities. There are different solutions with better detection engines than SonarQube, but in terms of scalability and compliance, SonarQube is superior. Taking all factors into consideration, it is a better option. Overall, I rate the solution an eight-point five out of ten.
I integrate SonarQube into my CI/CD pipeline by running it during the build process for static code analysis. Once the analysis is complete, the results are sent to the dashboard for easy monitoring and tracking of code quality. Using SonarQube for security vulnerability detection offers several benefits such as comprehensive security rule coverage and integration with the dashboard for easy monitoring. Additionally, SonarQube provides features like password handling, eliminating the need for separate tools and enhancing overall code security. SonarQube handles false positives during code analysis by allowing teams to review and exclude them, especially in long-term projects where patterns are familiar. While false positives may occur, experienced teams can easily identify and manage them, ensuring accurate analysis results. For software development, especially in Java-based environments, I highly recommend using SonarQube due to its effectiveness in ensuring code quality and minimizing potential issues. While there are free tools available, SonarQube's comprehensive support for various languages and its benefits make it a valuable choice for developers. Overall, I would rate SonarQube as an eight out of ten.
We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code. SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube. We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions. We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution. Overall, I rate the solution a nine out of ten.
We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time. I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint. I would recommend that users try out the open source version of SonarQube. If that doesn't suffice for their needs, then they can go for an enterprise version. Overall, I rate SonarQube an eight out of ten.
I rate SonarQube an eight out of ten.
This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten.
In the configuration you maintain for the external file used to evaluate the point, the lines should be less than 80 characters long, and the page should have less than 900 lines. The function size should also be split such that the maximum length of one should be less than 30. That's the configuration we are doing with SonarQube. Also, the number of clients we wrote should be covered within the JUnit test cases. When using Mockito for some of the database functionalities like login and authentication, SonarQube will evaluate the test cases passing through it, even when considering Mockito as the data provider for those test cases. And SonarQube covers those test cases. When it comes to external configuration, even if we're changing the format of one field, that should be accommodated everywhere in the file. Discrepancies there could make it take some time to install the solution. If they had a UI for the setup, that would be good. Though the XML configuration can be tough, it could be automated. In the Trivandrum team, we do around one to three microservices, like authentication and inventory. Those are two of the main microservices that I handle. The remaining are handled by some other team from Chennai or somewhere. For us, the coverage with microservices is more than 80%. The authentication service and the inventory services have good coverage. If somebody is looking for good coverage and a good standard code, they should start using SonarQube. When writing the code, they can ensure it is written properly and not missing any code. If there are many lines we are missing or ignoring from the code, there could be cases where vulnerability can happen from those lines. Before you submit any code to any client, you should ensure the code coverage is more than 80% of the application. I rate SonarQube a nine out of ten.
There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.
I would rate the product an eight out of ten.
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning. I would rate this solution an eight out of ten.
For a small setup with a smaller number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results. I would rate it a seven out of ten.
If SonarQube meets the needs of your use case then I use it. I rate SonarQube an eight out of ten.
I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. I would rate this solution an eight out of ten.
I rate SonarQube a seven out of ten.
You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible. I would rate it an eight out of 10.
We are a customer and an end-user. I'd rate the solution at a seven out of ten. It's mostly reliable.
My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case. I rate SonarQube a nine out of ten.
I rate SonarQube an eight out of ten. To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically on the entire code base, not just on your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube.
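The reviewers above describe two things a pipeline needs: a coverage floor (80% in the Trivandrum team's configuration) and an automatic run whose result blocks the build rather than being checked by hand. The script below is an added example, not code from any reviewer or from SonarSource: it takes the JSON that SonarQube's `api/qualitygates/project_status` endpoint returns for a project and turns it into a CI exit code plus log lines naming each failed condition. The sample response and its metric values are constructed, and the helper names (`gate_passed`, `failed_conditions`, `pipeline_exit_code`) are mine. Anything other than an explicit `OK` status is treated as a failure, so a missing or unparseable response cannot silently let a build through.

```python
import json

# Constructed sample of a SonarQube GET /api/qualitygates/project_status
# response for one project. Metric names follow SonarQube's "new code"
# metrics; the values are made up for this example.
SAMPLE_RESPONSE = """
{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
       "errorThreshold": "80", "actualValue": "72.4"},
      {"status": "OK", "metricKey": "new_security_rating", "comparator": "GT",
       "errorThreshold": "1", "actualValue": "1"},
      {"status": "ERROR", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
       "errorThreshold": "3", "actualValue": "5.1"}
    ],
    "ignoredConditions": false
  }
}
"""


def gate_passed(payload: dict) -> bool:
    """Only an explicit OK passes; ERROR, WARN, NONE or a missing status all fail."""
    return payload.get("projectStatus", {}).get("status") == "OK"


def failed_conditions(payload: dict) -> list:
    """Return every gate condition whose own status is not OK."""
    status = payload.get("projectStatus", {})
    return [c for c in status.get("conditions", []) if c.get("status") != "OK"]


def describe(condition: dict) -> str:
    """One build-log line for a failed condition.

    The comparator says which direction breaks the gate: LT means the gate
    fails when the actual value is below the threshold, GT when above it.
    """
    comparator = condition.get("comparator", "?")
    op = {"LT": "<", "GT": ">"}.get(comparator, comparator)
    return (f"{condition['metricKey']}: actual {condition['actualValue']} "
            f"{op} threshold {condition['errorThreshold']} (status {condition['status']})")


def pipeline_exit_code(raw_json: str) -> tuple:
    """Map the raw API response to (exit code, log lines): 0 passes, 1 fails."""
    try:
        payload = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return 1, [f"could not parse quality gate response: {exc}"]
    if gate_passed(payload):
        return 0, ["quality gate OK"]
    lines = [describe(c) for c in failed_conditions(payload)]
    return 1, lines or ["quality gate status not OK"]


if __name__ == "__main__":
    # A real CI step would fetch the JSON with the project key and branch of
    # the current build and then call sys.exit(code); here the constructed
    # sample is used so the script runs offline.
    code, lines = pipeline_exit_code(SAMPLE_RESPONSE)
    print("\n".join(lines))
    print(f"exit code: {code}")
```

Note that the scanner itself can enforce the gate when started with `sonar.qualitygate.wait=true`, which makes the scan step fail on a non-OK gate; the explicit check above is useful when the pipeline needs to log which condition failed or to post that detail back to the pull request.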
I rate SonarQube an eight out of ten. To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.
It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process. I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.
We have already linked it with the CI/CD pipeline, and everything is working really smoothly. We have also already got the additional language support, which was not available in the open-source version. In the developer version, we have six-plus additional languages supported. That is actually helpful for us. Overall, it's going really well. The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I have also already integrated the API of SonarQube into my external system, and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration with any software or any third-party tools, including Azure DevOps. I'd rate the solution at a nine out of ten.
This solution is a good static test tool for developers. It helps keep the maintainability and security of software. I rate SonarQube an eight out of ten.
SonarQube is a very nice tool, and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality, and this tool helped. The solution has made the developers have more confidence in their code because, from the scanning, they can fix bugs and problems easily. I rate SonarQube a seven out of ten.
I rate SonarQube a nine out of ten.
I would recommend this solution to others. I would rate SonarQube a nine out of 10.
I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there. I think about 40% of the features I'd like to see are missing in SonarQube, so I'd rate it a six out of 10.
I rate SonarQube a six out of ten.
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow. I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
I rate SonarQube an eight out of ten.
I rate SonarQube a ten out of ten.
SonarQube is a very good tool for code quality. I rate this solution a seven out of 10.
On a scale from one to ten, I would give SonarQube an eight.
We are just a customer and an end-user. While we installed the solution on the cloud, we host it on our machines. I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful. It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have. I would rate the solution at a six out of ten.
I would recommend that those wanting to implement this solution read the documentation; it is clear and easy to follow. I rate SonarQube a nine out of ten.
For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you can learn any language. There are many extra plugins you can apply to scan your code. It has support for Android, iOS, COBOL, Java, JavaScript databases, and more. It has everything you need. I rate SonarQube a nine out of ten.
The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it. We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features. I would rate this solution a seven out of ten.
I would recommend this solution. I would rate SonarQube an eight out of ten.
For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation. It has been very difficult. Last year many projects stopped. I would rate SonarQube a six out of ten.
I would recommend this solution to others. It easily outperforms other static code tools — it's perfect as a static code analysis tool. Overall, on a scale from one to ten, I would give SonarQube a rating of eight.
Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. I would rate SonarQube a six out of ten.
I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis. On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.
I would recommend SonarQube. It is a good deal compared to all other tools on the market. It certainly helped us, it is a good tool and should be definitely used. I rate SonarQube a nine out of ten.
I would rate SonarQube a nine out of ten.
Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also. If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have. I would rate SonarQube an eight out of ten.
I would rate SonarQube an eight out of 10.
This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs. In the future, I may look into deploying SonarQube in a hybrid model. I would rate this solution an eight out of ten.
There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end — from the static, dynamic, and interactive source. Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys — something that provides more end-to-end — but before we can do that, we need more people who know how to properly run the software. Overall, I would recommend SonarQube for your initial software quality. On a scale from one to ten, I would give this solution a rating of eight.
We're just customers. We don't have a business relationship with the company. I believe we are using the latest version of the solution, however, I don't know the exact number. I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products. Overall, I would rate the solution seven out of ten.
I am a user of SonarQube, and I am responsible for information security. I'm the principal of security in the office. I advise others on enhancing and incorporating security aspects into the IP. We are currently using the community version. We are not quite ready for the licensed version as we need more discipline for our developers to do it correctly. Our team is growing; now we will need behavioral discipline around security, and then we can upgrade the license. We have passed the ISO certificate and encourage the use of tools for peer reviews for the developers. It is better to have a technical review before deployment to production. Developers must review before going into production. It's a great tool, but you have to have a good project plan before being introduced to the tools. For us, it is unfortunate that SonarQube was introduced at the end of the project phase, and the team is still having to learn it. Before introducing any application tools, know the visibility of the project. I would recommend using the SonarQube open-source version to get used to it before purchasing the license. Before we go with an enterprise product, we have to know the terms and how things are done to run software quality. We had reached out to sales support and asked for the enterprise license as a trial, but unfortunately, we had to halt the program. It's also a part of corporate policy to know everything before it is published into the CI pipeline. There are other alternatives that provide end-to-end analysis from the static, dynamic, interactive, and SaaS. I would recommend SonarQube to be on your initial plan for perfect quality. I would rate SonarQube an eight out of ten.
I would absolutely recommend this solution to another company. On a scale from one to ten, I would give this solution a rating of eight. I would give it a higher rating if the technical debt computation was improved.
I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what the feedback is from a developer's point of view. I highly recommend SonarQube. I would rate this solution a ten out of ten.
Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think. On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven out of ten.
This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case. I would rate this solution a five out of ten.
The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria. The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license. I would rate this solution a six out of ten.
Awareness about how to use the product is important. It's a very good product for developers because it gives you timely notifications about where the tool has gone wrong or what could go wrong in the future. That's popular with developers. It's very good for the stats about the product for architects. The metrics are how the budgeting should be done, et cetera. These are the things that they can find out from the dashboard based on the lines of code. In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there, and it would benefit the users as well. For every pull request, they should be able to see their bugs or vulnerabilities directly on the surface. I would rate it an eight out of ten.
I would rate this solution a seven out of ten.
Security analysis is a MUST.
In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use. I would rate this solution a nine out of ten.
SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it. I would rate this solution an eight out of ten.
I would rate this product somewhere between six and seven. It works for many clients, but if the user's needs and application are super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with something like SonarQube, or another open source software solution.
My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it. I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.
This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code. If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules. I would rate this solution a seven out of ten.
My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now. I would rate this solution an eight out of ten.
We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code. I would rate this solution a seven out of ten.
This product is good but it is not meant to be a single solution for all issues. If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong. I would rate this solution a six out of ten.
I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control. I have one graph here where there are probably 50 bubbles. There's one axis that shows technical debt, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. If you hover over the bubble, it tells you what module it is, how many lines of code, technical debt and manpower estimate, things like that.
I would suggest trying the product. I like its usability because it has a simple approach. We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle. I would rate this solution a seven out of ten.
From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.
We are looking at using another product to complement it for security reasons. The most important criteria when selecting a vendor:
* Usability of the product
* Responsiveness when we have issues.