reviewer1158774 - PeerSpot reviewer
Senior Technical Architect at a tech services company with 501-1,000 employees
Real User
Feb 20, 2022
Effective vulnerability scanning, good support, and simple setup
Pros and Cons
  • "SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
  • "SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this."

What is our primary use case?

We are using SonarQube for scanning our services for issues as part of our IT department.

What is most valuable?

SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues. 

What needs improvement?

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

For how long have I used the solution?

I have been using SonarQube for approximately three years.

Buyer's Guide
SonarQube
January 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What do I think about the stability of the solution?

SonarQube is a stable solution.

What do I think about the scalability of the solution?

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

How are customer service and support?

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

Which solution did I use previously and why did I switch?

I have used Veracode previously.

How was the initial setup?

The initial setup is straightforward for SonarQube.

What about the implementation team?

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.

What's my experience with pricing, setup cost, and licensing?

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

What other advice do I have?

If SonarQube meets the needs of your use case, then use it.

I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1250178 - PeerSpot reviewer
Security Information Manager at a tech services company with 10,001+ employees
Real User
Jan 30, 2022
Reliable with a nice web interface but needs better reporting
Pros and Cons
  • "The solution offers a very good community edition."
  • "There isn't a very good enterprise report."

What is most valuable?

We find it very similar to Fortify, and it has the same advantages.

The web interface is very good. 

We have found the solution to be stable. 

The solution offers a very good community edition.

What needs improvement?

There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

For how long have I used the solution?

I've used the solution for three years. I've used it for a while now. 

What do I think about the stability of the solution?

In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze. 

How are customer service and support?

I've never used technical support. I can't talk about how helpful they are, never spoken with them personally.

If I do need to troubleshoot, I tend to rely on the community and search for answers there. 

Which solution did I use previously and why did I switch?

We've also used Fortify.

How was the initial setup?

I didn't participate in the installation process. I can't speak to how easy or difficult the process was. 

What's my experience with pricing, setup cost, and licensing?

I use the community version of the product.

What other advice do I have?

We are a customer and an end-user.

I'd rate the solution at a seven out of ten. It's mostly reliable. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1023003 - PeerSpot reviewer
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
Dec 10, 2021
IDE plugins are easy to use and integrate
Pros and Cons
  • "Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
  • "SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."

What is our primary use case?

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

What is most valuable?

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

What needs improvement?

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

For how long have I used the solution?

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

What do I think about the stability of the solution?

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

What do I think about the scalability of the solution?

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

Which solution did I use previously and why did I switch?

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

How was the initial setup?

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

What about the implementation team?

We implemented this solution through an in-house team. 

What's my experience with pricing, setup cost, and licensing?

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

What other advice do I have?

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1078050 - PeerSpot reviewer
Staff DevOps Specialist at a computer software company with 201-500 employees
MSP
Dec 4, 2021
Greatly improves the quality, straightforward to use, and stable
Pros and Cons
  • "My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
  • "A little bit more emphasis on security and a bit more security scanning features would be nice."

What is our primary use case?

It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

How has it helped my organization?

In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

What is most valuable?

My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

What needs improvement?

A little bit more emphasis on security and a bit more security scanning features would be nice. 

It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

For how long have I used the solution?

I have been using this solution for four years in my current job.

What do I think about the stability of the solution?

I don't think I ever had a problem.

What do I think about the scalability of the solution?

We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

How are customer service and support?

I've never been in a situation where I needed their support.

Which solution did I use previously and why did I switch?

I don't think that we used anything else previously. SonarQube was the first one.

How was the initial setup?

It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

What about the implementation team?

We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

What was our ROI?

I don't have that data. I don't think that we've ever calculated that. 

What's my experience with pricing, setup cost, and licensing?

My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

What other advice do I have?

It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
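The gate the reviewer describes (a merge is blocked when new code drops coverage below 80%, or when security conditions fail) is exactly what SonarQube's Web API exposes through api/qualitygates/project_status. The script below is an added example, not code from the review or from SonarSource: it reads that response, lists every failing condition with its threshold and actual value, and exits non-zero so a Jenkins or Azure DevOps job stops. The embedded payload is constructed to mirror the endpoint's shape; the server URL, token and project key in main() are placeholders.

```python
"""Fail a CI job when a SonarQube project's quality gate is not green.

Added example (not from the review or from SonarSource). Targets the Web API
endpoint api/qualitygates/project_status, which returns the gate verdict plus
each condition's comparator, threshold and actual value. SAMPLE_RESPONSE is a
constructed payload in that shape so the script runs offline.
"""
import base64
import json
import sys
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# Constructed sample: models the reviewer's rule that new code must keep
# coverage at or above 80 %. The coverage condition fails, the others pass.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "72.4"},
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "OK", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "100"},
        ],
        "ignoredConditions": False,
    }
}


def fetch_project_status(base_url: str, token: str, project_key: str) -> Dict:
    """Call the Web API. SonarQube accepts a user token as the basic-auth
    user name with an empty password. Not used in the offline demo."""
    query = urlencode({"projectKey": project_key})
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def failing_conditions(payload: Dict) -> List[str]:
    """One readable line per condition in ERROR state."""
    lines = []
    for cond in payload.get("projectStatus", {}).get("conditions", []):
        if cond.get("status") != "ERROR":
            continue
        # Comparator LT: the gate fails because the value fell below the
        # threshold (coverage). GT: it fails because the value rose above it
        # (ratings, duplication density).
        relation = "below" if cond.get("comparator") == "LT" else "above"
        lines.append(
            f"{cond['metricKey']}: {cond['actualValue']} is {relation} "
            f"threshold {cond['errorThreshold']}"
        )
    return lines


def gate_passed(payload: Dict) -> bool:
    """True only for an explicit OK verdict. NONE (no gate assigned) or a
    missing field counts as failure, so a misconfigured project cannot slip
    through the gate unnoticed."""
    return payload.get("projectStatus", {}).get("status") == "OK"


def evaluate(payload: Dict) -> Tuple[bool, List[str]]:
    return gate_passed(payload), failing_conditions(payload)


if __name__ == "__main__":
    # In CI replace SAMPLE_RESPONSE with
    # fetch_project_status("https://sonar.example.internal", "<token>", "svc")
    ok, problems = evaluate(SAMPLE_RESPONSE)
    for line in problems:
        print("GATE FAIL:", line)
    print("quality gate", "passed" if ok else "failed")
    sys.exit(0 if ok else 1)
```

Newer scanners can do the wait themselves with -Dsonar.qualitygate.wait=true, and the Jenkins SonarQube plugin offers waitForQualityGate(); the script is useful when the pipeline runs on a system without either, or when you want the failing conditions printed in the job log before it stops.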
it_user1689996 - PeerSpot reviewer
Software Engineer at a tech services company with 11-50 employees
Real User
Oct 13, 2021
Beneficial testing tool, helps developer become sharper, and makes software more secure
Pros and Cons
  • "The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper."
  • "The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."

What is our primary use case?

I use SonarQube for testing software.

What is most valuable?

The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.

What needs improvement?

The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.

In the next release, they should add the ability to analyze containers.

For how long have I used the solution?

I have been using SonarQube for approximately three years.

What do I think about the scalability of the solution?

We have mostly software developers using this solution, and there are approximately 50 using it.

Which solution did I use previously and why did I switch?

I have used Snyk and it is more catered to a different audience than SonarQube. SonarQube is more for software developers.

How was the initial setup?

The installation is straightforward, especially with the new Docker implementation.

What about the implementation team?

I did the implementation of the solution myself.

What's my experience with pricing, setup cost, and licensing?

The process of purchasing the solution could improve.

What other advice do I have?

This solution is a good static test tool for developers. It helps keep the maintainability and security of software.

I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at a computer software company with 501-1,000 employees
Real User
Aug 10, 2021
Plenty of features, but needs multiple other products to function well
Pros and Cons
  • "I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, which are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved."

What is our primary use case?

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the SonarLint plugin with Teamscale, which is then applied to the main product we are using.

What is most valuable?

I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, which are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

What needs improvement?

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying SonarLint to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved.

For how long have I used the solution?

I have been using this solution for approximately three years.

What do I think about the stability of the solution?

There can be some stability issues.

Which solution did I use previously and why did I switch?

I have used Veracode.

Which other solutions did I evaluate?

I have evaluated many other solutions similar to SonarQube.

What other advice do I have?

I rate SonarQube a six out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Solutions Architect at a tech services company with 11-50 employees
Real User
Jul 11, 2021
Installation straightforward, stable, and reliable
Pros and Cons
  • "The stability is good."
  • "The solution could improve by having better consulting services."

What is our primary use case?

We are using this solution to check and monitor application code to ensure security quality.

How has it helped my organization?

The solution has helped us mitigate problems in applications before they were a bigger issue.

What needs improvement?

The solution could improve by having better consulting services.

For how long have I used the solution?

I have been using SonarQube within the last 12 months.

What do I think about the stability of the solution?

The stability is good.

How was the initial setup?

The installation was straightforward, we have an internal team that does it.

What about the implementation team?

We have a team in our organization that does the implementation, configuration, and maintenance of the solution.

What's my experience with pricing, setup cost, and licensing?

The price of the solution could be reduced.

What other advice do I have?

I rate SonarQube a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1620009 - PeerSpot reviewer
Head Innovation Hub at a tech services company with 201-500 employees
Real User
Jul 10, 2021
Helps in improving the coding style and allows us to customize the rules
Pros and Cons
  • "It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
  • "Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."

What is our primary use case?

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. 

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

What is most valuable?

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. 

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

What needs improvement?

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

For how long have I used the solution?

I have been using this solution for four years. 

What do I think about the stability of the solution?

It looks stable. So far, we haven't found any issues.

How are customer service and technical support?

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

How was the initial setup?

It is straightforward. It takes very little time as compared to the other solutions.

What's my experience with pricing, setup cost, and licensing?

It is very expensive. Its price should be improved.

What other advice do I have?

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
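The SLA rule in this review (severe defects must be fixed, and a false positive must be justified) can be audited from the same data SonarQube already holds: api/issues/search returns each issue's severity, status, resolution and, with additionalFields=comments, the comments a developer attached when dismissing it. The script below is an added example, not code from the review or from SonarSource. The issue list is constructed in that response shape; the project key and the choice of BLOCKER and CRITICAL as the SLA scope are assumptions.

```python
"""Audit SonarQube issues against an internal SLA: blocker/critical findings
must be fixed, and anything dismissed as a false positive (or won't fix) must
carry a written justification.

Added example, not from the review or from SonarSource. Consumes the "issues"
entries returned by api/issues/search when called with
additionalFields=comments. SAMPLE_ISSUES is constructed for the offline demo.
"""
import sys
from typing import Dict, Iterable, List
from urllib.parse import urlencode

SLA_SEVERITIES = ("BLOCKER", "CRITICAL")        # assumed internal policy scope
UNRESOLVED = ("OPEN", "CONFIRMED", "REOPENED")  # SonarQube issue statuses
DISMISSED = ("FALSE-POSITIVE", "WONTFIX")       # resolutions that need a reason

# Constructed sample issues (messages paraphrased, component paths invented).
SAMPLE_ISSUES = [
    {"key": "AY1", "rule": "java:S2076", "severity": "BLOCKER",
     "type": "VULNERABILITY", "status": "OPEN",
     "component": "svc:src/Exec.java", "line": 41,
     "message": "OS command built from untrusted input.", "comments": []},
    {"key": "AY2", "rule": "java:S2077", "severity": "CRITICAL",
     "type": "VULNERABILITY", "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
     "component": "svc:src/Repo.java", "line": 88,
     "message": "SQL query built by string formatting.", "comments": []},
    {"key": "AY3", "rule": "java:S5131", "severity": "CRITICAL",
     "type": "VULNERABILITY", "status": "RESOLVED", "resolution": "FALSE-POSITIVE",
     "component": "svc:src/View.java", "line": 12,
     "message": "User-controlled data reflected in the response.",
     "comments": [{"login": "alice",
                   "markdown": "Template engine HTML-encodes this value; verified in review."}]},
    {"key": "AY4", "rule": "java:S1172", "severity": "MAJOR",
     "type": "CODE_SMELL", "status": "OPEN",
     "component": "svc:src/Util.java", "line": 7,
     "message": "Unused method parameter.", "comments": []},
]


def search_params(project_key: str, severities: Iterable[str] = SLA_SEVERITIES) -> str:
    """Query string for api/issues/search covering the SLA scope. Resolved
    issues are included on purpose so dismissals get audited too."""
    return urlencode({
        "componentKeys": project_key,
        "severities": ",".join(severities),
        "additionalFields": "comments",
        "ps": 500,
    })


def sla_violations(issues: List[Dict]) -> List[Dict]:
    """Return one record per issue that breaks the SLA, in input order."""
    out = []
    for issue in issues:
        if issue.get("severity") not in SLA_SEVERITIES:
            continue  # out of scope for this policy
        where = f"{issue.get('component')}:{issue.get('line', '?')}"
        if issue.get("status") in UNRESOLVED:
            out.append({"key": issue["key"], "reason": "unresolved",
                        "rule": issue.get("rule"), "where": where})
        elif issue.get("resolution") in DISMISSED and not issue.get("comments"):
            # A dismissal with no comment is an unjustified false positive.
            out.append({"key": issue["key"], "reason": "dismissed without justification",
                        "rule": issue.get("rule"), "where": where})
    return out


if __name__ == "__main__":
    # In CI, GET /api/issues/search?{search_params("svc")} and pass the
    # "issues" array (paging through "p" if total > ps) instead of the sample.
    violations = sla_violations(SAMPLE_ISSUES)
    for v in violations:
        print(f"SLA VIOLATION {v['key']} {v['rule']} at {v['where']}: {v['reason']}")
    sys.exit(1 if violations else 0)
```

On the sample, AY1 is reported as unresolved, AY2 as dismissed without justification, AY3 passes because a comment explains the dismissal, and AY4 is ignored as out of scope. Whether a comment is a good justification is still a human decision; the check only guarantees one exists.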
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026