reviewer1992327 - PeerSpot reviewer
Senior Software Engineer at a tech services company with 51-200 employees
Real User
Dec 16, 2023
Offers stability and comprehensive feedback on code quality, including code optimization and duplication detection, which aids in improving user code practices
Pros and Cons
  • "SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
  • "The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."

What is most valuable?

SonarCloud's user interface integrates with version control tools like GitLab, showing code smells and commits for code reviews. Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature.

SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.

The main advantage of using Android Lint over SonarCloud is its ease of integration. It was a bit tricky to integrate SonarCloud inside the CI/CD pipeline, which had some integration challenges. No proper documentation existed, making it tough.

Specifically, when pushing code and creating merge requests, SonarCloud wouldn't generate the merge request or run itself. This felt clunky and required extra configuration. The documentation just wasn't sufficient for integrating with our cloud and Android Lint. Ultimately, it took too long to integrate SonarCloud, leading us to explore other options like Android Lint for improving code quality.

So, adding better documentation on integrating SonarCloud's pipeline within GitLab CI/CD would definitely be a valuable addition from my perspective. That's the key takeaway they should work on.

For how long have I used the solution?

We've been using SonarCloud for a while, inside TruckITAM, stopping about four months ago. We established our pipeline for seamless build sharing with stakeholders, using Android Lint to optimize the pipeline process and costs.

What do I think about the stability of the solution?

SonarCloud is well-stable. It's a good system. Whenever I used to commit, it gave proper feedback about our code, like duplication or optimization suggestions. 

Overall, the product is stable, but a few features need addressing to improve the user experience. The integration process and overall flow feel a bit clunky. They need to optimize the user experience. 

It requires a bit of work on the user side. It is difficult for non-trained users. If someone untrained reads their documentation, integrating with SonarCloud should be easy. That's the tricky part. They need a good onboarding process and a support team for communication. We're the clients, so they should provide daily updates on new features and address any integration issues on our cloud.

There should be an open-source community available so that they can target small queries. Our cloud community feels a bit small and not very active. I searched for workarounds and how to cancel merge requests, which took forever.

Also, on the GitLab side, working on CI/CD pipeline automation was challenging. Improving the build time of the application was a pain. We had to write XML files and run scripts.

The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps. That's something I noticed for GitLab and researched for a while. We integrated it successfully for the driver side, but the other application timed out. We used BigRise as an alternative, and it optimized the build time to 10 minutes. That's how we successfully integrated our CI/CD pipeline at TaxRise.

How are customer service and support?

Technical support as a whole, it was a while ago, like three months after we stopped using their services, that they emailed us. They should approach users proactively and try to ensure a smooth integration process. 

We already have a lot on our plates, so we don't have time to chase them. Even if we email them and they respond, we have other tasks in the pipeline. They should take ownership and manage the integration. Our SonarCloud integration ended up getting put on the back burner.

So, in terms of technical support, if you're providing a service, you need to be quick to respond to users and grab their attention. These are a few things SonarCloud could improve.

I wouldn't want to discourage their efforts, so I won't give them a very bad rating. The product itself is still good, so I'd rate their technical support around six and a half out of ten.

And one other thing you can tell the SonarCloud team: they can improve their open-source community. A strong open-source community can significantly reduce the need for technical support. 

If they have good documentation for integrating with various platforms like web applications, back-end applications, server-side applications, Android, iOS, etc., and also GitLab pipelines, their rating could easily go up to eight and a half, maybe even nine.

Buyer's Guide
SonarQube
May 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,747 professionals have used our research since 2012.

Which solution did I use previously and why did I switch?

I currently work with the Android Lint. It's a built-in tool in Android Studio, used for checking errors in the code, code duplication, code smells, and improving code reusability. 

It helps in identifying spelling mistakes, unused variables, and imports, optimizing the code. We chose Android Lint over SonarCloud for similar functionalities, allowing us to improve code quality without relying on a third-party app. 

As an alternative to improve our code quality, we migrated the same functionality to our own cloud environment. This allows us to utilize Android Lint for code improvements internally, eliminating reliance on any third-party app.

Some of the good features we found in SonarCloud that were valuable include the user interface integration with version control tools like GitLab. This lets us see code smells and track commits associated with specific code portions for code reviews.

Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature. Additionally, we can integrate Android Lint directly into our CI/CD pipeline, allowing us to run critical lint checks automatically within the pipeline. This further automates our system and streamlines the development process.

What's my experience with pricing, setup cost, and licensing?

The current pricing is quite cheap. The thousand-line package costs only ten euros per month, which is much cheaper compared to competitors like Veracode, which charge around a hundred or even ninety-nine dollars per month. So, the pricing is good as it is, but if they add features like AI-powered algorithms and core data optimization, they could easily see significant growth.

What other advice do I have?

Overall, I would rate this product around nine out of ten. They're putting a lot of effort into developing the product, and it compares favorably to other options available. Plus, it's free initially with a set limit, making it quite accessible.

One thing SonarCloud could add is a separate AI for comprehensive code analysis. They already suggest improvements and urge users to adopt specific practices, but it could go further. 

For example, imagine using Android Studio and writing some code. SonarCloud's AI could analyze it and suggest algorithm or coding structure improvements.

There are also some application crashes and concurrency issues we encounter due to shared multi-threaded environments. So, another AI check they could offer would be analyzing how to optimize the application's algorithms for better performance. That would be another great improvement for SonarCloud.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sagar Mody - PeerSpot reviewer
Solutions Architect at a tech services company with 10,001+ employees
Real User
Dec 10, 2023
Integrates well with other tools and has efficient dashboard features
Pros and Cons
  • "Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
  • "SonarCloud's UI needs enhancement."

What is our primary use case?

We use the product for code-based security scanning.

What is most valuable?

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

What needs improvement?

SonarCloud's UI needs enhancement.

For how long have I used the solution?

We have been using SonarCloud for five years.

What do I think about the stability of the solution?

I rate the product's stability a ten out of ten.

What do I think about the scalability of the solution?

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

What about the implementation team?

We have ten dedicated engineers working on the product's deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

What other advice do I have?

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
Thomas Boltze - PeerSpot reviewer
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Real User
May 14, 2023
Works well with very good integrations and pipelines
Pros and Cons
  • "Can tweak rules and feed them into our build pipelines."
  • "Currently requires multiple tools, lacking one overall tool."

What is our primary use case?

Our use case of SonarQube is to analyze code quality and to implement quality gates in our build pipelines.

What is most valuable?

The ability to tweak the rules and feed them into our build pipelines so that they can become an integral part of those pipelines is a valuable feature. This product works really well; the integrations and pipelines are good.

What needs improvement?

SonarQube currently requires multiple tools. I'd like to have the ability to use one tool overall. 

For how long have I used the solution?

We've been using this solution for a few years. 

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

The solution is scalable. 

What's my experience with pricing, setup cost, and licensing?

We pay a very reasonable, annual licensing fee. 

What other advice do I have?

My recommendation is to just go with this out-of-the-box rule set first. Don't try to tweak them and learn what they mean. First learn what the alerts mean and then slowly tweak it to your specific use cases.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Rashedul Khan - PeerSpot reviewer
Senior Software Engineer at cimsolutions
Real User
Top 5 Leaderboard
Mar 18, 2023
High performance, reliable, and quick support
Pros and Cons
  • "The most valuable feature of SonarCloud is its overall performance."
  • "The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit."

What is our primary use case?

We are using SonarCloud for static analysis. We must utilize this tool for code analysis prior to deployment. For instance, it is necessary to check for bugs or inconsistencies in the code and rectify them. SonarCloud can assist in this regard by providing high-quality content.

What is most valuable?

The most valuable feature of SonarCloud is its overall performance.

What needs improvement?

The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit.

For how long have I used the solution?

I have been using SonarCloud for approximately one month.

What do I think about the stability of the solution?

I rate the stability of SonarCloud a nine out of ten.

What do I think about the scalability of the solution?

We have approximately 50 IT specialists using this solution across a number of projects.

I rate the scalability of SonarCloud a seven out of ten.

How are customer service and support?

I have not used the support often.

I rate SonarCloud an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used other solutions prior to SonarCloud.

How was the initial setup?

The initial setup of SonarCloud was done without too many issues. It was able to be done in approximately 10 minutes.

What about the implementation team?

I did the implementation of the solution myself.

What's my experience with pricing, setup cost, and licensing?

I am using the free version of the solution.

What other advice do I have?

One person is enough for the maintenance of the solution.

I would recommend this solution to others.

I rate SonarCloud a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1871532 - PeerSpot reviewer
Managing Consultant
Consultant
Jun 13, 2022
It helps us detect vulnerabilities, but the integration with other tools in the CI/CD pipeline could be better
Pros and Cons
  • "I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is."
  • "CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling."

What is our primary use case?

We have several development streams, so we want to standardize our tooling and not necessarily restrict each tool to one specific purpose. We have CI/CD pipelines, with cloud solutions on one side and solutions like GitHub and Jenkins on the other.  

We use SonarCloud to scan code for vulnerabilities. The idea is to have that in a plan-do-check-act iterative way. Some development teams work in sprints with a scope of two weeks. For example, they define and finish their own user stories. 

Others work in Kanban, which means they work on one user story and only go on to the next when that one is finished. But the underlying thing is we are continuously using SonarCloud to clean out vulnerabilities in software that has been developed in-house.

What needs improvement?

CI/CD pipeline is part of a whole chain of design, development, and production, and it's becoming increasingly crucial to optimize the various tools across different stages. However, it's still a silo approach because the full integration is missing. This isn't just an issue with SonarCloud. It's a general problem with tooling.

For how long have I used the solution?

We've used SonarCloud for nearly nine months, but we're slowly using it more and more.

What do I think about the scalability of the solution?

The services are small, so scalability is not relevant. If you say that the service is an application, then the functionality of the application is, by definition, small and fit for purpose. The scalability of having lots of increased functionality within a service is not an issue. 

Scalability has more to do with the number of services or the full set of applications. A big company has multiple types of development going on that require SonarCloud. There are several services and applications that need to be scanned on a regular basis completely independently of each other. That's the issue. We're not hitting this threshold at the moment, so that's something we'll discover in the future as we add more to SonarCloud.

How was the initial setup?

I'm not implementing the solutions. However, I've talked to the people who deploy the tools, and they are happy with how easy setting up SonarCloud is.

What's my experience with pricing, setup cost, and licensing?

I can't say what it costs off the top of my head, but I believe the license is based on the number of users and services. Generally, it's considered inexpensive. 

The price is also based on the lines of code scanned. We use another solution instead of SonarCloud to scan third-party software. One thing is unclear. If you want to use SonarCloud for third-party software, you will reuse it for more services, but you only need to scan the latest version. 

You only need to scan once to cover all services that you're developing to minimize the cost of the scans. It doesn't make sense to redo the same scan for the third-party library version, which is used by many services. You only need to do it once.

What other advice do I have?

I rate SonarCloud seven out of 10. That rating is more of an intuitive sense of the product based on many years of experience.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1526550 - PeerSpot reviewer
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
May 12, 2022
Code quality assurance solution that supports many coding languages
Pros and Cons
  • "This solution has helped with the integration and building of our CI/CD pipeline."
  • "This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted."
  • "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
  • "That being said, there are better solutions in the market when it comes to SAST scanning."

What is our primary use case?

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

How has it helped my organization?

This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript, and HTML/CSS. It also allows us to set custom quality gates and rules.

What needs improvement?

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

For how long have I used the solution?

I have used this solution for three years. 

What do I think about the stability of the solution?

This is a stable solution. 

What do I think about the scalability of the solution?

This solution could be scalable, specifically from a reporting perspective. 

How are customer service and support?

I would rate the customer support for this solution a seven out of ten. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have previously used Checkmarx, Blackbelt and WhiteSource.

What was our ROI?

We have experienced a good return on investment using this solution. 

What other advice do I have?

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MarkRyall - PeerSpot reviewer
Strategist Individual Contributor at Peraton
Vendor
Apr 17, 2022
Good ROI, easy to install but it could use more functionality, and faster updates
Pros and Cons
  • "The most valuable feature of this solution is that it is free."
  • "We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security."
  • "There could be better integration with other products. It could have more functionality, and the updates could be faster."

What is our primary use case?

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

What is most valuable?

The most valuable feature of this solution is that it is free.

What needs improvement?

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

For how long have I used the solution?

I have been using SonarQube for three years.

It's a software as a service that you can access from on-premise.

What do I think about the stability of the solution?

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

What do I think about the scalability of the solution?

More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.

How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

How was the initial setup?

The initial setup was straightforward. It only took about two weeks to deploy.

Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

What about the implementation team?

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

What was our ROI?

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

What's my experience with pricing, setup cost, and licensing?

It's an open-source solution, with no additional costs.

Which other solutions did I evaluate?

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

What other advice do I have?

I am an expert in so many things, including security experts. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about the security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
HimanshuSharma - PeerSpot reviewer
General Manager at Dalmia Bharat Group
Real User
Apr 14, 2022
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
  • "We are using the Community edition, so we don't have to incur any licensing costs, and this is the best part."
  • "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
  • "There is no automation. You need to put the code there and test."

What is our primary use case?

We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it. 

We have started looking into it from the information security side, but it is being used by the core development team.

What is most valuable?

We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.

What needs improvement?

There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code.

We have 15 to 20 people who are using it.

How are customer service and support?

We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.

How was the initial setup?

It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.

What about the implementation team?

We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.

What's my experience with pricing, setup cost, and licensing?

We are using the Community edition of SonarQube.

What other advice do I have?

For a small setup with fewer applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.

I would rate it a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
User
Mar 31, 2022
Good analysis of code quality, great for even junior developers, and improves a website's look/feel
Pros and Cons
  • "We consider it a handy tool that helps to resolve our issues immediately."
  • "SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project."
  • "It should be user-friendly."

What is our primary use case?

I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues. 

A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method.

How has it helped my organization?

It improved our website's look and feel. 

We consider it a handy tool that helps to resolve our issues immediately. 

It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards. 

The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the codes. The tool has integration with several languages. 

What is most valuable?

SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time.

The solution's most valuable features are its:

  • Code quality
  • Release quality code
  • Code security
  • Security analysis

SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer.

Integrations: Analysis results are right where your code lives.

It works well with GitHub.

What needs improvement?

It should be user-friendly. I keep looking for improvements after every update. 

PeerSpot users give SonarQube an average rating of 8 out of 10. 

SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.

The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. 

SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.

For how long have I used the solution?

I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients). 

I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.

What do I think about the stability of the solution?

The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.

How are customer service and support?

Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did use another solution, however, we found issues such as:

  • Ineffective time management
  • Lack of instant communication
  • Not receiving timely feedback
  • Not receiving clear instructions or expectations
  • Share time management apps and resources for students
  • Utilize educational technology (“EdTech”)
  • There's also a need to increase peer review

How was the initial setup?

The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.

What was our ROI?

According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Denis Walrave - PeerSpot reviewer
Project Leader / Technical Expert at La francaise des jeux
Real User
Feb 10, 2022
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
  • "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
  • "The handling of the contents of Docker container images could be better."

What is our primary use case?

We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.

It is installed and plugged into a Kubernetes pipeline build system.

How has it helped my organization?

Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.

What is most valuable?

The performance is good.

What needs improvement?

The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

For how long have I used the solution?

I have been using SonarQube for between three and four years.

What do I think about the stability of the solution?

This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.

This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.

What do I think about the scalability of the solution?

We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.

How are customer service and support?

The technical support is good.

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to this one.

How was the initial setup?

The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.

The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.

What about the implementation team?

We handled the deployment completely in-house.

What was our ROI?

It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.

Which other solutions did I evaluate?

Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

What other advice do I have?

My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.

Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026