SonarQube Reviews

I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity.

We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.

I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.

The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.

They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there.

In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.

It has been a couple of years.

Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.

It is definitely scalable. We plan to increase its usage.

Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching.

We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.

Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.

We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial. 

You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.

We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue.

Its deployment and maintenance can be done by one engineer.

We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.

We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.

You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible.

I would rate it an eight out of 10.

We use SonarQube mostly for code quality testing.

The integrations SonarQube provides with our software delivery pipeline are very seamless. The main benefit of using SonarQube in our organization was having a clean code with fewer static vulnerabilities within the application.

SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.

I have been using SonarQube for a few years.

SonarQube is a stable solution.

Around 20 to 25 people use the solution in my team.

The solution’s initial setup is straightforward.

The solution can be deployed within a couple of days. We don’t need many people to deploy SonarQube. It is not difficult to maintain the solution.

We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time.

I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint.

I would recommend users to try out the open source version of SonarQube. If that doesn't suffice their needs, then they can go for an enterprise version.

Overall, I rate SonarQube an eight out of ten.

We use SonarQube to check for vulnerabilities and quality. 

The solution has helped us to find flaws in the Syntax and comply with requirements. 

I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality. 

I think the code security can be improved. Code security should comply with the standard security list. 

I would like to see the feature of Compliance Reporting added to the solution.

I have been using this solution for two years. 

I would rate the stability a ten out of ten. 

About ten people in my company are using this solution. On average, we use this solution once in a week. 

We chose SonarQube due to its free community edition. After a while, when we will need more features, we will probably purchase the solution next year. 

I would rate the initial setup a ten out of ten. The solution is easy to install and use. It took us only a day to deploy SonarQube. We downloaded the solution and followed the setup process. We simply integrated this solution with Azure DevOps. The maintenance of this solution is handled by one person from the database team. 

We implemented the solution through an in-house application developer. 

This solution is simple to use and can be quickly deployed. I would rate the solution an eight out of ten. 

The product needs to integrate other security tools for security scanning. 

I have been using the product for a year. 

SonarQube is scalable. My company has 50 users. 

I rate SonarQube an eight out of ten. 

It serves as our primary tool for static code analysis, addressing various aspects such as code duplication, code smells, and security concerns. It stands out as an all-encompassing solution and it excels in security analysis and offers robust features for code optimization and duplication detection.

Through SonarCloud, we gain insights, especially in a microservices environment with product-based products. It provides valuable guidance in scenarios where I might not be well-versed in optimizing security for a particular service. It highlights areas for improvement, such as ensuring proper handling of headers and advising on changes needed in the codebase. Moreover, it offers suggestions for code enhancements, pointing out more efficient methods in languages like JavaScript.

Recently, they introduced support for mono reports and microservices, which is a noteworthy development as it provides a more detailed view of each service. Now, we can easily assess which services have more code and identify areas with potential issues. This addition has proven to be the most beneficial feature for our current use case.

There's room for improvement in the configuration process, particularly during the initial setup phase. Setting up features like mono reports can be challenging, and the existing documentation could use improvement in providing clearer instructions. I found myself needing to engage with support multiple times to navigate through certain aspects. Additionally, it would be beneficial if it could streamline the integration process for new features. Enhancing documentation on how to integrate these features seamlessly would go a long way in improving user experience. The introduction of an auto-commit functionality would be a valuable addition. Some other tools offer this feature, allowing for the automatic creation of pull requests to address identified issues. This functionality significantly reduces the manual effort required.

I would rate its stability capabilities ten out of ten.

I would rate it a ten out of ten because I haven't encountered any scalability-related issues. In my current company, we have around fifty users distributed across various organizations, including some smaller groups with around five to six individuals. In my previous job, the user count was higher, ranging from one fifty to two hundred people.

I find the support to be effective. Upon reaching out to them, they responded promptly, actively engaged in addressing the issue, and made efforts to resolve it. I would rate it ten out of ten.

Positive

We have experimented with other solutions simultaneously, but we consistently find this one to be more effective. It possesses an all-in-one capability, which is noteworthy. Typically, one might need separate software for security, another for static code analysis, and so on, but having everything in a single platform makes it advantageous.

The initial setup was challenging. Incorporating an auto-commit function would be a valuable enhancement and would markedly decrease the need for manual intervention and effort. I would rate it seven out of ten.

The deployment process is typically quick, taking about twenty to thirty minutes. For regular services, the setup is straightforward, involving the creation of a client account, installation of the SonarCloud app in GitHub, and linking it to the specific repository. In the case of microservices, the process involves having the GitHub action ready. Once the action is prepared, it's a matter of pasting it, and everything is set up. Updating and creating projects in SonarCloud are the next steps for microservices. The platform also offers the option to create multiple projects simultaneously. The main challenge users encounter when setting up microservices architecture on SonarCloud is the need to create their own GitHub action. The issue arises from inaccuracies in the GitHub action documentation provided by SonarCloud. Ultimately, to resolve the problem, users often have to create their own GitHub action independently, as the documentation does not offer a straightforward solution. Typically, a single individual, whether a DevOps professional or a Cloud Engineer, is sufficient for managing it.

The return on investment is positive as it not only aids in identifying issues but also helps developers gain a better understanding of the code. When facing particular challenges, developers often introspect and subsequently modify their coding practices, making it highly beneficial in that regard. I would rate it ten out of ten.

I would rate the price an eight out of ten because it's reasonable. While not extremely cheap, it aligns well with market standards and offers good value. It's an all-inclusive package where you pay a fixed price.

We examined options such as AWS CodeGuru, Snyk, and DeepScan recently. Despite considering the possibility of switching to another tool for a specific product, none of these options seemed suitable, leading us to retain our current choice.

Opting for SonarCloud is advantageous as it offers a complete package, including static code analysis, security assessments, and code optimization, all within a single tool. Overall, I would rate it nine out of ten.

We wanted a coding standard. We used to get coverage using SonarQube, so once the coding coverage was more than 80%, it was only then we could get Jenkins to start the build. Otherwise, Jenkins would fail from the build process. SonarQube is the point at which we confirm the DI. It is in the JUnit test cases where the coverage of the source code was more than 80%.

The SonarQube dashboard looks great.

Currently, we are doing SonarQube's validations for external configuration via XML. It would be better if SonarQube provided a good UI for external configuration.

I've used SonarQube for three and a half years since I started using the product in 2020.

I have not faced any issues with stability so far.

If you know how to work with the solution, it is scalable. There should be some methodologies other than JUnit test cases. There should be some other area involving the code. Four or five developers are using SonarQube with JUnit test cases. They used to build in Jenkins because once Jenkins is built and SonarQube's code coverage is more than 80%, the build happens successfully. Otherwise, the build fails.

SonarQube's technical support is good.

Positive

Since I know how to install SonarQube, I had no issues. I don't think the installation is a big challenge because it's a one-time installation process. You wouldn't have to repeatedly install the solution.

The time taken to deploy the solution comes down to microservices.

In the configuration you maintain for the external file used to evaluate the point, the lines should be less than 80 characters long, and the page should have less than 900 lines. The function size should also be split such that the maximum length of one should be less than 30. That's the configuration we are doing with SonarQube. Also, the number of clients we wrote should be covered within the JUnit test cases. When using Mockito for some of the database functionalities like login and authentication, SonarQube will evaluate the test cases passing through it, even when considering Mockito as the data provider for those test cases. And SonarQube covers those test cases.

When it comes to external configuration, even if we're changing the format of one field, that should be accommodated everywhere in the file. Discrepancies there could make it take some time to install the solution. If they had a UI for the setup, that would be good. Though the XML configuration can be tough, it could be automated.

In the Trivandrum team, we do around one to three microservices, like authentication and inventory. Those are two of the main microservices that I handle. The remaining are handled by some other team from Chennai or somewhere. For us, the coverage with microservices is more than 80%. The authentication service and the inventory services have good coverage.

If somebody is looking for good coverage and a good standard code, they should start using SonarQube. When writing the code, they can ensure it is written properly and not missing any code. If there are many lines we are missing or ignoring from the code, there could be cases where vulnerability can happen from those lines. Before you submit any code to any client, you should ensure the code coverage is more than 80% of the application. I rate SonarQube a nine out of ten.

We are using SonarCloud for static analysis. We must utilize this tool for code analysis prior to deployment. For instance, it is necessary to check for bugs or inconsistencies in the code and rectify them. SonarCloud can assist in this regard by providing high-quality content.

The most valuable feature of SonarCloud is its overall performance.

The reports could improve by providing more information. We are not able to use the reports in our operation until they are improved. Additionally, if the vendor provided more customization capabilities it would be a benefit.

I have been using SonarCloud for approximately one month.

I rate the stability SonarCloud a nine out of ten.

We have approximately 50 it specialists using this solution across a number of projects.

I rate the scalability of SonarCloud a seven out of ten.

I have not used the support often.

I rate SonarCloud an eight out of ten.

Positive

I have used other solutions prior to SonarCloud.

The initial setup of SonarCloud was done without too many issues. It was able to be done in approximately 10 minutes.

I did the implementation of the solution myself.

I am using the free version of the solution.

One person is enough for the maintenance of the solution.

I would recommend this solution to others.

I rate SonarCloud a nine out of ten.

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

The most valuable feature of this solution is that it is free.

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

I have been using SonarQube for three years.

It's a software as a service that you can access from on-premise.

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.

I have not contacted technical support.

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

The initial setup was straightforward. It only took about two weeks to deploy.

Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

It's an open-source solution, with no additional costs.

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

I am an expert in so many things, including security experts. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or.NET may be brilliant, but they don't know about the security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.