reviewer1565832 - PeerSpot reviewer
DevOps Lead at a marketing services firm with 1,001-5,000 employees
Real User
Feb 26, 2024
Used for code quality testing and helps streamline coding practices in an organization
Pros and Cons
  • "The integrations SonarQube provides with our software delivery pipeline are very seamless."
  • "SonarQube could improve its static application security testing as per the industry standard."

What is our primary use case?

We use SonarQube mostly for code quality testing.

What is most valuable?

The integrations SonarQube provides with our software delivery pipeline are very seamless. The main benefit of using SonarQube in our organization was having a clean code with fewer static vulnerabilities within the application.

What needs improvement?

SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.

For how long have I used the solution?

I have been using SonarQube for a few years.

Buyer's Guide
SonarQube
February 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,933 professionals have used our research since 2012.

What do I think about the stability of the solution?

SonarQube is a stable solution.

What do I think about the scalability of the solution?

Around 20 to 25 people use the solution in my team.

How was the initial setup?

The solution’s initial setup is straightforward.

What about the implementation team?

The solution can be deployed within a couple of days. We don’t need many people to deploy SonarQube. It is not difficult to maintain the solution.

What other advice do I have?

We use the API call for SonarQube to integrate it into our development workflow. It's a continuous process for us to review the reports and remediate any findings we get from SonarQube. The quality gates and quality profiles are helpful in establishing the required gates and governance that we may need. SonarQube has impacted our team's productivity and code quality over time.

I would recommend SonarQube to other users evaluating it because it helps streamline some of the coding practices. The solution helps teams within the organization get into a good habit of writing clean code. The solution is helpful from a long-term sustainability standpoint.

I would recommend that users try out the open-source version of SonarQube. If that doesn't suffice for their needs, then they can go for an enterprise version.

Overall, I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1992327 - PeerSpot reviewer
Senior Software Engineer at a tech services company with 51-200 employees
Real User
Dec 16, 2023
Offers stability and comprehensive feedback on code quality, including code optimization and duplication detection, which aids in improving user code practices
Pros and Cons
  • "SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs."
  • "The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps."

What is most valuable?

SonarCloud's user interface integrates with version control tools like GitLab, showing code smells and commits for code reviews. Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature.

SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.

The main advantage of using Android Lint over SonarCloud is its ease of integration. It was a bit tricky to integrate SonarCloud inside the CI/CD pipeline, which had some integration challenges. No proper documentation existed, making it tough.

Specifically, when pushing code and creating merge requests, SonarCloud wouldn't generate the merge request or run itself. This felt clunky and required extra configuration. The documentation just wasn't sufficient for integrating with our cloud and Android Lint. Ultimately, it took too long to integrate SonarCloud, leading us to explore other options like Android lint for improving code quality.

So, adding better documentation on integrating SonarCloud's pipeline within GitLab CI/CD would definitely be a valuable addition from my perspective. That's the key takeaway they should work on.

For how long have I used the solution?

We've been using SonarCloud for a while, inside TruckITAM, stopping about four months ago. We established our pipeline for seamless build sharing with stakeholders, using Android Lint to optimize the pipeline process and costs.

What do I think about the stability of the solution?

SonarCloud is very stable. It's a good system. Whenever I used to commit, it gave proper feedback about our code, like duplication or optimization suggestions.

Overall, the product is stable, but a few features need addressing to improve the user experience. The integration process and overall flow feel a bit clunky. They need to optimize the user experience. 

It requires a bit of work on the user side. It is difficult for non-trained users. If someone untrained reads their documentation, integrating with SonarCloud should be easy. That's the tricky part. They need a good onboarding process and a support team for communication. We're the clients, so they should provide daily updates on new features and address any integration issues on our cloud.

There should be an open-source community available so that they can target small queries. Our cloud community feels a bit small and not very active. I searched for workarounds and how to cancel merge requests, which took forever.

Also, on the GitLab side, working on CI/CD pipeline automation was challenging. Improving the build time of the application was a pain. We had to write XML files and run scripts.

The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps. That's something I noticed for GitLab and researched for a while. We integrated it successfully for the driver side, but the other application timed out. We used BigRise as an alternative, and it optimized the build time to 10 minutes. That's how we successfully integrated our CI/CD pipeline at TaxRise.

How are customer service and support?

As for technical support as a whole: it was a while ago, about three months after we stopped using their services, that they emailed us. They should approach users proactively and try to ensure a smooth integration process.

We already have a lot on our plates, so we don't have time to chase them. Even if we email them and they respond, we have other tasks in the pipeline. They should take ownership and manage the integration. Our SonarCloud integration ended up getting put on the back burner.

So, in terms of technical support, if you're providing a service, you need to be quick to respond to users and grab their attention. These are a few things SonarCloud could improve.

I wouldn't want to discourage their efforts, so I won't rate them a very bad rating. The product itself is still good, so I'd rate their technical support around six and a half out of ten.

And one other thing you can tell the SonarCloud team: they can improve their open-source community. A strong open-source community can significantly reduce the need for technical support. 

If they have good documentation for integrating with various platforms like web applications, back-end applications, server-side applications, Android, iOS, etc., and also GitLab pipelines, their rating could easily go up to eight and a half, maybe even nine.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I currently work with Android Lint. It's a built-in tool in Android Studio, used for checking errors in the code, code duplication, code smells, and improving code reusability.

It helps in identifying spelling mistakes, unused variables, and imports, optimizing the code. We chose Android Lint over SonarCloud for similar functionalities, allowing us to improve code quality without relying on a third-party app. 

As an alternative to improve our code quality, we migrated the same functionality to our own cloud environment. This allows us to utilize Android lint for code improvements internally, eliminating reliance on any third-party app.

Some of the good features we found in SonarCloud that were valuable include the user interface integration with version control tools like GitLab. This lets us see code smells and track commits associated with specific code portions for code reviews.

Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature. Additionally, we can integrate Android lint directly into our CI/CD pipeline, allowing us to run critical lint checks automatically within the pipeline. This further automates our system and streamlines the development process.

What's my experience with pricing, setup cost, and licensing?

The current pricing is quite cheap. The thousand-line package costs only ten euros per month, which is much cheaper compared to competitors like Veracode, which charge around a hundred or even ninety-nine dollars per month. So, the pricing is good as it is, but if they add features like AI-powered algorithms and core data optimization, they could easily see significant growth.

What other advice do I have?

Overall, I would rate this product around nine out of ten. They're putting a lot of effort into developing the product, and it compares favorably to other options available. Plus, it's free initially with a set limit, making it quite accessible.

One thing SonarCloud could add is a separate AI for comprehensive code analysis. They already suggest improvements and urge users to adopt specific practices, but it could go further. 

For example, imagine using Android Studio and writing some code. SonarCloud's AI could analyze it and suggest algorithm or coding structure improvements.

There are also some application crashes and concurrency issues we encounter due to shared multi-threaded environments. So, another AI check they could offer would be analyzing how to optimize the application's algorithms for better performance. That would be another great improvement for SonarCloud.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sagar Mody - PeerSpot reviewer
Solutions Architect at a tech services company with 10,001+ employees
Real User
Top 5
Dec 10, 2023
Integrates well with other tools and has efficient dashboard features
Pros and Cons
  • "Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots."
  • "SonarCloud's UI needs enhancement."

What is our primary use case?

We use the product for code-based security scanning.

What is most valuable?

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

What needs improvement?

SonarCloud's UI needs enhancement.

For how long have I used the solution?

We have been using SonarCloud for five years.

What do I think about the stability of the solution?

I rate the product's stability a ten out of ten.

What do I think about the scalability of the solution?

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

What about the implementation team?

We have ten dedicated engineers working on the product's deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

What other advice do I have?

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2180736 - PeerSpot reviewer
Information Technology Security at a consultancy with 10,001+ employees
Real User
May 12, 2023
A stable solution that needs to make its enterprise version and support available to users in Thailand
Pros and Cons
  • "The initial setup is simple. It requires some security, but it's simple."
  • "We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."

What is our primary use case?

We use the solution for the software scan and integrate the application, which is a dependency check for the scan. Our customers send us the already developed solution for functional tests and security scans.

What is most valuable?

Firstly, the integration with the pipeline is good. If you have the FICO pipeline integrated already, the depth of the pipeline will be good. Secondly, the solution is easy to understand. It took little time to learn and understand how to use data.
What needs improvement?

SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.

For how long have I used the solution?

I have been using SonarQube for a year.

What do I think about the stability of the solution?

It is a stable product. I rate it seven out of ten.

What do I think about the scalability of the solution?

I didn't have any scalability issues when we used the pipeline. But downloading the code and doing this again on a local laptop is quite slow, especially when somebody needs to try some code in a big and complex project. It takes about four to six hours. I don't know why it takes so long on a local laptop because it works fine in the integrated pipeline. For support in the integration pipeline, it could be nine or ten, but if it is on a local laptop, I think it would be only five.

How are customer service and support?

As we are using the free version, there is no technical support available. But the documentation support is okay for us. We read it depending on the website, but we cannot escalate the issue to the SonarQube provider.

Which solution did I use previously and why did I switch?

I used Micro Focus Fortify, but the performance of the integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.
How was the initial setup?

The initial setup is simple. It requires some security, but it's simple. It has some community to help with the technical information, and the technical team of the solution is also okay. It takes one or two hours to deploy. I was not involved in the integration in the pipeline, but I was involved in the solution installed on the local laptop.

What's my experience with pricing, setup cost, and licensing?

I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube.

What other advice do I have?

If you need the support of SonarQube, then use the enterprise version.

SonarQube should have a foundation in Thailand so that we can buy the enterprise version and get support. Secondly, SonarQube still does not support many languages, but I am still determining which ones. So if these two can be improved, it will be good.

I rate it seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
VP Business Development North America at Geko
Real User
May 16, 2022
Can be installed locally, is stable and easy to implement
Pros and Cons
  • "The solution can be installed locally."
  • "It would be helpful if notifications could go out to an extra person."

What is our primary use case?

We are customers of SonarCloud.

What is most valuable?

I like that the solution can be installed locally. 

What needs improvement?

I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

For how long have I used the solution?

I've been using this solution for about three years. 

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

How was the initial setup?

I wasn't involved in the setup but I believe it was relatively easy. 

What other advice do I have?

I rate this solution nine out of 10. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1526550 - PeerSpot reviewer
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
May 12, 2022
Code quality assurance solution that supports many coding languages
Pros and Cons
  • "This solution has helped with the integration and building of our CICD pipeline."
  • "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."

What is our primary use case?

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

How has it helped my organization?

This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript and HTML/CSS. It also allows us to set custom quality gates and rules.

What needs improvement?

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

For how long have I used the solution?

I have used this solution for three years. 

What do I think about the stability of the solution?

This is a stable solution. 

What do I think about the scalability of the solution?

This solution could be scalable, specifically from a reporting perspective. 

How are customer service and support?

I would rate the customer support for this solution a seven out of ten. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have previously used Checkmarx, Blackbelt and WhiteSource.

What was our ROI?

We have experienced a good return on investment using this solution. 

What other advice do I have?

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MarkRyall - PeerSpot reviewer
Strategist Individual Contributor at Peraton
Vendor
Apr 17, 2022
Good ROI, easy to install but it could use more functionality, and faster updates
Pros and Cons
  • "The most valuable feature of this solution is that it is free."
  • "There could be better integration with other products."

What is our primary use case?

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

What is most valuable?

The most valuable feature of this solution is that it is free.

What needs improvement?

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

For how long have I used the solution?

I have been using SonarQube for three years.

It's a software as a service that you can access from on-premise.

What do I think about the stability of the solution?

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

What do I think about the scalability of the solution?

More than just an environment, it was a project. There were about a dozen developers and five testers, to ensure that the developers used the tool before handing it over to the testers and that everything was in order.

How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

How was the initial setup?

The initial setup was straightforward. It only took about two weeks to deploy.

Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

What about the implementation team?

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

What was our ROI?

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

What's my experience with pricing, setup cost, and licensing?

It's an open-source solution, with no additional costs.

Which other solutions did I evaluate?

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

What other advice do I have?

I am an expert in so many things, including security. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Denis Walrave - PeerSpot reviewer
Project Leader / Technical Expert at La francaise des jeux
Real User
Feb 10, 2022
Good performance, improves the security of our applications, helpful technical support
Pros and Cons
  • "Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications."
  • "The handling of the contents of Docker container images could be better."

What is our primary use case?

We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module.

It is installed and plugged into a Kubernetes pipeline build system.

How has it helped my organization?

Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.

What is most valuable?

The performance is good.

What needs improvement?

The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

For how long have I used the solution?

I have been using SonarQube for between three and four years.

What do I think about the stability of the solution?

This solution consumes resources but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have.

This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.

What do I think about the scalability of the solution?

We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.

How are customer service and support?

The technical support is good.

Which solution did I use previously and why did I switch?

We did not use another similar solution prior to this one.

How was the initial setup?

The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it.

The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.

What about the implementation team?

We handled the deployment completely in-house.

What was our ROI?

It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.

Which other solutions did I evaluate?

Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

What other advice do I have?

My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them.

Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But, if you are talking about container images, there is room for improvement.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user