SonarQube Reviews

SonarQube delivers a continuous inspection of code quality.

When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.

I have been using SonarQube for approximately two years.

The stability of SonarQube is good.

I have found SonarQube to be scalable.

SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.

SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.

I rate SonarQube a seven out of ten.

I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity.

We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.

I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.

The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.

They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there.

In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.

It has been a couple of years.

Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.

It is definitely scalable. We plan to increase its usage.

Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching.

We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.

Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.

We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial. 

You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.

We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue.

Its deployment and maintenance can be done by one engineer.

We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.

We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.

You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible.

I would rate it an eight out of 10.

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

SonarQube is one of the more popular solutions because it supports 29 languages.

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.

The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.

We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.

What we are seeing is for some of the Javascript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.

In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.

I have been using SonarQube for approximately two years.

The solution is scalable. 

We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.

There are a lot of people using this solution in my organization because they are able to scan directly from their IDs.

We have worked with the support from SonarQube and we have had good experiences.

The initial setup was simple. When we did the upgrade and it took our team approximately two hours.

Our internal team did the implementation of the solution.

We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.

SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality and this tool helped.

The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.

I rate SonarQube a seven out of ten.

SonarCloud's user interface integrates with version control tools like GitLab, showing code smells and commits for code reviews. Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature.

SonarCloud is overall a good tool for identifying code smells, bugs, and code duplication, but we've found that using Android Lint is more effective for our needs.

The main advantage of using Android Lint over SonarCloud is its ease of integration. It was a bit tricky to integrate SonarCloud, inside the CI/CD pipeline, which had some integration challenges. No proper documentation existed, making it tough. 

Specifically, when pushing code and creating merge requests, SonarCloud wouldn't generate the merge request or run itself. This felt clunky and required extra configuration. The documentation just wasn't sufficient for integrating with our cloud and Android Lint. Ultimately, it took too long to integrate SonarCloud, leading us to explore other options like Android lint for improving code quality.

So, adding better documentation on integrating SonarCloud's pipeline within GitLab CI/CD would definitely be a valuable addition from my perspective. That's the key takeaway they should work on.

We've been using SonarCloud for a while, inside TruckITAM, stopping about four months ago. We established our pipeline for seamless build sharing with stakeholders, using Android Lint to optimize the pipeline process and costs.

SonarCloud is well-stable. It's a good system. Whenever I used to commit, it gave proper feedback about our code, like duplication or optimization suggestions. 

Overall, the product is stable, but a few features need addressing to improve the user experience. The integration process and overall flow feel a bit clunky. They need to optimize the user experience. 

It requires a bit of work on the user side. It is difficult for non-trained users. If someone untrained reads their documentation, integrating with SonarCoud should be easy. That's the tricky part. They need a good onboarding process and a support team for communication. We're the clients, so they should provide daily updates on new features and address any integration issues on our cloud.

There should be an open-source community available so that they can target small queries. Our cloud community feels a bit small and not very active. I searched for workarounds and how to cancel merge requests, which took forever.

Also, on the GitLab side, working on CI/CD pipeline automation was challenging. Improving the build time of the application was a pain. We had to write XML files and run scripts.

The documentation needs improvement on optimizing build time for seamless CI/CD integration with our Android apps. That's something I noticed for GitLab and researched for a while. We integrated it successfully for the driver side, but the other application timed out. We used BigRise as an alternative, and it optimized the build time to 10 minutes. That's how we successfully integrated our CI/CD pipeline at TaxRise.

Technical support as a whole, it was a while ago, like three months after we stopped using their services, that they emailed us. They should approach users proactively and try to ensure a smooth integration process. 

We already have a lot on our plates, so we don't have time to chase them. Even if we email them and they respond, we have other tasks in the pipeline. They should take ownership and manage the integration. Our SonarCloud integration ended up getting put on the back burner.

So, in terms of technical support, if you're providing a service, you need to be quick to respond to users and grab their attention. These are a few things SonarCloud could improve.

I wouldn't want to discourage their efforts, so I won't rate them a very bad rating. The product itself is still good, so I'd rate their technical support around six and a half out of ten.

And one other thing you can tell the SonarCloud team: they can improve their open-source community. A strong open-source community can significantly reduce the need for technical support. 

If they have good documentation for integrating with various platforms like web applications, back-end applications, server-side applications, Android, iOS, etc., and also GitLab pipelines, their rating could easily go up to eight and a half, maybe even nine.

Neutral

I currently work with the Android Lint. It's a built-in tool in Android Studio, used for checking errors in the code, code duplication, code smells, and improving code reusability. 

It helps in identifying spelling mistakes, unused variables, and imports, optimizing the code. We chose Android Lint over SonarCloud for similar functionalities, allowing us to improve code quality without relying on a third-party app. 

As an alternative to improve our code quality, we migrated the same functionality to our own cloud environment. This allows us to utilize Android lint for code improvements internally, eliminating reliance on any third-party app.

Some of the good features we found in SonarCloud that were valuable include the user interface integration with version control tools like GitLab. This lets us see code smells and track commits associated with specific code portions for code reviews.

Within these code reviews, we gain a complete analysis of things like code flow, which was a particularly helpful feature. Additionally, we can integrate Android lint directly into our CI/CD pipeline, allowing us to run critical lint checks automatically within the pipeline. This further automates our system and streamlines the development process.

The current pricing is quite cheap. The thousand-line package costs only ten euros per month, which is much cheaper compared to competitors like Veracode, which charge around a hundred or even ninety-nine dollars per month. So, the pricing is good as it is, but if they add features like AI-powered algorithms and core data optimization, they could easily see significant growth.

Overall, I would rate this product around nine out of ten. They're putting a lot of effort into developing the product, and it compares favorably to other options available. Plus, it's free initially with a set limit, making it quite accessible.

One thing SonarCloud could add is a separate AI for comprehensive code analysis. They already suggest improvements and urge users to adopt specific practices, but it could go further. 

For example, imagine using Android Studio and writing some code. SonarCloud's AI could analyze it and suggest algorithm or coding structure improvements.

There are also some application crashes and concurrency issues we encounter due to shared multi-threaded environments. So, another AI check they could offer would be analyzing how to optimize the application's algorithms for better performance. That would be another great improvement for SonarCloud.

We use the product for code-based security scanning.

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

SonarCloud's UI needs enhancement.

We have been using SonarCloud for five years.

I rate the product's stability a ten out of ten.

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

We have ten dedicated engineers working on the product's deployment and maintenance.

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

We use the solution for the software scan and integrate the application, which is a dependency check for the scan. Our customers send us the already developed solution for functional tests and security scans.

Firstly, the integration with the pipeline is good. If you have the FICO pipeline integrated already, the depth of the pipeline will be good. Secondly, the solution is easy to understand. It took little time to learn and understand how to use data.

SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.

I have been using SonarQube for a year.

It is a stable product. I rate it seven out of ten.

I didn't have any scalability issues when we used the pipeline. But downloading the code and doing this again on a local laptop is quite slow, especially when somebody needs to try some code in a big and complex project. It takes about four to six hours. I don't know why it takes so long on a local laptop because it works fine in the integrated pipeline. For support in the integration pipeline, it could be nine or ten, but If it is on a local laptop, I think it would be only five.

As we are using the free version, there is no technical support available. But the documentation support is okay for us. We read it depending on the website, but we cannot escalate the issue to the SonarQube provider.

I used the Micro Focus Fortify, but the performance integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.

The initial setup is simple. It requires some security, but it's simple. It has some community to help with the technical information, and the technical team of the solution is also okay. It takes one or two hours to deploy. I was not involved in the integration in the pipeline, but I was involved in the solution installed on the local laptop.

I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube.

If you need the support of SonarQube, then use the enterprise version.

SonarQube should have a foundation in Thailand so that we can buy the enterprise version and get support. Secondly, SonarQube still does not support many languages, but I am still determining which ones. So if these two can be improved, it will be good.

I rate it seven out of ten.

We are customers of SonarCloud.

I like that the solution can be installed locally. 

I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

I've been using this solution for about three years. 

The solution is stable. 

I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

I wasn't involved in the setup but I believe it was relatively easy. 

I rate this solution nine out of 10.