SonarQube Reviews

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports including Java, dotNET, Typescript and HTML CSS. It also allows us to set custom quality gates and rules.

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

I have used this solution for three years. 

This is a stable solution. 

This solution could be scalable, specifically from a reporting perspective. 

I would rate the customer support for this solution a seven out of ten. 

Neutral

I have previously used Checkmarx, Blackbelt and WhiteSource.

We have experienced a good return on investment using this solution. 

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

The most valuable feature of this solution is that it is free.

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

I have been using SonarQube for three years.

It's a software as a service that you can access from on-premise.

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.

I have not contacted technical support.

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

The initial setup was straightforward. It only took about two weeks to deploy.

Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

It's an open-source solution, with no additional costs.

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

I am an expert in so many things, including security experts. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or.NET may be brilliant, but they don't know about the security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

I have been using SonarQube for approximately two years.

SonarQube is a highly stable solution.

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

We search Google for solutions to any problems we may face.

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment(CI/CD). 

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

Our developers are learning how to improve their code.

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

The Enterprise edition has the additional features we need, but of course we have to pay for that.

I have been using SonarQube for approximately three months.

SonarQube is a reliable solution.

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

No.

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

We have a different group that is managing the SonarQube installation and setup.

SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off. 

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

No.

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. 

This solution is deployed on-premise. 

One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. 

Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside. 

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. 

Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. 

As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer. 

I have been using SonarQube for the past three years. 

The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development. 

As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be enhanced, based on customer feedback and the tech stack, such as how we can improve performance of have a deployment with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code improvements and the product we develop. Our top considerations are quality and security, which are being improved in a continuous process. There are many new features and enhancements coming in—for example, if you want to upgrade from the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve performance. 

This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are using Ansible, Kubernetes, and Docker. 

In our organization, there are currently around 25,000 people working with SonarQube. 

We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis. 

The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes, maximum. 

We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so there are no third-parties involved in development. 

I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long time, so I would guess the pricing would be decent. 

I rate SonarQube an eight out of ten. 

To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube. 

We are using SonarQube for code reviews. 

Code quality improvement, Secure coding pracitices 

The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

NA

I have been using SonarQube for approximately five years.

The solution is stable.

I have not needed to use technical support.

Positive

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

The solution does not require any maintenance.

SonarQube fits my purpose. It doesn't cause any hassles for me.

I rate SonarQube a nine out of ten.

We mainly need to do certain static analyses. While doing the coding, everybody sends a pool request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, that gets passed before committing the code into the main branch.

I like almost all of the features. We were initially using all these techniques by using different tools. 

The vulnerabilities and the code quality parameters are really important for us.

The initial setup is easy.

There's plenty of documentation available to users. 

The solution is stable.

The scalability is good.

The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.

For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.  

The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.

We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.

We plan on expanding and need more licenses. 

When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation. 

The initial setup is really straightforward. The supports are really good from the SonarQube. Enough documentation is also available. t's really straightforward to figure out how to do it.

We purchased a SonarQube developer license. We do not have the enterprise version.

We pay for licensing on a yearly basis.

On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source, the open-source almost provide similar functions. Of course, some additional language support, among other things, however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest if they reduce the price, that definitely it will boost the business.

We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well. 

The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the APA of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.

I'd rate the solution at a nine out of ten.

We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.

SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems.

The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.

I have been using the free version of SonarQube for approximately one year and then I purchased a subscription that I have been using for the last three years.

The solution is stable.

The solution has scaled well for our needs. We have two million lines of code and we have not had a problem.

We work for a large enterprise that has approximately 1,000 IT employees.

There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.

The installation is not difficult.

The solution has a free version and a license version. The license is priced reasonably, the cost of hiring one programmer is more expensive than the solution.

The licensing process could be improved. We need to contact purchasing to receive the key for the license but the process should be automatic, similar to a SAS purchase.

I have evaluated Fortify Application Defender.

I rate SonarQube a nine out of ten.