AppSecAn0945 - PeerSpot reviewer
Application Security Analyst at an agriculture company with 501-1,000 employees
Real User
Simple to use but the plugins are not well documented
Pros and Cons
  • "The most valuable function is its usability."
  • "This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."

What is our primary use case?

We use this solution in the development of our travel programs.

How has it helped my organization?

We use this program as a complement to our security scans, in addition to Checkmarx.

What is most valuable?

The most valuable function is its usability. It uses a simple approach.

What needs improvement?

This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.

The plugins are not well documented.

Buyer's Guide
SonarQube Server (formerly SonarQube)
June 2025
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,592 professionals have used our research since 2012.

For how long have I used the solution?

Several years.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We do not have any problems with scalability.

We have approximately fifteen developers using this solution, on the Java side.

How are customer service and support?

We have not needed to use the technical support.

Which solution did I use previously and why did I switch?

We did not use another solution, prior to this one.

How was the initial setup?

The setup is not complex. There are some issues during setup with the plugins because they are not well documented.

What's my experience with pricing, setup cost, and licensing?

Some of the plugins that were previously free are not free now.

Which other solutions did I evaluate?

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

What other advice do I have?

I would suggest trying the product. I like its usability because it has a simple approach.

We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle.

I would rate this solution a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Manager at a wireless company with 11-50 employees
Real User
Checks code against server-based audit version but QA audit controls need better automation
Pros and Cons
  • "Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
  • "We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."

What is our primary use case?

Our primary use is for coding best practice management and quality. Aside from that, we also use it for security.

I'm getting involved in moving this solution forward and positioning it in our enterprise so I haven't gotten to the point where we're nailing down the configuration and release controls yet.

How has it helped my organization?

SonarQube has not yet had an impact on our organization. In the past, however, I've used it to control the security vulnerabilities and establish standards for API control.

What is most valuable?

There are two major use cases. One is to integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.

What needs improvement?

I haven't really done a comparative analysis yet.

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major.

Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice based solution. Microservices are contained inside these containers which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes.

For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware. What it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application.

Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed.

I would rate this around seven out of ten, because it has what we need, and it's easy to use.

For how long have I used the solution?

I have used this solution for about a year.

What do I think about the stability of the solution?

SonarQube stability is fine. I would rank it high on the stability side.

What do I think about the scalability of the solution?

We're not going to test scalability. Our volume is not that heavy. For this organization, it's not serious in scope.

Our users include about 60 developers and two dozen QA. On the QA side, there will only be about five really using it. There will also be two people on security. In total about 60 or 70 enterprise-wide.

We are in the introductory phase and we will, later on, make this a part of our release process.

How was the initial setup?

It's pretty straightforward. It's a very easy thing to get up and running. It's the workflow side that you have to be careful about. Make sure that you don't overwhelm everybody with a report with a gazillion lines. Your real gems are in a very small percentage of it. So that's the configuration side, and that's what we're working on now. I've found that you have to tailor SonarQube's power to the maturity of the organization. Otherwise, you get a report with 2,000 items in it and it's hard to find the ones that are critical. This leads to data overflow and analysis paralysis at that rate.

What about the implementation team?

We did an evaluation in about two weeks, so it was pretty easy to do and that wasn't full-time.

We did not use an integrator, reseller or consultant for the deployment.

What other advice do I have?

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
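The reviewer above makes a point worth acting on: a raw SonarQube report with 2,000 items hides the handful of findings that actually matter, so the output has to be tailored before anyone reads it. The script below is an added example, not code from PeerSpot, from any reviewer, or from SonarSource. It assumes the input has the shape of a SonarQube `api/issues/search` response (an `issues` list whose entries carry `severity`, `type`, `status`, `component`, `line`, `rule` and `message`); the sample export, its rule keys and its messages are constructed for this example. It drops issues that are already resolved, applies a severity cutoff, and orders what remains with vulnerabilities first, then bugs, then code smells, so the first screen a developer sees is the short list rather than the backlog.

```python
"""Triage a SonarQube issue export so a team sees the few critical findings first.

Assumption (not from the reviews on this page): the input has the shape of a
SonarQube api/issues/search response. The sample below is constructed.
"""
import json
from collections import Counter

# SonarQube severity and type vocabularies, ranked most urgent first.
SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}
TYPE_RANK = {"VULNERABILITY": 0, "BUG": 1, "CODE_SMELL": 2}
# Statuses that still need someone's attention; resolved/closed issues are noise here.
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}

# Constructed sample export (assumed response shape; rule keys/messages illustrative).
SAMPLE_EXPORT = json.dumps({
    "total": 6,
    "issues": [
        {"key": "i1", "rule": "java:S2078", "severity": "BLOCKER", "type": "VULNERABILITY",
         "status": "OPEN", "component": "app:src/main/java/Login.java", "line": 42,
         "message": "Make sure using this LDAP filter is safe here."},
        {"key": "i2", "rule": "java:S1192", "severity": "MINOR", "type": "CODE_SMELL",
         "status": "OPEN", "component": "app:src/main/java/Util.java", "line": 10,
         "message": "Define a constant instead of duplicating this literal."},
        {"key": "i3", "rule": "java:S2259", "severity": "MAJOR", "type": "BUG",
         "status": "OPEN", "component": "app:src/main/java/Order.java", "line": 88,
         "message": "A NullPointerException could be thrown."},
        {"key": "i4", "rule": "java:S2068", "severity": "CRITICAL", "type": "VULNERABILITY",
         "status": "RESOLVED", "component": "app:src/main/java/Config.java", "line": 5,
         "message": "Hard-coded credential."},  # already resolved: must not be listed
        {"key": "i5", "rule": "java:S3649", "severity": "CRITICAL", "type": "VULNERABILITY",
         "status": "CONFIRMED", "component": "app:src/main/java/Report.java", "line": 120,
         "message": "Change this code to not construct SQL queries directly from user input."},
        {"key": "i6", "rule": "java:S1135", "severity": "INFO", "type": "CODE_SMELL",
         "status": "OPEN", "component": "app:src/main/java/Util.java", "line": 3,
         "message": "Complete the task associated to this TODO comment."},
    ],
})


def load_issues(export_text):
    """Parse the export and keep only issues that are still open."""
    data = json.loads(export_text)
    return [i for i in data.get("issues", []) if i.get("status") in OPEN_STATUSES]


def triage(issues, min_severity="MAJOR"):
    """Return open issues at or above min_severity, vulnerabilities first,
    then bugs, then code smells; within a type, most severe first."""
    cutoff = SEVERITY_RANK[min_severity]
    kept = [i for i in issues if SEVERITY_RANK.get(i.get("severity"), 99) <= cutoff]
    kept.sort(key=lambda i: (TYPE_RANK.get(i.get("type"), 99),
                             SEVERITY_RANK.get(i.get("severity"), 99),
                             i.get("component", ""), i.get("line", 0)))
    return kept


def summarize(issues):
    """Counts per issue type, so the shape of the backlog is visible at a glance."""
    return Counter(i.get("type", "UNKNOWN") for i in issues)


def format_report(issues):
    """One line per issue: type, severity, location, rule, message."""
    return "\n".join(
        f"{i['type']:<13} {i['severity']:<8} {i['component']}:{i.get('line', '?')}  "
        f"{i['rule']}  {i['message']}"
        for i in issues
    )


if __name__ == "__main__":
    open_issues = load_issues(SAMPLE_EXPORT)
    print("open issues by type:", dict(summarize(open_issues)))
    print(format_report(triage(open_issues)))
```

Raising the cutoff to `CRITICAL` for the team's first weeks, then lowering it as findings are worked off, is one way to match the report to the maturity of the organisation, as the reviewer recommends; the resolved hard-coded credential in the sample shows why status has to be checked as well as severity.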
Technical Architect at Dwr Cymru Welsh Water
Real User
Ensures that quality is not compromised between builds
Pros and Cons
  • "The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
  • "A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."

What is our primary use case?

Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.

How has it helped my organization?

This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between builds.

What is most valuable?

The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).

What needs improvement?

A robust credential scanner would be a huge bonus, as it would remove the need for yet another niche product with additional cost; it also gives the benefit of a single pane of glass view, although we still need WhiteSource Bolt for 3rd-party library scanning. The integration into Docker builds could be better, as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. I have not looked into SSL for the management page yet but am hoping that goes smoothly.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

We have only used this solution for a few weeks, but so far we have had no issues at all.

What do I think about the scalability of the solution?

My impression of the scalability is good, as it appears that it can support a much larger number of projects than we have.

How are customer service and technical support?

We have had no need to contact technical support.

Which solution did I use previously and why did I switch?

I did not use another solution prior to this one.

How was the initial setup?

The setup took a bit of work, but that was because we were combining Docker, Kubernetes, Azure Key Vault, and the Azure PaaS SQL Server.

What about the implementation team?

We took care of the implementation in-house.

What was our ROI?

In terms of ROI, it is difficult to put a number against code quality. For the cost of hosting it, I would say very good if you do not have a solution to start with.

What's my experience with pricing, setup cost, and licensing?

A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.

Which other solutions did I evaluate?

We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Manager at Dassault Systèmes
Real User
The FindSecBugs plugin has helped to solve our security vulnerability issues
Pros and Cons
  • "This has improved our organization because it has helped to find Security Vulnerabilities."
  • "The product's user documentation can be vastly improved."

What is our primary use case?

Our primary use case for this solution is security testing using the FindSecBugs plugin.

How has it helped my organization?

This has improved our organization because it has helped to find security vulnerabilities.

What is most valuable?

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

What needs improvement?

The product's user documentation can be vastly improved.

For how long have I used the solution?

Still implementing.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user731016 - PeerSpot reviewer
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
Real User
Protection That Detects Bugs and Provides Code Security
Pros and Cons
  • "I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality."

What needs improvement?

I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability of SonarQube is good. The number of people required for deployment and maintenance depends on our requirements for different client projects.

What's my experience with pricing, setup cost, and licensing?

We purchased the solution; it's not on a monthly or annual contract.

What other advice do I have?

On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
It easily ties into our continuous integration pipeline, but it is light on the security side
Pros and Cons
  • "It is very good at identifying technical debt."
  • "It easily ties into our continuous integration pipeline."
  • "I find it is light on the security side."

What is our primary use case?

Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though.

We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.

How has it helped my organization?

  • Higher code quality.
  • Faster to market.
  • Fewer errors.

What is most valuable?

  • The issues it identifies.
  • How easily it ties into our continuous integration pipeline.
  • It is very good at identifying technical debt.

What needs improvement?

As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It seems to be very stable. I haven't had many issues with it.

We just upgraded to the 6.7 version, which has been performing well.

What do I think about the scalability of the solution?

We haven't had any issues to date. We haven't had a huge number of projects to date. We're slowly slowing the uptake from some of our internal teams, but it seems to be fairly scalable.

How is customer service and technical support?

I haven't had to use technical support.

How was the initial setup?

The initial setup was fairly straightforward.

What's my experience with pricing, setup cost, and licensing?

The price point on SonarQube is good.

Which other solutions did I evaluate?

We are looking into corporate security and a couple different tooling options for doing data code analysis and security scanning.

We have looked into a few options:

  • We are looking at IBM AppScan.
  • I am going to be running a small PoC next week with Veracode. I started doing a bit of research on Veracode, and I saw how it ties in compared with SonarQube.

What other advice do I have?

We are looking at using another product to complement it for security reasons.

Most important criteria when selecting a vendor:

  • Usability of the product
  • Responsiveness when we have issues.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user732738 - PeerSpot reviewer
Technical Architect and Software Engineer at a tech services company
Real User
Provides holistic overview of all quality issues in a project and enables easy drill down into particular problems
Pros and Cons
  • "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."

What is most valuable?

SonarQube is not valuable because of the information it gives. We can gather that same information from several other tools as well. It is the way the information is presented that makes it so powerful. It provides a holistic picture of all quality issues in a software project. With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.

How has it helped my organization?

Individual developers are more concerned about the quality of their work when they see their results in the big picture.

For how long have I used the solution?

About a year, in different projects, including the current one.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Not used.

Which solution did I use previously and why did I switch?

We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.

How was the initial setup?

Very simple.

What's my experience with pricing, setup cost, and licensing?

Price is high and only worth it if your organization has hundreds of developers.

Which other solutions did I evaluate?

No.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user727500 - PeerSpot reviewer
Senior Java Developer at a financial services firm
Real User
Code convention ensures consistency and graphing tool gives overall view of code changes over time
Pros and Cons
  • "Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
  • "An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."

How has it helped my organization?

This product has helped us improve the quality of code within the business and ensure all new developers keep to a similar code convention per project. This can basically be tracked back to saving the company money, because improved quality of the code means less technical debt, which means it's easier to extend or add functionality to the code base. The quicker the development team can roll out changes, the fewer developer hours are needed to implement the changes, which the company needs to convert into profits.

What is most valuable?

Most features in the product are very useful, but there are some parts that I personally use more than others.

1. Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors.

A very useful addition to this tool is an IntelliJ plugin called SonarLint, which integrates into your IDE, then allows you to run the convention rules file by file and receive immediate feedback when making changes. This removes the need to push to the server before finding out what issues you need to resolve.

2. Technical Debt: Being able to see how much technical debt there is within the project is useful, especially if your change increases this value. It's a good way to determine whether your change is improving the overall code quality or not.

3. Graphing: The tool has some very useful graphs which give you an overall view of how the code looks and/or changes with time. A graph that I find useful is the bubble chart. It shows three different metrics in a 2D graph. It shows the number of lines of code versus the number of issues in that project. The third dimension is the size of the bubble, which is technical debt in the project. So it's very easy to see which projects need immediate attention, if they are in the top-right quadrant of the graph as a very large circle, i.e., high number of issues, high number of lines of code, and high technical debt. Seeing which project/submodule is in which quadrant of the graph shows where work is needed. You can also drill into the project and see any submodules within that project as well. Very useful.

What needs improvement?

  • Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make upgrading easier.
  • Another improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case. There is a way to mark the code/method with the issue number, but having to add comments/annotations in your code for your static analysis tool feels wrong to me.
  • Being able to have different groups or projects within the same server would be nice. Currently, I have a Sonar machine for production code (master branch) and UAT code (UAT branch), so when each branch is built in our continuous integration server it publishes to these two Sonar machines. What would be nice is if I could create subgroups within a single SonarQube server for each environment to remove the need for two separate machines.

What do I think about the stability of the solution?

It seems a lot more stable in the current versions of the product. I have never had major issues though, so I would say it's pretty stable.

What do I think about the scalability of the solution?

I haven't yet found any scalability issues, although with the upgrade to version 6, they have moved the processing of the stats from outside the server to inside the server. What I have noticed is that the machines running SonarQube are using a lot more resources, as the processing is done server side. This means that I need to increase the resources allocated to the machine. If I was running this in the cloud, it would be easy, as I would create a larger instance for the service. But as I have this running on a physical machine, I am limited to what I can allocate.

How are customer service and technical support?

I haven't used their technical support.

Which solution did I use previously and why did I switch?

Yes, I have used individual components which SonarQube uses, such as FindBugs, but with the static analysis run and reported back within a continuous integration server. This gives you back some of the results, but SonarQube is a single, complete solution for static analysis and has added improvements like a great UI and visualisations.

How was the initial setup?

Initial setup was pretty easy. I currently run this in a virtual Linux (Ubuntu) machine using Vagrant and VirtualBox. Installation using apt-get was pretty simple. I then bundled it all up into a new Vagrant box, which means I can spin up a new instance of SonarQube whenever and wherever I am (like a custom AMI on AWS), but locally.

What's my experience with pricing, setup cost, and licensing?

I am using the open source version of the product, so no cost. The licence is standard open source licensing, LGPL, so nothing to advise really.

Which other solutions did I evaluate?

I didn't. I am not sure if there are any other open source static analysis tools as good as this that I have found; well, at least three or four years ago there weren't.

What other advice do I have?

I would advise to get it done sooner rather than later. The sooner you have a better understanding of the state of your code base, the sooner you can make better business decisions based on that information.

Also, even though you may be a sole developer, I think it's still useful to use this tool and have these metrics at your fingertips. It's like version control: even if you are the only developer, I think it should be used for everything you do.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user