it_user347733 - PeerSpot reviewer
DevOps Engineer at Trantor Software Private Limited
Consultant
It's changed the attitude of our developers as they can see their code exceptions at compile time, but it would be great if it also covered XML code.

What is most valuable?

We are working in the banking sector, and our application code is quite large in terms of performance. Ranorex has helped us a lot to follow Java code conventions for writing performance-oriented code.

It also has very good compatibility with continuous integration servers like Hudson and Jenkins.

How has it helped my organization?

It has changed the whole attitude of the developers on our team, as they can see their code exceptions at compile time. With this, we have delivered a quality product to our stakeholders.

What needs improvement?

It would be great if it also covered XML code.

For how long have I used the solution?

We have been using this solution in our Java web application for the last 18 months. We embedded SonarQube with the help of a SonarQube-maven plugin in our web application.

Buyer's Guide
SonarQube Server (formerly SonarQube)
September 2025
Learn what your peers think about SonarQube Server (formerly SonarQube). Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and support?

It's excellent as we get everything we need from the product.

How was the initial setup?

It was somewhat complex as we have to integrate it with Apache Maven-2.2.1, and there is no listing of SonarQube version compatibility with Apache Maven.

What about the implementation team?

We did it in-house.

What was our ROI?

It is quite an efficient product in terms of ROI.

What's my experience with pricing, setup cost, and licensing?

It is available on an open-to-use license.

Which other solutions did I evaluate?

We did some R&D according to our product need and found SonarQube as a solution.

What other advice do I have?

I would advise you to implement SonarQube if you are facing any performance-related issues in your products.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
PeerSpot user
Technical Authority Digital at a insurance company with 1,001-5,000 employees
Vendor
It enables Technical Leads to monitor and measure the effectiveness of delivery teams, but it needs better integration with JIRA.

What is most valuable?

So, it's been more than a year on since I wrote this review, so what has changed?

Well. The first thing to say is that we (that is, a large multi-national financial services company) continue to use SonarQube; indeed it has become mandatory for all projects (new and existing). We have introduced an aggregation portal which takes metrics from SonarQube via its API along with other sources, to provide a cross-project and somewhat sanitised view for upwards reporting. It's important, we feel, not to try and hide issues, but at the same time not to 'set hares running' by exposing more senior management to metrics 'in the raw'. So instead, we gather all the evidence that we have, and add to that some constructive assessment from the lead solution designers, scrum masters and others, to provide a more balanced and reasoned view. As we all know, there are a whole multitude of metrics baying for our attention, and it is not always obvious which are critical and which are less important (and that is often a factor of timing and priority).

One thing we did do this year is consider other complementary products, particularly in the area of identifying security vulnerabilities in both our own code bases and the open source 3rd party libraries that are routinely packaged with a released application. The latter category can often account for 80%+ of the actual app, so it's an important area not to neglect. SonarQube does provide some support here i.r.o the integration of OWASP top 10, but it clearly isn't an area of strength when compared to more dedicated products. We did an RFP and have now selected two further products that will bolster this aspect considerably.

We have also moved forward with SonarQube in 3 important ways. First, we have upgraded our implementation to version 5.4 (prev. 4.5.x). This was important to many of our teams because some plugin support requires the later version. The second change is that we have moved our implementation of the SonarQube server into Docker. SonarSource provide an OOTB image on DockerHub which is a good starting point. We have enhanced it in a couple of ways to reduce the size and attack surface and also to add our specific config, but it was pretty easy to do so, so good job from SonarSource here. The third difference is we have moved some of our installs to use the Professional version rather than OSS. There were a couple of reasons: one was to access some commercial plugins which come bundled as part of the product, and it made more sense (funding-wise). Another was to provide better support for a central SQ service. When I said 'some' of our installs, that was deliberate. We don't only provide SQ as a central PaaS, but also allow distributed DevOps teams to spin up their own, as long as they fully understand that operational support becomes their problem too of course (no free lunch here!). This works well for teams who want to manage more of their delivery pipeline rather than be part of a change control process where other participants might need to be consulted and perhaps engage in regression testing when changes are requested.

One significant change in v5.x is the movement of the database update to the server. This has a couple of important consequences. The first is that the build-breaker plugin is no longer useful, since it's harder to synchronise the fact that a build has failed with the update of the analysis outcome visible on the server. We use that plugin a lot, so it was a bit of a PITA. There is a compatible approach that SonarSource have documented, but personally I'm not a great fan because it increases the number of moving parts and thus the opportunity for something else to fail. But, with any upgrade there are always 'swings and roundabouts', and on the whole the positives outweigh the negatives (decoupling the client-side analysis from the database update *is* on the whole a good thing). SQ v5 also comes with a bunch of new 'runners', now called 'scanners'. We have used the basic one, the Maven one and the MSBuild one, and all work fine. It's another change that you need to consider as part of migration, but not a massive one. Security controls have been enhanced in v5 and it's now easier to apply more granular access controls than in v4. For companies that outsource development work that's likely to be quite important (it is for us).

Licensing in the 'immutable server' world, whether that's Docker or native Cloud, remains unresolved. SonarSource seem a little behind the curve here, but we are talking to them. The key point is that we no longer stand up environments (including CI/CD pipelines) with any intention that they will have a 'shelf life' beyond their immediate use. Creating environments for specific use cases then tearing them down frequently (often this can be measured in minutes or hours) has become commonplace for us and has tremendous advantages over previously used 'convergence' approaches using config management tools like Puppet, Chef or Ansible. Many vendors recognise this and have adjusted licensing arrangements; SonarSource aren't quite there yet (but they are willing to talk about it).

Anyway, that's probably enough of an update. I hope you find this, and the previous review, helpful?

Original Review (circa: 2014/15)

Moving to a largely evidence-based assessment is hugely beneficial, especially if you are managing out-sourced resources. It provides a clear definition of what acceptable quality actually means, and supports the decision of when you can stop, as well as what is not as there are no arguments based on an opinion. That said, metrics only take you so far, you still need smart people who can interpret and see beyond the base facts provided.

The ability to integrate analysis of software engineering metrics directly into the Development Lifecycle (DLC) in much the same way as any other practice such as Unit Testing. Specifically, developers run SonarQube analysis frequently and don’t commit changes to SCM when build breaker issues remain.

Early warning via CI build pipeline and especially setting up ‘Build Breakers’ based on a team or code base specific quality gate - a set of rules/thresholds that determine the most important measures for a particular code base.

Targeted improvement allows a team to identify specific areas of threat (e.g. TD) and then set purposeful goals to improve in those areas (rather than trying to improve everything).

The SonarQube community is very active which often means that finding solutions is a blog post away from other like-minded organisations. Community plugins are a staple for this product and have tremendous breadth and depth.

How has it helped my organization?

It would be utterly impossible to contemplate Continuous Delivery without including a major focus on ensuring affordable software quality. SonarQube plays a key role in this endeavour and provides Senior Management oversight across multiple project teams and business deliveries. It fits in very well with existing Continuous Integration build pipeline workflows, and as we move towards Continuous Delivery it helps ensure 'no surprises' release management.

It gives us software quality assessment at an affordable cost (licensing, time and effort). Previous attempts have failed to win the support of the development community (typically overly complex and intrusive and/or not sufficiently timely), without which the initiative will be doomed to failure.

What needs improvement?

  • More granular security
  • Simpler integration with JIRA
  • It would be nice for a dashboard server to be able to address more than one database (this limitation tends to encourage either lots of small (team/project) servers or one uber server if you want to report across projects).

For how long have I used the solution?

3 years.

What was my experience with deployment of the solution?

Originally we used Puppet to apply our specific configuration to our SQ install, and this was pretty successful albeit reasonably complicated. More latterly we have moved to using Docker. SonarSource provide a base image on DockerHub which is easy to extend for your own use case. We updated it to use a smaller footprint base image (Alpine) to reduce the size and attack surface, and then added our own set of plugins and other config. All straightforward.

What do I think about the stability of the solution?

There were initially some questions about performance and in particular the location of the database (some suggesting that this needed to be physically close to the point of analysis to minimize network latency). However, this is highly dependent on the size of the code base under analysis (and the multiplicity of code bases). In our case we didn’t find any problem in running the database, server and analysis process in separate locations (RDS, EC2 and Jenkins respectively). Our largest code base to-date is around 500K lines.

How are customer service and technical support?

Customer Service:

Average. That said, considerable effort has been made to make the product largely self-supporting from the install and initial config perspective. Responses to queries directly to SonarSource haven't always been particularly successful, but the community forum is pretty good.

Technical Support:

We haven’t had a need for an official support contract with SonarSource. The open source community around SonarQube is very active and has met all of our needs to-date. That said, SonarSource do publish very helpful materials, documentation, blog posts, webinars etc. which we definitely take advantage of.

Which solution did I use previously and why did I switch?

Yes. We had been using Coverity. However, whilst an excellent product with perhaps more capability, we found that it was more difficult to integrate into the development lifecycle and take-up was relatively modest. The sophistication of the solution was not well suited to our requirements in the sense that we are not producing commercial software but creating applications for internal use, and therefore the depth of analysis available was not really needed, especially given the much higher learning curve. Licensing and platform costs were also high. We found SonarQube to be sufficiently powerful at a much more affordable price point.

More recently we have added two products with a specific focus on detecting security vulnerabilities. SQ does offer basic OWASP top 10 support within the language rule sets, but it's fair to say that this is probably not sufficient to keep your security folks happy. We definitely wanted to add support for scanning 3rd party libraries which probably make up 80%+ of our released app.

How was the initial setup?

Creating instances of each of the major components (server and database) is very straightforward. Of course there are some complexities if you want to operate high availability, failover and so on, but no more so than any other application server. Given the stage in the lifecycle where SonarQube is used, it is in some ways less critical, so periodic outages can be tolerated. We typically operate an immutable server pattern, so if/when we have server issues, we can easily destroy and re-create our environments or auto-scale them up and down as required. Integration into the CI world is easy (Jenkins plugin available or just use the command-line 'runner') and integration into the developer lifecycle is also easy via plugins for mainstream IDEs (Eclipse, Visual Studio, etc).

Using Docker simplifies things considerably. At the same time, the clutch of new 'scanners' does mean some extra work if you are migrating from v4.

What about the implementation team?

In-house. The product is sufficiently simple that setting up the server environment requires some straightforward DevOps skills (spinning up servers and configuration management), creating Jenkins jobs and installing IDE plugins. This is something that typically your developers should already be familiar with. We didn't need any vendor support beyond the available documentation. Product training was not really necessary, although we did run some awareness/101 sessions in-house, but more to promote why we wanted to go this route rather than any how-to technical skills.

What's my experience with pricing, setup cost, and licensing?

The only associated costs if you are following the OSS route are the platforms on which you will run your server and database, and any commercial plugins that you want to use (we only use a couple of those). There is a need to invest in a robust environment and some recommended practice, but that is no different from any other similar software engineering process. We tend to prefer devolvement of responsibility rather than centralized control. This includes individual teams looking after their own infrastructure as well as determining their own priorities in terms of continuous improvement (albeit there are some standard measures that apply, for example unit testing, code coverage, technical debt and so on).

For v5.4 we moved one of our installs to use the Professional edition. This made sense for us because we wanted to use some of the commercial plugins that are already bundled as well as formalise support with SonarSource. We still use the OSS version for teams who don't need commercial plugins and want to manage their own SQ environment (see above comments).

Which other solutions did I evaluate?

Yes, and we did so again recently (2016). We had an incumbent Coverity solution which was very expensive and very under-used (too complicated). Since then we have also considered specific security analysis tools as complementary products (e.g. CheckMarx, Veracode, Nexus Life-cycle/Firewall, and a few others). We have since selected from these.

What other advice do I have?

If you are looking at SonarQube you already realize the importance of software quality and its value proposition. Sometimes you just want to discover the types and severity of issues you have, especially for legacy or inherited code bases (i.e. as a result of a merger). You should definitely follow the best practice of not trying to cover every metric all at the same time, but instead pick out the two or three (at most) that are most critical to you right now (recognizing that this will change over time). Time-based metrics are especially useful to help you understand if you are getting better or worse, and other well known strategies (such as 'boy scout') can also help formalise an improvement plan.

Perhaps the single most important consideration is to involve your development community right from the start (don't try and foist a tool, set of skills or a change in process on them, as they will resist). Those guys are the ones that know where all the skeletons are, and their buy-in is absolutely critical, especially if you need to change some existing behaviors. In my experience most software professionals are highly supportive, but you should expect a few negative challengers.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
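The reviewer above mentions that the build-breaker plugin stopped being useful once v5.x moved the database update to the server, and that SonarSource document a compatible approach. The script below is an added example of that shape, not the reviewer's or SonarSource's code: it assumes the SonarQube web API endpoints /api/ce/task and /api/qualitygates/project_status and the serverUrl/ceTaskId keys the scanner writes to report-task.txt, and the server responses here come from a constructed fake so it runs offline.

```python
"""Enforce a SonarQube quality gate in CI after the server has finished its
asynchronous analysis: read report-task.txt, poll the compute-engine task,
then fail on an ERROR gate. Endpoints and JSON keys are assumed from the web API."""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], dict]  # url -> decoded JSON body; injected so tests run offline

def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines the scanner writes to report-task.txt."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskId"):
        if required not in props:
            raise ValueError(f"report-task.txt is missing {required}")
    return props

def wait_for_analysis(fetch: Fetcher, server_url: str, task_id: str,
                      timeout_s: float = 300, poll_s: float = 5) -> str:
    """Poll the compute-engine task until it finishes; return its analysisId."""
    deadline = time.monotonic() + timeout_s
    while True:
        task = fetch(f"{server_url}/api/ce/task?id={task_id}")["task"]
        status = task.get("status")
        if status == "SUCCESS":
            return task["analysisId"]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"task {task_id} ended with status {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task {task_id} still {status} after {timeout_s}s")
        time.sleep(poll_s)  # PENDING / IN_PROGRESS: keep waiting

def quality_gate_result(fetch: Fetcher, server_url: str,
                        analysis_id: str) -> Tuple[bool, List[str]]:
    """Return (passed, summaries of conditions in ERROR) for one analysis."""
    body = fetch(f"{server_url}/api/qualitygates/project_status?analysisId={analysis_id}")
    status = body["projectStatus"]
    failed = [f"{c['metricKey']} {c.get('actualValue')} vs threshold {c.get('errorThreshold')}"
              for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status["status"] == "OK", failed

def check_build(fetch: Fetcher, report_task_text: str,
                poll_s: float = 5) -> Tuple[bool, List[str]]:
    """Whole check; a CI job should exit non-zero when the first element is False."""
    props = parse_report_task(report_task_text)
    analysis_id = wait_for_analysis(fetch, props["serverUrl"], props["ceTaskId"], poll_s=poll_s)
    return quality_gate_result(fetch, props["serverUrl"], analysis_id)

def http_fetcher(token: str) -> Fetcher:
    """Real fetcher: SonarQube accepts a user token as the Basic-auth username."""
    cred = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

# Constructed sample data, not captured from a real server --------------------
SAMPLE_REPORT_TASK = """projectKey=demo:payments
serverUrl=https://sonar.example.internal
ceTaskId=TASK-0001
ceTaskUrl=https://sonar.example.internal/api/ce/task?id=TASK-0001
"""

class FakeSonar:
    """Fake server: PENDING on the first poll, then SUCCESS; an ERROR gate
    carries one failed new-code coverage condition."""

    def __init__(self, gate_status: str = "ERROR") -> None:
        self.polls = 0
        self.gate_status = gate_status

    def __call__(self, url: str) -> dict:
        if "/api/ce/task" in url:
            self.polls += 1
            if self.polls == 1:
                return {"task": {"id": "TASK-0001", "status": "PENDING"}}
            return {"task": {"id": "TASK-0001", "status": "SUCCESS", "analysisId": "AN-42"}}
        if "/api/qualitygates/project_status" in url:
            conditions = [] if self.gate_status == "OK" else [
                {"metricKey": "new_coverage", "status": "ERROR",
                 "actualValue": "61.0", "errorThreshold": "80"}]
            return {"projectStatus": {"status": self.gate_status, "conditions": conditions}}
        raise ValueError(f"unexpected URL {url}")

if __name__ == "__main__":
    passed, failures = check_build(FakeSonar(), SAMPLE_REPORT_TASK, poll_s=0)
    print("quality gate passed" if passed else f"quality gate FAILED: {failures}")
```

Against a real server, swap `FakeSonar()` for `http_fetcher("<token>")` and pass the contents of the scanner's `report-task.txt`; the timeout bound keeps a stuck compute-engine queue from hanging the pipeline forever.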
it_user347595 - PeerSpot reviewer
Java Developer at a tech consulting company with 51-200 employees
Consultant
The API documentation is poor, when it exists at all, but it does easily integrate with Jenkins.

Valuable Features:

The features I find most valuable are:

  • Quick access to issues in the code
  • The ability to define your own analysis profiles
  • Easy integration with Jenkins

Improvements to My Organization:

For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.

Room for Improvement:

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

Use of Solution:

I've used it for eight months.

Initial Setup:

I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.

The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.

Other Solutions Considered:

No, I didn't. I was employed specifically for this plugin, and while I know other code-quality control solutions exist, I didn't explore any of them.

Other Advice:

Product is good, but the API documentation is poor, when it exists at all.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user347526 - PeerSpot reviewer
Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees
Consultant
My team's code bases have gotten better, with about 25% fewer issues since we began using it. However, they removed the design libraries and dependencies-checking features from v5.2.

What is most valuable?

Its dashboards, quality profile, quality gates and CI integration features (such as the build breaker plugin) are the most valuable features for me.

Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.

How has it helped my organization?

My team uses just two features - dashboards and CI-build-breaker - for checking code quality and the stability of our code base. For those purposes, SonarQube has done its work greatly. We have seen a decrease of about 25% in issues since we first started using it a few months ago, and my team's code bases are getting better.

What needs improvement?

The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.

For how long have I used the solution?

I've used it for approximately two years, since December 2013.

What was my experience with deployment of the solution?

I have not encountered any issues.

What do I think about the stability of the solution?

I have not encountered any issues.

What do I think about the scalability of the solution?

I have not encountered any issues.

How are customer service and technical support?

Customer Service:

I've not had to use them. I think its online documentation is up to date, and it is enough to solve problems and to understand features.

Technical Support:

I've not had to use them.

Which solution did I use previously and why did I switch?

My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.

How was the initial setup?

The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.

What was our ROI?

It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.

What's my experience with pricing, setup cost, and licensing?

We are only using the free features.

What other advice do I have?

Just keep following their online installation and plugin development guide.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
PeerSpot user
Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees
Vendor
Top 20
It's helped with best practices in writing test cases, and each test should pass given all numbers are highlighted on it.

What is most valuable?

The rich graphical representation of numbers which are meaningful to dev leads/managers and top management.

How has it helped my organization?

It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.

Executing sonar analysis on a big chunk of code - with an Oracle database does take up a lot of time.

What needs improvement?

Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

The documentation is good. It should be fairly simple for someone with database knowledge.

What about the implementation team?

We did it in-house.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user336438 - PeerSpot reviewer
Web Developer/DevOps Engineer with 501-1,000 employees
Vendor
It allows for code exploration on the front-end as well as the ability to import from Fortify.

Valuable Features

Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

Improvements to My Organization

It allows for better collaboration of our team members on security findings.

Room for Improvement

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on its own, so what is the point of using it?

And the Fortify plugin is deprecated.

Use of Solution

I've used it for two years.

Deployment Issues

It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

It is open source so I don't try to rely on their technical support.

Initial Setup

It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

Implementation Team

We implemented it ourselves.

Pricing, Setup Cost and Licensing

It is free, so the price is good. If they had stronger plugins then we would gladly pay.

Other Solutions Considered

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user333735 - PeerSpot reviewer
QA Engineer at a tech services company with 51-200 employees
Consultant
It helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software.

What is most valuable?

Being able to create your own quality profiles and gates is really cool; you can apply different policies depending on the maturity grade of the project you are dealing with.

Also, we use the time machine tool a lot to make important decisions and to determine if the projects are going in the right direction.

Elasticsearch is really helpful, and there is also a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview of the general situation of the projects.

Also, the integration with different CVS', and the dependency search are nice and helpful features.

How has it helped my organization?

This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. Getting users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development, helping us to create good-quality software.

What needs improvement?

With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.

For how long have I used the solution?

I've used it for over two years.

What was my experience with deployment of the solution?

The worst thing about this tool, I think, is the upgrade method; it's really easy to wreck the database when upgrading. It would be a better idea to make fewer versions, but make it easier and more consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version it's possible to lose some information about projects.

Thanks to this tool we can improve old code where developers are not available anymore and display the projects filtered by different fields; we save a lot of time, and time is money.

What do I think about the stability of the solution?

Once it is up and running, we didn't find any big issues with the stability, but it's important to configure the properties file in the right way according to your system specifications.

How are customer service and technical support?

Customer Service:

I think it is good; also there is a new forum, "https://sonarqubehispano.org/display/HOME/Bienvenido", for the Spanish community which helps Spanish quality assurance fellas a lot.

Technical Support:

I think it is good; also there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish language community which helps a lot.

Which solution did I use previously and why did I switch?

I used a few specific tools for the PHP language; those tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provided good information about the quality of our code. Nowadays, I am mixing those tools with SonarQube, but shortly I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.

How was the initial setup?

After dealing with the configuration files and SonarQube is up and running, there is not a big problem to start working with it; SonarQube includes some standard quality profiles that make it easier for beginners. Also, the option to configure your own dashboard with different widgets exists.

What about the implementation team?

I have experience with both of them and the main problem is not how the tool is working, but it's to make people follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.

What's my experience with pricing, setup cost, and licensing?

Actually SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tells us that it is worth it.

Which other solutions did I evaluate?

The only option we found competitive was CAST, but the prices and the functionality didn't convince us at all.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are a SonarQube partner in Spain.
PeerSpot user
PeerSpot user
Software Developer at a tech services company with 501-1,000 employees
Consultant
It supports over 20 programming languages and allows me to create custom coding rules.

What is most valuable?

  • Languages Support - over 20 programming languages
  • Pre-commit check directly into Eclipse
  • Issues Report into PreviewMode
  • Custom coding rules
  • Unit tests
  • Duplication and code duplication check
  • Custom-defined checks

How has it helped my organization?

I fell in love with SonarQube when I found I could easily build custom rule checks. However, doing that checking manually takes tons of time.

What needs improvement?

  • Explicit checks for issues
  • Severity tab tweaks
  • Optimization into the Settings, such as adding new features/customization

For how long have I used the solution?

I've used it for almost two years, starting with v4.3.3.

What was my experience with deployment of the solution?

Predefined rules/overriding rules caused some issues.

How are customer service and technical support?

6.5/10.

Which solution did I use previously and why did I switch?

  • Squale
  • Panopticode
  • CodePro AnalytiX

How was the initial setup?

It was straightforward to install and set up, but complex to adapt to and learn.

What about the implementation team?

We used a vendor team.

Which other solutions did I evaluate?

I did not evaluate other options.

What other advice do I have?

I would advise you to think a lot before acting.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user