We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.
Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.
Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.
This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.
Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.
I have been using SonarQube for about two years now.
I have not run into major issues or bugs and it works well when it comes to stability.
I don't think we have had any problem with traffic or things like that.
I don't have experience with SonarQube support because we do it all ourselves.
I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.
It's quite easy to set up, not too complex.
The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.
Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses.
I would rate SonarQube a six out of ten.
Interesting. I haven't used it yet; however, the review by ServiceLineLead817 is amazing and impressive. Consequently, I should give it a try, and I appreciate your positive feedback about SonarQube.