The features I find most valuable are:
- Quick access to issues in the code
- The ability to define your own analysis profiles
- Easy integration with Jenkins
For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.
I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.
I've used it for eight months.
I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.
The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.
No, I didn't. I was employed specifically for this plugin, and while I know other code-quality control solutions exist, I didn't explore any of them.
Product is good, but the API documentation is poor, when it exists at all.
Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.
It allows for better collaboration of our team members on security findings.
The Python code scan has so few rules that it is meaningless.
The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on its own, so what is the point of using it?
And the Fortify plugin is deprecated.
I've used it for two years.
It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important, and it is so complicated and poorly documented that it is rarely done.
No issues encountered.
No issues encountered.
It is open source so I don't try to rely on their technical support.
It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.
We implemented it ourselves.
It is free, so the price is good. If they had stronger plugins then we would gladly pay.
We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.
I fell in love with SonarQube when I could easily have built custom rule checks. However, doing that checking manually takes tons of time.
I've used it for almost two years, starting with v4.3.3.
Predefined rules/overriding rules caused some issues.
6.5/10.
It was straightforward to install and setup, but complex to adapt to and learn.
We used a vendor team.
I did not evaluate other options.
I would advise you to think a lot before acting.
SonarQube is not valuable because of the information it gives. We can gather that same information from several other tools as well. It is the way the information is presented that makes it so powerful. It provides a holistic picture of all quality issues in a software project. With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.
Individual developers are more concerned about the quality of their work when they see their results in the big picture.
About a year, in different projects, including the current one.
No.
No.
Not used.
We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.
Very simple.
Price is high and only worth it if your organization has hundreds of developers.
No.
I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.
The most valuable features are code scanning and Quality Gates.
The reporting can be improved. In particular, the portability report can be better.
I would like to see better integration with the various DevOps tools.
I was using SonarQube for between six and ten months.
The stability is good.
The community support is great. I have not had reason to contact the technical support team from the vendor.
The initial setup is straightforward. I would not say that it is complex and it can be deployed in less than 10 minutes.
I was using the Community Edition, which is available free of charge.
I evaluated other products including Veracode and I felt that SonarQube was the best product.
I would rate this solution a seven out of ten.
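Two of the reviews above mention Jenkins integration and Quality Gates as the features they value in a DevOps pipeline. The following Jenkinsfile is an added example, written for this page and not taken from any of the reviewers or from the SonarQube project, showing how the two fit together: the analysis runs inside withSonarQubeEnv, and the build is failed when the server reports that the Quality Gate was not passed. The server name 'sonarqube', the scanner tool name 'sonar-scanner', the project key 'my-app', and the Maven build step are assumptions for illustration.

```groovy
// Added example: Jenkins declarative pipeline that runs a SonarQube analysis
// and fails the build when the project's Quality Gate is not passed.
// Assumptions (not from the reviews on this page): a SonarQube server
// configured in Jenkins under the name 'sonarqube', a 'sonar-scanner'
// installation configured under that name, and a project key 'my-app'.
pipeline {
    agent any
    stages {
        stage('Build and test') {
            steps {
                // Compile and run tests first so the scanner can pick up
                // compiled classes and coverage reports.
                sh './mvnw -B verify'
            }
        }
        stage('SonarQube analysis') {
            steps {
                script {
                    def scannerHome = tool 'sonar-scanner'
                    // withSonarQubeEnv injects the server URL and the
                    // credential stored in Jenkins; the token never appears
                    // in the Jenkinsfile itself.
                    withSonarQubeEnv('sonarqube') {
                        sh "${scannerHome}/bin/sonar-scanner " +
                           "-Dsonar.projectKey=my-app " +
                           "-Dsonar.sources=src/main/java " +
                           "-Dsonar.java.binaries=target/classes"
                    }
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // The server processes the analysis asynchronously and
                // notifies Jenkins via a webhook, so bound the wait.
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            error "Quality Gate failed with status: ${qg.status}"
                        }
                    }
                }
            }
        }
    }
}
```

waitForQualityGate only returns once SonarQube calls back into Jenkins, so a webhook pointing at the Jenkins instance must be configured on the SonarQube side; without it the stage simply waits until the timeout fires. Keeping the gate as its own stage makes a failed gate visible in the pipeline view as distinct from a failed build or a failed scan.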
I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.
The stability is good.
The scalability of SonarQube is good. The number of people required for deployment and maintenance depends on our requirements for different client projects.
We purchased the solution; it's not on a monthly or annual contract.
On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.