SonarQube Reviews

We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.

The code coverage feature is very good.

When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.

SonarQube needs some improvement in its ability to find security-related issues.

I have been using SonarQube for the past seven or eight years.

We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.

We have not found any issues with respect to scalability. 

I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.

I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does. 

I was not involved in the initial setup. However, I do know that it can be set up within one or two days.

We have an in-house team for deployment and maintenance.

I am satisfied with the pricing.

In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.

I would rate this solution a nine out of ten.

We used SonarQube during the development period and AppScan after the system was deployed on the production site.

SonarQube is integrated with the CI/CD infrastructure. It automatically scans for code, detects vulnerabilities, and generates daily reports. SonarQube's integration with the CI/CD infrastructure helps us reduce the effort to scan the code manually.

After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report.

I have been using SonarQube for six to seven years.

We haven’t faced any issues with the solution’s performance or stability.

We don't have a support license for SonarQube. We currently use the open-source community, which provides us with much support from communities worldwide.

The solution's initial setup is very easy. We have a team that handles the maintenance of SonarQube in the CI/CD environment.

The solution's deployment takes about two weeks. We have a new software development project, and integrating it into the CI/CD system took about half a working day.

We use the solution free of cost. SonarQube is a cost-efficient solution.

I would recommend the solution to other users.

Overall, I rate the solution ten out of ten.

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports including Java, dotNET, Typescript and HTML CSS. It also allows us to set custom quality gates and rules.

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

I have used this solution for three years. 

This is a stable solution. 

This solution could be scalable, specifically from a reporting perspective. 

I would rate the customer support for this solution a seven out of ten. 

Neutral

I have previously used Checkmarx, Blackbelt and WhiteSource.

We have experienced a good return on investment using this solution. 

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

SonarQube delivers a continuous inspection of code quality.

When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.

I have been using SonarQube for approximately two years.

The stability of SonarQube is good.

I have found SonarQube to be scalable.

SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.

SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.

I rate SonarQube a seven out of ten.

I'm a software development engineer and we are customers of SonarQube. 

SonarQube does SAST and SCAs pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.  

SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.

I've been using this solution for three years. 

The solution is quite stable. 

We don't have contact with technical support, any issues are solved by our operation team.

The initial setup wasn't too complicated. We have a number of teams of developers and around 150 users together with an operations team who maintain the infrastructure. From a user perspective we scan at least once a day. 

I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx. 

I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there.

I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.  

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

I have been using SonarQube for approximately two years.

The stability is good. 

The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.

Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently. 

We have 50 developers' licenses.

There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.

It is integrated with our CICD department and is being used extensively.

We do have plans to increase the usage of SonarQube.

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

The initial setup is straightforward.

We did not use a vendor team, it was done by us.

The developer edition is based on cost per lines of code.

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.

The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.

I would rate this solution a six out of ten.

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

I have been using SonarQube for approximately two years.

SonarQube is a highly stable solution.

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

We search Google for solutions to any problems we may face.

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment(CI/CD). 

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

I have used SonarQube for static code analysis. I am using it to assess my internal applications.

I like the by-default policies that are they, as they seem to cover most of what I need. I see that as an essential feature.

The interface could be a little better and should be enhanced.

More support for integration with third-party products would be an improvement.

I have been using SonarQube for more than five years.

I have not faced any bugs or glitches in SonarQube.

I have not been in contact with technical support, although my teams would have definitely reached out.

I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid set up because every environment has its own applications to deploy. That said, it was not so critical that we were no able to manage it.

We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.

SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.

You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.

When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.

This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.

In the future, I may look into deploying SonarQube in a hybrid model.

I would rate this solution an eight out of ten.