SonarQube Review

Detects problems before source code is even compiled, but improvements are needed to reduce the false positives

What is our primary use case?

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.

How has it helped my organization?

The developers are rejecting the idea that this product is useful.

What is most valuable?

Before you even compile, it can catch known vulnerability issues or patterns.

What needs improvement?

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

For how long have I used the solution?

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

What do I think about the stability of the solution?

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

What do I think about the scalability of the solution?

We have not tried to scale yet.

How was the initial setup?

The initial setup involved downloading the open-source code and installing it in a container. 

What about the implementation team?

I was responsible for setting up this tool in our company.

What's my experience with pricing, setup cost, and licensing?

We are using the open-source version, which is available free of cost.

Which other solutions did I evaluate?

We evaluated other open-source products and found that SonarQube was the best one of the set.

What other advice do I have?

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More SonarQube reviews from users
...who work at a Computer Software Company
...who compared it with Fortify Application Defender
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: August 2021.
535,919 professionals have used our research since 2012.
Add a Comment
ITCS user