What is our primary use case?
We are a security organization, and we deploy security solutions and network-related applications for our clients. We mostly focus on open source products because clients don't like to have proprietary products, given the budget available for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.
I came to know that SonarQube is a solution used for clean and secure coding and for bug fixes in large DevOps teams. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle.
What is most valuable?
It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely.
SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition.
What needs improvement?
If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It would be easy to provide just the IP address. It currently supports this functionality, but it creates a different branch in the project dashboard.
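The token handling mentioned above, as an added example that is not from the review or from SonarSource: the project token is taken from the CI secret store through the environment rather than written into the project's configuration, and a pre-flight check refuses to scan if a credential has been hardcoded. It assumes the sonar-scanner CLI is installed and is a version that reads SONAR_TOKEN and SONAR_HOST_URL from the environment.

```shell
#!/bin/sh
# Added example (not from the review): run a SonarQube scan with the project
# token supplied through the environment instead of being written into
# sonar-project.properties. Assumes the sonar-scanner CLI honours the
# SONAR_TOKEN and SONAR_HOST_URL environment variables (CI secret store).

# Return 1 if a sonar-project.properties file carries a hardcoded credential
# (sonar.token, or the older sonar.login / sonar.password keys); 0 otherwise,
# including when the file does not exist.
check_no_embedded_token() {
    props="$1"
    [ -f "$props" ] || return 0
    if grep -Eq '^[[:space:]]*sonar\.(token|login|password)[[:space:]]*=' "$props"; then
        echo "refusing to scan: credential hardcoded in $props" >&2
        return 1
    fi
    return 0
}

# Run the scanner for a project directory and project key. The CLI reads the
# token and server URL from the environment, so nothing secret appears in the
# properties file, the command line, or the shell history.
run_scan() {
    project_dir="${1:-.}"
    project_key="${2:?project key required}"
    : "${SONAR_TOKEN:?SONAR_TOKEN must be set (CI secret)}"
    : "${SONAR_HOST_URL:?SONAR_HOST_URL must be set}"
    check_no_embedded_token "$project_dir/sonar-project.properties" || return 1
    ( cd "$project_dir" && sonar-scanner -Dsonar.projectKey="$project_key" )
}
```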
From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes.
For how long have I used the solution?
It has been just three days since I deployed this solution. I have just configured the Community edition of SonarQube, and now I am searching for some Java products to test the solution.
Which solution did I use previously and why did I switch?
I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead of Micro Focus Fortify because SonarQube has a cloud solution. Micro Focus Fortify does not support cloud-based hosting.
How was the initial setup?
The initial setup was simple for me. It was very straightforward and to the point. The documentation was also very much to the point and perfectly explained.
There are open source solutions for the Linux environment that let you automatically deploy everything in a new environment by using a specific file, but SonarQube doesn't have such a file. That would be a plus point.
What about the implementation team?
I deployed it myself. Because of our Linux environment, it took me around three hours. I was reading the documentation and learning about configuration-related parameters while deploying this solution.
What's my experience with pricing, setup cost, and licensing?
For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions.
Which other solutions did I evaluate?
We have already used SonarLint. I am considering both SonarLint and SonarQube.
What other advice do I have?
I always talk in favor of secure programming and secure coding. SonarQube is easy for me. I am running buggy code through it, and it reports the problems. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what the feedback is from a developer's point of view.
I highly recommend SonarQube. I would rate this solution a ten out of ten.