What is our primary use case?
There are two versions: a free, open-source community version, and a subscription-based version.We use the community version, not the enterprise version.
We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future.
Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance.
What needs improvement?
The results of exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. Sonar Qube offers REST API and you could export the results programmatically, but the process is quite slow and limited. You could extract the maximum 10000 results per query, which increases the overall execution process tremendously. I guess the majority of the users are based on Sonar Qube presentation capabilities, which is very restrictive for some use cases.
For how long have I used the solution?
I have been using SonarQube, every day, for more than two years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
I wouldn't say that isn't fully scalable. It's damn slow. It takes a lot of time parsing an average size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this but it's really hard.
How are customer service and technical support?
As we are using the community version, there is no technical support.
Which solution did I use previously and why did I switch?
I have used a wide variety of tools.SonarQube covers a wide variety of issues and it is well well designed robust framework.
How was the initial setup?
To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, It took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script, isn't functional, it needs some tweaking.
My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.
The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. . In short, it should come with a self-contained functional configuration set.
Overall, the initial setup should be easier.
What about the implementation team?
Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.
What's my experience with pricing, setup cost, and licensing?
Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.
Which other solutions did I evaluate?
Yes, we have evaluated plenty of alternatives nothing really comparable.
What other advice do I have?
I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.
Overall, on a scale from one to ten, I would give SonarQube a rating of eight.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?