SonarQube Review

It allows for code exploration on the front-end as well as the ability to import from Fortify.


Valuable Features

Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

Improvements to My Organization

It allows for better collaboration of our team members on security findings.

Room for Improvement

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on it's own so what it he point of using it.

And the Fortify plugin is deprecated.

Use of Solution

I've used it for two years.

Deployment Issues

It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

It is open source so I don't try to rely on their technical support.

Initial Setup

It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

Implementation Team

We implemented it ourselves.

Pricing, Setup Cost and Licensing

It is free, so the price is good. If they had stronger plugins then we would gladly pay.

Other Solutions Considered

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest

Sign Up with Email