SonarQube Review

An open-source platform for the continuous inspection of code quality with a useful code security feature

What is our primary use case?

We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started. 

One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.

We were trying to serve two purposes; work quality and code security, with one tool. That's where our inclination was more towards Sonar because other tools generally target code security only.

What is most valuable?

I like that it helps us maintain our work quality and code security.

What needs improvement?

Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer. 

For how long have I used the solution?

I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.

What do I think about the scalability of the solution?

In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.

How are customer service and technical support?

We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.

How was the initial setup?

The initial setup on-premise may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.

What's my experience with pricing, setup cost, and licensing?

We're using the Community Edition, and we don't pay for anything.

What other advice do I have?

On a scale from one to ten, I would give SonarQube a nine.

Which deployment model are you using for this solution?


Which version of this solution are you currently using?

**Disclosure: I am a real user, and this review is based on my own experience and opinions.
More SonarQube reviews from users
...who work at a Computer Software Company
...who compared it with Fortify Application Defender
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: August 2021.
535,919 professionals have used our research since 2012.
Add a Comment
ITCS user