SonarQube Review

Improves code quality and basic security but code analyzing has limitations


What is our primary use case?

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improves code quality and basic security. 

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

What needs improvement?

With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. 

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

For how long have I used the solution?

We have been using the SonarQube solution for about a year.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

How are customer service and technical support?

We have little or no interaction with technical support.

If you previously used a different solution, which one did you use and why did you switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

How was the initial setup?

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

What about the implementation team?

We do our own implementations for various clients. We do not need the assistance of another team.

What was our ROI?

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email