We previously used a different solution but moved to SonarQube because it better suits our use cases. 

Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.

In comparing Coverity and SonarQube, Coverity stands out for its superior vendor support and enterprise-level analysis capabilities, particularly in security and leak detection across procedures. SonarQube excels in dashboard usability and cost-effectiveness but lacks certain advanced features like inter-procedural analysis and some leak detections available in Coverity.

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

I used the Micro Focus Fortify, but the performance integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.

We chose SonarQube due to its free community edition. After a while, when we will need more features, we will probably purchase the solution next year. 

No.

We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.

We did use another solution, however, we found issues such as:

• Ineffective time management
• Lack of instant communication
• Not receiving timely feedback
• Not receiving clear instructions or expectations
• Share time management apps and resources for students
• Utilize educational technology (“EdTech”)
• There's also a need to increase peer review

We did not use another similar solution prior to this one.

We only use SonarQube with SonarScanner.

We used Fortify, it is also another tool for static code analysis. The security team used to use that, but not in our team because ours was a newly assembled team for the work. 

No, not that I am aware of.

I have previously used Checkmarx, Blackbelt and WhiteSource.

We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis. 

I have used Checkmarx and also tried a demo of Veracode. 

Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.

We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

We were previously using Coverity. We used it for three years or so.

I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does. 

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution, we opted for this.

I have used Codestyle and a few other tools. SonarQube is similar to other tools.

I did not use another solution prior to this one.

I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.

I have used Veracode.

Yes. We had been using Coverity. However, whilst an excellent product with perhaps more capability, we found that it was more difficult to integrate into the development lifecycle and take up was relative modest. The sophistication of the solution was not well suited to our requirements in the sense that we are not producing commercial software but creating applications for internal use, and therefore the depth of analysis available was not really needed especially given the much higher learning curve. Also, licensing and platform costs were also high. We found SonarQube to be sufficiently powerful at a much more affordable price point.

More recently we have added two products with a specific focus on detecting security vulnerabilities. SQ does offer basic OWASP top 10 support within the language rule sets, but it's fair to say that this is probably not sufficient to keep your security folks happy. We definitely wanted to add support for scanning 3rd party libraries which probably make up 80%+ of our released app.

I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead than Micro Focus Fortify because SonarQube has a cloud solution. Micro Focus Fortify does not support cloud-based hosting.

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

Yes, I have used individual components which SonarQube uses, such as FindBugs, but having the static analysis run and reported back within a continuous integration server. This gives you back some of the results, but SonarQube is a single, complete solution for static analysis and has added improvements like a great UI and visualisations.

We are also onboarding Checkmarx. We use both solutions.

We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not. 

Previously, we used to use regular code review (static analysis, coverage tools) without much into single dashboard. SonarQube helped to put everything together into place supporting almost all languages, or quality profiles.

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

We have not used any other solution, but we did some comparisons and decided to go with SonarQube because it was open-source.

We did not use a different solution in the past.

No previous solution was used.

I have used a wide variety of tools.SonarQube covers a wide variety of issues and it is well well designed robust framework.

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

Previous to this solution, we used static code analysis using built-in IDE tools and plugins. SonarQube just centralizes the same thing and adds some extra layers to systemize and create a somewhat better pipelining for the quality analysis process.

IDE-related tools and plugins are still in use today, as first-in-line hints and helpers. SonarQube manages the quality threshold and it is part of the larger overall process.

I used a few specific tools for the PHP language, that tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provide a good information about the quality of our code. Nowadays, I am mixing that tools with SonarQube, but in shortly, I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.

I don't think that we used anything else previously. SonarQube was the first one.

Previously I worked with Fortify and Veracode and I have found those tools provided much better because they are from a commercial solution.

I have used Veracode previously.

We did not use another solution, prior to this one.

My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.

We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

It was years ago. They probably evaluated other solutions. 

We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

I have used Snyk and it is more catered to a different audience than SolarQube.SolarQube is more for software developers.

I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.

We did not use a different tool before this one.

We've also used Fortify.

This was our first one.

Nothing was implemented before this software, only PMD, a light control tool.

• Squale
• Panopticode
• CodePro AnalytiX

We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.