SonarQube Reviews

Steven Gomez
Real User
Lead Engineer at a pharma/biotech company with 1,001-5,000 employees
May 20 2019

What is most valuable?

I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and…

How has it helped my organization?

We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards coding standards that empower us to move in the direction of better…

What needs improvement?

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out…

If you previously used a different solution, which one did you use and why did you switch?

We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.

What other advice do I have?

I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of…

Which other solutions did I evaluate?

We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Clockwork was on that list. I think it comes down to picking one and getting used to how…
Andrew Kew
Real User
Senior Java Developer at a financial services firm
Aug 30 2017

What is most valuable?

Most features in the product are very useful, but there are some parts that I personally use more than others. 1. Code Convention: Using the tool to implement some sort of…

How has it helped my organization?

This product has helped us improve the quality of code within the business and ensure all new developers keep to a similar code convention per project. This can basically…

What needs improvement?

* Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make…

What's my experience with pricing, setup cost, and licensing?

I am using the open source version of the product, so no cost. The licence is standard open source licensing, LGPL, so nothing to advise really.

If you previously used a different solution, which one did you use and why did you switch?

Yes, I have used individual components which SonarQube uses, such as FindBugs, but having the static analysis run and reported back within a continuous integration server…

What other advice do I have?

I would advise to get it done sooner rather than later. The sooner you have a better understanding of the state of your code base, the sooner you can make better business…

Which other solutions did I evaluate?

I didn't. I am not sure if there are any other open source static analysis tools as good as this that I have found; well, at least three or four years ago there weren't.
Find out what your peers are saying about SonarQube, Veracode, Micro Focus and others in Application Security. Updated: June 2019.
353,345 professionals have used our research since 2012.
Phil Denomme
Real User
Manager at a wireless company with 11-50 employees
May 16 2019

What is most valuable?

There are two major use cases. One is to integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.

How has it helped my organization?

SonarQube has not yet had an impact on our organization. In the past, however, I've used it to control the security vulnerabilities and establish standards for API control.

What needs improvement?

I haven't really done a comparative analysis yet. We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're…

What other advice do I have?

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
Jeff Ingalls
Real User
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
May 28 2019

What is most valuable?

The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues. SonarQube is really good for finding coding standards when people deviate from what we have set corporately.

How has it helped my organization?

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release. Using…

What needs improvement?

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me. The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the…

If you previously used a different solution, which one did you use and why did you switch?

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that…
Real User
Scala Contractor at a tech services company with 10,001+ employees
Jun 03 2019

What is most valuable?

Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.

How has it helped my organization?

We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value…

What needs improvement?

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to…

If you previously used a different solution, which one did you use and why did you switch?

It was years ago. They probably evaluated other solutions. We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

What other advice do I have?

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In…
Real User
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified, VMware vSphere 5 at a financial services firm with 51-200 employees
Jun 12 2019

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improve code quality and basic security.

What needs improvement?

With the static code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code…

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is…

If you previously used a different solution, which one did you use and why did you switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user's needs and the application are super critical, people should go with…

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered…
Kiran Gujju
Real User
Cyber Security Architect (USDA) at a government with 10,001+ employees
Jun 20 2019

What is most valuable?

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins.

How has it helped my organization?

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

What needs improvement?

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of…

If you previously used a different solution, which one did you use and why did you switch?

No, not that I am aware of.

What other advice do I have?

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it…
Daniel Hall
Real User
Technical Architect with 1,001-5,000 employees
May 09 2019

What is most valuable?

The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).

How has it helped my organization?

This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between…

What needs improvement?

A robust credential scanner would be a huge bonus, as it would remove the need for yet another niche product with additional cost; it also gives the benefit of a single pane of glass view, although we…

What's my experience with pricing, setup cost, and licensing?

A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.

If you previously used a different solution, which one did you use and why did you switch?

I did not use another solution prior to this one.

Which other solutions did I evaluate?

We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.
What is SonarQube?

SonarQube is the central place to manage code quality, offering visual reporting on and across projects and letting you replay the past to follow how metrics have evolved.
Also known as
Sonar
SonarQube customers
Bank of America, Siemens, Cognizant, Thales, Cisco, eBay