SonarQube Reviews

We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.

SonarQube simplified some of the processes and made others more complex.

The most valuable features are that it is user-friendly, easy to access, and they provide good training files. Ability to manage and customize reports. Sonar also models the relationship between packages and classes

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

I have been using SonarQube for three years.

This solution is stable. Stability is not an issue for us.

It's scalable. Scaling is not a problem.

Because of the sanctions in our country, we cannot contact technical support directly.

The initial setup was straightforward. It was a normal installation.

It took approximately five days to deploy.

It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.

This solution provides good features for users.

Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also.

If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.

I would rate SonarQube an eight out of ten.

We use SonarQube for testing, reviewing, and ensuring the quality of application code.

The most valuable features are the analysis and detection of issues within the application code.

The solution could improve by providing more advanced technologies.

I have been using the solution within the last 12 months.

The SonarQube is stable.

The installation is easy.

The price of this solution is more expensive than competitors. However, it works better than competitors.

I have evaluated other solutions.

I rate SonarQube an eight out of ten.

I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one.

It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. 

SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. 

I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

I have been using this solution for four years. 

It looks stable. So far, we haven't found any issues.

I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

It is straightforward. It takes very little time as compared to the other solutions.

It is very expensive. Its price should be improved.

I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

There are two versions: a free, open-source community version, and a subscription-based version.We use the community version, not the enterprise version.

We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions,  in the future.

Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance. 

The results of exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. Sonar Qube offers REST API and you could export the results programmatically, but the process is quite slow and limited. You could extract the maximum 10000 results per query, which increases the overall execution process tremendously. I guess the majority of the users are based on Sonar Qube presentation capabilities, which is very restrictive for some use cases.

I have been using SonarQube, every day, for more than two years. 

SonarQube is stable.

I wouldn't say that isn't fully scalable. It's damn slow. It takes a lot of time parsing an average size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this but it's really hard.

As we are using the community version, there is no technical support.

I have used a wide variety of tools.SonarQube covers a wide variety of issues and it is well well designed robust framework.

To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, It took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script, isn't functional, it needs some tweaking.

My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. . In short, it should come with a self-contained functional configuration set.

Overall, the initial setup should be easier.

Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

Yes, we have evaluated plenty of alternatives nothing really comparable.

I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.

Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical depth was to see if if there are any bugs in the applications - the web application, mobile application and different languages, like, C-Sharp, JavaScript or Java, et cetera.

We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

We use Microsoft Azure and Google Cloud Platform a little.

In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

I have been using SonarQube for about four years, with different versions.

SonarQube works very well, but I prefer SonarCloud because the tendency of the technology world is to think less about the structure and more about the process and the value that this process provides.

In terms of scalability, with proper configuration and deployment, there is higher availability.

I have companies with 20 users and I have customers with 100 users. We work with a big company in Chile and in some cases national companies, in other cases international companies. With the international companies the majority of them are more than 1,000 users.

I have a technical DevOps team. The majority of the time we implement the trial version so that we show the value of the tool to our clients and they understand about the pricing and the cost of the tool.

It depends on the maturity of the company. In some case, we have companies that don't know about SonarQube so we deploy it to show the value. In other cases we have clients with no SonarQube experience but they know the quality of the codes. In this case we provide a license. In the majority of the cases we provide the license or the subscription for SonarCloud. Other clients get access to SonarQube directly.

I have never used technical support from the SonarQube support team.

I work very well with the documentation you find on the internet.

The initial setup is straightforward the majority of time. It takes about two hours.

I work in a consultancy company so we do the implementation. We deploy for our customers.

We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

On a scale of one to ten, I would give SonarQube an eight. To give it a 10 and not an eight, I would like to see architecture development and the QA area improved.

It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

Ease of use/interface.

I didn't encounter any issues with stability.

No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

Fairly good.

Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

Get the paid version which allows the customized dashboard and provides technical support.

Do your research to make sure the tool is a good fit for your organization.

Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

This is a stable solution.

This is a scalable solution. 

The initial setup was straightforward. 

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten. 

Our primary use case for this solution is security testing using the FindSecBugs plugin.

This has improved our organization because it has helped to find security vulnerabilities.

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

The product's user documentation can be vastly improved.