SonarQube Room for Improvement

Andrew Kew
Senior Java Developer at a financial services firm
* Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make upgrading easier.
* Another improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case. There is a way to mark the code/method with the issue number, but having to add comments/annotations in your code for your static analysis tool feels wrong to me.
* Being able to have different groups or projects within the same server would be nice. Currently, I have a Sonar machine for production code (master branch) and UAT code (UAT branch), so when each branch is built in our continuous integration server it publishes to these two Sonar machines. What would be nice is if I could create subgroups within a single SonarQube server for each environment to remove the need for two separate machines.
Phil Denomme
Manager at a wireless company with 11-50 employees
I haven't really done a comparative analysis yet. We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major. Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice-based solution. Microservices are contained inside these containers, which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes. So for instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware, even. So what it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application. Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. So you're much more granular in terms of your release capabilities, and much more efficient in terms of how it's released and managed. I would rate this around seven out of ten, because it has what we need, and it's easy to use.
Risto Uibo
Senior Software Developer at a tech vendor
Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe. It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues. There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.
Daniel Hall
Technical Architect with 1,001-5,000 employees
A robust credential scanner would be a huge bonus, as it would remove the need for yet another niche product with additional cost and also gives the benefit of a single pane of glass view, although we still need WhiteSource Bolt for 3rd party library scanning. The integration into Docker builds could be better, as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. Have not looked into SSL for the management page yet but hoping that goes smoothly.
Rann Lifshitz
SW Automation Team Leader at a tech services company with 201-500 employees
There is a need for support for additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the SCM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).
Jeff Ingalls
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.
AppSecAn0945
Application Security Analyst at an agriculture company
This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated. The plugins are not well documented.
Saurabh Ahuja
DevOps Engineer at a healthcare company with 10,001+ employees
Well, load balancing is something we expect it to have. Also, sometimes the loading dashboards are a little slow. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.
Noel Da Costa
Director at a consultancy with 10,001+ employees
Ease of use/interface.
ServiceLineLead817
Service Line Leader at a tech services company with 10,001+ employees
A better design of the interface and adding some new rules.
Idan Adar
DevOps at a tech company with 10,001+ employees
We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.
senarch0997
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.
Subhendu Mahapatra
Manager at a tech vendor with 10,001+ employees
The product's user documentation can be vastly improved.