SonarQube Room for Improvement
Team Lead at a computer software company with 10,001+ employees
Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.
There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and overall have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so that we do not have to go into all the issues and fix them.
We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.
Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT.
The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support.
It takes time to configure and create profiles. We need to improvise the way we introduce new tools.
We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.
Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.
Support needs to improve with their response time.
There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.
In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.
They advance their product without addressing security or internal codes.
In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.
Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.
Devops Engineer at a financial services firm with 10,001+ employees
There are various standards that are followed. Awareness is a must.
Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.
Engineer at a pharma/biotech company with 201-500 employees
The library could have more languages that are supported. It would be helpful.
There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.
MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.
It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.
Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.
I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.
In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front. Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis.
There are sometimes security breaches in our code which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products.
The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.
It would be great if it could support testing and configurations a bit more.
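The bypass described in the review above (a commit merged while the SonarQube step was removed or the server was down) can be caught after the fact from the Web API. The following script is an added example, not code from the reviewer or from SonarSource: it checks `api/system/status` and then pages through `api/project_analyses/search`, whose entries carry the git `revision` that was analysed, and reports any merged commit with no matching analysis. The project key `my-project`, the `fetch` callable, and all sample responses are constructed for the example.

```python
"""Detect merged commits that SonarQube never analysed.

Added example; not code from the reviewer or from SonarSource. It reads two
documented SonarQube Web API endpoints:
  GET api/system/status            -> {"status": "UP" | "DOWN" | "STARTING" ...}
  GET api/project_analyses/search  -> {"paging": {...}, "analyses": [{"revision": "<sha>", ...}]}
HTTP transport is hidden behind a `fetch(path, params) -> dict` callable so the
module runs offline against the constructed responses at the bottom.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

Fetch = Callable[[str, Dict[str, str]], dict]


def make_http_fetch(base_url: str, token: str) -> Fetch:
    """Real transport: a SonarQube user token is sent as the Basic-auth username with an empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(path: str, params: Dict[str, str]) -> dict:
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def server_is_up(fetch: Fetch) -> bool:
    """A silently absent scanner and a dead server must both fail the check, so treat any error as DOWN."""
    try:
        return fetch("api/system/status", {}).get("status") == "UP"
    except Exception:  # connection refused, HTTP 5xx, malformed body
        return False


def analysed_revisions(fetch: Fetch, project_key: str, page_size: int = 500) -> Set[str]:
    """Page through api/project_analyses/search and collect every git SHA SonarQube recorded."""
    revisions: Set[str] = set()
    page = 1
    while True:
        body = fetch("api/project_analyses/search",
                     {"project": project_key, "p": str(page), "ps": str(page_size)})
        for analysis in body.get("analyses", []):
            if analysis.get("revision"):
                revisions.add(analysis["revision"])
        paging = body["paging"]
        if paging["pageIndex"] * paging["pageSize"] >= paging["total"]:
            return revisions
        page += 1


def unscanned_commits(fetch: Fetch, project_key: str, merged_shas: Iterable[str],
                      page_size: int = 500) -> List[str]:
    """Return merged commits with no SonarQube analysis, in the order given; refuse to answer if the server is down."""
    if not server_is_up(fetch):
        raise RuntimeError("SonarQube is not reachable or not UP: cannot prove the quality gate ran")
    seen = analysed_revisions(fetch, project_key, page_size)
    return [sha for sha in merged_shas if sha not in seen]


# ---- constructed sample data; no real server is contacted -----------------
SCANNED = ["a1b2c3", "d4e5f6", "111111", "222222", "0a0a0a"]   # SHAs SonarQube analysed
MERGED = ["a1b2c3", "d4e5f6", "beef00", "0a0a0a"]               # what `git log` on main would show
_SAMPLE_ANALYSES = [{"key": f"AX{i}", "revision": sha} for i, sha in enumerate(SCANNED)]


def fake_fetch(path: str, params: Dict[str, str]) -> dict:
    """Stands in for make_http_fetch(); serves the constructed analyses with real-shaped paging."""
    if path == "api/system/status":
        return {"id": "constructed", "version": "9.9", "status": "UP"}
    if path == "api/project_analyses/search":
        p, ps = int(params["p"]), int(params["ps"])
        return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(_SAMPLE_ANALYSES)},
                "analyses": _SAMPLE_ANALYSES[(p - 1) * ps:p * ps]}
    raise KeyError(path)


def down_fetch(path: str, params: Dict[str, str]) -> dict:
    """Constructed server that is reachable but not serving."""
    return {"id": "constructed", "version": "9.9", "status": "DOWN"}


def demo() -> List[str]:
    # page_size=2 forces several pages so the paging loop is exercised
    return unscanned_commits(fake_fetch, "my-project", MERGED, page_size=2)


if __name__ == "__main__":
    print(demo())
```

Run it as a post-merge job with the SHAs from `git log origin/main --format=%H <last-checked>..HEAD`; a non-empty result means code reached main without a scan, and a `RuntimeError` means nobody can currently prove otherwise, which is the alert the review asks for. Note that `revision` is only populated when the scanner had SCM information, so projects analysed without git metadata need a different correlation key.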
DevOps Lead at a marketing services firm with 1,001-5,000 employees
The solution has a very shallow SAST scanning. That is something that can be improved.
I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.
The pricing could be reduced a bit. It's a little expensive.
Security consultant at a tech services company with 1,001-5,000 employees
If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.
From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes.
CTO at a computer software company with 11-50 employees
The results-exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You can extract a maximum of 10,000 results per query, which increases the overall execution time tremendously. I guess the majority of users rely on SonarQube's presentation capabilities, which are very restrictive for some use cases.
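The 10,000-result ceiling the review above mentions applies per query, so a complete export has to be assembled from queries that each stay under it. The following script is an added example, not code from the reviewer or from SonarSource: it drives `api/issues/search` with the documented `componentKeys`, `types`, `severities`, `p` and `ps` parameters, reads `paging.total`, and when a filter would exceed the cap it partitions the query along `types` and then `severities` into disjoint sub-queries whose union is complete and duplicate-free. The project key `my-project`, the `fetch` callable, the error text of the fake server and the 12,500 constructed issues are assumptions for the example.

```python
"""Export every issue of a project despite the 10,000-result cap on api/issues/search.

Added example; not code from the reviewer or from SonarSource. Assumed (documented)
behaviour of GET api/issues/search: filters `componentKeys`, `types`, `severities`;
paging via `p` and `ps` (ps <= 500); `paging.total` in the response; and an HTTP 400
once p * ps would exceed 10,000. Partitions along a filter are disjoint, so exporting
each partition separately yields the full set exactly once.
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Fetch = Callable[[str, Dict[str, str]], dict]

MAX_RESULTS = 10_000
PAGE_SIZE = 500
# Filter dimensions used to split an oversize query, applied in this order.
DIMENSIONS: Sequence[Tuple[str, Sequence[str]]] = (
    ("types", ("CODE_SMELL", "BUG", "VULNERABILITY")),
    ("severities", ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")),
)


class ExportError(RuntimeError):
    pass


def _page(fetch: Fetch, params: Dict[str, str], page: int) -> dict:
    return fetch("api/issues/search", {**params, "p": str(page), "ps": str(PAGE_SIZE)})


def export_issues(fetch: Fetch, project_key: str, extra: Optional[Dict[str, str]] = None,
                  dims: Sequence[Tuple[str, Sequence[str]]] = DIMENSIONS) -> List[dict]:
    """Return all issues matching project_key (+ extra filters), recursing into sub-queries when needed."""
    extra = extra or {}
    params = {"componentKeys": project_key, **extra}
    first = _page(fetch, params, 1)           # page 1 doubles as the size probe
    total = first["paging"]["total"]
    if total > MAX_RESULTS:
        if not dims:
            raise ExportError(f"{total} issues match {params} and no dimension is left to split on")
        name, values = dims[0]
        out: List[dict] = []
        for value in values:                  # disjoint partitions, so no de-duplication needed
            out.extend(export_issues(fetch, project_key, {**extra, name: value}, dims[1:]))
        return out
    issues = list(first["issues"])
    page = 1
    while len(issues) < total:                # ceil(total / PAGE_SIZE) pages, all under the cap
        page += 1
        issues.extend(_page(fetch, params, page)["issues"])
    return issues


# ---- constructed sample server; no real SonarQube is contacted -------------
_SEV = DIMENSIONS[1][1]
SAMPLE_ISSUES = (
    [{"key": f"CS-{i}", "type": "CODE_SMELL", "severity": _SEV[i % 5]} for i in range(11_000)]
    + [{"key": f"B-{i}", "type": "BUG", "severity": _SEV[i % 5]} for i in range(1_000)]
    + [{"key": f"V-{i}", "type": "VULNERABILITY", "severity": "CRITICAL"} for i in range(500)]
)  # 12,500 issues; CODE_SMELL alone exceeds the cap, so both split levels are exercised


def fake_fetch(path: str, params: Dict[str, str]) -> dict:
    """Filters and pages the constructed issues and enforces the 10,000 ceiling like the real API."""
    if path != "api/issues/search":
        raise KeyError(path)
    p, ps = int(params["p"]), int(params["ps"])
    if p * ps > MAX_RESULTS:
        raise ExportError(f"HTTP 400: Can return only the first {MAX_RESULTS} results. "
                          f"{p * ps}th result asked.")  # constructed message mimicking the server
    matched = [i for i in SAMPLE_ISSUES
               if params.get("types") in (None, i["type"])
               and params.get("severities") in (None, i["severity"])]
    return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(matched)},
            "issues": matched[(p - 1) * ps:p * ps]}


def demo() -> List[dict]:
    return export_issues(fake_fetch, "my-project")


if __name__ == "__main__":
    exported = demo()
    print(len(exported), "issues exported,", len({i["key"] for i in exported}), "distinct keys")
```

If a single (type, severity) partition still exceeds the cap, add a further dimension such as `createdAfter`/`createdBefore` date ranges or individual `components`; any filter whose values partition the set works. The export is a snapshot across many requests, so run it against a quiet project or pin it with `createdBefore` to avoid issues shifting between pages while you read them.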
It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this tool.
Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place.
When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add.
In discussions with the security team, there are many other products that are available that perform better. The security in SonarQube could be better.
SonarQube is more about the quality checks of the source code. It allows us to do a code review but it lacks security. It could perform better.
I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issue and to be integrated with the pipeline.
It integrates well but there is always room in this area to improve and to provide reports on the results.
The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.
We could use some team support, but since we are using the community version, it's not available.
Also, because we are using the community version, we have some problems from time to time regarding the SSO logins.
Sometimes you need more time to configure things, to edit some profiles.
SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery — they don't really care about security. But now, since we are also certified technical security, we can go ahead and provide that for them.
In short, communication needs to be better.
Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk.
Technical Architect at an insurance company with 1,001-5,000 employees
Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.
Head Innovation Hub at a tech services company with 201-500 employees
It is very expensive. That's something that can be improved.
I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.
Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version.
The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.
There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.
Web Developer at a tech services company with 51-200 employees
From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.
This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.
Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.
The solution is still maturing a bit.
You may need to purchase add-ons to get the usability you desire.
SonarQube does not cover the BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of our applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.
The BPM language is important and should be considered in SonarQube.
It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.
Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.
There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.
I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.
When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.
SonarQube needs some improvement in its ability to find security-related issues.
Systems Analyst at a manufacturing company with 5,001-10,000 employees
I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development.
This said, we did have some trouble with the LDAP integration for the console.
Digital Solutions Architect at a tech services company with 1,001-5,000 employees
Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add on or ability to be able to do during the scan.
In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.
Senior Security Engineer at a financial services firm with 10,001+ employees
I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.
If there was an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.
In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.
Director IT Security, CISO at a transportation company with 10,001+ employees
The interface could be a little better and should be enhanced.
More support for integration with third-party products would be an improvement.
DevSecOps Lead at a tech services company with 11-50 employees
Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.
If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.
We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.
Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use.
Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.
There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive.
It would be better if the users could have quick access to the features.
Monitoring is a feature that can be improved in the next version.
DevOps Architect at a financial services firm with 1,001-5,000 employees
SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.
I would like to see software included that can be used with Waterfall projects.
Security Engineer at a computer software company with 201-500 employees
I have found this solution creates more noise than competitors.
The documentation and reporting extract can improve because other solutions are far more advanced.
It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.
Independent Consultant at Klusener Consultancy
I am not very pleased with the technical debt computation, it's a bit arbitrary.
The codification metrics could also be improved.
Senior Software Engineering Manager at a computer software company with 10,001+ employees
The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.
The reporting can be improved. In particular, the portability report can be better.
I would like to see better integration with the various DevOps tools.
The solution could improve by having better consulting services.
Deputy Manager Quality Assurance at eInfochips
Technical support and the price could be better.
Director of Consulting at a non-tech company with 1,001-5,000 employees
The solution could improve by providing more advanced technologies.