SonarQube Room for Improvement

Steven Gomez
Lead Engineer at bioMerieux, Inc.
We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course, that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better. On the other hand, there are published books available. However, the one problem I ran into is they were a little bit out of date. They're still very helpful, but we had to kind of translate from the previous version that was covered in the published books to what's actually available now. An improvement I would like to see would be on the part of the authors to come out with a new edition or revision that covers some of the newer features of SonarQube and newer configurations. I'd buy a copy. In terms of additional features, it's actually a very complete solution from what we have seen. Again, I would like the authors to revise their books. I think even ordinary people that are using the licensed model with direct support could walk through some different use cases, just from having been around the block a few times. There are enough things that the software does that this could be very beneficial. Even beyond the technical issues of installation, there are further use cases that could be helpful. For instance, how to get the big bang from the buck out of it.
Team Lead at a computer software company with 10,001+ employees
Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools. There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and overall have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them. We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.
Hilman Tehrani
IT Security Architect at an insurance company with 51-200 employees
Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT. The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support. It takes time to configure and create profiles. We need to improvise the way we introduce new tools. We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery. Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side. Support needs to improve with their response time. There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner. In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive. They advance their product without addressing security or internal codes.
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
438,043 professionals have used our research since 2012.
Phil Denomme
Manager at a wireless company with 11-50 employees
I haven't really done a comparative analysis yet. We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major. Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice based solution. Microservices are contained inside these containers which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes. For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware. What it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application. Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed. I would rate this around seven out of ten, because it has what we need, and it's easy to use.
Yash Brahmani
Devops Engineer at a financial services firm with 10,001+ employees
There are various standards that are followed. Awareness is a must. Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.
Jeff Ingalls
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me. The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the same piece of code through both SonarQube and Checkmarx and there is no comparison between the vulnerabilities that each finds. Checkmarx may find fifty, whereas SonarQube will only find fifteen or twenty.
Engineer at a pharma/biotech company with 201-500 employees
The library could have more languages that are supported. It would be helpful. There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work. MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps. It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good. Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop. I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.
Tariq Saraj
Sr. Information Security Engineer at a tech services company with 1,001-5,000 employees
If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes.
Scala Contractor at a tech services company with 10,001+ employees
I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them. I would also be interested in more security scanning.
Donovan Greeff
Head of Software Delivery at a tech services company with 51-200 employees
It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add.
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified, Vmware Vsphere5 at a financial services firm with 51-200 employees
With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.
Kiran Gujju
Cyber Security Architect (USDA) at a government with 10,001+ employees
Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It's in our queue. That will hopefully save a lot of time.
Daniel Hall
Technical Architect at Dwr Cymru Welsh Water
A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, and it also gives the benefit of a single pane of glass view, although we still need WhiteSource Bolt for 3rd party library scanning. The integration into docker builds could be better as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. Have not looked into SSL for the management page yet but hoping that goes smoothly.
Vice President at a financial services firm with 1,001-5,000 employees
The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan. The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at. We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time.
Anshuman Kishore
Director Product Development at Mycom Osi
When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time. SonarQube needs some improvement in its ability to find security-related issues.
Country Manager Senegal at a financial services firm with 10,001+ employees
It would be nice if SonarQube analyzed external libraries, in addition to our current code. I would like to see more options for security, beyond the basics like SQL injection.
DevSecOps Lead at a tech services company with 11-50 employees
Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.
Application Security Analyst at an agriculture company with 501-1,000 employees
This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated. The plugins are not well documented.
Company Director at Alwyn Technologies
Improvements could be made in terms of security. I would like to see dynamic code analysis in the next version of the software.
Independent Consultant at a consultancy with 1-10 employees
I am not very pleased with the technical debt computation; it's a bit arbitrary. The codification metrics could also be improved.
Software Engineer at Adfolks
The reporting can be improved. In particular, the portability report can be better. I would like to see better integration with the various DevOps tools.
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.
Subhendu Mahapatra
Manager at Dassault Systèmes
The product's user documentation can be vastly improved.