SonarQube Overview

SonarQube is the #1 ranked solution in our list of application security tools. It is most often compared to Checkmarx: SonarQube vs Checkmarx

What is SonarQube?

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube is also known as Sonar.

SonarQube Buyer's Guide

Download the SonarQube Buyer's Guide including reviews and more. Updated: September 2021

SonarQube Customers

Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

Archived SonarQube Reviews (more than two years old)
Kiran Gujju
Cyber Security Architect (USDA) at a government with 10,001+ employees
Real User
Easily integrates with Jenkins and the information on the dashboard makes it easy for the developers to work on

Pros and Cons

  • "The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
  • "Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time."

What is our primary use case?

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in. 

How has it helped my organization?

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

What is most valuable?

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins. 

What needs improvement?

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

For how long have I used the solution?

Our company has been using it for quite a while now.

What do I think about the stability of the solution?

This solution is very stable.

What do I think about the scalability of the solution?

It supports around 25 plus languages.

How are customer service and technical support?

The technical support is very good. When a product is good, we don't use them as regularly.

Which solution did I use previously and why did I switch?

No, not that I am aware of.

How was the initial setup?

Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.

What about the implementation team?

We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.

What other advice do I have?

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
HJ
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified, VMware vSphere 5 at a financial services firm with 51-200 employees
Real User
Improves code quality and basic security but code analyzing has limitations

Pros and Cons

  • "Strong code evaluation for budget-minded clients."
  • "Expression of common vulnerabilities and exposures is not always current."

What is our primary use case?

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

How has it helped my organization?

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improve code quality and basic security.

What is most valuable?

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

What needs improvement?

With the static code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen.

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

For how long have I used the solution?

We have been using the SonarQube solution for about a year.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

How are customer service and technical support?

We have little or no interaction with technical support.

Which solution did I use previously and why did I switch?

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

How was the initial setup?

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

What about the implementation team?

We do our own implementations for various clients. We do not need the assistance of another team.

What was our ROI?

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

What's my experience with pricing, setup cost, and licensing?

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

Which other solutions did I evaluate?

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

What other advice do I have?

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PR
Scala Contractor at a tech services company with 10,001+ employees
Real User
Code coverage is useful, but the solution lacks mutation testing

Pros and Cons

  • "If code coverage is a low number then that's of great value to me."
  • "I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."

How has it helped my organization?

We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value to us as the rules themselves.

What is most valuable?

Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.

What needs improvement?

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

For how long have I used the solution?

Our company has been using this solution for over five years.

What do I think about the stability of the solution?

Stability has never been a problem. It would have to be unstable for me to experience a problem, and we haven't. So it's good.

What do I think about the scalability of the solution?

I don't really know how scalable this solution is, but I know we use it on thousands of projects, so it's probably good.

We have a pipeline. The pipeline currently runs 4000 teams through it, and all of them have SonarQube but usually with default rules. So that's pretty expensive. Now, we can't increase it because everything goes through it. We are evaluating what our best option is as we migrate our pipeline. We're migrating the pipeline and we're wondering what to do. If SonarQube did more security scanning, there's a good chance that we would use it more, in a different role. We're already using SonarQube everywhere, in some aspect.

Which solution did I use previously and why did I switch?

It was years ago. They probably evaluated other solutions. 

We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

How was the initial setup?

In all the companies that I've worked with, nobody has ever had a problem with the initial setup. It takes time to set up. It's a big thing and you do it, but it's just a project.

What about the implementation team?

We used people in-house to deploy. We have about 100 people in our pipeline maintenance team. SonarQube has not led to any significant increase in that number. It's just absorbed as a part of the cost. There are no dedicated staff working on it.

What other advice do I have?

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.

In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.

I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
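The reviewer's point above is that line coverage is a number people can game, while mutation testing measures whether tests actually check anything. The following is an added example to make that concrete; it is not code from the review, from SonarQube, or from any mutation-testing tool. The function under test (`is_adult`), the two test suites, the operator-swap mutation and the trace-based line counter are all constructed for this illustration.

```python
"""Line coverage versus mutation score (constructed example, not from the page)."""
import ast
import copy
import sys

# Constructed code under test, kept as a string so it can be parsed and mutated.
SOURCE = '''
def is_adult(age):
    return age >= 18
'''
FUNCTION_NAME = "is_adult"

# Comparison operators a mutant may swap in for the original one.
COMPARISONS = (ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)


def smoke_suite(func):
    """Calls the function but asserts nothing: full line coverage, zero checking."""
    func(30)


def boundary_suite(func):
    """Checks the boundary and both sides of it."""
    assert func(18) is True
    assert func(17) is False
    assert func(40) is True


def executable_lines(source):
    """Line numbers of the statements inside the first function in `source`."""
    tree = ast.parse(source)
    func = next(n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef))
    return {n.lineno for n in ast.walk(func) if isinstance(n, ast.stmt) and n is not func}


def line_coverage(source, suite):
    """Fraction (0.0 .. 1.0) of the function's statements executed by `suite`."""
    namespace = {}
    exec(compile(source, "<target>", "exec"), namespace)
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != "<target>":
            return None          # ignore frames that are not the code under test
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        suite(namespace[FUNCTION_NAME])
    finally:
        sys.settrace(previous)
    wanted = executable_lines(source)
    return len(executed & wanted) / len(wanted)


class SwapComparison(ast.NodeTransformer):
    """With replacement=None only records operators in visiting order; otherwise
    swaps the operator at position `index` for `replacement`."""

    def __init__(self, index=-1, replacement=None):
        self.index, self.replacement, self.seen, self.found = index, replacement, 0, []

    def visit_Compare(self, node):
        self.generic_visit(node)
        new_ops = []
        for op in node.ops:
            self.found.append(type(op))
            swap = self.replacement is not None and self.seen == self.index
            new_ops.append(self.replacement() if swap else op)
            self.seen += 1
        node.ops = new_ops
        return node


def generate_mutants(source):
    """One (label, mutated source) pair per comparison operator and alternative."""
    tree = ast.parse(source)
    recorder = SwapComparison()
    recorder.visit(copy.deepcopy(tree))
    mutants = []
    for index, original in enumerate(recorder.found):
        for replacement in COMPARISONS:
            if replacement is original:
                continue         # same operator would be an equivalent mutant
            mutated = SwapComparison(index, replacement).visit(copy.deepcopy(tree))
            label = f"{original.__name__}->{replacement.__name__}"
            mutants.append((label, ast.unparse(ast.fix_missing_locations(mutated))))
    return mutants


def suite_passes(source, suite):
    """True when every assertion in `suite` holds against `source`."""
    namespace = {}
    exec(compile(source, "<mutant>", "exec"), namespace)
    try:
        suite(namespace[FUNCTION_NAME])
    except AssertionError:
        return False
    return True


def mutation_score(source, suite):
    """(killed, total): a mutant is killed when the suite fails against it."""
    mutants = generate_mutants(source)
    killed = [label for label, code in mutants if not suite_passes(code, suite)]
    return len(killed), len(mutants)


if __name__ == "__main__":
    for name, suite in (("smoke", smoke_suite), ("boundary", boundary_suite)):
        cov = line_coverage(SOURCE, suite)
        killed, total = mutation_score(SOURCE, suite)
        print(f"{name:9s} coverage={cov:.0%}  mutants killed={killed}/{total}")
```

Both suites report 100% line coverage, yet the assertion-free suite kills none of the five operator mutants while the boundary suite kills all of them; the mutation score, not the coverage figure, is what separates them.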
HK
Country Manager Senegal at a financial services firm with 10,001+ employees
Real User
Ensures a high quality of code, but would be improved with better support for security

Pros and Cons

  • "SonarQube is good for checking and maintaining code quality."
  • "I would like to see more options for security, beyond the basics like SQL injection."

What is our primary use case?

We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.

What is most valuable?

SonarQube is good for checking and maintaining code quality.

What needs improvement?

It would be nice if SonarQube analyzed external libraries, in addition to our current code.

I would like to see more options for security, beyond the basics like SQL injection.

For how long have I used the solution?

Five years.

What do I think about the stability of the solution?

The stability of this solution is quite good.

What do I think about the scalability of the solution?

I think that scalability is fine. We have a large number of users at my company.

The majority of the users for this solution are architects, but some technical managers use it too.

Which solution did I use previously and why did I switch?

We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

How was the initial setup?

The initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.

We have this tool integrated with Jenkins.

One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.

Three or four staff are enough for deployment and maintenance.

What was our ROI?

We have seen a return on investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.

If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JI
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
Ensures compliance with corporate coding standards and reduces technical debt

Pros and Cons

  • "Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."
  • "The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."

What is our primary use case?

Our primary use for this solution is to improve code quality and reduce technical debt.

How has it helped my organization?

This solution is part of our pipeline. We use GitLab for source control and Jenkins for build management. Jenkins kicks off our SonarQube scans, and we use Checkmarx for static code analysis, UrbanCode Deploy, and UrbanCode Release.

Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs.

What is most valuable?

The most valuable feature is that it lays everything out and breaks it down, making it very easy to find and identify issues.

SonarQube is really good for finding coding standards when people deviate from what we have set corporately.

What needs improvement?

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me.

The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the same piece of code through both SonarQube and Checkmarx and there is no comparison between the vulnerabilities that each finds. Checkmarx may find fifty, whereas SonarQube will only find fifteen or twenty.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

I haven't had any issues with stability and we see it as quite stable.

The only time we had an issue was because we used a third-party plugin for it to integrate with another piece of software and there was a versioning issue. Other than that, we haven't had any trouble. We've had to integrate it with our LDAP and everything seems to run quite smoothly.

What do I think about the scalability of the solution?

We are in the process of bringing on more projects right now. We are running probably forty-five right now, and we haven't had an issue.

We have approximately one hundred users. There are some developers, but mainly product managers who are using it to track the numbers, and see if they're moving in the right direction or not. We have it integrated with some of our IDEs that we use corporately, and the developers are using it to check for bugs before they check code in.

Right now it's a small subset of the company that is using this solution, and there are plans to increase it. They are already starting to onboard more teams. Our DevOps manager is starting to push it upon more and more projects.

How are customer service and technical support?

We haven't really had any issues, so I can't speak much about technical support. There is also a large community out there who uses it.

Which solution did I use previously and why did I switch?

We were not using another solution prior to this one. As we've evolved, this is one of the tools that we decided to go with.

How was the initial setup?

The initial setup was fairly straightforward. It's well documented and the documentation is easy to read.

We rolled it out to one server that was used as a POC, which was later moved into a production environment. We then rolled out a second one for Dev to test doing upgrades, which we do on a regular basis. Every time a new LTS (Long Term Support) version comes out then we run an upgrade.

Only one person is required in order to handle the maintenance. It is easy to maintain.

What about the implementation team?

We handled the deployment in-house.

What was our ROI?

I do not know the metrics, but they are being tracked for the projects. Better code is being built with fewer defects, bugs, and issues. Our DevOps manager is increasing its usage, so he definitely sees value in it. 

What other advice do I have?

My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use.

There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
BR
Company Director at Alwyn Technologies
Real User
Nice display and reporting of issues but needs more of a focus on security

Pros and Cons

  • "We advise all of our developers to have this solution in place."
  • "I would like to see dynamic code analysis in the next version of the software."

What is our primary use case?

My primary use for this solution is to perform static code analysis.

What is most valuable?

The most valuable feature is the display of issues, like in Jira. That is very helpful for us to track our coding.

What needs improvement?

Improvements could be made in terms of security. 

I would like to see dynamic code analysis in the next version of the software.

For how long have I used the solution?

Between one and two years.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

Scalability is good; we currently have five users but we will definitely be increasing our usage of this solution.

How are customer service and technical support?

We have not required technical support for this solution.

How was the initial setup?

This solution is not as easy to install as SonarLint. 

What's my experience with pricing, setup cost, and licensing?

We are using the free, unlicensed version.

Which other solutions did I evaluate?

We evaluated other solutions including Cobra Static Code Analyzer, but we were not satisfied with their customer support in the open source community.

What other advice do I have?

We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user713202
Vice President at a financial services firm with 1,001-5,000 employees
Real User
Good reporting and works well for code timing, but is lacking in the security space

Pros and Cons

  • "If you want to have your code scanned and timed then this is a good tool."
  • "The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."

What is our primary use case?

We primarily use this solution for code quality purposes. We have a CI/CD environment, without a lot of manual steps.

How has it helped my organization?

This solution figures out and tells you when there are code quality issues.

What is most valuable?

The quantification and reporting features are really good. 

What needs improvement?

The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.

The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.

We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time. 

For how long have I used the solution?

Two years.

What do I think about the stability of the solution?

We have been using this for quite a number of applications, and its stability is very good. The scan time is very fast because it is a text-based scan.

What do I think about the scalability of the solution?

We have not had any problems with scalability. We have a big organization with a lot of applications and all of our critical applications are on this platform. We are planning to increase the scope by adding less critical applications over time.

Which solution did I use previously and why did I switch?

We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution, we opted for this.

How was the initial setup?

The initial setup was not complex. It is pretty simple and straightforward.

What's my experience with pricing, setup cost, and licensing?

The costs for this application, for the kind of job it does, are pretty decent.

What other advice do I have?

This product is good but it is not meant to be a single solution for all issues.

If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong.

I would rate this solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SG
Lead Engineer at bioMerieux, Inc.
Real User
Great birds-eye view dashboard with detailed code metrics in the drill-down

Pros and Cons

  • "We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
  • "We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better."

What is our primary use case?

We're collecting code quality metrics.

How has it helped my organization?

We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.

What is most valuable?

I like the dashboard it shows by default, where you can see things at a glance. At the same time, you can also drill way down and see a lot of stuff about your code, like complexity metrics, and things like that. It gives you a nice dashboard where you can just look at a birds-eye view.

What needs improvement?

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course, that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.

On the other hand, there are published books available. However, the one problem I ran into is they were a little bit out of date. They're still very helpful, but we had to kind of translate from the previous version that was covered in the published books to what's actually available now.

An improvement I would like to see would be on the part of the authors to come out with a new edition or revision that covers some of the newer features of SonarQube and newer configurations. I'd buy a copy.

In terms of additional features, it's actually a very complete solution from what we have seen. Again, I would like the authors to revise their books. I think even ordinary people that are using the licensed model with direct support could walk through some different use cases, just from having been around the block a few times. There are enough things that the software does that this could be very beneficial. Even beyond the technical issues of installation, there are further use cases that could be helpful. For instance, how to get the big bang from the buck out of it.

For how long have I used the solution?

We've been using SonarQube for around eight months.

What do I think about the stability of the solution?

We use C++ and a lot of Python. Another group in our company is using Java. SonarQube is more directly suited for Java, being almost built into it, whereas C++ requires some extensions. The Java group is using a newer version. We were kind of hoping to piggyback on theirs but SonarQube did not create newer versions of the C++ interfaces as open source. It starts costing money so we haven't crossed that threshold yet. We haven't established a clear path.

What do I think about the scalability of the solution?

I think if you're going to get the paid model, I get the impression it would do pretty much everything you need as far as metrics go.

A colleague of mine did some work looking at some plugins for Visual Studio and things like that, but they weren't going to work out, so we did take a look at some other options where they could have everything done on the desktop. Our solution in place now requires an infrastructure where it doesn't look at your code, but rather the code that you last checked in, which takes some levels of complexity that we've kind of built-in anyway. It's a little less intuitive how it works to the casual observer. It's set up now to where they don't have to know how it works, they can just go to the web interface and see it.

There are about eight programmers in our section of the solution. So we're kind of a smaller shop compared to some, but larger than many.

Certainly right now I think SonarQube is being underutilized, just because old habits die hard. If I had any say I would like to change that. We had coding standards in place, but they were written documents, whereas SonarQube takes that to another level and you had to look at the specification to see what you said you were going to do. It also tells you what the industry norms are, and whether or not you're meeting them. We have had some discussions about which we want to do. If we want it to happen automatically or if we want to go look for it again ourselves. I cast my vote in the automatic way because the research has already been done by the SonarQube community to come up with these roles, rules, coding standards, etc.

It wasn't done in a vacuum. The agile community has been beating on issues like this for a long time, and they're getting to a point that it's becoming a self-sustaining method.

How are customer service and technical support?

They do have a lot of information on their website for the parts that they're offering free. We don't have licensing but there is a lot of information, it's just a matter of digging for it and you have to infer a few things. With the proper amount of agony we've managed to get there. There are some subtleties as far as configuration parameters. It does it one way, but we'd really like to do it a different way. Finding that magic incantation to flip that switch is not always in bold print so to speak.

Even for the freebie community which we're in, they haven't held back information. The information is out there to do some amazing stuff with it, but you've got to get your shovel and go dig it up.

We do have some other licensed software and when you look for information on their product, all roads lead to them and when you get there, you log in with your account that costs tens of thousands of dollars. SonarQube isn't like that. They don't hold the information back but you just have to go find it on their website by yourself.

Which solution did I use previously and why did I switch?

We didn't have a previous solution other than paper systems that we never got in the habit of going back to referring to. We didn't switch, we started fresh.

How was the initial setup?

The initial setup was complex because we were using the Community Edition. We did have some issues with the compatibility of the different components. For example, there is the server itself, but then you can plug in different packages, like the C++ package. We've also experimented a little bit with Python metrics, but unfortunately we don't have a project that's really under that control yet, to really get a feel for how that works.

Configuration issues were pretty complicated, but once we got things up and running, it's been extremely stable and kind of maintenance-free now, although we have a time issue. The scans that it does can be somewhat time-consuming, so originally some of the developers would say, "Well, we want to be able to do that on our desktop." I told them, "I don't think you know what you're asking for, here." But as an alternative, we have it set up with our continuous integration server, which is TeamCity, by the way. In the middle of the night, it automatically runs a scan for them, while they're in bed at home asleep, so their results will be ready the next morning. This way, whatever they have most recently checked in, they can see the results right there. And then it runs in the background, so it doesn't matter how long it takes per se; it gets it done by the next time they come in. That's part of what continuous integration does: it does things for you that years ago people would do themselves, and never get around to it.

What about the implementation team?

We spent a couple of weeks getting things figured out. I worked with an apprentice, who was kind of going through the motions.

We chose to use a Red Hat operating system for the base. It's running on a Red Hat 7 server, which contributes to the stability from the foundation, and then we installed the actual SonarQube server on Red Hat. That's when we had the compatibility issues and so on, when we started installing the scan engines on top of that. That's when things were not compatible with each other and we had to fall back and figure out why things weren't plugging and playing. However, they did have on their website a sheet with a little chart that showed the compatibility between the different versions, and once we discovered that I was able to see which version can work with which.

We didn't have to change the OS or the SonarQube's service itself, but the C++ extension. The version of the C++ extension we were using was not compatible with the Community Edition we had.

We've had a consultant at one point, not to look specifically at SonarQube, but rather at our firmer development processes as a whole. He's the one that pointed us towards SonarQube being a reasonable option. In fact, he was the one that helped us in finding the compatibility chart.

It's been mostly me doing the implementation on my own. I haven't been full time on it, but about half of my time is devoted to this. I do take some breaks and write some code and do some refactoring on occasion.

As far as time on SonarQube itself, only about a tenth of a person is devoted to this. It's part of an infrastructure. I have a whole family of virtual machines that do different things: build, test, etc.

Which other solutions did I evaluate?

We had looked at other code quality systems. We had looked at a number of them. I don't remember them all, but Klocwork was on that list. I think it comes down to picking one and getting used to how it works because they all do mostly the same thing. Some of them focus more on Java, some more on C++. I think Java seems to be the favorite. As far as what they can really do for you, there didn't seem to be any one of them that does ten times what another does. There were some differences, but no show-stoppers that I recall. I guess the advice would be that one of several tools could do a good job for you, but you still have to manage it and manage the behavior that goes along with it.

What other advice do I have?

I would rate SonarQube as a nine out of ten.

Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control.

I have one graph here where there are probably 50 bubbles. There's one axis that shows technical debt, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things.

If you hover over the bubble, it tells you what module it is, how many lines of code, technical debt and manpower estimate, things like that.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
LZ
Application Security Analyst at an agriculture company with 501-1,000 employees
Real User
Simple to use but the plugins are not well documented

Pros and Cons

  • "The most valuable function is its usability."
  • "This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."

What is our primary use case?

We use this solution in the development of our travel programs.

How has it helped my organization?

We use this program as a complement to our security scans, in addition to Checkmarx.

What is most valuable?

The most valuable function is its usability. It uses a simple approach.

What needs improvement?

This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.

The plugins are not well documented.

For how long have I used the solution?

Several years.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We do not have any problems with scalability.

We have approximately fifteen developers using this solution, on the Java side.

How are customer service and technical support?

We have not needed to use the technical support.

Which solution did I use previously and why did I switch?

We did not use another solution, prior to this one.

How was the initial setup?

The setup is not complex. There are some issues during setup with the plugins because they are not well documented.

What's my experience with pricing, setup cost, and licensing?

Some of the plugins that were previously free are not free now.

Which other solutions did I evaluate?

We are looking for how we can integrate several products. We are using static code analysis, we are looking into runtime code analysis, and of course, we have a web application firewall. The problem with all of these tools is that you need a lot of maintenance, and you have a lot of false positives. So, we have tried to find the best solution.

What other advice do I have?

I would suggest trying the product. I like its usability because it has a simple approach.

We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PD
Manager at a wireless company with 11-50 employees
Real User
Checks code against server-based audit version but QA audit controls need better automation

Pros and Cons

  • "Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
  • "We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."

What is our primary use case?

Our primary use is for coding best practice management and quality. Aside from that, we also use it for security.

I'm getting involved in moving this solution forward and positioning it in our enterprise so I haven't gotten to the point where we're nailing down the configuration and release controls yet.

How has it helped my organization?

SonarQube has not yet had an impact on our organization. In the past, however, I've used it to control the security vulnerabilities and establish standards for API control.

What is most valuable?

There are two major use cases. One is to integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version.

What needs improvement?

I haven't really done a comparative analysis yet.

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major.

Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice-based solution. Microservices are contained inside these containers, which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development, deployment and integration. It means that your container has this application logic, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes.

For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from the virtual hardware. What it does is abstract that application component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application.

Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed.

I would rate this around seven out of ten, because it has what we need, and it's easy to use.

For how long have I used the solution?

I have used this solution for about a year.

What do I think about the stability of the solution?

SonarQube stability is fine. I would rank it high on the stability side.

What do I think about the scalability of the solution?

We're not going to test scalability. Our volume is not that heavy. For this organization, it's not serious in scope.

Our users include about 60 developers and two dozen QA. On the QA side, there will only be about five really using it. There will also be two people on security. In total about 60 or 70 enterprise-wide.

We are in the introductory phase and we will, later on, make this a part of our release process.

How was the initial setup?

It's pretty straightforward. It's a very easy thing to get up and running. It's the workflow side that you have to be careful about. Make sure that you don't overwhelm everybody with a report with a gazillion lines. Your real gems are in a very small percentage of it. So that's the configuration side, and that's what we're working on now. I've found that you have to tailor SonarQube's power to the maturity of the organization. Otherwise, you get a report with 2,000 items in it and it's hard to find the ones that are critical. This leads to data overflow and analysis paralysis at that rate.

What about the implementation team?

We did an evaluation in about two weeks, so it was pretty easy to do and that wasn't full-time.

We did not use an integrator, reseller or consultant for the deployment.

What other advice do I have?

From experience, you should just size the scale of what you're trying to do to the maturity of the organization.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Daniel Hall
Technical Architect at Dwr Cymru Welsh Water
Real User
Ensures that quality is not compromised between builds

Pros and Cons

  • "The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
  • "A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product."

What is our primary use case?

Our primary use case is to provide more coverage and reduce the reliance on code reviews alone. It also provides confidence and helps begin a path towards continuous improvement.

How has it helped my organization?

This has improved our process because it allows us to pick up on a lot of the smaller best practices that might otherwise be missed, in addition to ensuring code quality is not compromised between builds.

What is most valuable?

The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices).

What needs improvement?

A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, and it also gives the benefit of a single pane of glass view, although we still need WhiteSource Bolt for 3rd party library scanning. The integration into Docker builds could be better, as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. I have not looked into SSL for the management page yet but am hoping that goes smoothly.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

We have only used this solution for a few weeks, but so far we have had no issues at all.

What do I think about the scalability of the solution?

My impression of the scalability is good, as it appears that it can support a much larger number of projects than we have.

How are customer service and technical support?

We have had no need to contact technical support.

Which solution did I use previously and why did I switch?

I did not use another solution prior to this one.

How was the initial setup?

The setup took a bit of work, but that was because we were combining Docker, Kubernetes, Azure Key Vault, and the Azure PaaS SQL Server.

What about the implementation team?

We took care of the implementation in-house.

What was our ROI?

In terms of ROI, it is difficult to put a number against code quality. For the cost of hosting it, I would say very good if you do not have a solution to start with.

What's my experience with pricing, setup cost, and licensing?

A self-hosted SonarQube on a Kubernetes cluster is very cost efficient if you already have the infrastructure and don’t need the premium features.

Which other solutions did I evaluate?

We evaluated the Checkmarx Software Exposure Platform and Veracode, but they were expensive for a first go.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SM
Manager at Dassault Systèmes
Real User
The FindSecBugs plugin has helped to solve our security vulnerability issues

What is our primary use case?

Our primary use case for this solution is security testing using the FindSecBugs plugin.

How has it helped my organization?

This has improved our organization because it has helped to find security vulnerabilities.

What is most valuable?

The most valuable feature is the FindSecBugs (Find Security Bugs) plugin, which finds security vulnerabilities.

What needs improvement?

The product's user documentation can be vastly improved.

For how long have I used the solution?

Still implementing.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CR
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees
Real User
Protection That Detects Bugs and Provides Code Security

What needs improvement?

I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

The scalability of SonarQube is good. The number of people required for deployment and maintenance depends on our requirements for different client projects.

What's my experience with pricing, setup cost, and licensing?

We purchased the solution; it's not on a monthly or annual contract.

What other advice do I have?

On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JI
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees
Real User
It easily ties into our continuous integration pipeline, but it is light on the security side

Pros and Cons

  • "It is very good at identifying technical debt."
  • "It easily ties into our continuous integration pipeline."
  • "I find it is light on the security side."

What is our primary use case?

Primary use is code standards, or code quality. It's worked out okay. I find it is light on the security side though.

We brought it into our CI pipeline to see if we could help our developers fix issues and identify issues sooner.

How has it helped my organization?

  • Higher code quality.
  • Faster to market.
  • Fewer errors.

What is most valuable?

  • The issues it identifies.
  • How easily it ties into our continuous integration pipeline.
  • It is very good at identifying technical debt.

What needs improvement?

As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It seems to be very stable. I haven't had many issues with it. 

We just upgraded to the 6.7 version, which has been performing well.

What do I think about the scalability of the solution?

We haven't had any issues to date. We haven't had a huge number of projects to date. We're slowly slowing the uptake from some of our internal teams, but it seems to be fairly scalable.

How are customer service and technical support?

I haven't had to use technical support.

How was the initial setup?

The initial setup was fairly straightforward.

What's my experience with pricing, setup cost, and licensing?

The price point on SonarQube is good.

Which other solutions did I evaluate?

We are looking into corporate security and a couple different tooling options for doing data code analysis and security scanning.

We have looked into a few options: 

  • We are looking at IBM AppScan.
  • I am going to be running a small PoC next week with Veracode. I started doing a bit of research on Veracode, and I saw how it ties in compared with SonarQube.

What other advice do I have?

We are looking at using another product to complement it for security reasons.

Most important criteria when selecting a vendor:

  • Usability of the product.
  • Responsiveness when we have issues.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user732738
Technical Architect and Software Engineer at a tech services company
Real User
Provides holistic overview of all quality issues in a project and enables easy drill down into particular problems

Pros and Cons

  • "With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."

    What is most valuable?

    SonarQube is not valuable because of the information it gives. We can gather that same information from several other tools as well. It is the way the information is presented that makes it so powerful. It provides a holistic picture of all quality issues in a software project. With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas.

    How has it helped my organization?

    Individual developers are more concerned about the quality of their work when they see their results in the big picture.

    For how long have I used the solution?

    About a year, in different projects, including the current one.

    What do I think about the stability of the solution?

    No.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    Not used.

    Which solution did I use previously and why did I switch?

    We used the same tests, but with every developer running them individually. Now management can also get a picture of the quality assurance.

    How was the initial setup?

    Very simple.

    What's my experience with pricing, setup cost, and licensing?

    Price is high and only worth it if your organization has hundreds of developers.

    Which other solutions did I evaluate?

    No.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user727500
    Senior Java Developer at a financial services firm
    Real User
    Code convention ensures consistency and graphing tool gives overall view of code changes over time

    Pros and Cons

    • "Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors."
    • "An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."

    How has it helped my organization?

    This product has helped us improve the quality of code within the business and ensure all new developers keep to a similar code convention per project. This can basically be tracked back to saving the company money, because improved quality of the code means less technical debt which means it's easier to extend or add functionality to the code base. The quicker the development team can roll out changes, the less developer hours needed to implement the changes, which the company needs to convert into profits.

    What is most valuable?

    Most features in the product are very useful, but there are some parts that I personally use more than others.

    1. Code Convention: Using the tool to implement some sort of coding convention is really useful and ensures that the code is consistent no matter how many contributors.

    A very useful addition to this tool is an IntelliJ plugin called SonarLint, which integrates into your IDE, then allows you to run the convention rules file by file and receive immediate feedback when making changes. This removes the need to push to the server before finding out what issues you need to resolve.

    2. Technical Debt: Being able to see how much technical debt there is within the project is useful, especially if your change increases this value. It's a good way to determine whether your change is improving the overall code quality or not.

    3. Graphing: The tool has some very useful graphs which give you an overall view of how the code looks and/or changes with time. A graph that I find useful is the bubble chart. It shows three different metrics in a 2D graph. It shows the number of lines of code versus the number of issues in that project. The third dimension is the size of the bubble, which is technical debt in the project. So it's very easy to see which projects need immediate attention, if they are in the top-right quadrant of the graph as a very large circle, i.e., high number of issues, high number of lines of code, and high technical debt. Seeing which project/submodule is in which quadrant of the graph shows where work is needed. You can also drill into the project and see any submodules within that project as well. Very useful.

    What needs improvement?

    • Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make upgrading easier.
    • Another improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case. There is a way to mark the code/method with the issue number, but having to add comments/annotations in your code for your static analysis tool feels wrong to me.
    • Being able to have different groups or projects within the same server would be nice. Currently, I have a Sonar machine for production code (master branch) and UAT code (UAT branch), so when each branch is built in our continuous integration server it publishes to these two Sonar machines. What would be nice is if I could create subgroups within a single SonarQube server for each environment to remove the need for two separate machines.

    What do I think about the stability of the solution?

    It seems a lot more stable in the current versions of the product. I have never had major issues though, so I would say it's pretty stable.

    What do I think about the scalability of the solution?

    I haven't yet found any scalability issues, although with the upgrade to version 6, they have moved the processing of the stats from outside the server to inside the server. What I have noticed is that the machines running SonarQube are using a lot more resources, as the processing is done server side. This means that I need to increase the resources allocated to the machine. If I was running this in the cloud, it would be easy, as I would create a larger instance for the service. But as I have this running on a physical machine, I am limited to what I can allocate.

    How are customer service and technical support?

    I haven't used their technical support.

    Which solution did I use previously and why did I switch?

    Yes, I have used individual components which SonarQube uses, such as FindBugs, but with the static analysis run and reported back within a continuous integration server. This gives you back some of the results, but SonarQube is a single, complete solution for static analysis and has added improvements like a great UI and visualisations.

    How was the initial setup?

    Initial setup was pretty easy. I currently run this in a virtual Linux (Ubuntu) machine using Vagrant and VirtualBox. Installation using apt-get was pretty simple. I then bundled it all up into a new Vagrant box which means I can spin up a new instance of SonarQube whenever and wherever I am (like a custom AMI on AWS), but locally.

    What's my experience with pricing, setup cost, and licensing?

    I am using the open source version of the product, so no cost. The licence is standard open source licensing, LGPL, so nothing to advise really.

    Which other solutions did I evaluate?

    I didn't. I am not sure if there are any other open source static analysis tools as good as this that I have found; well, at least three or four years ago there weren't.

    What other advice do I have?

    I would advise to get it done sooner rather than later. The sooner you have a better understanding of the state of your code base, the sooner you can make better business decisions based on that information.

    Also, even though you may be a sole developer, I think it's still useful to use this tool and have these metrics at your fingertips. It's like version control: even if you are the only developer, I think it should be used for everything you do.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user344817
    Service Line Leader at a tech services company with 10,001+ employees
    Consultant
    It's enabled us to improve software quality and help us to disseminate best practices, but it needs better design of the interface.

    How has it helped my organization?

    It's enabled us to improve software quality and help us to disseminate best practices.

    What is most valuable?

    This product is open source and very convenient.

    What needs improvement?

    A better design of the interface and add some new rules.

    What do I think about the stability of the solution?

    Only common issues have been experienced.

    What do I think about the scalability of the solution?

    Only common issues have been experienced.

    How are customer service and technical support?

    Customer Service:

    I can't rate because there was no customer service.

    Technical Support:

    The technical documentation is really good and the community is great and active.

    Which solution did I use previously and why did I switch?

    Nothing was implemented before this software, only PMD, a light control tool.

    How was the initial setup?

    The technical documentation online is easy to understand, so the initial setup is straightforward. However, they need to adapt your organization's constraints to the software, which is more difficult.

    What about the implementation team?

    We did it in-house.

    What's my experience with pricing, setup cost, and licensing?

    This product is, to my mind, a reference so that if you decide to put in place this software, you will improve the quality control inside your organization. Simple and effective.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user718230
    Devops Engineer at a healthcare company with 10,001+ employees
    Vendor
    Ensures A Good Quality Of Code Is Released To Customers

    Pros and Cons

    • "I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products."
    • "When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser."

    How has it helped my organization?

    SonarQube ensures that we release a good quality of code to our customers. We have incorporated test driven development within the organization. It is also very helpful to bring a DevOps culture within the organisation.

    What is most valuable?

    I follow Quality Gate's graduation model within the organization, and it is extremely helpful for me to benchmark products.

    What needs improvement?

    Well, load balancing is something we expect it to have. Also, sometimes the loading dashboards are a little slow. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.

    What do I think about the stability of the solution?

    No.

    What do I think about the scalability of the solution?

    Yes, a little bit.

    How are customer service and technical support?

    Good.

    Which solution did I use previously and why did I switch?

    Previously, we used to use regular code review (static analysis, coverage tools) without much into single dashboard. SonarQube helped to put everything together into place supporting almost all languages, or quality profiles.

    How was the initial setup?

    Simple to set up.

    What's my experience with pricing, setup cost, and licensing?

    People can try the free licenses and later seek to buy plugins/support, etc. once they start liking it.

    Which other solutions did I evaluate?

    Not really.

    What other advice do I have?

    SonarQube provides easy upgrade mechanisms, and I rarely found any issues.

    Use a good VM for hosting, which can serve large requests on the fly with Oracle DB, etc.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user700128
    Director at a consultancy with 10,001+ employees
    Consultant
    The tool was implemented in a pilot, and successfully scaled to the enterprise.

    Pros and Cons

    • "The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools."
    • "Ease of use/interface."

    How has it helped my organization?

    It has improved code quality and helped shift quality left. It also paved the way for implementing Continuous Integration/Continuous Delivery.

    What is most valuable?

    The customizable dashboard and ability to include results and coverage from unit test and other static analysis code tools.

    What needs improvement?

    Ease of use/interface.

    What do I think about the stability of the solution?

    I didn't encounter any issues with stability.

    What do I think about the scalability of the solution?

    No - the tool was implemented in a pilot, and successfully scaled to the enterprise.

    How are customer service and technical support?

    Fairly good.

    Which solution did I use previously and why did I switch?

    Yes, we used PMD, FindBugs and FxCop. Switched for the reporting and dashboard capabilities.

    How was the initial setup?

    There was a bit of a learning curve and some customization to get it to work, but nothing too complex.

    What's my experience with pricing, setup cost, and licensing?

    Get the paid version which allows the customized dashboard and provides technical support.

    What other advice do I have?

    Do your research to make sure the tool is a good fit for your organization.

    Also, give the development teams some time to adapt to the standards - set the thresholds lower to begin with, and then gradually raise it to desired levels, rewarding compliance and good behavior.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user697056
    Senior Software Developer at a tech vendor
    Vendor
    Provides automated rules for determining if a project is above or below a quality threshold.

    Pros and Cons

    • "Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions."
    • "It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."

    How has it helped my organization?

    Better live process: More automated quality control in the lifecycle of development/testing/deployment/production. This includes the prevention of potential bugs due to ineffective code, as well as keeping a more unified style of solutions. This is thanks to standard solutions offered by the issue tips. It raises code maintainability as well as flexibility, to some extent.

    What is most valuable?

    Quality Gate: Automated rules for determining if a project is above or below a quality threshold. This is a concise "red"/"green" style, basic quality-control. This is integrated in the development and deployment process.

    Issue Explanations: Documentation with detailed samples. Helps in growing technical knowledge and re-writing logic to conforming solutions.

    What needs improvement?

    Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe.

    It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues.

    There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.

    What do I think about the stability of the solution?

    There were no stability issues. I can't think of any serious issues.

    What do I think about the scalability of the solution?

    There were no scalability issues, not as far as the development environments are concerned. I guess if there were tens of repos and maybe hundreds of commits per day, the analysis time would probably suffer. I suppose there is a way to cluster the solution somehow. I'm not sure. I never needed anything like it at the current scale that we have operated with it.

    How are customer service and technical support?

    I had no direct contact with tech support by myself, but I haven't heard any complaints about it going around either. I guess it is adequate.

    Which solution did I use previously and why did I switch?

    Previous to this solution, we used static code analysis using built-in IDE tools and plugins. SonarQube just centralizes the same thing and adds some extra layers to systemize and create a somewhat better pipelining for the quality analysis process.

    IDE-related tools and plugins are still in use today, as first-in-line hints and helpers. SonarQube manages the quality threshold and it is part of the larger overall process.

    How was the initial setup?

    The initial setup was not complex at all. There are default configurations out of the box in many ways. It was rather straightforward.

    What's my experience with pricing, setup cost, and licensing?

    I have no advice on that part, as I'm not directly related to these aspects of the product myself.

    What other advice do I have?

    Try it, get used to it, configure, and fine-tune it. Make it part of your everyday quality pipeline as gates necessary to pass before the green light to production deployment.

    While annoying occasionally with its issue reports, it is actually an invaluable source of better knowledge and applying it in practice to your solutions.

    Saves you a bunch of headaches and debugging/fixing sessions in production, which is ten times as costly as using the help of this.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user697050
    SW Automation Team Leader at a tech services company with 201-500 employees
    Consultant
    An actual RuntimeException bug was discovered and immediately fixed.

    Pros and Cons

    • "SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed)."
    • "There is need for support for the additional languages and ease of use in adding new rules for detecting issues."

    How has it helped my organization?

    SonarQube and SonarLint were adopted as part of the CI development process, i.e., the developers who committed high severity issues to the repository were immediately notified via mail/Jenkins.

    An actual RuntimeException bug was discovered and immediately fixed by using SonarQube with CI.

    What is most valuable?

    SonarLint: It gives a code smell check during development, via linting in IntelliJ (it helped with best practices and in discovering potential bugs early).

    SonarQube: Recording of issues over a period of time, with an indication of the addition in the new issues or the reduction of existing issues (which were fixed).

    What needs improvement?

    There is a need for support for additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected by SonarQube after committing to the CSM were not displayed in SonarLint scans (hopefully this was fixed in later versions).

    What do I think about the stability of the solution?

    A single developer claimed that the SonarLint plugin caused performance issues on his IntelliJ IDEA. However, this issue was not encountered by the other developers.

    What do I think about the scalability of the solution?

    There were no scalability issues but we did not use SonarQube/SonarLint on very large code bases.

    How are customer service and technical support?

    They have very good documentation at the SonarQube site; during inquiries on possible purchases, the SonarSource team was very responsive.

    Which solution did I use previously and why did I switch?

    We did not use a different solution in the past.

    How was the initial setup?

    The initial setup was relatively simple (raising a dedicated VM server for SonarQube, configuring a Jenkins job to interact with the SQ server on several CSMs).

    The SonarLint setup is extremely simple in IntelliJ.

    What's my experience with pricing, setup cost, and licensing?

    We did not purchase a license (required for C++ support), but this option was considered.

    The Java SonarQube version, which is free to use, was extremely helpful and I suggested to my managers that we purchase a license.

    Which other solutions did I evaluate?

    We did not evaluate other static code analysis solutions.

    What other advice do I have?

    I would recommend adopting the usage of SonarLint at the very least for Java development since it is a very good tool for helping to ensure high code quality.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user697038
    DevOps at a tech company with 10,001+ employees
    MSP
    Keep source code well tested using SonarQube

    How has it helped my organization?

    Quality Gate helps us to merge code that was not covered with tests.

    What is most valuable?

    • We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.
    • We can review possible faults in JavaScript code.

    What needs improvement?

    We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

    What do I think about the stability of the solution?

    We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.

    What do I think about the scalability of the solution?

    There were no scalability issues.

    How are customer service and technical support?

    The technical support team has experts on it. They are available on Twitter, Google Groups, and StackOverflow.

    Which solution did I use previously and why did I switch?

    We did not use a different tool before this one.

    How was the initial setup?

    The initial setup required unzipping it and having MySQL installed. We then set up a couple of configuration files. There was no need for IT for this.

    What's my experience with pricing, setup cost, and licensing?

    This is open source.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user347733
    DevOps Engineer at Trantor Software Private Limited
    Consultant
    It's changed the attitude of our developers as they can see their code exceptions at compile time, but it would be great if it also covered XML code.

    Valuable Features

    We are working in the banking sector, and our application code is quite large in terms of performance. Ranorex has helped us a lot to follow Java code conventions for writing performance oriented code.

    It also has very good compatibility with continuous integration servers like Hudson and Jenkins.

    Improvements to My Organization

    It has changed the whole attitude of the developers on our team, as they can see their code exceptions at compile time. With this, we have delivered a quality product to our stakeholders.

    Room for Improvement

    It would be great if it also covered XML code.

    Use of Solution

    We have been using this solution in our Java web application for the last 18 months. We embedded SonarQube with the help of a SonarQube-maven plugin in our web application.

    Deployment Issues

    No issues encountered.

    Stability Issues

    No issues encountered.

    Scalability Issues

    No issues encountered.

    Customer Service and Technical Support

    It's excellent as we get everything we need from the product.

    Initial Setup

    It was somewhat complex, as we had to integrate it with Apache Maven 2.2.1, and there is no listing of SonarQube version compatibility with Apache Maven.

    Implementation Team

    We did it in-house.

    ROI

    It is quite an efficient product in terms of ROI.

    Pricing, Setup Cost and Licensing

    It is available under an open-to-use license.

    Other Solutions Considered

    We did some R&D according to our product need and found SonarQube as a solution.

    Other Advice

    I would advise you to implement SonarQube if you are facing any performance related issues in your products.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Technical Authority Digital at an insurance company with 1,001-5,000 employees
    Vendor
    It enables Technical Leads to monitor and measure the effectiveness of delivery teams, but it needs better integration with JIRA.

    What is most valuable?

    So, it's been more than a year since I wrote this review, so what has changed?

    Well. The first thing to say is that we (that is, a large multi-national financial services company) continue to use SonarQube; indeed, it has become mandatory for all projects (new and existing). We have introduced an aggregation portal which takes metrics from SonarQube via its API, along with other sources, to provide a cross-project and somewhat sanitised view for upwards reporting. It's important, we feel, not to try and hide issues, but at the same time not to 'set hares running' by exposing more senior management to metrics 'in the raw'. So instead, we gather all the evidence that we have, and add to that some constructive assessment from the lead solution designers, scrum masters and others, to provide a more balanced and reasoned view. As we all know, there are a whole multitude of metrics baying for our attention, and it is not always obvious which are critical and which are less important (and that is often a factor of timing and priority).

    One thing we did do this year is consider other complementary products, particularly in the area of identifying security vulnerabilities in both our own code bases and the open source 3rd party libraries that are routinely packaged with a released application. The latter category can often account for 80%+ of the actual app, so it's an important area not to neglect. SonarQube does provide some support here i.r.o. the integration of the OWASP Top 10, but it clearly isn't an area of strength when compared to more dedicated products. We did an RFP and have now selected two further products that will bolster this aspect considerably.

    We have also moved forward with SonarQube in 3 important ways. First, we have upgraded our implementation to version 5.4 (prev. 4.5.x). This was important to many of our teams because some plugin support requires the later version. The second change is that we have moved our implementation of the SonarQube server into Docker. SonarSource provide an OOTB image on DockerHub which is a good starting point. We have enhanced it in a couple of ways to reduce the size and attack surface and also to add our specific config, but it was pretty easy to do so, so good job from SonarSource here. The third difference is we have moved some of our installs to use the Professional version rather than OSS. There were a couple of reasons: one was to access some commercial plugins which come bundled as part of the product, and it made more sense (funding-wise). Another was to provide better support for a central SQ service. When I said 'some' of our installs, that was deliberate. We don't only provide SQ as a central PaaS, but also allow distributed DevOps teams to spin up their own, as long as they fully understand that operational support becomes their problem too, of course (no free lunch here!). This works well for teams who want to manage more of their delivery pipeline rather than be part of a change control process where other participants might need to be consulted and perhaps engage in regression testing when changes are requested.

    One significant change in v5.x is the movement of the database update to the server. This has a couple of important consequences. The first is that the build-breaker plugin is no longer useful, since it's harder to synchronise the fact that a build has failed with the update of the analysis outcome visible on the server. We use that plugin a lot, so it was a bit of a PITA. There is a compatible approach that SonarSource have documented, but personally I'm not a great fan because it increases the number of moving parts and thus the opportunity for something else to fail. But, with any upgrade there are always 'swings and roundabouts', and on the whole the positives outweigh the negatives (decoupling the client-side analysis from the database update *is* on the whole a good thing). SQ v5 also comes with a bunch of new 'runners', now called 'scanners'. We have used the basic one, the Maven one and the MSBuild one, and all work fine. It's another change that you need to consider as part of migration, but not a massive one. Security controls have been enhanced in v5 and it's now easier to apply more granular access controls than in v4. For companies that outsource development work that's likely to be quite important (it is for us).

    Licensing in the 'immutable server' world, whether that's Docker or native Cloud, remains unresolved. SonarSource seem a little behind the curve here, but we are talking to them. The key point is that we no longer stand up environments (including CI/CD pipelines) with any intention that they will have a 'shelf life' beyond their immediate use. Creating environments for specific use cases and then tearing them down frequently (often this can be measured in minutes or hours) has become commonplace for us and has tremendous advantages over previously used 'convergence' approaches using config management tools like Puppet, Chef or Ansible. Many vendors recognise this and have adjusted licensing arrangements; SonarSource aren't quite there yet (but they are willing to talk about it).

    Anyway, that's probably enough of an update. I hope you find this, and the previous review, helpful?

    Original Review (circa: 2014/15)

    Moving to a largely evidence-based assessment is hugely beneficial, especially if you are managing out-sourced resources. It provides a clear definition of what acceptable quality actually means, and supports the decision of when you can stop, as well as what is not acceptable, as there are no arguments based on opinion. That said, metrics only take you so far; you still need smart people who can interpret and see beyond the base facts provided.

    The ability to integrate analysis of software engineering metrics directly into the Development Lifecycle (DLC) in much the same way as any other practice such as Unit Testing. Specifically, developers run SonarQube analysis frequently and don’t commit changes to SCM when build breaker issues remain.

    Early warning via CI build pipeline and especially setting up ‘Build Breakers’ based on a team or code base specific quality gate - a set of rules/thresholds that determine the most important measures for a particular code base.

    Targeted improvement allows a team to identify specific areas of threat (e.g. TD) and then set purposeful goals to improve in those areas (rather than trying to improve everything).

    The SonarQube community is very active which often means that finding solutions is a blog post away from other like-minded organisations. Community plugins are a staple for this product and have tremendous breadth and depth.

    How has it helped my organization?

    It would be utterly impossible to contemplate Continuous Delivery without including a major focus on ensuring affordable software quality. SonarQube plays a key role in this endeavour and provides Senior Management oversight across multiple project teams and business deliveries. It fits in very well with existing Continuous Integration build pipeline workflows, and, as we move towards Continuous Delivery, it supports 'no surprises' release management.

    Our software quality assessment at an affordable cost (licensing, time and effort). Previous attempts have failed to win the support of the development community (typically overly complex and intrusive and/or not sufficiently timely) without which the initiative will be doomed to failure.

    What needs improvement?

    • More granular security
    • Simpler integration with JIRA
    • It would be nice for a dashboard server to be able to address more than one database (this limitation tends to encourage either lots of small (team/project) servers or one uber server if you want to report across projects).

    For how long have I used the solution?

    3 years.

    What was my experience with deployment of the solution?

    Originally we used Puppet to apply our specific configuration to our SQ install, and this was pretty successful, albeit reasonably complicated. More latterly we have moved to using Docker. SonarSource provide a base image on DockerHub which is easy to extend for your own use case. We updated it to use a smaller footprint base image (Alpine) to reduce the size and attack surface, and then added our own set of plugins and other config. All straightforward.

    What do I think about the stability of the solution?

    There were initially some questions about performance and in particular the location of the database (some suggesting that this needed to be physically close to the point of analysis to minimize network latency). However, this is highly dependent on the size of the code base under analysis (and the multiplicity of code bases). In our case we didn’t find any problem in running the database, server and analysis process in separate locations (RDS, EC2 and Jenkins respectively). Our largest code base to-date is around 500K lines.

    How are customer service and technical support?

    Customer Service:

    Average. That said, considerable effort has been made to make the product largely self-supporting from the install and initial config perspective. Responses to queries directly to SonarSource haven't always been particularly successful, but the community forum is pretty good.

    Technical Support:

    We haven’t had a need for an official support contract with SonarSource. The open source community around SonarQube is very active and has met all of our needs to-date. That said, SonarSource do publish very helpful materials, documentation, blog posts, webinars etc. which we definitely take advantage of.

    Which solution did I use previously and why did I switch?

    Yes. We had been using Coverity. However, whilst an excellent product with perhaps more capability, we found that it was more difficult to integrate into the development lifecycle and take-up was relatively modest. The sophistication of the solution was not well suited to our requirements, in the sense that we are not producing commercial software but creating applications for internal use, and therefore the depth of analysis available was not really needed, especially given the much higher learning curve. Licensing and platform costs were also high. We found SonarQube to be sufficiently powerful at a much more affordable price point.

    More recently we have added two products with a specific focus on detecting security vulnerabilities. SQ does offer basic OWASP top 10 support within the language rule sets, but it's fair to say that this is probably not sufficient to keep your security folks happy. We definitely wanted to add support for scanning 3rd party libraries which probably make up 80%+ of our released app.

    How was the initial setup?

    Creating instances of each of the major components (server and database) is very straightforward. Of course there are some complexities if you want to operate high availability, failover and so on, but no more so than for any other application server. Given the stage in the lifecycle where SonarQube is used, it is in some ways less critical, so periodic outages can be tolerated. We typically operate an immutable server pattern, so if/when we have server issues, we can easily destroy and re-create our environments or auto-scale them up and down as required. Integration into the CI world is easy (Jenkins plugin available, or just use the command-line 'runner') and integration into the developer lifecycle is also easy via plugins for mainstream IDEs (Eclipse, Visual Studio, etc.).

    Using Docker simplifies things considerably. At the same time, the clutch of new 'scanners' does mean some extra work if you are migrating from v4.

    What about the implementation team?

    In-house. The product is sufficiently simple that setting up the server environment requires some straightforward DevOps skills (spinning up servers and configuration management), creating Jenkins jobs and installing IDE plugins. This is something that your developers should typically already be familiar with. We didn't need any vendor support beyond the available documentation. Product training was not really necessary, although we did run some awareness/101 sessions in-house, but more to promote why we wanted to go this route rather than any how-to technical skills.

    What's my experience with pricing, setup cost, and licensing?

    The only associated costs if you are following the OSS route are the platforms on which you will run your server and database, and any commercial plugins that you want to use (we only use a couple of those). There is a need to invest in a robust environment and some recommended practice, but that is no different from any other similar software engineering process. We tend to prefer devolvement of responsibility rather than centralized control. This includes individual teams looking after their own infrastructure as well as determining their own priorities in terms of continuous improvement (albeit there are some standard measures that apply, for example unit testing, code coverage, technical debt and so on).

    For v5.4 we moved one of our installs to use the Professional edition. This made sense for us because we wanted to use some of the commercial plugins that are already bundled as well as formalise support with SonarSource. We still use the OSS version for teams who don't need commercial plugins and want to manage their own SQ environment (see above comments).

    Which other solutions did I evaluate?

    Yes, and we did so again recently (2016). We had an incumbent Coverity solution which was very expensive and very under-used (too complicated). Since then we have also considered specific security analysis tools as complementary products (e.g. Checkmarx, Veracode, Nexus Lifecycle/Firewall, and a few others). We have since selected from these.

    What other advice do I have?

    If you are looking at SonarQube you already realize the importance of software quality and it’s value proposition. Sometimes you just want to discover the types and severity of issues you have especially for legacy or inherited code bases (i.e. as a result of a merger). You should definitely follow best practice of not trying to cover every metric all at the same time, but instead pick out the two or three (at most) that are most critical to you right now (recognizing that this will change over time). Time based metrics are especially useful to help you understand if you are getting better or worse, and other well known strategies (such as ‘boy scout’) can also help formalise an improvement plan.

    Perhaps the single most important consideration is to involve your development community right from the start (don’t try and foist a tool, set of skills or a change in process on them, as they will resist). Those guys are the ones that know where all the skeletons are, and their buy-in is absolutely critical, especially if you need to change some existing behaviors. In my experience most software professionals are highly supportive, but you should expect a few negative challengers.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user347595
    Java Developer at a tech consulting company with 51-200 employees
    Consultant
    The API documentation is poor, when it exists at all, but it does easily integrate with Jenkins.

    Valuable Features:

    The features I find most valuable are:

    • Quick access to issues in the code
    • The ability to define your own analysis profiles
    • Easy integration with Jenkins

    Improvements to My Organization:

    For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.

    Room for Improvement:

    I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

    Use of Solution:

    I've used it for eight months.

    Initial Setup:

    I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.

    The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.

    Other Solutions Considered:

    No, I didn't. I was employed specifically for this plugin, and while I know other code-quality control solutions exist, I didn't explore any of them.

    Other Advice:

    Product is good, but the API documentation is poor, when it exists at all.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user347526
    Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees
    Consultant
    My team's code bases have gotten better, with about 25% fewer issues since we began using it. However, they removed the design libraries and dependencies-checking features from v5.2.

    What is most valuable?

    Its dashboards, quality profiles, quality gates and CI integration features (like the build breaker plugin) are the most valuable features for me.

    Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.

    How has it helped my organization?

    My team uses just two features - dashboards and the CI build breaker - for checking code quality and the stability of our code base. For those purposes, SonarQube has done its work greatly. We have seen a decrease of about 25% in issues since we first started using it a few months ago, and my team's code bases are getting better.

    What needs improvement?

    The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.

    For how long have I used the solution?

    I've used it for approximately two years, since December 2013.

    What was my experience with deployment of the solution?

    I have not encountered any issues.

    What do I think about the stability of the solution?

    I have not encountered any issues.

    What do I think about the scalability of the solution?

    I have not encountered any issues.

    How are customer service and technical support?

    Customer Service:

    I've not had to use them. I think its online documentation is up to date, and it is enough to solve problems and to understand features.

    Technical Support:

    I've not had to use them.

    Which solution did I use previously and why did I switch?

    My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.

    How was the initial setup?

    The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.

    What was our ROI?

    It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.

    What's my experience with pricing, setup cost, and licensing?

    We are only using the free features.

    What other advice do I have?

    Just keep following their online installation and plugin development guide.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees
    Vendor
    It's helped with best practices in writing test cases, and each test should pass given all numbers are highlighted on it.

    What is most valuable?

    The rich graphical representation of numbers which are meaningful to dev leads/managers and top management.

    How has it helped my organization?

    It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.

    Executing sonar analysis on a big chunk of code - with an Oracle database does take up a lot of time.

    What needs improvement?

    Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

    For how long have I used the solution?

    I've used it for three years.

    What was my experience with deployment of the solution?

    No issues encountered.

    What do I think about the stability of the solution?

    No issues encountered.

    What do I think about the scalability of the solution?

    No issues encountered.

    How are customer service and technical support?

    It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.

    Which solution did I use previously and why did I switch?

    No previous solution was used.

    How was the initial setup?

    The documentation is good. It should be fairly simple for someone with database knowledge.

    What about the implementation team?

    We did it in-house.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user336438
    Web Developer/DevOps Engineer with 501-1,000 employees
    Vendor
    It allows for code exploration on the front-end as well as the ability to import from Fortify.

    Valuable Features

    Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

    Improvements to My Organization

    It allows for better collaboration of our team members on security findings.

    Room for Improvement

    The Python code scan has so few rules that it is meaningless.

    The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on its own, so what is the point of using it?

    And the Fortify plugin is deprecated.

    Use of Solution

    I've used it for two years.

    Deployment Issues

    It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

    Stability Issues

    No issues encountered.

    Scalability Issues

    No issues encountered.

    Customer Service and Technical Support

    It is open source so I don't try to rely on their technical support.

    Initial Setup

    It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

    Implementation Team

    We implemented it ourselves.

    Pricing, Setup Cost and Licensing

    It is free, so the price is good. If they had stronger plugins then we would gladly pay.

    Other Solutions Considered

    We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user333735
    QA Engineer at a tech services company with 51-200 employees
    Consultant
    It helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software.

    What is most valuable?

    Creating your own quality profiles and gates is really cool; you can apply different policies depending on the maturity grade of the project you are dealing with.

    Also, we use the time machine tool a lot to make important decisions and to determine if the projects are going in the right direction.

    Elasticsearch is really helpful, and there is also a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview of the general situation of the projects.

    Also, the integration with different CVS', and the dependency search are nice and helpful features.

    How has it helped my organization?

    This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. Getting users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development, helping us to create good-quality software.

    What needs improvement?

    With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.

    For how long have I used the solution?

    I've used it for over two years.

    What was my experience with deployment of the solution?

    The worst thing about this tool, I think, is the upgrade method; it's really easy to wreck the database when upgrading. It would be a better idea to make fewer versions, but make them easier and more consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version, it's possible to lose some information about projects.

    Thanks to this tool we can improve old code where the developers are not available anymore and display the projects filtered by different fields; we save a lot of time, and time is money.

    What do I think about the stability of the solution?

    Once it is up and running, we didn't find any big issues with the stability, but it's important to configure the properties file in the right way according to your system specifications.

    How are customer service and technical support?

    Customer Service:

    I think it is good; also, there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish community, which helps Spanish quality assurance fellas a lot.

    Technical Support:

    I think it is good; also, there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish language community, which helps a lot.

    Which solution did I use previously and why did I switch?

    I used a few specific tools for the PHP language; those tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provided good information about the quality of our code. Nowadays, I am mixing those tools with SonarQube, but shortly I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.

    How was the initial setup?

    After dealing with the configuration files and getting SonarQube up and running, there is not a big problem starting to work with it; SonarQube includes some standard quality profiles that make it easier for beginners. Also, the option to configure your own dashboard with different widgets exists.

    What about the implementation team?

    I have experience with both of them and the main problem is not how the tool is working, but it's to make people follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.

    What's my experience with pricing, setup cost, and licensing?

    Actually, SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tells us that it is worth it.

    Which other solutions did I evaluate?

    The only option we found competitive was CAST, but the prices and the functionality didn't convince us at all.

    Disclosure: My company has a business relationship with this vendor other than being a customer: We are a SonarQube partner in Spain.
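    Two reviewers above lean on quality gates: the Software Engineer/Scrum Master uses the CI build breaker to fail builds that do not meet the gate, and the QA Engineer assigns different gates to projects of different maturity. The script below is an added example of what that build breaker step boils down to; it is not code from either reviewer or from SonarSource. It assumes the SonarQube web API endpoint `api/qualitygates/project_status` (authenticated with a user token sent as the Basic-auth username and an empty password), whose response carries a `projectStatus.status` of `OK` or `ERROR` plus one entry per gate condition. The JSON used offline is constructed, and the metric keys in it are illustrative.

```python
"""Quality-gate build breaker for SonarQube (added example, not project code).

Assumes GET /api/qualitygates/project_status?projectKey=... returning
{"projectStatus": {"status": "OK"|"ERROR", "conditions": [...]}}.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample response: a gate failing on two security conditions.
SAMPLE_RESPONSE: Dict = json.loads("""{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
       "errorThreshold": "80", "actualValue": "85.2"},
      {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
       "errorThreshold": "1", "actualValue": "3"},
      {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
       "errorThreshold": "0", "actualValue": "2"}
    ]
  }
}""")


def evaluate_quality_gate(payload: Dict) -> Tuple[bool, List[str]]:
    """Return (passed, failures) for a project_status payload.

    Only an explicit "OK" passes. A missing project, a mistyped key or an
    unexpected payload therefore breaks the build instead of silently
    letting it through, which is the fail-closed behaviour a gate needs.
    """
    status = payload.get("projectStatus", {})
    overall = status.get("status")
    failures: List[str] = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "ERROR":
            failures.append(
                "%s: actual %s is %s threshold %s"
                % (cond.get("metricKey", "?"), cond.get("actualValue", "?"),
                   cond.get("comparator", "?"), cond.get("errorThreshold", "?"))
            )
    if overall != "OK" and not failures:
        failures.append("quality gate status is %r (expected OK)" % overall)
    return overall == "OK", failures


def fetch_project_status(base_url: str, project_key: str, token: str) -> Dict:
    """Fetch the gate result over HTTP; token goes in Basic auth as the user."""
    url = "%s/api/qualitygates/project_status?projectKey=%s" % (
        base_url.rstrip("/"), urllib.parse.quote(project_key, safe=""))
    creds = base64.b64encode((token + ":").encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main(argv: List[str]) -> int:
    # With base URL, project key and token as arguments, query a live server;
    # otherwise run against the constructed sample so the script works offline.
    if len(argv) == 4:
        payload = fetch_project_status(argv[1], argv[2], argv[3])
    else:
        payload = SAMPLE_RESPONSE
    passed, failures = evaluate_quality_gate(payload)
    for line in failures:
        print("GATE CONDITION FAILED:", line)
    print("quality gate:", "passed" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run with no arguments to see the sample gate fail, or as `python gate_check.py https://sonar.example.internal my-project $SONAR_TOKEN` after `sonar-scanner` has finished and the server has processed the report; a non-zero exit is what the CI job keys on. The check is deliberately fail-closed: a project key that returns no status is treated the same as a red gate.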
    ITCS user
    Software Developer at a tech services company with 501-1,000 employees
    Consultant
    It supports over 20 programming languages and allows me to create custom coding rules.

    What is most valuable?

    • Languages Support - over 20 programming languages
    • Pre-commit check directly into Eclipse
    • Issues Report into PreviewMode
    • Custom coding rules
    • Unit tests
    • Duplication and code duplication check
    • Custom-defined checks

    How has it helped my organization?

    I fell in love with SonarQube when I could easily build custom rule checks. However, doing that checking manually takes tons of time.

    What needs improvement?

    • Explicit checks for issues
    • Severity tab tweaks
    • Optimization into the Settings, such as adding new features/customization

    For how long have I used the solution?

    I've used it for almost two years, starting with v4.3.3.

    What was my experience with deployment of the solution?

    Predefined rules/overriding rules caused some issues.

    How are customer service and technical support?

    6.5/10.

    Which solution did I use previously and why did I switch?

    • Squale
    • Panopticode
    • CodePro AnalytiX

    How was the initial setup?

    It was straightforward to install and setup, but complex to adapt to and learn.

    What about the implementation team?

    We used a vendor team.

    Which other solutions did I evaluate?

    I did not evaluate other options.

    What other advice do I have?

    I would advise you to think a lot before acting.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.