SonarQube Server (formerly SonarQube) Reviews

My usual use cases for SonarQube Server (formerly SonarQube) are for static code analysis to detect any build vulnerabilities, and we use it only for this reason.

The most valuable features of SonarQube Server (formerly SonarQube) for us include having control of the rules, enabling and disabling them. This feature was very helpful. However, I see a problem because the vulnerability assessment is continuous; if I fix some vulnerabilities today, they reappear in the next scan, and there will be completely different issues that need to be fixed. So, there should be a way for me to control when SonarQube can scan or when it should not scan.

My main use cases for SonarQube Server (formerly SonarQube) are mostly focused on static code analysis. We use it at the development level to improve the quality of the code and to analyze the technical debt of the current systems.

The features of SonarQube Server (formerly SonarQube) that I find most useful are the suggestions received from reviewing the code. When they review the code, they provide suggestions on how to fix it, and we find those very useful from a development perspective.

We use SonarQube Server's (formerly SonarQube) centralized management and visualization of code quality metrics on the dashboard because that's the executive dashboard that we send to the executives to show where we are in terms of quality, security, and where the company can improve. We use that for organizational improvement purposes.

The ability to tailor metrics tracking in SonarQube Server (formerly SonarQube) has been beneficial to my team. There are team-specific dashboards which are related to specific repositories they utilize, and we have that aggregative dashboard that shows the whole organization's performance. We can drill down per specific repository, which makes it easier for the team to improve specific things.

My company is a product engineering company, and we work for different clients. The majority of the projects use SonarQube, and some projects use Checkmarx. SonarQube is primarily used for static code analysis and checking the overall unit test coverage and vulnerabilities.

SonarQube's unit test coverage and exhaustive information at the module, project, and overall code repo levels are quite good.

We utilize a stage that's part of our Jenkins CI builds for our services CI processes. Our server runs static code analysis for our Golang project.

Some of the static code analysis capabilities are the most beneficial. We review them on a weekly or bi-weekly basis to identify code regressions and suggestions for code improvements. The feedback provided aligns with our goals for code quality assurance.

We use SonicWall for static core analysis.

The reporting is somewhat delayed, there is something missing. For example, if you compare it with GitHub Advanced Security, SonarQube has a more native integration, and its analysis is more structured and precise. SonarQube can do a better job compared to other native tools. It supports a good number of language tags and is continuously improving its analytics functions.

Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users.

At our company, we are using SonarQube to scan some of the Dot.Net and Java sources. The solution is also used for generating reports, which is a customer-mandate to scan source codes. The solution is used to setup a CI/CD pipeline following which scans are implemented and the report is shared with the developer. 

One of the solution's most vital features is its multi-programming language support. The solution also functions on an open-source model that allows users to easily check the setup and installation process and gain further knowledge regarding the solution across production grades. 

I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.

We see the security issues in our solutions with the help of the product. It helps us improve the solutions.

My main use case for SonarQube is to analyze code quality in various programming projects, particularly focusing on identifying bugs, vulnerabilities, and code smells. I also use it to detect patterns in data clusters and ensure there are no leaks in the codebase.

The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability. Specifically, its ability to detect issues across different functions and methods, including security vulnerabilities, is particularly useful.