SonarQube Overview

SonarQube is the #1 ranked solution in application security solutions, AST tools, and top Software Development Analytics tools. PeerSpot users give SonarQube an average rating of 8.0 out of 10. SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx. SonarQube is popular among the large enterprise segment, accounting for 73% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a computer software company, accounting for 20% of all views.
SonarQube Buyer's Guide

Download the SonarQube Buyer's Guide including reviews and more. Updated: November 2022

What is SonarQube?

SonarQube is the leading tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides clear remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into your workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. With over 225,000 deployments helping small development teams and global organizations, SonarQube provides the means for teams and companies around the world to own and impact their Code Quality and Code Security.

SonarQube was previously known as Sonar.

SonarQube Customers

Bank of America, Siemens, Cognizant, Thales, Cisco, eBay

SonarQube Pricing Advice

What users are saying about SonarQube pricing:
  • "We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs."
  • "My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
  • "On the pricing side, it's 3,000 Euros for 1 million lines of code."
  • "We use the free version; there are no hidden costs or licensing required."
SonarQube Reviews

    Lead Engineer at a healthcare company with 10,001+ employees
    Real User
    Top 10
    Open-source, stable, and finds the problems for you and tells you where they are
    Pros and Cons
    • "I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are."
    • "The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple."

    What is our primary use case?

    I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity.

    We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.

    What is most valuable?

    I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.

    What needs improvement?

    The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.

    They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there.

    In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.

    For how long have I used the solution?

    It has been a couple of years.

    What do I think about the stability of the solution?

    Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.

    What do I think about the scalability of the solution?

    It is definitely scalable. We plan to increase its usage.

    How are customer service and support?

    Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching.

    We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.

    Which solution did I use previously and why did I switch?

    Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.

    How was the initial setup?

    We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial. 

    You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.

    What about the implementation team?

    We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue.

    Its deployment and maintenance can be done by one engineer.

    What's my experience with pricing, setup cost, and licensing?

    We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.

    Which other solutions did I evaluate?

    We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.

    What other advice do I have?

    You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible.

    I would rate it an eight out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Raja_Reddy - PeerSpot reviewer
    Manager at kellton
    Real User
    Top 10
    Good integration and has useful feedback features, such as Quality Gate
    Pros and Cons
    • "One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside."
    • "SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually."

    What is our primary use case?

    Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. 

    This solution is deployed on-premise. 

    What is most valuable?

    One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code.

    Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.

    What needs improvement?

    SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. 

    Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

    Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. 

    As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer. 

    For how long have I used the solution?

    I have been using SonarQube for the past three years. 

    What do I think about the stability of the solution?

    The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development. 

    As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be enhanced, based on customer feedback and the tech stack, such as how we can improve performance or have a deployment with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code improvements and the product we develop. Our top considerations are quality and security, which are being improved in a continuous process. There are many new features and enhancements coming in—for example, if you want to upgrade from the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve performance.

    What do I think about the scalability of the solution?

    This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are using Ansible, Kubernetes, and Docker. 

    In our organization, there are currently around 25,000 people working with SonarQube. 

    Which solution did I use previously and why did I switch?

    We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis. 

    How was the initial setup?

    The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes, maximum. 

    What about the implementation team?

    We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so there are no third-parties involved in development. 

    What's my experience with pricing, setup cost, and licensing?

    I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long time, so I would guess the pricing would be decent. 

    What other advice do I have?

    I rate SonarQube an eight out of ten. 

    To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Staff DevOps Specialist at a computer software company with 201-500 employees
    MSP
    Top 20
    Greatly improves the quality, straightforward to use, and stable
    Pros and Cons
    • "My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
    • "A little bit more emphasis on security and a bit more security scanning features would be nice."

    What is our primary use case?

    It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis.

    We have the enterprise version. In terms of deployment, on-premise is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

    How has it helped my organization?

    In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate.

    It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

    What is most valuable?

    My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

    What needs improvement?

    A little bit more emphasis on security and a bit more security scanning features would be nice. 

    It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

    Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

    For how long have I used the solution?

    I have been using this solution for four years in my current job.

    What do I think about the stability of the solution?

    I don't think I ever had a problem.

    What do I think about the scalability of the solution?

    We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. 

    We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube.

    We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

    How are customer service and support?

    I've never been in a situation where I needed their support.

    Which solution did I use previously and why did I switch?

    I don't think that we used anything else previously. SonarQube was the first one.

    How was the initial setup?

    It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

    What about the implementation team?

    We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

    What was our ROI?

    I don't have that data. I don't think that we've ever calculated that. 

    What's my experience with pricing, setup cost, and licensing?

    My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. 

    In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

    What other advice do I have?

    It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process.

    I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Project Manager at a manufacturing company with 1,001-5,000 employees
    Real User
    Top 20
    Great features, good code quality parameters, and is easy to set up
    Pros and Cons
    • "There's plenty of documentation available to users."
    • "There needs to be a shareable reporting piece or something we can click and generate easily."

    What is our primary use case?

    We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, get passed before committing the code into the main branch.

    What is most valuable?

    I like almost all of the features. We were initially using all these techniques by using different tools. 

    The vulnerabilities and the code quality parameters are really important for us.

    The initial setup is easy.

    There's plenty of documentation available to users. 

    The solution is stable.

    The scalability is good.

    What needs improvement?

    The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.

    For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.  

    The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

    What do I think about the stability of the solution?

    The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.

    What do I think about the scalability of the solution?

    We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.

    We plan on expanding and need more licenses. 

    How are customer service and support?

    When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation. 

    How was the initial setup?

    The initial setup is really straightforward. The support from SonarQube is really good. Enough documentation is also available. It's really straightforward to figure out how to do it.

    What's my experience with pricing, setup cost, and licensing?

    We purchased a SonarQube developer license. We do not have the enterprise version.

    We pay for licensing on a yearly basis.

    On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source version, it provides almost similar functions. Of course, there is some additional language support, among other things; however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source version for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.

    What other advice do I have?

    We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well. 

    The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.

    I'd rate the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Gustavo Lugo - PeerSpot reviewer
    Chief Solutions Officer at CleverIT B.V.
    Reseller
    Easy to deploy and applicable for various uses
    Pros and Cons
    • "It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."
    • "In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."

    What is our primary use case?

    I am now working in a consultancy company and I work with different clients in different industries. For this reason I implement, for example, a delivery pipeline with the process whereby we need to validate the quality gate of the quality code. Meaning, the developer creates the unit testing and the code coverage, but grants the code coverage for a specific person. In other cases, we used to see what the technical debt was to see if there are any bugs in the applications - the web application, mobile application and different languages, like C-Sharp, JavaScript or Java, et cetera.

    We deploy SonarQube on-premise on a Linux server and our pipelines were created with GitLab and Azure DevOps. Meaning that Azure DevOps and GitLab are the tools that do the build and release process.

    We use Microsoft Azure and Google Cloud Platform a little.

    What is most valuable?

    In terms of most valuable feature, when you compute SonarQube you need to install an extension. This extension depends on the version control. You need to install different extensions or work with a specific language to use as the extensions, all of which I work in with different projects.

    What needs improvement?

    In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

    Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

    For how long have I used the solution?

    I have been using SonarQube for about four years, with different versions.

    What do I think about the stability of the solution?

    SonarQube works very well, but I prefer SonarCloud because the tendency of the technology world is to think less about the structure and more about the process and the value that this process provides.

    What do I think about the scalability of the solution?

    In terms of scalability, with proper configuration and deployment, there is higher availability.

    I have companies with 20 users and I have customers with 100 users. We work with a big company in Chile and in some cases national companies, in other cases international companies. With the international companies the majority of them are more than 1,000 users.

    I have a technical DevOps team. The majority of the time we implement the trial version so that we show the value of the tool to our clients and they understand about the pricing and the cost of the tool.

    It depends on the maturity of the company. In some cases, we have companies that don't know about SonarQube so we deploy it to show the value. In other cases we have clients with no SonarQube experience but they know the quality of the code. In this case we provide a license. In the majority of the cases we provide the license or the subscription for SonarCloud. Other clients get access to SonarQube directly.

    How are customer service and technical support?

    I have never used technical support from the SonarQube support team.

    I work very well with the documentation you find on the internet.

    How was the initial setup?

    The initial setup is straightforward the majority of time. It takes about two hours.

    What about the implementation team?

    I work in a consultancy company so we do the implementation. We deploy for our customers.

    Which other solutions did I evaluate?

    We did evaluate other options, for example Q1 and Veracode. In specific cases we created different aspects with different tools and these were the top peers that we would compare it to - Q1 and Veracode.

    In terms of differences, Veracode is used more for the security of the development and you can configure the gates while thinking about software security and things like that. With Q1, the difference is the type of the license. In Q1 you have projects and you pay for the line. I know that SonarQube was changing the licensing plan. Right now, before you pay for a license, you pay for fair lines that you extend. This is the difference between these three tools.

    What other advice do I have?

    I do recommend SonarQube because it is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis.

    On a scale of one to ten, I would give SonarQube an eight. To give it a ten and not an eight, I would like to see architecture development and the QA area improved.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
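    The quality-gate validation this reviewer builds into delivery pipelines, as an added example (not the reviewer's or SonarQube's own code): it polls the analysis task, reads the gate result and exits non-zero when the gate fails. Assumed: the documented api/ce/task and api/qualitygates/project_status endpoints; the server URL, token and the sample reply are constructed for illustration.

```python
"""Break the build on a failed SonarQube quality gate.

Added example, not part of the review or of SonarQube's own tooling.
Assumes the documented Web API endpoints api/ce/task (background task
status) and api/qualitygates/project_status (gate result); the URL,
token and SAMPLE_STATUS below are constructed for illustration.
"""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request


def api_get(base_url, token, path, params):
    """Authenticated GET; a user token is sent as basic-auth user, empty password."""
    url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(get, task_id, attempts=60, delay=5):
    """Poll the compute-engine task until it finishes; return its analysisId."""
    for _ in range(attempts):
        task = get("/api/ce/task", {"id": task_id})["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with {task['status']}")
        time.sleep(delay)
    raise TimeoutError(f"analysis task {task_id} still pending")


def evaluate_gate(status):
    """Return (passed, failing_conditions) from a project_status reply."""
    ps = status["projectStatus"]
    failing = [
        f"{c['metricKey']}: actual {c.get('actualValue', '?')} "
        f"vs threshold {c.get('errorThreshold', '?')} ({c['comparator']})"
        for c in ps.get("conditions", []) if c["status"] == "ERROR"
    ]
    return ps["status"] == "OK", failing


# Constructed reply in the documented shape, for the offline demonstration.
SAMPLE_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
    {"status": "ERROR", "metricKey": "new_vulnerabilities",
     "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
    {"status": "OK", "metricKey": "new_coverage",
     "comparator": "LT", "errorThreshold": "80", "actualValue": "85.1"},
]}}


def main(argv):
    """Usage: gate.py <sonar_url> <token> <ce_task_id> (id from report-task.txt)."""
    base_url, token, task_id = argv[1:4]
    get = lambda path, params: api_get(base_url, token, path, params)
    analysis_id = wait_for_analysis(get, task_id)
    status = get("/api/qualitygates/project_status", {"analysisId": analysis_id})
    passed, failing = evaluate_gate(status)
    for line in failing:
        print("quality gate condition failed:", line)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the pipeline step right after the scanner; the scanner writes the task id to its report-task.txt, and a non-zero exit fails the job.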
    DevOps Lead at a marketing services firm with 1,001-5,000 employees
    Real User
    Very stable and easy to integrate, but is a bit expensive
    Pros and Cons
    • "The reporting and the results are quick. It gets integrated within the pipeline well."
    • "The pricing could be reduced a bit. It's a little expensive."

    What is our primary use case?

    We generally use the solution in order to do static code analysis.

    What is most valuable?

    What I like about SonarQube is the integration of the pipelines. It is pretty easy. 

    The reporting and the results are quick. It gets integrated within the pipeline well.

    The solution is very stable.

    The scalability is very good.

    We found the initial setup to be straightforward.

    What needs improvement?

    The solution has a very shallow SAST scanning. That is something that can be improved. 

    I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.

    The pricing could be reduced a bit. It's a little expensive.

    For how long have I used the solution?

    We've been using the solution for the past two years or so. It's been a while.

    What do I think about the stability of the solution?

    The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.

    What do I think about the scalability of the solution?

    I don't have the user count, however, from the application perspective, we have around 30 to 50 applications, which are on SonarQube. All of the teams that are managing those applications have access to that.

    It is integrated within our pipelines. It gets used every day.

    Right now we are not scaling the solution. It is just one server that we have. Its sizing is static and we do not scale it.

    How are customer service and technical support?

    We do have an enterprise version, however, that does not include the support right now.

    If we have any issues, we try to resolve them on our own. So far, that has been sufficient.

    Which solution did I use previously and why did I switch?

    We are also onboarding Checkmarx. We use both solutions.

    We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not. 

    How was the initial setup?

    The initial setup is pretty simple.

    I do not recall the exact amount of time it took to deploy the solution.

    It does not require a lot of maintenance. It's just that whenever any latest version is coming in, we just have to upgrade it.

    What about the implementation team?

    We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrators. It was all handled in-house.

    What's my experience with pricing, setup cost, and licensing?

    What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could be also a bit reduced.

    What other advice do I have?

    We are just a customer and an end-user.

    While we installed the solution on the cloud, we host it on our machines.

    I would recommend the product to the companies or the teams who are building from scratch, and they don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful.

    It's good for a very small company with a limited number of products, which do not have a lot of compliance and security-related requirements that big enterprises might have.

    I would rate the solution at a six out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    CTO at a computer software company with 11-50 employees
    Real User
    An open-source platform for the continuous inspection of code quality
    Pros and Cons
    • "The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
    • "The exporting capabilities could be improved. Currently, exporting is fully dependent on the SonarQube environment."

    What is our primary use case?

    There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version.

    We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future.

    Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violation of programming practices towards code refactoring and code maintenance. 

    What needs improvement?

    The results of the exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You can extract a maximum of 10,000 results per query, which increases the overall execution process tremendously. I guess the majority of the users rely on SonarQube's presentation capabilities, which are very restrictive for some use cases.

    For how long have I used the solution?

    I have been using SonarQube, every day, for more than two years. 

    What do I think about the stability of the solution?

    SonarQube is stable.

    What do I think about the scalability of the solution?

    I wouldn't say that it is fully scalable. It's damn slow. It takes a lot of time parsing an average-size codebase. If you'd like to scale up and deploy it on a cloud environment, it's a completely different scale of difficulty. We have done this but it's really hard.

    How are customer service and technical support?

    As we are using the community version, there is no technical support.

    Which solution did I use previously and why did I switch?

    I have used a wide variety of tools. SonarQube covers a wide variety of issues and it is a well-designed, robust framework.

    How was the initial setup?

    To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, it took me some time to go through the process. It is not straightforward at all, it's quite complicated — it's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script isn't functional; it needs some tweaking.

    My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization.

    The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. In short, it should come with a self-contained functional configuration set.

    Overall, the initial setup should be easier.

    What about the implementation team?

    Currently, I could configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.

    What's my experience with pricing, setup cost, and licensing?

    Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.

    Which other solutions did I evaluate?

    Yes, we have evaluated plenty of alternatives; nothing is really comparable.

    What other advice do I have?

    I would recommend this solution to others. It easily outperforms other static code tools — It's perfect as a static code analysis tool.

    Overall, on a scale from one to ten, I would give SonarQube a rating of eight.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
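    The 10,000-results-per-query cap on the Web API that this reviewer runs into, worked through as an added example (not the reviewer's or SonarQube's own code): it probes the total first, then narrows the query by severity and issue type until every part fits under the cap. Assumed: the documented api/issues/search parameters; the server URL, token and the fake project used for the offline run are constructed.

```python
"""Export every open issue of a SonarQube project through the Web API.

Added example, not part of the review or of SonarQube's own tooling. Assumes
the documented api/issues/search endpoint, which returns at most 10,000
results per query (page index x page size <= 10,000), so a large project must
be exported as several narrower queries; fake_get / constructed_project are
stand-ins constructed for the offline run.
"""
import base64
import json
import urllib.parse
import urllib.request

MAX_RESULTS = 10_000   # hard cap per query in api/issues/search
PAGE_SIZE = 500        # largest page size the endpoint accepts
# Facets used to narrow a query that would exceed the cap, tried in order.
SPLITS = [
    ("severities", ["BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"]),
    ("types", ["BUG", "VULNERABILITY", "CODE_SMELL"]),
]

def api_get(base_url, token, path, params):
    """Authenticated GET; a user token goes in as basic-auth user, empty password."""
    url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def count_issues(get, params):
    """Cheap probe: a one-item page just to read paging.total."""
    return get("/api/issues/search", {**params, "p": 1, "ps": 1})["paging"]["total"]

def fetch_pages(get, params, total):
    """Walk the pages of a query already known to fit under the cap."""
    issues = []
    for page in range(1, (total + PAGE_SIZE - 1) // PAGE_SIZE + 1):
        data = get("/api/issues/search", {**params, "p": page, "ps": PAGE_SIZE})
        issues.extend(data["issues"])
    return issues

def export_issues(get, params, splits=SPLITS):
    """Recursively split the query along SPLITS until every part fits under the cap."""
    total = count_issues(get, params)
    if total <= MAX_RESULTS:
        return fetch_pages(get, params, total)
    if not splits:
        raise RuntimeError(f"{total} issues match {params}; narrow the query further")
    facet, values = splits[0]
    issues = []
    for value in values:
        issues.extend(export_issues(get, {**params, facet: value}, splits[1:]))
    return issues

def constructed_project(counts):
    """Fake issue list, e.g. {("MAJOR", "BUG"): 9000}; constructed for the offline run."""
    issues = []
    for (severity, kind), n in counts.items():
        issues.extend({"key": f"{severity}-{kind}-{i}", "severity": severity, "type": kind}
                      for i in range(n))
    return issues

def fake_get(issues):
    """Stand-in for api_get that mimics the endpoint's filtering and paging."""
    def get(path, params):
        hits = [i for i in issues
                if params.get("severities", i["severity"]) == i["severity"]
                and params.get("types", i["type"]) == i["type"]]
        p, ps = int(params["p"]), int(params["ps"])
        return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(hits)},
                "issues": hits[(p - 1) * ps:p * ps]}
    return get
```

Against a real server, pass `lambda path, params: api_get(url, token, path, params)` as `get` with `{"componentKeys": "<project key>", "resolved": "false"}`; a project whose single severity and type still exceeds the cap needs a further split, for example by directory.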
    User
    Good analysis of code quality, great for even junior developers, and improves a website's look/feel
    Pros and Cons
    • "We consider it a handy tool that helps to resolve our issues immediately."
    • "It should be user-friendly."

    What is our primary use case?

    I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues. 

    A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked-in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method. 

    How has it helped my organization?

    It improved our website's look and feel. 

    We consider it a handy tool that helps to resolve our issues immediately. 

    It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards. 

    The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the codes. The tool has integration with several languages. 

    What is most valuable?

    SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time.

    The solution's most valuable features are its:

    • Code quality
    • Release quality code
    • Code security
    • Security analysis

    SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer.

    Integrations: Analysis results are right where your code lives.

    It works well with GitHub.

    What needs improvement?

    It should be user-friendly. I keep looking for improvements after every update. 

    PeerSpot users give SonarQube an average rating of 8 out of 10. 

    SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.

    The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. 

    SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.

    For how long have I used the solution?

    I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients). 

    I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.

    What do I think about the stability of the solution?

    The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.

    How are customer service and support?

    Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did use another solution, however, we found issues such as:

    • Ineffective time management
    • Lack of instant communication
    • Not receiving timely feedback
    • Not receiving clear instructions or expectations
    • Share time management apps and resources for students
    • Utilize educational technology (“EdTech”)
    • There's also a need to increase peer review

    How was the initial setup?

    The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.

    What was our ROI?

    According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Google
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.
    Updated: November 2022