What is our primary use case?
I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity. We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.
What is most valuable?
I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.
What needs improvement?
The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple. They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there. In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.
For how long have I used the solution?
It has been a couple of years.
Buyer's Guide
SonarQube
June 2022
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
609,272 professionals have used our research since 2012.
What do I think about the stability of the solution?
Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.
What do I think about the scalability of the solution?
It is definitely scalable. We plan to increase its usage.
How are customer service and support?
Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching. We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.
Which solution did I use previously and why did I switch?
Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.
How was the initial setup?
We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial. You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.
What about the implementation team?
We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue. Its deployment and maintenance can be done by one engineer.
What's my experience with pricing, setup cost, and licensing?
We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.
Which other solutions did I evaluate?
We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.
What other advice do I have?
You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible. I would rate it an eight out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.