SonarQube Reviews

We are a security organization, and we deploy security solutions and applications related to network for our clients. We mostly focus on open source products because clients don't like to have proprietary products because of the available budget for their different projects. We try to find the possible solution, and then we deploy the solution for them. Deployments are done on the AWS cloud as well as on-premises.

I came to know that there is a SonarQube solution that is used for clean and secure coding purposes and bug fixes in a large DevOps team. That's why I have deployed SonarQube. Currently, I'm testing SonarQube to demonstrate to my higher department what this tool can do. We are testing this solution for one of our clients, who may use it for two or three use cases during static code analysis and the software development life cycle. 

It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. 

SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition. 

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.

From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes. 

It has been just three days since I deployed this solution. I have just configured the Community edition of SonarQube, and now I am searching for some Java products to test the solution. 

I have previously created a report comparing SonarQube with other products such as Micro Focus Fortify. SonarQube is way ahead than Micro Focus Fortify because SonarQube has a cloud solution. Micro Focus Fortify does not support cloud-based hosting.

The initial setup was simple for me. It was very straightforward and to the point. The documentation was also very much to the point and perfectly explained.

There are open source solutions for the Linux environment that let you automatically deploys everything in the new environment by using a specific file, but SonarQube doesn't have that file. That would be a plus point.

I deployed it myself. Because of our Linux environment, it took me around three hours. I was reading the documentation and learning about configuration-related parameters while deploying this solution.  

For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions. 

We have already used SonarLint. I am considering both SonarLint and SonarQube.

I always talk in favor of secure programming, secure coding. SonarQube is easy for me. I am recruiting buggy code with this, and it is reporting. It shows that this code should not be like this and the reason for it. For example, it shows that you should declare a static function, or why you should or should not initialize a variable. This is an amazing feature. I am enjoying testing SonarQube, but I don't know what is the feedback from a developer's point of view.

I highly recommend SonarQube. I would rate this solution a ten out of ten. 

We are using the free version of the SonarQube product. Be warned if you choose this version because it is lacking some of the capabilities and support. It is for this reason that we are currently considering migrating to a commercial solution.  

The main factor that makes the product valuable for us is that it is free because budget is always an issue. We do not have to pay for it, but there are many cons to using a free product at times. It is a very good tool even if it is free. The dashboard and the media that it provides are all quite helpful.  

We are always using SonarQube. But currently, we were trying to evaluate some more tools because Sonar in the free version has around 10 to 15 languages. If we go to the commercial version, they support 27 languages and there are a lot of limitations in the resources for traditional support which is not available for the free license users of Sonar.  

Integration is there with most of the tools, but we do not have full integration with the free version. That is why we were planning to go ahead and plan to work with some other commercial tools. But as a whole, Sonar will do what we need it to.  

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.  

There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and over-all have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them.  

We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.  

We have been using SonarQube for maybe for a year or so. A little more than that.  

The stability is good. We are not having problems with the product failing.  

The stability of SonarQube is good. The scaling part is the problem. We cannot scale to all the other products that we want to use and we cannot improve and scale to other languages.  

The language issue is one that we are facing. If you want to use some languages like maybe tool languages or something people want to use, they are not all available in Sonar. In the commercial version of Sonar they may be available. But the free version, there are some limitations.  

So we do understand the limitations of the scalability. The free tool comes with its own advantages and disadvantages and limitations on scalability is one of the disadvantages.  

We do not really have very much contact at all with technical support because SonarQube quite user friendly and intuitive. Technical support is not actually available with the free product, but we do have access to community tools online.   

There was this one issue that we had where we had raised a question in the community. We found that if we scanned our project with SonarLint and if we scanned our project with SonarQube, it was giving some different results. SonarQube was showing some issues and SonarLint was not showing any issues at all. There was a clear difference in the report. But when we Googled this issue and looked on the support web site, we found now that SonarLint does not give you the errors around integration. When it comes to SonarQube, it automatically integrates with other processes and scans your port to that. SolarLint does not do this in the same way. This is why SonarQube might give you some errors that SolarLint does not.  

So we are not in contact the company support. When there are times when we do have an issue, we see what we can Google or the SonarQube community. Usually, we do find out our answers.  

The initial setup is quite straightforward. The setup process is very reasonable as far as it is logical and very simple. It doesn't take much time.  

We are using Sonar, and we also evaluated Checkmarx. The version of Sonar we are using is the free version of it. Checkmarx is quite a bit different and more helpful compared to Sonar. There are a lot of features missing in the free version of SonarQube that I want to have that already exist in Checkmarx.  

Anyone considering SonarQube should initially start with a free trial and then start doing an evaluation. If you have a list of target requirements which you are looking for and you can accomplish these things with Sonar, then you can go ahead and use Sonar. If you are looking for something for diving more deeply into your application security, then you can possibly start with it and scale it or use some other complementary tools. If you want to see your reports, and how your development is performing, Sonar is the best tool, I think.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate SonarQube as a seven-out-of-ten.  

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.

The developers are rejecting the idea that this product is useful.

Before you even compile, it can catch known vulnerability issues or patterns.

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

We have not tried to scale yet.

The initial setup involved downloading the open-source code and installing it in a container. 

I was responsible for setting up this tool in our company.

We are using the open-source version, which is available free of cost.

We evaluated other open-source products and found that SonarQube was the best one of the set.

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

I was using SonarQube to scan my code for vulnerabilities as part of the DevOps process.

The most valuable features are code scanning and Quality Gates.

The reporting can be improved. In particular, the portability report can be better.

I would like to see better integration with the various DevOps tools.

I was using SonarQube for between six and ten months.

The stability is good.

The community support is great. I have not had reason to contact the technical support team from the vendor.

The initial setup is straightforward. I would not say that it is complex and it can be deployed in less than 10 minutes.

I was using the Community Edition, which is available free of charge.

I evaluated other products including Veracode and I felt that SonarQube was the best product.

I would rate this solution a seven out of ten.

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in. 

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins. 

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

This solution is very stable.

It supports around 25 plus languages.

The technical support is very good. When a product is good, we don't use them as regularly.

No, not that I am aware of.

Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.

We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.

I would rate this solution an eight out of ten.

We use this SonarQube solution for code quality and as a basic security issues solution for our clients.

It has improved our options for offering products to our clients that can better meet their needs, lower costs, and improves code quality and basic security. 

Code analyzing is very valuable for detecting vulnerabilities but it has limitations.

With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. 

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

The product is stable.

We use a centralized machine so scalability is not an issue. We have yet to realize a limitation.

We have little or no interaction with technical support.

We service client needs so we consider all solutions we are aware of and weigh the pros and cons for deployment with a specific client.

Implementation is easy and very straightforward. We do a POC with our client and based on that we make a comparison to the client's needs and available solutions. We compare that with any of the open source options and with any of the premium commercial tools. We go with the one that makes sense. But the implementation of this product is not complex especially as we have experience with it.

We do our own implementations for various clients. We do not need the assistance of another team.

Return on investment is enhanced code and security. The actual ROI is difficult to measure except that licensing a commercial product will cost more over the long term if this product is enough to meet the user's immediate needs.

The product is basically free, so implementation is the greater cost. It will cost in man-hours for deployment and resources, or in consultation. The licensing fee is negligible.

We are constantly evaluating other products. So it might be that we will go with Micro Focus, for example, or any other tool in the future. It depends on what is offered by the product and what fits the client needs and budget.

I would rate this product somewhere between six and seven. It works for many clients, but if the user need and application is super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with that as SonarQube, or another open source software solution.

We have literally thousands of rules and they are of medium effectiveness. The problem is that most people bypass the rules or turn them off. But even that is information to us. The fact that they have to turn the rules off is as much value to us as the rules themselves.

Code coverage of tests is their most valuable feature. Code coverage is of no value if it's high, but if it's a low number then that's of great value to me.

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

Stability has never been a problem. It would have to be unstable for me to experience a problem, and we haven't. So it's good.

I don't really know how scalable this solution is, but I know we use it on thousands of projects, so it's probably good.

We have a pipeline. The pipeline currently runs 4000 teams through it, and all of them have SonarQube but usually with default rules. So that's pretty expensive. Now, we can't increase it because everything goes through it. We are evaluating what our best option is as we migrate our pipeline. We're migrating the pipeline and we're wondering what to do. If SonarQube did more security scanning, there's a good chance that we would use it more, in a different role. We're already using SonarQube everywhere, in some aspect.

It was years ago. They probably evaluated other solutions. 

We're evaluating the use of different solutions at the moment, but I've just withdrawn from that task.

In all the companies that I've worked with, nobody has ever had a problem with the initial setup. It takes time to set up. It's a big thing and you do it, but it's just a project.

We used people in-house to deploy. We have about 100 people in our pipeline maintenance team. SonarQube has not led to any significant increase in that number. It's just absorbed as a part of the cost. There are no dedicated staff working on it.

My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it.

In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it.

I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.

We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.

SonarQube is good for checking and maintaining code quality.

It would be nice is SonarQube analyzed external libraries, in addition to our current code.

I would like to see more options for security, beyond the basics like SQL injection.

The stability of this solution is quite good.

I think that scalability is fine. We have a large number of users at my company.

The majority of the users for this solution are architects, but some technical managers use it too.

We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

This initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.

We have this tool integrated with Jenkins.

One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.

Three or four staff are enough for deployment and maintenance.

We have seen a return of investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability. 

We did not evaluate other options before choosing this solution.

This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.

If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.

I would rate this solution a seven out of ten.