SonarQube Reviews

We are using it for scanning our web applications, some internal applications and using it for code reviews.

SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions but as we don't use those we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.

It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.

We have been using SonarQube for one year.

It is stable.

SonarQube is scalable.

SonarQube was easy to setup.

We considered using Fortify.

I would rate SonarQube an eight out of 10.

We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there.

Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.

SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.

Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.

From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.

This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.

Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.

I have been using SonarQube for about two years now.

I have not run into major issues or bugs and it works well when it comes to stability.

I don't think we have had any problem with traffic or things like that. 

I don't have experience with SonarQube support because we do it all ourselves. 

I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.

It's quite easy to set up, not too complex.

The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.

Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. 

I would rate SonarQube a six out of ten.

Quality Gate helps us to merge code that was not covered with tests.

• We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage.
• We can review possible faults in JavaScript code.

We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

We had some stability issues where the Quality Gate check sometimes got stuck and it was unclear. This seldom happens.

There were no scalability issues.

The technical support team has experts on it. They are available on Twitter, Google Groups, and StackOverflow.

We did not use a different tool before this one.

The initial setup required unzipping it and having MySQL install. We then set up a couple of configuration files. There was no need for IT for this.

This is open source.

We find it very similar to Fortify and has the same advantages. 

The web interface is very good. 

We have found the solution to be stable. 

The solution offers a very good community edition.

There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

I've used the solution for three years. I've used it for a while now. 

In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze. 

I've never used technical support. I can't talk about how helpful they are, never spoken with them personally.

If I do need to troubleshoot, I tend to rely on the community and search for answers there. 

We've also used Fortify.

I didn't participate in the installation process. I can't speak to how easy or difficult the process was. 

I use the community version of the product.

We are a customer and an end-user.

I'd rate the solution at a seven out of ten. It's mostly reliable. 

We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit. 

It is working fine. It provides good value for money.

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

I have been using this solution for maybe two years.

It is stable.

It is definitely scalable. Currently, we have six users.

We didn't contact them.

This was our first one.

Its initial setup is okay. It is not too difficult. It probably took a couple of hours.

One developer is enough for its deployment.

We pay €10 per month for this solution, which is good. It provides good value for money.

I would recommend this solution to others. I would rate SonarQube a nine out of 10.

It's enabled us to improve software quality and help us to disseminate best practices.

This product is open source and very convenient.

A better design of the interface and add some new rules.

Only common issues have been experienced.

Only common issues have been experienced.

Customer Service:

I can't rate because there was no customer service.

Technical Support:

The technical documentation is really good and the community is great and active.

Nothing was implemented before this software, only PMD, a light control tool.

The technical documentation online is easy to understand, so the initial setup is straightforward. However, they need to adapt your organization's constraints to the software, which is more difficult.

We did it in-house.

This product is, to my mind, a reference so that if you decide to put in place this software, you will improve the quality control inside your organization. Simple and effective.

The feature I find most valuable are--

• Quick access to issues in the code
• The ability to define your own analysis profiles
• Easy integration with Jenkins

For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

I've used it for eight months.

I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.

The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.

No, I didn't. I was employed specifically for this plugin, and while know other code-quality control solutions exist, I didn't explore any of them.

Product is good, but the API documentation is poor, when it exists at all.

Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.

It allows for better collaboration of our team members on security findings.

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on it's own so what it he point of using it.

And the Fortify plugin is deprecated.

I've used it for two years.

It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.

No issues encountered.

No issues encountered.

It is open source so I don't try to rely on their technical support.

It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.

We implemented it ourselves.

It is free, so the price is good. If they had stronger plugins then we would gladly pay.

We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.