DevOps Lead at CODVO
Real User
Top 20
Offers significant benefits in code quality but user interface improvements needed

What is our primary use case?

Once integrated with the pipeline for the organization, we are able to fetch vulnerabilities and code smells. We can have quality gates installed in the pipeline so that the pipeline only proceeds to the next stage if the quality gates are passed.

This product is used with the deployment cycles. We have multiple CI/CD pipelines.

When we push our code to the repo, during continuous integration it runs a number of tests. Based on the vulnerability data set it has, it has multiple tests. We can also have multiple unit tests along with this for code coverage. It has multiple offerings, not only the quality check and the vulnerability check. It also has code coverage, indicating how much code is covered by all the unit tests, integration tests, and those sorts of things. It has a complete database by itself, and depending on that, it needs to be regularly updated so that we can track the vulnerabilities in the code. For example, if it is not connected to the data source and it has 10 versions, and we are using a very old version, it would not be able to track the vulnerabilities that the latest release covers.

We can track the vulnerabilities if our code is updated. If we are using the cloud version, then it is automatically upgraded because it is a paid version. We can track the vulnerabilities, where the vulnerability is, and at which code line we need to improve our code. We can have all the tracks only after we push our code to the repo.

What is most valuable?

SonarQube Cloud (formerly SonarCloud) has two offerings: cloud and server. We can use either of these. One is a paid version, and another one is a free version.

I have used SonarQube Cloud (formerly SonarCloud)'s code analysis feature.

What needs improvement?

Sometimes, there are tracking issues. It has its own GUI where we can track everything.

Since most of our projects are open source, there are multiple features which can be improved. For example, while creating a PR, the automatic runs from SonarQube Cloud (formerly SonarCloud) should also run, but this feature was in the previous version and is not in this version. You need to spend some money to buy that feature.

SonarQube Cloud (formerly SonarCloud) is one of the first of its kind that supports all these functionalities. I do not have any perception of documentation or support because once it is integrated with the pipeline, most of the task is done. Developers need automatic bug creation, and then everything is done. This feature can be improved: once it tracks the criticals and highs, it should create tickets automatically and assign them to the user who pushed the code.

For how long have I used the solution?

I have used SonarQube Cloud (formerly SonarCloud)'s code analysis feature.

Buyer's Guide
SonarQube
October 2025
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
873,003 professionals have used our research since 2012.

What was my experience with deployment of the solution?

We have used it in AWS, but not from the marketplace.

Which other solutions did I evaluate?

We use other products because SonarQube Cloud (formerly SonarCloud) only offers SAST. It doesn't cover DAST, SCA, or those sorts of testing. Also, performance-based testing is not covered.

What other advice do I have?

SonarQube Cloud (formerly SonarCloud) doesn't offer notifications, but we have some features in the pipeline which send notifications to the team leads or the assigned users to review the code.

On a scale of one to ten, I would give SonarQube Cloud (formerly SonarCloud) a rating of six.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
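The quality-gate step, the missing automatic ticket creation for criticals and highs, and the pipeline-side notification described in the review above, as an added Python example; this is not code from the reviewer, from PeerSpot or from Sonar. It assumes the JSON shapes returned by the SonarQube Web API endpoints api/qualitygates/project_status and api/issues/search; both payloads below are constructed by hand rather than fetched, so the script runs offline, and in a real job the same functions would be fed the responses of those two HTTP calls. The project key `demo` and the author e-mail addresses are invented.

```python
"""Constructed example: stop a CI job on a failed SonarQube quality gate,
explain why it failed, and draft per-author tickets for BLOCKER/CRITICAL findings.

The JSON shapes follow the SonarQube Web API (api/qualitygates/project_status,
api/issues/search) as assumed here; the payloads are hand-built, not captured.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed stand-in for GET api/qualitygates/project_status?projectKey=demo
SAMPLE_GATE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "72.3"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})

# Constructed stand-in for the same endpoint on a project whose gate is green.
PASSING_GATE_RESPONSE = json.dumps({"projectStatus": {"status": "OK", "conditions": []}})

# Constructed stand-in for GET api/issues/search?componentKeys=demo&resolved=false
SAMPLE_ISSUES_RESPONSE = json.dumps({
    "issues": [
        {"key": "AY1", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "demo:src/db.py", "line": 42, "author": "alice@example.com",
         "message": "SQL query built from user-controlled data."},
        {"key": "AY2", "severity": "MAJOR", "type": "CODE_SMELL",
         "component": "demo:src/util.py", "line": 7, "author": "alice@example.com",
         "message": "Unused local variable."},
        {"key": "AY3", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "demo:src/auth.py", "line": 88, "author": "bob@example.com",
         "message": "Hard-coded credential."},
        {"key": "AY4", "severity": "CRITICAL", "type": "BUG",
         "component": "demo:src/auth.py", "line": 15, "author": "bob@example.com",
         "message": "Possible null dereference."},
    ]
})

# Severities that deserve an automatically created ticket (the "criticals and highs").
TICKET_SEVERITIES = frozenset({"BLOCKER", "CRITICAL"})

# Gate comparators: LT fails when actual < threshold, GT fails when actual > threshold.
_COMPARATOR = {"LT": "<", "GT": ">"}


def gate_passed(gate_json: str) -> bool:
    """True only when the overall quality-gate status is OK."""
    return json.loads(gate_json)["projectStatus"]["status"] == "OK"


def gate_failures(gate_json: str) -> list[str]:
    """Human-readable reasons for each condition that broke the gate."""
    conditions = json.loads(gate_json)["projectStatus"]["conditions"]
    return [
        f'{c["metricKey"]} is {c["actualValue"]}, must not be '
        f'{_COMPARATOR.get(c["comparator"], c["comparator"])} {c["errorThreshold"]}'
        for c in conditions if c["status"] == "ERROR"
    ]


def ticket_drafts_by_author(issues_json: str,
                            severities: frozenset[str] = TICKET_SEVERITIES) -> dict[str, list[dict]]:
    """Group open high-severity findings by the commit author SonarQube recorded."""
    drafts: dict[str, list[dict]] = defaultdict(list)
    for issue in json.loads(issues_json)["issues"]:
        if issue["severity"] not in severities:
            continue
        path = issue["component"].split(":", 1)[-1]  # drop the "projectKey:" prefix
        drafts[issue.get("author", "unassigned")].append({
            "finding": issue["key"],
            "severity": issue["severity"],
            "type": issue["type"],
            "location": f'{path}:{issue.get("line", "?")}',
            "summary": issue["message"],
        })
    return dict(drafts)


def build_notification(gate_json: str, issues_json: str) -> str:
    """Text a pipeline step would post to the team lead and the assignees."""
    lines = ["Quality gate: " + ("PASSED" if gate_passed(gate_json) else "FAILED")]
    lines += [f"  - {reason}" for reason in gate_failures(gate_json)]
    for author, drafts in sorted(ticket_drafts_by_author(issues_json).items()):
        lines.append(f"{author}: {len(drafts)} ticket(s) to open")
        lines += [f"  - [{d['severity']}] {d['location']} {d['summary']}" for d in drafts]
    return "\n".join(lines)


def ci_exit_code(gate_json: str) -> int:
    """0 lets the pipeline proceed; 1 stops it, which is what a gate is for."""
    return 0 if gate_passed(gate_json) else 1


if __name__ == "__main__":
    print(build_notification(SAMPLE_GATE_RESPONSE, SAMPLE_ISSUES_RESPONSE))
    raise SystemExit(ci_exit_code(SAMPLE_GATE_RESPONSE))
```

The scanner can already fail a job on its own through the `sonar.qualitygate.wait` analysis parameter; a step like this one is for when the team also wants the failing conditions spelled out and the BLOCKER/CRITICAL findings routed to whoever pushed them, which the reviewer notes the product does not do by itself.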
Diego Moreo - PeerSpot reviewer
Software Quality Coordinator at a retailer with 10,001+ employees
Real User
Top 5 Leaderboard
Enhanced code quality with data consolidation needs and good pipeline integration
Pros and Cons
  • "The SaaS solution for checking code without execution and dealing with security issues is valuable."
  • "Reporting features are missing in SonarCloud."

What is our primary use case?

We have SonarCloud integrated into our pipeline. It is used as a tool for checking code quality, clean code, bugs, and security issues. It acts as a quality gate for production, helping decide if our code can be applied.

How has it helped my organization?

SonarCloud aids us in checking major issues in legacy systems and helps prioritize solutions based on this data.

What is most valuable?

The SaaS solution for checking code without execution and dealing with security issues is valuable. It fulfills our needs.

What needs improvement?

Reporting features are missing in SonarCloud. We do not have a way to consolidate data within the tool, requiring us to extract data and use Power BI for reports.

For how long have I used the solution?

I have used SonarCloud for the past three years.

What do I think about the stability of the solution?

SonarCloud has been stable except for an instance last month where it was unavailable for about four to six hours. Other than that, I am unaware of any unavailability issues.

What do I think about the scalability of the solution?

It's very scalable with no issues. We can add as many projects as we want. The only restriction is the number of lines scanned, which affects billing. On a scale of one to ten, I rate scalability at eight out of ten.

How are customer service and support?

I have not used their technical support or dealt directly with their customer service.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We were already using SonarQube, the on-premises version, before transitioning to SonarCloud.

How was the initial setup?

The initial setup was done by a previous team of around three or four DevOps engineers. The transition took approximately one to two months.

What about the implementation team?

Another team conducted the initial setup with about three or four DevOps engineers.

What was our ROI?

It's really hard to measure ROI. Previously, the low cost ensured it wasn't a concern, but now, with increasing costs, the need to measure ROI more accurately is arising.

What's my experience with pricing, setup cost, and licensing?

Previously, the pricing was 17,000 euros for five million lines analyzed. However, they now charge $15,000 per one million lines, significantly increasing the cost.

Which other solutions did I evaluate?

We are evaluating Veracode as a possible replacement. I also checked resources like Forrester and Gartner for other potential tools.

What other advice do I have?

I would recommend SonarCloud to other development teams. While the cost might be a concern, it is a good tool and maintains an updated list of security issues. It is sufficient for most projects.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Manager Product Engineering at GlobalLogic
Real User
Top 20
Used for static code analysis and checking the overall unit test coverage
Pros and Cons
  • "SonarQube's unit test coverage and exhaustive information at the module, project, and overall code repo levels are quite good."
  • "Depending on the tool's configuration, sometimes you get false alarms that are unimportant to you."

What is our primary use case?

My company is a product engineering company, and we work for different clients. The majority of the projects use SonarQube, and some projects use Checkmarx. SonarQube is primarily used for static code analysis and checking the overall unit test coverage and vulnerabilities.

What is most valuable?

SonarQube's unit test coverage and exhaustive information at the module, project, and overall code repo levels are quite good.

What needs improvement?

One of the disadvantages of SonarQube is that it is quite comprehensive, which is both good and bad. Depending on the tool's configuration, sometimes you get false alarms that are unimportant to you.

Which solution did I use previously and why did I switch?

We also work with Checkmarx.

How was the initial setup?

My experience with the solution’s initial setup was quite good. The solution's deployment doesn't take much time. It can be done in a few hours or so.

What was our ROI?

The solution's shift-left approach allows you to pay attention during the unit testing phase rather than relying on your external testing, manual test cases, or automated test cases. You think about the use cases or test cases for the test-driven development (TDD) approach and then realize that you don't have the code written for those test cases.

You write the code and keep on complementing. Once the build is handed over to QA, SonarQube helps find most bugs during testing. Suppose on a BDD (business-driven development) level, I am a product manager who wants some functionality on my login page.

After I write those use cases in simple language, SonarQube can find out whether the corresponding unit test cases are in my codebase. This is a feature enhancement I would be interested in seeing by employing a fusion of AI and traditional ways of scanning.

What's my experience with pricing, setup cost, and licensing?

SonarQube is a cost-effective solution.

What other advice do I have?

SonarQube provides valuable information regarding vulnerability detection, but it depends on your configuration.

Overall, I rate the solution a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SatishKumar14 - PeerSpot reviewer
DevOps Architect at a tech vendor with 51-200 employees
MSP
Top 20
Has helped our team catch code bugs and improve developer skills through actionable suggestions
Pros and Cons
  • "SonarQube Cloud (formerly SonarCloud) has had a positive impact on my organization by giving the best impact for code checking and code structuring, making the code more usable and better."

    What is our primary use case?

    My main use case for SonarQube Cloud (formerly SonarCloud) is for code checking and the quality of code.

    A specific example of how I use SonarQube Cloud (formerly SonarCloud) for code checking and quality is that we have enabled quality gates for the pipeline.

    What is most valuable?

    The best features SonarQube Cloud (formerly SonarCloud) offers are that it is quite good and offers a perfunct feature.

    The perfunct feature in SonarQube Cloud (formerly SonarCloud) shows the bugs in the codes and suggests the fixes.

    SonarQube Cloud (formerly SonarCloud) has had a positive impact on my organization by giving the best impact for code checking and code structuring, making the code more usable and better.

    It has made my code better because the team can improve their skills. It suggests fixes where needed, enabling the team to code better and maintain high code quality.

    What needs improvement?

    SonarQube Cloud (formerly SonarCloud) performs well currently and I cannot identify any needed improvements at this time.

    For how long have I used the solution?

    I have been using SonarQube Cloud (formerly SonarCloud) for three years.

    What do I think about the stability of the solution?

    In my experience, SonarQube Cloud (formerly SonarCloud) is stable and I did not face any major issues.

    What do I think about the scalability of the solution?

    SonarQube Cloud (formerly SonarCloud) has handled my organization's needs as we've grown.

    How are customer service and support?

    The customer support for SonarQube Cloud (formerly SonarCloud) has been better. Some of my teammates have interacted with support by raising tickets, and their issues were successfully resolved.

    How would you rate customer service and support?

    Positive

    What other advice do I have?

    My advice to others is to use SonarQube Cloud (formerly SonarCloud).

    I rate SonarQube Cloud (formerly SonarCloud) nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Consultant at Green method
    Consultant
    Top 20
    Provides static code analysis and has more native integrations
    Pros and Cons
    • "Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users."
    • "In terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues."

    What is our primary use case?

    We use SonarQube for static code analysis.

    What is most valuable?

    The reporting is somewhat delayed; there is something missing. For example, if you compare it with GitHub Advanced Security, SonarQube has a more native integration, and its analysis is more structured and precise. SonarQube can do a better job compared to other native tools. It supports a good number of language tags and is continuously improving its analytics functions.

    Any developer can easily identify issues using the process flow or steps provided by SonarQube. In terms of integration, SonarQube makes it quite easy, simplifying the steps for users.

    What needs improvement?

    The detection and reporting are structured, with reporting being better compared to other tools. However, in terms of analysis and findings, other tools provide more in-depth insights and detailed steps to mitigate or handle issues. Therefore, the analysis engine of SonarQube could benefit from significant improvements to better compete in the market.

    For how long have I used the solution?

    I have been using SonarQube for around a year and a half.

    What do I think about the scalability of the solution?

    The solution is scalable.

    Which solution did I use previously and why did I switch?

    I have used many open source solutions.

    How was the initial setup?

    The initial setup is not easy, as there are many product protocol improvements that can be made. 

    I rate the initial setup an eight out of ten, where one is difficult and ten is easy.

    What was our ROI?

    The engine needs significant improvement, but it is a good solution for detecting flaws. Enhancing the analytics engine could further improve its capabilities. The effectiveness of SonarQube depends on these factors. If you enhance the analytics engine, the quality of flaw detection will obviously improve as well.

    What's my experience with pricing, setup cost, and licensing?

    The solution is expensive.

    What other advice do I have?

    SonarQube has many integrations, even in our development backup environment. While setting up notifications was possible, it was quite complex to manage.

    However, SonarQube is one of the solutions I would recommend. In terms of code quality, it offers many features compared to other solutions in the market. It has been around for a while and delivers many functionalities. There are different solutions with better detection engines than SonarQube, but in terms of scalability and compliance, SonarQube is superior. Taking all factors into consideration, it is a better option.

    Overall, I rate the solution an 8.5 out of ten.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Tools manager at Harmony international
    Real User
    Top 5 Leaderboard
    Provides multi-programming language support with a reliable report-generation facility
    Pros and Cons
    • "Offers multi-programming language support"
    • "The tool needs to be more compatible with C/C++ language"

    What is our primary use case?

    At our company, we are using SonarQube to scan some of the .NET and Java sources. The solution is also used for generating reports, which is a customer mandate for scanning source code. The solution is used to set up a CI/CD pipeline, after which scans are run and the report is shared with the developer.

    What is most valuable?

    One of the solution's most vital features is its multi-programming language support. The solution also functions on an open-source model that allows users to easily check the setup and installation process and gain further knowledge regarding the solution across production grades. 

    What needs improvement?

    In our organization, C/C++ programmers prefer to use CodeSonar over SonarQube, so I believe the tool needs to be more compatible and user-friendly for the specific C/C++ language.

    The solution provider can evaluate how SonarQube can be integrated with AI in future versions similar to how Copilot is working with Outlook and GitHub. 

    For how long have I used the solution?

    I have been using the solution for two years. 

    What do I think about the stability of the solution?

    The product is stable, but there are occasionally a few configuration issues. I would rate the stability a ten out of ten.

    What do I think about the scalability of the solution?

    There are about 20-30 users of the solution in our organization. 

    How was the initial setup?

    The initial setup process of the solution is quite simple. For the installation process, a database is required; at our company, we initially had four databases. To build the database properly, our company integrated an AWS Postgres database to store all the data.

    The SSL certificate installation can be carried out later on when the need arises while configuring the database for a specific project. For the setup process, our company got some support from the solution provider. 

    What's my experience with pricing, setup cost, and licensing?

    Our company previously paid around $15,000 for the solution, which later on got increased by $1,500 the next year.

    What other advice do I have?

    The code quality metrics from the solution help us generate reliable reports on behalf of our company instead of asking questions like whether the code is scanned, whether it is vulnerable, and whether the code meets all standards. SonarQube is also able to identify to what level the code is secure, making it easier for the developer to check and understand the application.

    I would rate SonarQube an eight out of ten. I would recommend the solution to others who need to scan their code and are looking for the support that SonarQube provides through its features, but for core languages like C/C++ they can choose an alternative.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Jaile Sebes - PeerSpot reviewer
    Senior Software Architect at a tech vendor with 10,001+ employees
    Real User
    Top 5 Leaderboard
    Excels in dashboard usability and cost-effectiveness
    Pros and Cons
    • "The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
    • "SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."

    What is our primary use case?

    My main use case for SonarQube is to analyze code quality in various programming projects, particularly focusing on identifying bugs, vulnerabilities, and code smells. I also use it to detect patterns in data clusters and ensure there are no leaks in the codebase.

    What is most valuable?

    The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability. Specifically, its ability to detect issues across different functions and methods, including security vulnerabilities, is particularly useful.

    What needs improvement?

    SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase. Additional functionality that could improve SonarQube includes features like automatic code correction and AI-generated suggestions to streamline code maintenance.

    For how long have I used the solution?

    I have been using SonarQube for almost three years.

    What do I think about the stability of the solution?

    I would rate the stability of the solution as an eight out of ten.

    What do I think about the scalability of the solution?

    I would rate the scalability of the solution as an eight out of ten.

    Which solution did I use previously and why did I switch?

    In comparing Coverity and SonarQube, Coverity stands out for its superior vendor support and enterprise-level analysis capabilities, particularly in security and leak detection across procedures. SonarQube excels in dashboard usability and cost-effectiveness but lacks certain advanced features like inter-procedural analysis and some leak detections available in Coverity.

    How was the initial setup?

    Setting up SonarQube was relatively straightforward.

    What's my experience with pricing, setup cost, and licensing?

    In terms of pricing, SonarQube is more comfortable for global licensing and cloud-based usage, while Coverity's licenses, particularly in India, may come with more restrictions and be less flexible.

    What other advice do I have?

    I integrate SonarQube into my CI/CD pipeline by running it during the build process for static code analysis. Once the analysis is complete, the results are sent to the dashboard for easy monitoring and tracking of code quality.

    Using SonarQube for security vulnerability detection offers several benefits such as comprehensive security rule coverage and integration with the dashboard for easy monitoring. Additionally, SonarQube provides features like password handling, eliminating the need for separate tools and enhancing overall code security.

    SonarQube handles false positives during code analysis by allowing teams to review and exclude them, especially in long-term projects where patterns are familiar. While false positives may occur, experienced teams can easily identify and manage them, ensuring accurate analysis results.

    For software development, especially in Java-based environments, I highly recommend using SonarQube due to its effectiveness in ensuring code quality and minimizing potential issues. While there are free tools available, SonarQube's comprehensive support for various languages and its benefits make it a valuable choice for developers.

    Overall, I would rate SonarQube as an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Wang Dayong - PeerSpot reviewer
    Senior Software Engineering Manager at Hill
    Real User
    Easy to integrate and has a plug-in that supports both C and C++ languages
    Pros and Cons
    • "The solution has a plug-in that supports both C and C++ languages."
    • "The product provides false reports sometimes."

    What is our primary use case?

    We use the product to review our software code. We have integrated the product to review our newly delivered code.

    How has it helped my organization?

    When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the quality of our code before delivering it to the customer.

    What is most valuable?

    The solution has a plug-in that supports both C and C++ languages. This feature is valuable to us while creating vulnerability and bug reports.

    What needs improvement?

    The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line.

    The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

    For how long have I used the solution?

    I have been using the solution for three years.

    What do I think about the stability of the solution?

    The solution's stability is good. I rate the stability an eight out of ten.

    What do I think about the scalability of the solution?

    I rate the product's scalability a six out of ten. In our organization, 20 engineers are using the product. We do not have any plans to increase the number of users.

    How was the initial setup?

    The initial setup was easy. I rate the ease of setup an eight out of ten.

    What about the implementation team?

    We took one day to deploy the product for the first time. After that, we need only one hour to deploy it. To deploy the solution, we need to add a couple of priorities and then add the product’s instance to our system.

    We deployed the solution with an in-house team consisting of 30 engineers. We need one software engineer to maintain the solution.

    Which other solutions did I evaluate?

    Though some employees in the organization use Coverity, I chose SonarQube because it is easy to integrate with our software component.

    What other advice do I have?

    If we have any issues with the product, we search the internet to find a solution. Some employees in the organization use Coverity. Overall, I rate the solution an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.