SonarQube Reviews

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

The most valuable feature of this solution is that it is free.

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

I have been using SonarQube for three years.

It's a software as a service that you can access from on-premise.

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

More than just an environment, it was a project. There were about a dozen developers and five testers to ensure that the developers used the tool before handing it over to the testers. To ensure that everything was in order.

I have not contacted technical support.

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

The initial setup was straightforward. It only took about two weeks to deploy.

Like in anything, if you're too restricted, it can result in being problematic, the same if you are too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

It's an open-source solution, with no additional costs.

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

I am an expert in so many things, including security experts. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or.NET may be brilliant, but they don't know about the security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.

SonarQube provides security vulnerabilities within the cloud. It identifies the code pattern and quality and detects the causes of any particular issues. We use this to minimize a lot of coding errors. I'm a lead dev ops consultant in IT infrastructure.

SonarQube helps to improve the code coverage in your core base and will give you the evaluation of the technical steps and the percentage of code being resolved. It can auto-calculate the technical depth. The beauty of the product is the quality gate where all parameters come together. If those parameters can pass through the quality gate successfully, you can go ahead with your build. You get clear and clean visibility in your code and it provides reliability. It's the most valuable feature. 

We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.

We've been using this solution for two years. 

The stability is very good. 

Scalability is high and that includes within the different zones and regions that we require in the company. We use SonarQube about once a week and don't plan to increase usage for now. 

The technical support is excellent. 

Positive

We previously used a different solution but moved to SonarQube because it better suits our use cases. 

The initial setup is straightforward and doesn't take much time. That said, setting up the quality level is challenging because of the different calculations required, setting up for issue tracking and getting the appropriate quality gate feature. It requires proper allocation and understanding the perameters. Deployment time is generally less than an hour, but it depends on the project size. Implementation generally requires a minimum of two people.

The fact that we have bug-free coding is a good return on investment. 

Licensing costs are in the mid-range for this kind of solution. 

This product provides a lot of freedom to achieve many things including generating certain reports that can be integrated with numerous other tools such as Power BI.

I rate this solution eight out of 10. 

We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.

SonarQube is admin friendly.

SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.

I have been using the solution for the last five years.

The solution is quite mature. We did not have many issues.

The tool is very scalable.

Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.

I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.

The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.

Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.

It's an open-source product. All other solutions are commercial.

SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

SonarQube is one of the more popular solutions because it supports 29 languages.

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

We implemented this solution through an in-house team. 

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it. 

We have started looking into it from the information security side, but it is being used by the core development team.

We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.

There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.

It's a stable solution.

It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of codes.

We have 15 to 20 people who are using it.

We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.

It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.

We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.

We are using the Community edition of SonarQube.

For a small setup with less number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.

I would rate it a seven out of ten.

We use the product to review our software codes. We have integrated the product to review our new delivery code.

When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the quality of our code before delivering it to the customer.

The solution has a plug-in that supports both C and C++ languages. This feature is valuable to us while creating vulnerability and bug reports.

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line.

The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

I have been using the solution for three years.

The solution's stability is good. I rate the stability an eight out of ten.

I rate the product's scalability a six out of ten. In our organization, 20 engineers are using the product. We do not have any plans to increase the number of users.

The initial setup was easy. I rate the ease of setup an eight out of ten.

We took one day to deploy the product for the first time. After that, we need only one hour to deploy it. To deploy the solution, we need to add a couple of priorities and then add the product’s instance to our system.

We deployed the solution with an in-house team consisting of 30 engineers. We need one software engineer to maintain the solution.

Though some employees in the organization use Coverity, I chose SonarQube because it is easy to integrate with our software component.

If we have any issues with the product, we search the internet to find a solution. Some employees in the organization use Coverity. Overall, I rate the solution an eight out of ten.

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

Our developers are learning how to improve their code.

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

The Enterprise edition has the additional features we need, but of course we have to pay for that.

I have been using SonarQube for approximately three months.

SonarQube is a reliable solution.

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

No.

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

We have a different group that is managing the SonarQube installation and setup.

SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off. 

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

No.

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.