MarkRyall - PeerSpot reviewer
Strategist Individual Contributor at Peraton
MSP
Good ROI and easy to install, but it could use more functionality and faster updates
Pros and Cons
  • "The most valuable feature of this solution is that it is free."
  • "There could be better integration with other products."

What is our primary use case?

We use SonarQube to find vulnerabilities in the source code, for better code quality, and code security.

What is most valuable?

The most valuable feature of this solution is that it is free.

What needs improvement?

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

For how long have I used the solution?

I have been using SonarQube for three years.

It's software as a service that you can access from on-premises.

Buyer's Guide
SonarQube
August 2023
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: August 2023.
734,024 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is fine. With any software, you must ensure that you keep up to date with the software. As a result, when there are new ways to attack you, the software detects it. You must be prepared. You can't just put it in and forget about it, you have to stay current.

What do I think about the scalability of the solution?

More than just an environment, it was a project. There were about a dozen developers and five testers, to ensure that the developers used the tool before handing it over to the testers and that everything was in order.

How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

Previously, we used Fortify. The company that I worked for owned Fortify. We then sold Fortify to another company. We could look at other products to do the job.

How was the initial setup?

The initial setup was straightforward. It only took about two weeks to deploy.

As with anything, being too restrictive can be problematic, and the same is true of being too loose. In terms of the length of time it takes to deploy, we try to find a happy medium. Two weeks is reasonable.

What about the implementation team?

I am the team leader, and I was assisted with the deployment by another very knowledgeable individual. We are a team of two.

What was our ROI?

We have seen a return on investment. It finds potential vulnerabilities inside a program's code. If you catch it and you fix it, it's good.

What's my experience with pricing, setup cost, and licensing?

It's an open-source solution, with no additional costs.

Which other solutions did I evaluate?

We evaluated other products such as Veracode, Checkmarx as well as SonarQube.

The main difference is that SonarQube is free.

What other advice do I have?

I am an expert in so many things, including security. We looked at the various products and chose one. And the reason was that any tool, any automated tool that can detect errors, is preferable to none at all.

Most systems are vulnerable at the application level, which means that people who program in Java or .NET may be brilliant, but they don't know about security. The advice is that those who work in development must also understand security. They must test for security in the same way they test for whether something is red or blue. My recommendation is to have some type of training and to be aware that the application level is the place where most people attack.

I would rate SonarQube a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chetan Jayatheertha - PeerSpot reviewer
Lead DevOps Consultant at itcinfotech
MSP
Has a great quality gate feature and improves the code coverage in your code base
Pros and Cons
  • "Improves the code coverage and evaluates the technical steps and percentage of code being resolved."
  • "Lacks sufficient visibility and documentation."

What is our primary use case?

SonarQube provides security vulnerabilities within the cloud. It identifies the code pattern and quality and detects the causes of any particular issues. We use this to minimize a lot of coding errors. I'm a lead DevOps consultant in IT infrastructure.

What is most valuable?

SonarQube helps to improve the code coverage in your code base and will give you the evaluation of the technical steps and the percentage of code being resolved. It can auto-calculate the technical debt. The beauty of the product is the quality gate, where all parameters come together. If those parameters can pass through the quality gate successfully, you can go ahead with your build. You get clear and clean visibility into your code and it provides reliability. It's the most valuable feature.

What needs improvement?

We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.

For how long have I used the solution?

We've been using this solution for two years. 

What do I think about the stability of the solution?

The stability is very good. 

What do I think about the scalability of the solution?

Scalability is high and that includes within the different zones and regions that we require in the company. We use SonarQube about once a week and don't plan to increase usage for now. 

How are customer service and support?

The technical support is excellent. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used a different solution but moved to SonarQube because it better suits our use cases. 

How was the initial setup?

The initial setup is straightforward and doesn't take much time. That said, setting up the quality level is challenging because of the different calculations required, setting up for issue tracking and getting the appropriate quality gate feature. It requires proper allocation and understanding the parameters. Deployment time is generally less than an hour, but it depends on the project size. Implementation generally requires a minimum of two people.

What was our ROI?

The fact that we have bug-free coding is a good return on investment. 

What's my experience with pricing, setup cost, and licensing?

Licensing costs are in the mid-range for this kind of solution. 

What other advice do I have?

This product provides a lot of freedom to achieve many things including generating certain reports that can be integrated with numerous other tools such as Power BI.

I rate this solution eight out of 10. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Security Architect at a tech services company with 51-200 employees
Real User
A mature and admin-friendly solution that is easy to deploy and easy to maintain
Pros and Cons
  • "SonarQube is admin friendly."
  • "SonarQube is not development-centric like Snyk."

What is our primary use case?

We use the solution for security vulnerabilities, static code analysis, and a few code quality issues like code smells. We mostly concentrate on security vulnerabilities.

What is most valuable?

SonarQube is admin friendly.

What needs improvement?

SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.

For how long have I used the solution?

I have been using the solution for the last five years.

What do I think about the stability of the solution?

The solution is quite mature. We did not have many issues.

What do I think about the scalability of the solution?

The tool is very scalable.

How are customer service and support?

Since it is an open-source product, we need to purchase support. However, the enterprise edition comes with a support package. The support package is really good. We get good support. We’ll have problems if we do not have support. I rate the support team a seven or eight out of ten. The quality of support depends on the support package we get. We had a limited package, so our support was at that level.

Which solution did I use previously and why did I switch?

I have worked with Snyk. Snyk is more developer friendly. I have also worked with Coverity. SonarQube has features that are similar to Snyk and Coverity. So, SonarQube is better because it is an open-source tool.

How was the initial setup?

The tool is easy to install compared to other products. We have to do basic things like installing our database and web applications. I do not find many problems with installation. The time taken for deployment depends on the nature of the setup and whether we are doing it for a large enterprise. The installation is quite simple, but it took a week to plan it. We had a good IT setup, which helped us. We do not need many people for implementation. It depends on the project structure.

What about the implementation team?

Our IT team installed the solution. The product is easy to maintain. We have a mature system, so we do not have many issues. To manage reports, we need people to run scans. However, we need only one person to manage the environment.

What's my experience with pricing, setup cost, and licensing?

It's an open-source product. All other solutions are commercial.

What other advice do I have?

SonarQube is introducing a developer edition, but I have not explored it yet. We are using the enterprise edition of the solution. My advice to other users would depend on their requirements. If an organization has Synopsys products, Coverity would be the right choice for them. However, it is costly. SonarQube has an open-source and enterprise edition along with support packages, which is really good. If someone wants a developer-friendly tool, then Snyk would be a good choice. Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tools manager at a retailer with 10,001+ employees
Real User
It supports 29 languages
Pros and Cons
  • "SonarQube is one of the more popular solutions because it supports 29 languages."
  • "I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script."

What is our primary use case?

SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues. 

What is most valuable?

SonarQube is one of the more popular solutions because it supports 29 languages.

What needs improvement?

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

For how long have I used the solution?

I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry. 

How was the initial setup?

SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward.

We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

What's my experience with pricing, setup cost, and licensing?

I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

Which other solutions did I evaluate?

SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner. 

What other advice do I have?

I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Development Team Lead at a financial services firm with 1,001-5,000 employees
Real User
IDE plugins are easy to use and integrate
Pros and Cons
  • "Some of the most valuable features have been the up-to-date OWASP coverage, the monitoring, the reporting, and the ease of use and integration of the IDE plugins."
  • "SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."

What is our primary use case?

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

What is most valuable?

Some of the most valuable features have been the up-to-date OWASP coverage, the monitoring, the reporting, and the ease of use and integration of the IDE plugins.

What needs improvement?

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

For how long have I used the solution?

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

What do I think about the stability of the solution?

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

What do I think about the scalability of the solution?

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

Which solution did I use previously and why did I switch?

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

How was the initial setup?

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

What about the implementation team?

We implemented this solution through an in-house team. 

What's my experience with pricing, setup cost, and licensing?

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

What other advice do I have?

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
HimanshuSharma - PeerSpot reviewer
General Manager at Dalmia Bharat Group
Real User
Community edition is the best part, but there is no integration with the development environment
Pros and Cons
  • "We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
  • "There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."

What is our primary use case?

We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessments. That was one of the reasons why we wanted to use it. 

We have started looking into it from the information security side, but it is being used by the core development team.

What is most valuable?

We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.

What needs improvement?

There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code.

We have 15 to 20 people who are using it.

How are customer service and support?

We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.

How was the initial setup?

It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.

What about the implementation team?

We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.

What's my experience with pricing, setup cost, and licensing?

We are using the Community edition of SonarQube.

What other advice do I have?

For a small setup with a small number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results.

I would rate it a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
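The quality gate described in the earlier review (all conditions must pass before the build proceeds) and the CI/CD pipeline integration this reviewer would like to see come together in the following added example. It is not code from PeerSpot, from any reviewer, or from SonarSource. It reads the documented `api/qualitygates/project_status` Web API response and fails the pipeline step closed unless the gate is explicitly `OK`; the host URL, token environment variables and the project key `my-app` are hypothetical placeholders, and the JSON payload is constructed sample data so the decision logic runs offline.

```python
"""CI step that reads a SonarQube quality gate result and fails closed.

Added example; not code from PeerSpot, from the reviewers, or from
SonarSource. The request helper targets the documented
api/qualitygates/project_status endpoint; SONAR_HOST_URL, SONAR_TOKEN
and the project key "my-app" are hypothetical placeholders, and the
JSON below is constructed sample data so the script runs offline.
"""
import base64
import json
import os
import sys
import urllib.request

# Constructed sample response in the shape of api/qualitygates/project_status
# (values invented for this example, not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "ignoredConditions": False,
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "60.0"},
        ],
    }
})

# How SonarQube's comparator reads in a human failure message.
COMPARATOR_TEXT = {"GT": "must not exceed", "LT": "must not fall below"}


def parse_response(text):
    """Decode the Web API body; kept separate so the sample can be fed in offline."""
    return json.loads(text)


def fetch_project_status(host_url, token, project_key):
    """Call the Web API; a user token goes in as the Basic-auth username
    with an empty password, which is the SonarQube convention."""
    url = f"{host_url.rstrip('/')}/api/qualitygates/project_status?projectKey={project_key}"
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": f"Basic {credentials}"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return parse_response(response.read().decode())


def evaluate_gate(payload):
    """Return (passed, failures).

    Fails closed: only an explicit status of "OK" with no failing conditions
    passes, so a missing gate ("NONE"), a "WARN"/"ERROR" status or a
    malformed response can never wave a build through."""
    project_status = payload.get("projectStatus", {})
    status = project_status.get("status", "NONE")
    failures = []
    for condition in project_status.get("conditions", []):
        if condition.get("status") == "OK":
            continue
        metric = condition.get("metricKey", "?")
        rule = COMPARATOR_TEXT.get(condition.get("comparator"), "compared against")
        failures.append(
            f"{metric}: actual {condition.get('actualValue')} "
            f"{rule} {condition.get('errorThreshold')}"
        )
    if status != "OK" and not failures:
        failures.append(f"quality gate status is {status!r}, not 'OK'")
    return status == "OK" and not failures, failures


def main():
    host_url = os.environ.get("SONAR_HOST_URL")  # hypothetical variable names
    token = os.environ.get("SONAR_TOKEN")
    if host_url and token:
        payload = fetch_project_status(host_url, token, "my-app")  # hypothetical key
    else:
        payload = parse_response(SAMPLE_RESPONSE)  # offline: use the constructed sample
    passed, failures = evaluate_gate(payload)
    for line in failures:
        print("quality gate failure:", line)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step of a pipeline job after the scanner has finished analysing the project; a non-zero exit code stops the job, so the gate becomes a hard control rather than a report someone has to go and read. The token should come from the CI secret store, never from the repository, and the script deliberately treats anything other than an explicit `OK` as a failure.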
Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill
Real User
Easy to integrate and has a plug-in that supports both C and C++ languages
Pros and Cons
  • "The solution has a plug-in that supports both C and C++ languages."
  • "The product provides false reports sometimes."

What is our primary use case?

We use the product to review our software code. We have integrated the product to review our new delivery code.

How has it helped my organization?

When we deliver a code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus the solution helps us identify issues and improve the quality of our code before delivering it to the customer.

What is most valuable?

The solution has a plug-in that supports both C and C++ languages. This feature is valuable to us while creating vulnerability and bug reports.

What needs improvement?

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line.

The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The solution's stability is good. I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the product's scalability a six out of ten. In our organization, 20 engineers are using the product. We do not have any plans to increase the number of users.

How was the initial setup?

The initial setup was easy. I rate the ease of setup an eight out of ten.

What about the implementation team?

We took one day to deploy the product for the first time. After that, we need only one hour to deploy it. To deploy the solution, we need to add a couple of priorities and then add the product’s instance to our system.

We deployed the solution with an in-house team consisting of 30 engineers. We need one software engineer to maintain the solution.

Which other solutions did I evaluate?

Though some employees in the organization use Coverity, I chose SonarQube because it is easy to integrate with our software component.

What other advice do I have?

If we have any issues with the product, we search the internet to find a solution. Some employees in the organization use Coverity. Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Angelo Quaglia - PeerSpot reviewer
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
  • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
  • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

What is our primary use case?

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

How has it helped my organization?

Our developers are learning how to improve their code.

What is most valuable?

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

What needs improvement?

The Enterprise edition has the additional features we need, but of course we have to pay for that.

For how long have I used the solution?

I have been using SonarQube for approximately three months.

What do I think about the stability of the solution?

SonarQube is a reliable solution.

What do I think about the scalability of the solution?

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

How are customer service and support?

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

What about the implementation team?

We have a different group that is managing the SonarQube installation and setup.

What's my experience with pricing, setup cost, and licensing?

SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

Which other solutions did I evaluate?

No.

What other advice do I have?

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.