Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill
Real User
May 15, 2023
Easy to integrate and has a plug-in that supports both C and C++ languages
Pros and Cons
  • "The solution has a plug-in that supports both C and C++ languages."
  • "The product provides false reports sometimes."

What is our primary use case?

We use the product to review our software codes. We have integrated the product to review our new delivery code.

How has it helped my organization?

When we deliver code, the solution scans the code and reports whether the code has bugs or any other vulnerability issues. Thus, the solution helps us identify issues and improve the quality of our code before delivering it to the customer.

What is most valuable?

The solution has a plug-in that supports both C and C++ languages. This feature is valuable to us while creating vulnerability and bug reports.

What needs improvement?

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line.

The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Buyer's Guide
SonarQube
March 2026
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
885,376 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The solution's stability is good. I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the product's scalability a six out of ten. In our organization, 20 engineers are using the product. We do not have any plans to increase the number of users.

How was the initial setup?

The initial setup was easy. I rate the ease of setup an eight out of ten.

What about the implementation team?

We took one day to deploy the product for the first time. After that, we need only one hour to deploy it. To deploy the solution, we need to add a couple of priorities and then add the product’s instance to our system.

We deployed the solution with an in-house team consisting of 30 engineers. We need one software engineer to maintain the solution.

Which other solutions did I evaluate?

Though some employees in the organization use Coverity, I chose SonarQube because it is easy to integrate with our software component.

What other advice do I have?

If we have any issues with the product, we search the internet to find a solution. Some employees in the organization use Coverity. Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chetan Jayatheertha - PeerSpot reviewer
DevOps Manager at a computer software company with 5,001-10,000 employees
MSP
Top 5
May 17, 2023
Has a great quality gate feature and improves the code coverage in your code base
Pros and Cons
  • "Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
  • "Lacks sufficient visibility and documentation."

What is our primary use case?

SonarQube provides security vulnerabilities within the cloud. It identifies the code pattern and quality and detects the causes of any particular issues. We use this to minimize a lot of coding errors. I'm a lead DevOps consultant in IT infrastructure.

What is most valuable?

SonarQube helps to improve the code coverage in your code base and will give you the evaluation of the technical steps and the percentage of code being resolved. It can auto-calculate the technical debt. The beauty of the product is the quality gate where all parameters come together. If those parameters can pass through the quality gate successfully, you can go ahead with your build. You get clear and clean visibility in your code and it provides reliability. It's the most valuable feature.

What needs improvement?

We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.

For how long have I used the solution?

We've been using this solution for two years. 

What do I think about the stability of the solution?

The stability is very good. 

What do I think about the scalability of the solution?

Scalability is high and that includes within the different zones and regions that we require in the company. We use SonarQube about once a week and don't plan to increase usage for now. 

How are customer service and support?

The technical support is excellent. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used a different solution but moved to SonarQube because it better suits our use cases. 

How was the initial setup?

The initial setup is straightforward and doesn't take much time. That said, setting up the quality level is challenging because of the different calculations required, setting up for issue tracking and getting the appropriate quality gate feature. It requires proper allocation and understanding the parameters. Deployment time is generally less than an hour, but it depends on the project size. Implementation generally requires a minimum of two people.

What was our ROI?

The fact that we have bug-free coding is a good return on investment. 

What's my experience with pricing, setup cost, and licensing?

Licensing costs are in the mid-range for this kind of solution. 

What other advice do I have?

This product provides a lot of freedom to achieve many things including generating certain reports that can be integrated with numerous other tools such as Power BI.

I rate this solution eight out of 10. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jaile Sebes - PeerSpot reviewer
Senior Software Architect at a tech vendor with 10,001+ employees
Real User
Top 5 Leaderboard
Mar 25, 2024
Excels in dashboard usability and cost-effectiveness
Pros and Cons
  • "The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability."
  • "SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase."

What is our primary use case?

My main use case for SonarQube is to analyze code quality in various programming projects, particularly focusing on identifying bugs, vulnerabilities, and code smells. I also use it to detect patterns in data clusters and ensure there are no leaks in the codebase.

What is most valuable?

The features of SonarQube that I find most valuable for identifying code smells are its comprehensive code analysis capabilities, which cover various aspects of code sustainability. Specifically, its ability to detect issues across different functions and methods, including security vulnerabilities, is particularly useful.

What needs improvement?

SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase. Additional functionality that could improve SonarQube includes features like automatic code correction and AI-generated suggestions to streamline code maintenance.

For how long have I used the solution?

I have been using SonarQube for almost three years.

What do I think about the stability of the solution?

I would rate the stability of the solution as an eight out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of the solution as an eight out of ten.

Which solution did I use previously and why did I switch?

In comparing Coverity and SonarQube, Coverity stands out for its superior vendor support and enterprise-level analysis capabilities, particularly in security and leak detection across procedures. SonarQube excels in dashboard usability and cost-effectiveness but lacks certain advanced features like inter-procedural analysis and some leak detections available in Coverity.

How was the initial setup?

Setting up SonarQube was relatively straightforward.

What's my experience with pricing, setup cost, and licensing?

In terms of pricing, SonarQube is more comfortable for global licensing and cloud-based usage, while Coverity's licenses, particularly in India, may come with more restrictions and be less flexible.

What other advice do I have?

I integrate SonarQube into my CI/CD pipeline by running it during the build process for static code analysis. Once the analysis is complete, the results are sent to the dashboard for easy monitoring and tracking of code quality.

Using SonarQube for security vulnerability detection offers several benefits such as comprehensive security rule coverage and integration with the dashboard for easy monitoring. Additionally, SonarQube provides features like password handling, eliminating the need for separate tools and enhancing overall code security.

SonarQube handles false positives during code analysis by allowing teams to review and exclude them, especially in long-term projects where patterns are familiar. While false positives may occur, experienced teams can easily identify and manage them, ensuring accurate analysis results.

For software development, especially in Java-based environments, I highly recommend using SonarQube due to its effectiveness in ensuring code quality and minimizing potential issues. While there are free tools available, SonarQube's comprehensive support for various languages and its benefits make it a valuable choice for developers.

Overall, I would rate SonarQube as an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
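The pipeline integration described in the review above (scan during the build, then consult the dashboard) is usually completed by a step that fails the build when the quality gate fails. The following is an added example, not code from the reviewer or from SonarSource. It assumes that a SonarScanner run has written the usual `.scannerwork/report-task.txt` and that the server exposes the documented web API endpoints `api/ce/task` and `api/qualitygates/project_status`; the `report-task.txt` text and the gate response embedded below are constructed samples so the parsing and evaluation can be exercised offline.

```python
"""Quality-gate check for a CI pipeline step (added example, not SonarQube's own
code). Assumes a SonarScanner run has written .scannerwork/report-task.txt and
that the server exposes the documented web API endpoints api/ce/task and
api/qualitygates/project_status. The sample data below is constructed."""
import json
import sys
import time
import urllib.request
from base64 import b64encode

# Constructed sample of report-task.txt as the scanner writes it (key=value lines).
SAMPLE_REPORT_TASK = """projectKey=my-service
serverUrl=https://sonar.example.invalid
serverVersion=10.0.0.1
dashboardUrl=https://sonar.example.invalid/dashboard?id=my-service
ceTaskId=AYabc123
ceTaskUrl=https://sonar.example.invalid/api/ce/task?id=AYabc123
"""

# Constructed sample of an api/qualitygates/project_status response.
SAMPLE_GATE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
}


def parse_report_task(text):
    """Parse the scanner's report-task.txt into a dict (ignores blank/comment lines)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def failed_conditions(payload):
    """Return the failing gate conditions as (metric, actual, comparator, threshold)."""
    status = payload.get("projectStatus", {})
    return [
        (c["metricKey"], c.get("actualValue"), c.get("comparator"), c.get("errorThreshold"))
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]


def gate_passed(payload):
    """True only when the overall gate status is OK; WARN, ERROR and NONE fail the build."""
    return payload.get("projectStatus", {}).get("status") == "OK"


def _get_json(url, token):
    """Authenticated GET against the SonarQube web API (token sent as basic-auth user)."""
    req = urllib.request.Request(url)
    cred = b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_and_check(report_task_path, token, poll_seconds=5, max_polls=60):
    """Pipeline entry point: wait for the Compute Engine task, then fetch the gate status."""
    with open(report_task_path) as f:
        task = parse_report_task(f.read())
    for _ in range(max_polls):
        ce = _get_json(task["ceTaskUrl"], token)["task"]
        if ce["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError("analysis did not finish in time")
    if ce["status"] != "SUCCESS":
        raise RuntimeError(f"analysis task ended with status {ce['status']}")
    url = f"{task['serverUrl']}/api/qualitygates/project_status?analysisId={ce['analysisId']}"
    return _get_json(url, token)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. In a real pipeline, replace
    # this with wait_and_check(".scannerwork/report-task.txt", os.environ["SONAR_TOKEN"]).
    payload = SAMPLE_GATE_RESPONSE
    for metric, actual, cmp_, threshold in failed_conditions(payload):
        print(f"FAILED {metric}: {actual} ({cmp_} {threshold})")
    sys.exit(0 if gate_passed(payload) else 1)
```

Polling the Compute Engine task first matters because the gate status is only meaningful once the analysis that the scanner submitted has been processed; checking `project_status` by project key alone would report the previous analysis. Keep the token in a CI secret, never in `report-task.txt` or the repository.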
Gert Kersten - PeerSpot reviewer
Software Developer at BKWI
Real User
Aug 29, 2023
Allows for real-time feedback on code quality and highly stable solution
Pros and Cons
  • "We've configured it to run on each commit, providing feedback on our software quality."
  • "During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."

What is our primary use case?

We use it to check the code quality of our software.

What is most valuable?

We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.

What needs improvement?

We would appreciate having PNC checking, though that's only available in a more expensive license type.

There is also room for improvement in the installation process.

For how long have I used the solution?

I have been using this solution for a couple of years.

What do I think about the stability of the solution?

It is a stable solution. So, no issues with stability.

What do I think about the scalability of the solution?

We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.

We have around 13 developers using this solution. 

How was the initial setup?

Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.

However, maintenance is actually quite easy. It requires a couple of people.

Which other solutions did I evaluate?

We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.

What other advice do I have?

I would definitely recommend using the solution.

Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
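The file-handle limit the reviewer above had to raise is one of several Linux limits a SonarQube server host needs before the embedded search engine will start. The following pre-flight check is an added example, not the reviewer's script or SonarSource tooling. The minimum values are the ones documented in the SonarQube server requirements at the time of writing and should be treated as assumptions to re-verify against the version being deployed; the `shortfalls` function can also be run on constructed values, as the usage in the block shows.

```python
"""Pre-flight check of the Linux kernel and process limits a SonarQube server host
needs (added example, not SonarQube's own tooling). MINIMUMS are the documented
Linux requirements, assumed still current for the deployed version."""
import resource

MINIMUMS = {
    "vm.max_map_count": 524288,   # memory-map areas needed by the embedded Elasticsearch
    "fs.file-max": 131072,        # system-wide open file limit
    "ulimit -n": 131072,          # open file descriptors for the service user
    "ulimit -u": 8192,            # processes/threads for the service user
}


def shortfalls(observed):
    """Return {name: (observed, required)} for every value below its minimum.
    Values of None (unreadable) or "unlimited" are treated as satisfying it."""
    result = {}
    for name, required in MINIMUMS.items():
        value = observed.get(name)
        if value is None or value == "unlimited":
            continue
        if int(value) < required:
            result[name] = (int(value), required)
    return result


def read_current():
    """Read the live values from /proc and the calling process's soft rlimits.
    Run this as the user the SonarQube service will run as, on the target host."""
    observed = {}
    for name, path in (("vm.max_map_count", "/proc/sys/vm/max_map_count"),
                       ("fs.file-max", "/proc/sys/fs/file-max")):
        try:
            with open(path) as f:
                observed[name] = int(f.read().strip())
        except OSError:
            observed[name] = None  # not Linux or unreadable; skipped by shortfalls()
    for name, rlimit in (("ulimit -n", resource.RLIMIT_NOFILE),
                         ("ulimit -u", resource.RLIMIT_NPROC)):
        soft, _hard = resource.getrlimit(rlimit)
        observed[name] = "unlimited" if soft == resource.RLIM_INFINITY else soft
    return observed


if __name__ == "__main__":
    # Constructed example values first, then the live host.
    sample = {"vm.max_map_count": 65530, "fs.file-max": 131072,
              "ulimit -n": 1024, "ulimit -u": "unlimited"}
    for name, (got, need) in shortfalls(sample).items():
        print(f"sample: {name} is {got}, needs at least {need}")
    for name, (got, need) in shortfalls(read_current()).items():
        print(f"this host: {name} is {got}, needs at least {need}")
```

Soft limits are per process, so the values that matter are those in effect for the service account at the moment the server starts (systemd `LimitNOFILE`/`LimitNPROC` or `/etc/security/limits.conf`), not the ones seen in an administrator's interactive shell.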
Devid William - PeerSpot reviewer
Application Security Coordinator at Banco Votorantim
Real User
Aug 25, 2023
An affordable and stable solution that has a variety of features that enable users to improve their products
Pros and Cons
  • "There are many options and examples available in the tool that help us fix the issues it shows us."
  • "The product must improve security analysis."

What is our primary use case?

I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.

How has it helped my organization?

We see the security issues in our solutions with the help of the product. It helps us improve the solutions.

What is most valuable?

There are many options and examples available in the tool that help us fix the issues it shows us.

What needs improvement?

The product must improve security analysis. It must introduce software composition analysis in future releases.

For how long have I used the solution?

I have been using the solution for three years or more. I am using the latest version of the solution.

What do I think about the stability of the solution?

I rate the tool’s stability a nine out of ten.

What do I think about the scalability of the solution?

I rate the tool’s scalability a seven out of ten.

How was the initial setup?

The solution is deployed on the cloud.

What was our ROI?

We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality.

What's my experience with pricing, setup cost, and licensing?

The product’s price is lower than Veracode’s price.

Which other solutions did I evaluate?

Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.

What other advice do I have?

There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Vikram Karanwal - PeerSpot reviewer
Retail Sales Manager at Pine Labs
Real User
Top 5
May 15, 2023
An affordable and scalable solution with excellent features
Pros and Cons
  • "All the features of the solution are quite good."
  • "New plug-ins should be integrated into SonarCloud to give more flexibility to the product."

What is our primary use case?

I use the solution for static code analysis and to identify vulnerabilities and code smells.

What is most valuable?

All the features of the solution are quite good.

What needs improvement?

New plug-ins should be integrated into SonarCloud to give more flexibility to the product.

For how long have I used the solution?

I have been using the solution for the last couple of years.

What do I think about the stability of the solution?

I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I rate the product’s scalability as an eight out of ten. Currently, not many teams are using the product. We are trying to increase the number of users.

How was the initial setup?

The first time, the initial setup was complicated. It got easier once we got used to it.

What about the implementation team?

The deployment took around one to two hours.

What's my experience with pricing, setup cost, and licensing?

The solution is cheaper than other products.

What other advice do I have?

We have not been able to use the product extensively. I would recommend the solution to others. It'll really help the developers to increase their development speed. Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Thomas Boltze - PeerSpot reviewer
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.
Real User
May 14, 2023
Works well with very good integrations and pipelines
Pros and Cons
  • "Can tweak rules and feed them into our build pipelines."
  • "Currently requires multiple tools, lacking one overall tool."

What is our primary use case?

Our use case of SonarQube is to analyze code quality and to implement quality gates in our build pipelines.

What is most valuable?

The ability to tweak the rules and feed them into our build pipelines so that they can become an integral part of those pipelines is a valuable feature. This product works really well, the integrations and pipelines are good.

What needs improvement?

SonarQube currently requires multiple tools. I'd like to have the ability to use one tool overall. 

For how long have I used the solution?

We've been using this solution for a few years. 

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

The solution is scalable. 

What's my experience with pricing, setup cost, and licensing?

We pay a very reasonable, annual licensing fee. 

What other advice do I have?

My recommendation is to just go with this out-of-the-box rule set first. Don't try to tweak them and learn what they mean. First learn what the alerts mean and then slowly tweak it to your specific use cases.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SenthuranPooranananthan - PeerSpot reviewer
Senior Director of DevOps at Asset Works
Real User
Apr 26, 2022
Beneficial vulnerability discovery, simple to maintain, and proactive support
Pros and Cons
  • "The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, you can eliminate the problem at the developer level rather than identifying the problem in the productions."
  • "SonarCloud can improve the false positives. Sometimes the gates act a little weird. We then need to manually go and mark the false positive."

What is our primary use case?

SonarCloud is used for application security testing. You can bring the use cases into the pull request level and eliminate the problem in the developer's feature branch itself. The largest use case is that if developers are writing code and the code has any vulnerabilities or problems, you receive the feedback at the pull request level.

What is most valuable?

The most valuable features of SonarCloud are the ability to discover vulnerabilities, security weak points, security hotspots, and all the feedback that comes into the feature branch. You can deploy the code with the security, and you can eliminate the problem at the developer level rather than identifying the problem in production.

Having SonarCloud on the cloud, there is no maintenance because they patch everything. It's easy to maintain, but it may be a problem for very large organizations because of some of the false positives, and you may need to be very cautious in very large enterprises. The solution is best suited for startups and mid-size companies.

It supports the monorepo and multi-repo approaches, and overall they're always improving. Initially, they did not support monorepos; now they have started supporting the monorepo approach, which is a benefit.

What needs improvement?

SonarCloud can improve the false positives. Sometimes the gates act a little weird. We then need to manually go and mark the false positive.

For how long have I used the solution?

I have used SonarCloud for approximately five years.

What do I think about the stability of the solution?

SonarCloud is very stable, it does not go down.

What do I think about the scalability of the solution?

Having SonarCloud in the cloud gives us a lot of scalability.

We have approximately 100 to 150 developers and others at the management level using this solution. Now we educate at the management level. Even they take a look and see what gates are failing because it's a nice UI. Anybody can easily see what's going on with the solution in terms of many aspects, such as security and reliability.

How are customer service and support?

SonarCloud has community support, but not technical support. They frequently reach out to us and ask if we are happy or if we have any problems, if so, they can escalate it to the account manager. They have good support.

What's my experience with pricing, setup cost, and licensing?

The price of SonarCloud is not expensive; it goes by the lines of code. 1 million lines of code are approximately 4,000 USD per year. If you need 2 million lines of code, you would double the annual cost.

What other advice do I have?

My advice to others would be to work out an appropriate gate that is meaningful. If your project has many problems, you can set the bar high, in a way where the gate forms are the same, and lower the threshold as you progress.

I rate SonarCloud an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user