SonarQube Reviews

We use it to check the code quality of our software.

We've configured it to run on each commit, providing feedback on our software quality. The solution works quite well remotely.

We would appreciate having PNC checking, though that's only available in a more expensive license type.

There is also room for improvement in the installation process.

I have been using this solution for a couple of years.

It is a stable solution. So, no issues with stability.

We haven't had much requirement for scalability. We had a single-node instance, and that is sufficient for our needs.

We have around 13 developers using this solution. 

Another department handled the installation. We only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit.

However, maintenance is actually quite easy. It requires a couple of people.

We used some main code quality tools before, along with certain plugins. SonarQube is better due to its integrated nature and easier management. There is no hassle to keep everything up to date.

I would definitely recommend using the solution.

Overall, I would rate the solution an eight out of ten. While I'm satisfied with the product, there's always room for improvement.

I work on vulnerability management. I use the security features in SonarQube. I also use Veracode. I use both solutions to verify each other’s results.

We see the security issues in our solutions with the help of the product. It helps us improve the solutions.

There are many options and examples available in the tool that help us fix the issues it shows us.

The product must improve security analysis. It must introduce software composition analysis in future releases.

I have been using the solution for three years or more. I am using the latest version of the solution.

I rate the tool’s stability a nine out of ten.

I rate the tool’s scalability a seven out of ten.

The solution is deployed on the cloud.

We have seen an ROI because we are avoiding rework. The product helps us to fix security and quality.

The product’s price is lower than Veracode’s price.

Veracode is more efficient in security analysis. It also has software composition analysis features. So, it would be difficult for SonarQube to compete with Veracode.

There are a lot of functions and features in SonarQube. I would recommend the product to others. Overall, I rate the tool an eight out of ten.

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports including Java, dotNET, Typescript and HTML CSS. It also allows us to set custom quality gates and rules.

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

I have used this solution for three years. 

This is a stable solution. 

This solution could be scalable, specifically from a reporting perspective. 

I would rate the customer support for this solution a seven out of ten. 

Neutral

I have previously used Checkmarx, Blackbelt and WhiteSource.

We have experienced a good return on investment using this solution. 

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

I have been using SonarQube for approximately two years.

SonarQube is a highly stable solution.

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

We search Google for solutions to any problems we may face.

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment(CI/CD). 

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

We find it very similar to Fortify and has the same advantages. 

The web interface is very good. 

We have found the solution to be stable. 

The solution offers a very good community edition.

There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

I've used the solution for three years. I've used it for a while now. 

In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze. 

I've never used technical support. I can't talk about how helpful they are, never spoken with them personally.

If I do need to troubleshoot, I tend to rely on the community and search for answers there. 

We've also used Fortify.

I didn't participate in the installation process. I can't speak to how easy or difficult the process was. 

I use the community version of the product.

We are a customer and an end-user.

I'd rate the solution at a seven out of ten. It's mostly reliable. 

This solution has the capability to analyze source code in almost all the languages in the market.

This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.

I have used this solution for ten years. 

This is a stable solution. 

This is a scalable solution. We have been using it for all of our critical projects. 

I have never made the calculations to understand the real value of this solution but I know that the return of investment is very good. If not, we wouldn't have continued to use it for the past 10 years.

As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool. 

This solution has evolved a lot in the last ten years. 

It comes with good DevOps implementation and security, which is a big problem today. 

SonarQube delivers a continuous inspection of code quality.

When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.

I have been using SonarQube for approximately two years.

The stability of SonarQube is good.

I have found SonarQube to be scalable.

SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.

SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.

I rate SonarQube a seven out of ten.

I use the solution for static code analysis and to identify vulnerabilities and code smells.

All the features of the solution are quite good.

New plug-ins should be integrated into SonarCloud to give more flexibility to the product.

I have been using the solution for the last couple of years.

I rate the stability an eight out of ten.

I rate the product’s scalability as an eight out of ten. Currently, not many teams are using the product. We are trying to increase the number of users.

The first time, the initial setup was complicated. It got easier once we got used to it.

The deployment took around one to two hours.

The solution is cheaper than other products.

We have not been able to use the product extensively. I would recommend the solution to others. It'll really help the developers to increase their development speed. Overall, I rate the solution an eight out of ten.