IT Central Station is now PeerSpot: Here's why
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Real User
Top 20
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
  • "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
  • "The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."

What is our primary use case?

We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

How has it helped my organization?

Our developers are learning how to improve their code.

What is most valuable?

The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

What needs improvement?

The Enterprise edition has the additional features we need, but of course we have to pay for that.

Buyer's Guide
SonarQube
July 2022
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
620,600 professionals have used our research since 2012.

For how long have I used the solution?

I have been using SonarQube for approximately three months.

What do I think about the stability of the solution?

SonarQube is a reliable solution.

What do I think about the scalability of the solution?

I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

How are customer service and support?

I have not needed to contact technical support.

I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

What about the implementation team?

We have a different group that is managing the SonarQube installation and setup.

What's my experience with pricing, setup cost, and licensing?

SonarQube enterprise, I am not sure of the price but from what I understand they are charging a fee. It's is not clear if it is an annual fee or a one-off. 

I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

Which other solutions did I evaluate?

No.

What other advice do I have?

My advice to others would be to take a look at the community edition of the SonarQube because it might be enough for their use case.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
DevSecOps Lead at a tech services company with 11-50 employees
MSP
Top 20
Detects problems before source code is even compiled, but improvements are needed to reduce the false positives
Pros and Cons
  • "Before you even compile, it can catch known vulnerability issues or patterns."
  • "Our developers have complained about the Quality Gates and the number of false positives that this product reports."

What is our primary use case?

Our software developers use SonarQube to catch any issues that can be found by using static code analysis. My understanding is that it checks the core complexity by evaluating the coding rules to make sure of things such as the correct classes are private.

How has it helped my organization?

The developers are rejecting the idea that this product is useful.

What is most valuable?

Before you even compile, it can catch known vulnerability issues or patterns.

What needs improvement?

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

For how long have I used the solution?

We have been using SonarQube for less than six months. We have not yet onboarded it for production.

What do I think about the stability of the solution?

I have not seen any problems in terms of stability, although it has not been onboarded yet. Once that happens, we may see more problems.

What do I think about the scalability of the solution?

We have not tried to scale yet.

How was the initial setup?

The initial setup involved downloading the open-source code and installing it in a container. 

What about the implementation team?

I was responsible for setting up this tool in our company.

What's my experience with pricing, setup cost, and licensing?

We are using the open-source version, which is available free of cost.

Which other solutions did I evaluate?

We evaluated other open-source products and found that SonarQube was the best one of the set.

What other advice do I have?

This product is regularly updated by the open-source community, although the changes are often project-specific and may not help in the general case.

I would rate this solution a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
SonarQube
July 2022
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
620,600 professionals have used our research since 2012.
Ahmed Rabea - PeerSpot reviewer
CEO at ITShare
Real User
Top 20
Good static code analysis but it's not stable and the installation is not user-friendly
Pros and Cons
  • "The static code analysis is very good."
  • "If you don't have any experience with the configuration or how to configure the files, it can be complicated."

What is our primary use case?

We use it for the static analysis of the source code to find issues or vulnerabilities.

What is most valuable?

The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.

What needs improvement?

If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

For how long have I used the solution?

I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.

What do I think about the stability of the solution?

There are issues with stability. It needs improvement.

We have four members in our organization who are using this solution.

What do I think about the scalability of the solution?

I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months, how efficient and scalable it is with large applications.

How are customer service and technical support?

I have not contacted technical support.

How was the initial setup?

The initial setup is straightforward. This solution is easy to install. It only takes five minutes.

We require a team of five to deploy and maintain it.

What about the implementation team?

I completed the installation myself.

Which other solutions did I evaluate?

We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.

Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

What other advice do I have?

The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it.

We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
ErnestoGonzalez - PeerSpot reviewer
Backend Architect at Sngular
Real User
Top 20
It has very good scalability and stability
Pros and Cons
  • "It has very good scalability and stability."
  • "We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."

What is our primary use case?

We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.

We usually deploy it in the cloud, but sometimes we also have on-premises solutions.

What is most valuable?

It has very good scalability and stability.

What needs improvement?

We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.

Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use.

Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.

For how long have I used the solution?

I have been using SonarQube for two years.

What do I think about the stability of the solution?

Its stability is very good.

What do I think about the scalability of the solution?

It has very good scalability. In my company, we have less than 15 users. They are mostly developers.

How are customer service and technical support?

I have not used the support.

Which solution did I use previously and why did I switch?

I have used Codestyle and a few other tools. SonarQube is similar to other tools.

How was the initial setup?

Its installation is a little bit complex. They can simplify the installation and make it easier.

Which other solutions did I evaluate?

We didn't evaluate other options. 

What other advice do I have?

I would rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Nachu Subramanian - PeerSpot reviewer
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5
Provides great code coverage; code security scanning could be improved
Pros and Cons
  • "The software quality gate streamlines the product's quality."
  • "Code security scanning could be improved."

What is our primary use case?

We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube. 

What is most valuable?

The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers. 

What needs improvement?

There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive. 

For how long have I used the solution?

I've been using this solution for six years. 

What do I think about the stability of the solution?

The product is stable although maintenance is a little cumbersome. 

What do I think about the scalability of the solution?

The product is scalable but there are some concerns. You need to regularly do a cleanup of the lines of codes that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance. 

How are customer service and technical support?

There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include  technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.

What's my experience with pricing, setup cost, and licensing?

Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.

What other advice do I have?

SonarQube is a very good tool for code quality.

I rate this solution a seven out of 10.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Elham-Gharegozloo - PeerSpot reviewer
Senior System Analyst at a tech services company with 1,001-5,000 employees
Real User
Top 10
User-friendly, easy to access, and it has good training documentation
Pros and Cons
  • "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
  • "Monitoring is a feature that can be improved in the next version."

What is our primary use case?

We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.

How has it helped my organization?

SonarQube simplified some of the processes and made others more complex.

What is most valuable?

The most valuable features are that it is user-friendly, easy to access, and they provide good training files. Ability to manage and customize reports. Sonar also models the relationship between packages and classes

What needs improvement?

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

For how long have I used the solution?

I have been using SonarQube for three years.

What do I think about the stability of the solution?

This solution is stable. Stability is not an issue for us.

What do I think about the scalability of the solution?

It's scalable. Scaling is not a problem.

How are customer service and technical support?

Because of the sanctions in our country, we cannot contact technical support directly.

Which solution did I use previously and why did I switch?


How was the initial setup?

The initial setup was straightforward. It was a normal installation.

It took approximately five days to deploy.

What's my experience with pricing, setup cost, and licensing?

It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.

This solution provides good features for users.

What other advice do I have?

Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also.

If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Anuja S - PeerSpot reviewer
Program Manager at a computer software company with 1,001-5,000 employees
Real User
Stable, beneficial code review, and efficient
Pros and Cons
  • "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
  • "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."

What is our primary use case?

We are using SonarQube for code reviews. 

How has it helped my organization?

Code quality improvement, Secure coding pracitices 

What is most valuable?

The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

What needs improvement?

NA

For how long have I used the solution?

I have been using SonarQube for approximately five years.

What do I think about the stability of the solution?

The solution is stable.

How are customer service and support?

I have not needed to use technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

How was the initial setup?

I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

What about the implementation team?

The solution does not require any maintenance.

What other advice do I have?

SonarQube fits my purpose. It doesn't cause any hassles for me.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Senior Technical Architect at a tech services company with 501-1,000 employees
Real User
Top 20
Effective vulnerability scanning, good support, and simple setup

What is our primary use case?

We are using SonarQube for scanning our services for issues as part of our IT department.

What is most valuable?

SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues. 

What needs improvement?

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

For how long have I used the solution?

I have been using SonarQube for approximately three years.

What do I think about the stability of the solution?

SonarQube is a stable solution.

What do I think about the scalability of the solution?

I have found SonarQube to be stable. However, we have not tested it with more than one million lines of code.

We have a server that SonarQube is running on and we have approximately 50 people using it.

How are customer service and support?

We have used technical support in the past but not recently.

I would rate the support from SonarQube a four out of five.

Which solution did I use previously and why did I switch?

I have used Veracode previously.

How was the initial setup?

The initial setup is straightforward for SonarQube.

What about the implementation team?

We did the implementation in-house.

The DevOps team handles the maintenance of SonarQube.

What's my experience with pricing, setup cost, and licensing?

We are using the Developer Edition and the cost is based on the amount of code that is being processed.

What other advice do I have?

If SonarQube meets the needs of your use case then I use it.

I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.
Updated: July 2022
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.