We changed our name from IT Central Station: Here's why
Ahmed Rabea
CEO at ITShare
Real User
Top 20
Good static code analysis but it's not stable and the installation is not user-friendly
Pros and Cons
  • "The static code analysis is very good."
  • "If you don't have any experience with the configuration or how to configure the files, it can be complicated."

What is our primary use case?

We use it for the static analysis of the source code to find issues or vulnerabilities.

What is most valuable?

The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.

What needs improvement?

If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

For how long have I used the solution?

I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.

What do I think about the stability of the solution?

There are issues with stability. It needs improvement.

We have four members in our organization who are using this solution.

What do I think about the scalability of the solution?

I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months, how efficient and scalable it is with large applications.

How are customer service and technical support?

I have not contacted technical support.

How was the initial setup?

The initial setup is straightforward. This solution is easy to install. It only takes five minutes.

We require a team of five to deploy and maintain it.

What about the implementation team?

I completed the installation myself.

Which other solutions did I evaluate?

We are also evaluating Acunetix and will know what direction we want to go in the next few weeks.

Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

What other advice do I have?

The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it.

We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ErnestoGonzalez
Backend Architect at Sngular
Real User
Top 20
It has very good scalability and stability
Pros and Cons
  • "It has very good scalability and stability."
  • "We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."

What is our primary use case?

We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube.

We usually deploy it in the cloud, but sometimes we also have on-premises solutions.

What is most valuable?

It has very good scalability and stability.

What needs improvement?

We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.

Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use.

Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.

For how long have I used the solution?

I have been using SonarQube for two years.

What do I think about the stability of the solution?

Its stability is very good.

What do I think about the scalability of the solution?

It has very good scalability. In my company, we have less than 15 users. They are mostly developers.

How are customer service and technical support?

I have not used the support.

Which solution did I use previously and why did I switch?

I have used Codestyle and a few other tools. SonarQube is similar to other tools.

How was the initial setup?

Its installation is a little bit complex. They can simplify the installation and make it easier.

Which other solutions did I evaluate?

We didn't evaluate other options. 

What other advice do I have?

I would rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
564,599 professionals have used our research since 2012.
Nachu Subramanian
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
Provides great code coverage; code security scanning could be improved
Pros and Cons
  • "The software quality gate streamlines the product's quality."
  • "Code security scanning could be improved."

What is our primary use case?

We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube. 

What is most valuable?

The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers. 

What needs improvement?

There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive. 

For how long have I used the solution?

I've been using this solution for six years. 

What do I think about the stability of the solution?

The product is stable although maintenance is a little cumbersome. 

What do I think about the scalability of the solution?

The product is scalable but there are some concerns. You need to regularly do a cleanup of the lines of codes that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance. 

How are customer service and technical support?

There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include  technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.

What's my experience with pricing, setup cost, and licensing?

Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.

What other advice do I have?

SonarQube is a very good tool for code quality.

I rate this solution a seven out of 10.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Elham-Gharegozloo
Senior System Analyst at a tech services company with 1,001-5,000 employees
Real User
Top 10
User-friendly, easy to access, and it has good training documentation
Pros and Cons
  • "The most valuable features are that it is user-friendly, easy to access, and they provide good training files."
  • "Monitoring is a feature that can be improved in the next version."

What is our primary use case?

We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.

How has it helped my organization?

SonarQube simplified some of the processes and made others more complex.

What is most valuable?

The most valuable features are that it is user-friendly, easy to access, and they provide good training files. Ability to manage and customize reports. Sonar also models the relationship between packages and classes

What needs improvement?

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

For how long have I used the solution?

I have been using SonarQube for three years.

What do I think about the stability of the solution?

This solution is stable. Stability is not an issue for us.

What do I think about the scalability of the solution?

It's scalable. Scaling is not a problem.

How are customer service and technical support?

Because of the sanctions in our country, we cannot contact technical support directly.

Which solution did I use previously and why did I switch?


How was the initial setup?

The initial setup was straightforward. It was a normal installation.

It took approximately five days to deploy.

What's my experience with pricing, setup cost, and licensing?

It's a bit expensive for us. The currency rate of the dollar is a problem but it may be fine for other countries.

This solution provides good features for users.

What other advice do I have?

Before implementing, they should have more knowledge about the performance, and the features. It will be helpful in learning the hardware also.

If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have.

I would rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Anuja S
Program Manager at a computer software company with 1,001-5,000 employees
Real User
Stable, beneficial code review, and efficient
Pros and Cons
  • "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code."
  • "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."

What is our primary use case?

We are using SonarQube for code reviews. 

How has it helped my organization?

Code quality improvement, Secure coding pracitices 

What is most valuable?

The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

What needs improvement?

NA

For how long have I used the solution?

I have been using SonarQube for approximately five years.

What do I think about the stability of the solution?

The solution is stable.

How are customer service and support?

I have not needed to use technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

How was the initial setup?

I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

What about the implementation team?

The solution does not require any maintenance.

What other advice do I have?

SonarQube fits my purpose. It doesn't cause any hassles for me.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
System Quality Assurance Manager at AIS - Advanced Info Services Plc.
Real User
Top 5Leaderboard
Easy to use, stable, and installation straightforward
Pros and Cons
  • "SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
  • "The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."

What is our primary use case?

We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.

What is most valuable?

SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems.

What needs improvement?

The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.

For how long have I used the solution?

I have been using the free version of SonarQube for approximately one year and then I purchased a subscription that I have been using for the last three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution has scaled well for our needs. We have two million lines of code and we have not had a problem.

We work for a large enterprise that has approximately 1,000 IT employees.

How are customer service and technical support?

There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.

How was the initial setup?

The installation is not difficult.

What's my experience with pricing, setup cost, and licensing?

The solution has a free version and a license version. The license is priced reasonably, the cost of hiring one programmer is more expensive than the solution.

The licensing process could be improved. We need to contact purchasing to receive the key for the license but the process should be automatic, similar to a SAS purchase.

Which other solutions did I evaluate?

I have evaluated Fortify Application Defender.

What other advice do I have?

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
ITCS user
Arquitecto DevOps at a financial services firm with 1,001-5,000 employees
Real User
Top 20
Open-source, secure static testing, but cannot be used for dynamic testing
Pros and Cons
  • "It provides the security that is required from a solution for financial businesses."
  • "We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."

What is our primary use case?

We use SonarQube for testing and quality assurance. We use this in banks for testing.

We also use SonarQube for security static testing.

What is most valuable?

It provides the security that is required from a solution for financial businesses.

What needs improvement?

SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.

I would like to see software included that can be used with Waterfall projects.

Which solution did I use previously and why did I switch?

We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.

What's my experience with pricing, setup cost, and licensing?

We have partnered with B2B American to help with the purchasing of the license.

We have just been approved to purchase SonarQube Developer Edition.

We have a license with 125,000 lines of code. We did not purchase a lot of lines but it is specific to our code environment.

It's an open-source solution.

Which other solutions did I evaluate?

We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions.

We are looking for the newest technologies but the biggest stopper for us is money.

What other advice do I have?

For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation.

It has been very difficult. Last year many projects stopped.

I would rate SonarQube a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TUDOR CALINESCU
Security Project Leader at a computer software company with 501-1,000 employees
Real User
Top 20
Plenty of features, but needs multiple other products to function well
Pros and Cons
  • "I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla."
  • "We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."

What is our primary use case?

SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.

What is most valuable?

I am only interested in the security features in SonarQube. There are plenty of features other features, such as test coverage, code anomalies, and pointer access are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

What needs improvement?

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved.

For how long have I used the solution?

I have been using this solution for approximately three years.

What do I think about the stability of the solution?

There can be some stability issues.

Which solution did I use previously and why did I switch?

I have used Veracode.

Which other solutions did I evaluate?

I have evaluated many other solutions similar to SonarQube.

What other advice do I have?

I rate SonarQube a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Buyer's Guide
Download our free SonarQube Report and get advice and tips from experienced pros sharing their opinions.