SonarQube Reviews

We use the product for code-based security scanning.

The platform has fewer false positives. It helps efficient code duplication concentration and integrates well with coverage tooling for generating reports. Its dashboard provides a unified view of various code quality metrics, including code duplication, unit test coverage, and security hotspots.

SonarCloud's UI needs enhancement.

We have been using SonarCloud for five years.

I rate the product's stability a ten out of ten.

We have more than 1000 SonarCloud users in our organization. It scales as per our project requirements. I rate its scalability a nine out of ten.

We have ten dedicated engineers working on the product's deployment and maintenance.

I rate the pricing a five out of ten. It has an expensive on-premise version and a community version as well.

I recommend SonarCloud and rate it an eight out of ten. Sometimes, the updates for the product's beta version are simple.

We use the solution for the software scan and integrate the application, which is a dependency check for the scan. Our customers send us the already developed solution for functional tests and security scans.

Firstly, the integration with the pipeline is good. If you have the FICO pipeline integrated already, the depth of the pipeline will be good. Secondly, the solution is easy to understand. It took little time to learn and understand how to use data.

SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.

I have been using SonarQube for a year.

It is a stable product. I rate it seven out of ten.

I didn't have any scalability issues when we used the pipeline. But downloading the code and doing this again on a local laptop is quite slow, especially when somebody needs to try some code in a big and complex project. It takes about four to six hours. I don't know why it takes so long on a local laptop because it works fine in the integrated pipeline. For support in the integration pipeline, it could be nine or ten, but If it is on a local laptop, I think it would be only five.

As we are using the free version, there is no technical support available. But the documentation support is okay for us. We read it depending on the website, but we cannot escalate the issue to the SonarQube provider.

I used the Micro Focus Fortify, but the performance integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.

The initial setup is simple. It requires some security, but it's simple. It has some community to help with the technical information, and the technical team of the solution is also okay. It takes one or two hours to deploy. I was not involved in the integration in the pipeline, but I was involved in the solution installed on the local laptop.

I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube.

If you need the support of SonarQube, then use the enterprise version.

SonarQube should have a foundation in Thailand so that we can buy the enterprise version and get support. Secondly, SonarQube still does not support many languages, but I am still determining which ones. So if these two can be improved, it will be good.

I rate it seven out of ten.

We are customers of SonarCloud.

I like that the solution can be installed locally. 

I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person. 

I've been using this solution for about three years. 

The solution is stable. 

I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage. 

I wasn't involved in the setup but I believe it was relatively easy. 

I rate this solution nine out of 10. 

We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

This solution has helped with the integration and building of our CICD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports including Java, dotNET, Typescript and HTML CSS. It also allows us to set custom quality gates and rules.

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

I have used this solution for three years. 

This is a stable solution. 

This solution could be scalable, specifically from a reporting perspective. 

I would rate the customer support for this solution a seven out of ten. 

Neutral

I have previously used Checkmarx, Blackbelt and WhiteSource.

We have experienced a good return on investment using this solution. 

This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.

I would rate this solution an eight out of ten. 

We use SonarCloud tools for all our 20 repositories and we are connecting the SonarCloud, from the Bitbucket pipeline.

The reports from SonarCloud are very good.

We had some issues with the scanner.

I have been using SonarCloud for approximately three weeks.

The solution is stable.

SonarCloud is scalable.

We plan to increase our package to the enterprise edition and decrease the lines of code in the future.

We have not needed the support at this time.

We previously used Codacy. We switch to SonarCloud because of their good reputation and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.

The solution is straightforward to implement. Some of the implementations can be quick.

The installation of the framwork was a bit difficult, it could be improved.

The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.

We have purchased a license for 2 million lines of code. However, we have 10 million lines of code but it would be too costly for us to have a license for all the amount.

I would recommend SonarCloud to others.

I rate SonarCloud a nine out of ten.

I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. 

SonarQube is deployed on-premises. 

Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year. 

So far, we are happy and haven't had any issues with stability.

The only maintenance this product needs, for now, is just updates and patches. 

SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC. 

SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. 

At this point, there are at least 300 people in my company who are working with SonarQube. 

I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking. 

The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month. 

We implemented this solution through an in-house team. 

Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs. 

I rate SonarQube an eight out of ten. 

To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise. 

Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having less vulnerabilities in the early stages of development. 

This solution is deployed on-premise. 

One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies—Java, C#, Python, everything—and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment, it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. 

Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the full request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities, however it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside. 

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. 

Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. 

As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer. 

I have been using SonarQube for the past three years. 

The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development. 

As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be enhanced, based on customer feedback and the tech stack, such as how we can improve performance of have a deployment with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code improvements and the product we develop. Our top considerations are quality and security, which are being improved in a continuous process. There are many new features and enhancements coming in—for example, if you want to upgrade from the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve performance. 

This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are using Ansible, Kubernetes, and Docker. 

In our organization, there are currently around 25,000 people working with SonarQube. 

We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis. 

The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes, maximum. 

We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so there are no third-parties involved in development. 

I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long time, so I would guess the pricing would be decent. 

I rate SonarQube an eight out of ten. 

To those looking to implement SonarQube, I would advise you not to run it manually—integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, the SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all—it should run automatically to the entire code base, not to your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable—like 85% or 95%—because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube. 

We are using SonarQube for code reviews. 

Code quality improvement, Secure coding pracitices 

The most valuable feature of SonarQube I have found to be the configuration that has allowed us to can make adjusts to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

NA

I have been using SonarQube for approximately five years.

The solution is stable.

I have not needed to use technical support.

Positive

I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review I have found the SonarQube most efficient.

I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to do implement it but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.

The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

The solution does not require any maintenance.

SonarQube fits my purpose. It doesn't cause any hassles for me.

I rate SonarQube a nine out of ten.