We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.
Independent Professional at Studio Dott. Ing. Angelo Quaglia
Useful dashboard, user-friendly, and effective drill down ability
Pros and Cons
- "The most valuable features are the dashboard, the ability to drill down to the code, user-friendly, and the technical debt estimation."
- "The implementation of the solution is straightforward. However, we did have some initialization issues at the start of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
What is our primary use case?
How has it helped my organization?
Our developers are learning how to improve their code.
What is most valuable?
The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.
What needs improvement?
The Enterprise edition has the additional features we need, but of course we have to pay for that.
Buyer's Guide
SonarQube
October 2025
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
873,003 professionals have used our research since 2012.
For how long have I used the solution?
I have been using SonarQube for approximately three months.
What do I think about the stability of the solution?
SonarQube is a reliable solution.
What do I think about the scalability of the solution?
I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.
How are customer service and support?
I have not needed to contact technical support.
I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.
What about the implementation team?
We have a different group that is managing the SonarQube installation and setup.
What's my experience with pricing, setup cost, and licensing?
For SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off.
I don't know the global figure but they are asking each director general approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.
Which other solutions did I evaluate?
No.
What other advice do I have?
My advice to others would be to take a look at the community edition of SonarQube because it might be enough for their use case.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Project Manager at a manufacturing company with 1,001-5,000 employees
Great features, good code quality parameters, and is easy to set up
Pros and Cons
- "There's plenty of documentation available to users."
- "There needs to be a shareable reporting piece or something we can click and generate easily."
What is our primary use case?
We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured and whatever gates we have defined are passed before committing the code into the main branch.
What is most valuable?
I like almost all of the features. We were initially using all these techniques by using different tools.
The vulnerabilities and the code quality parameters are really important for us.
The initial setup is easy.
There's plenty of documentation available to users.
The solution is stable.
The scalability is good.
What needs improvement?
The only feature which I think is lagging is the reporting, to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.
For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.
The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.
What do I think about the stability of the solution?
The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.
What do I think about the scalability of the solution?
We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with the Visual Studio using SonarLint. That works really well.
We plan on expanding and need more licenses.
How are customer service and support?
When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required from us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation.
How was the initial setup?
The initial setup is really straightforward. The support from SonarQube is really good. Enough documentation is also available. It's really straightforward to figure out how to do it.
What's my experience with pricing, setup cost, and licensing?
We purchased a SonarQube developer license. We do not have the enterprise version.
We pay for licensing on a yearly basis.
On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source, the open-source almost provides similar functions. Of course, there is some additional language support, among other things; however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.
What other advice do I have?
We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional language support onboard. That is actually helpful for us. Overall, it's going really well.
The overall look and feel, the way of presenting the information, is really nice - including the way we can assign items. Everything looks okay. I also already integrated the API of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps.
I'd rate the solution at a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director at PepsiCo
Scalable, good technical support, but multiple application project option needed
Pros and Cons
- "We have worked with the support from SonarQube and we have had good experiences."
- "We had some issues scanning the master branch, but when we upgraded to version 7.9 we noticed it does scan the master branch, although we had to do a workaround for it to happen. This process could be improved in a future release."
What is our primary use case?
SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.
How has it helped my organization?
The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.
What needs improvement?
We had some issues scanning the master branch, but when we upgraded to version 7.9 we noticed it does scan the master branch, although we had to do a workaround for it to happen. This process could be improved in a future release.
What we are seeing is that for some of the JavaScript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.
In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application; this would be really helpful.
For how long have I used the solution?
I have been using SonarQube for approximately two years.
What do I think about the scalability of the solution?
The solution is scalable.
We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used.
There are a lot of people using this solution in my organization because they are able to scan directly from their IDEs.
How are customer service and technical support?
We have worked with the support from SonarQube and we have had good experiences.
How was the initial setup?
The initial setup was simple. When we did the upgrade, it took our team approximately two hours.
What about the implementation team?
Our internal team did the implementation of the solution.
What's my experience with pricing, setup cost, and licensing?
We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned and this is why we are going to purchase a license for an increased amount.
What other advice do I have?
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality, and this tool helped.
The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily.
I rate SonarQube a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Technology Security at a consultancy with 10,001+ employees
A stable solution that needs to make its enterprise version and support available to users in Thailand
Pros and Cons
- "The initial setup is simple. It requires some security, but it's simple."
- "We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer."
What is our primary use case?
We use the solution for the software scan and integrate the application, which is a dependency check for the scan. Our customers send us the already developed solution for functional tests and security scans.
What is most valuable?
Firstly, the integration with the pipeline is good. If you have the FICO pipeline integrated already, the depth of the pipeline will be good. Secondly, the solution is easy to understand. It took little time to learn and understand how to use data.
What needs improvement?
SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears in the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.
For how long have I used the solution?
I have been using SonarQube for a year.
What do I think about the stability of the solution?
It is a stable product. I rate it seven out of ten.
What do I think about the scalability of the solution?
I didn't have any scalability issues when we used the pipeline. But downloading the code and doing this again on a local laptop is quite slow, especially when somebody needs to try some code in a big and complex project. It takes about four to six hours. I don't know why it takes so long on a local laptop because it works fine in the integrated pipeline. For support in the integration pipeline, it could be nine or ten, but if it is on a local laptop, I think it would be only five.
How are customer service and support?
As we are using the free version, there is no technical support available. But the documentation support is okay for us. We read it depending on the website, but we cannot escalate the issue to the SonarQube provider.
Which solution did I use previously and why did I switch?
I used the Micro Focus Fortify, but the performance integration in the pipeline is faster in SonarQube. But in Fortify, the support is better as it is a commercial product, and we paid for it, so we can complain and get feedback in case of any issue. We complain if anything needs to be fixed, and they accept and fix it, but SonarQube does not have such a platform.
How was the initial setup?
The initial setup is simple. It requires some security, but it's simple. It has some community to help with the technical information, and the technical team of the solution is also okay. It takes one or two hours to deploy. I was not involved in the integration in the pipeline, but I was involved in the solution installed on the local laptop.
What's my experience with pricing, setup cost, and licensing?
I do not know about the pricing as I am using the community edition, which is free. But I compared the pricing with Sigma, and it is higher than SonarQube.
What other advice do I have?
If you need the support of SonarQube, then use the enterprise version.
SonarQube should have a foundation in Thailand so that we can buy the enterprise version and get support. Secondly, SonarQube still does not support many languages, but I am still determining which ones. So if these two can be improved, it will be good.
I rate it seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
VP Business Development North America at Geko
Can be installed locally, is stable and easy to implement
Pros and Cons
- "The solution can be installed locally."
- "It would be helpful if notifications could go out to an extra person."
What is our primary use case?
We are customers of SonarCloud.
What is most valuable?
I like that the solution can be installed locally.
What needs improvement?
I'd like them to include an alert for a third person. Sometimes there are very big problems that come up, possibly a large bug report, and it would be helpful if a notification could go out to an extra person.
For how long have I used the solution?
I've been using this solution for about three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
I believe the solution is scalable. For now, we have 20 users but we are planning to expand usage.
How was the initial setup?
I wasn't involved in the setup but I believe it was relatively easy.
What other advice do I have?
I rate this solution nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Code quality assurance solution that supports many coding languages
Pros and Cons
- "This solution has helped with the integration and building of our CI/CD pipeline."
- "For improvement, this solution could be offered on Docker and the cloud and the support for this solution could be improved. Customizing rules could also be made simpler."
What is our primary use case?
We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.
How has it helped my organization?
This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, .NET, TypeScript and HTML/CSS. It also allows us to set custom quality gates and rules.
What needs improvement?
This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler.
For how long have I used the solution?
I have used this solution for three years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This solution could be scalable, specifically from a reporting perspective.
How are customer service and support?
I would rate the customer support for this solution a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously used Checkmarx, Blackbelt and WhiteSource.
What was our ROI?
We have experienced a good return on investment using this solution.
What other advice do I have?
This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head of Quality Engineers/Automation Architect at a tech company with 201-500 employees
Quick deployment, scales well, and accurate reports
Pros and Cons
- "The reports from SonarCloud are very good."
- "We had some issues with the scanner."
What is our primary use case?
We use SonarCloud for all our 20 repositories, and we connect to SonarCloud from the Bitbucket pipeline.
What is most valuable?
The reports from SonarCloud are very good.
What needs improvement?
We had some issues with the scanner.
For how long have I used the solution?
I have been using SonarCloud for approximately three weeks.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
SonarCloud is scalable.
We plan to increase our package to the enterprise edition and decrease the lines of code in the future.
How are customer service and support?
We have not needed the support at this time.
Which solution did I use previously and why did I switch?
We previously used Codacy. We switched to SonarCloud because of their good reputation, and we compared reports from both of them. SonarCloud seems to be more accurate. However, Codacy has a simpler installation. SonarCloud has more steps involved.
How was the initial setup?
The solution is straightforward to implement. Some of the implementations can be quick.
The installation of the framework was a bit difficult; it could be improved.
What's my experience with pricing, setup cost, and licensing?
The price of SonarCloud could be less expensive. We are using the community version and the price should be more reasonable.
We have purchased a license for 2 million lines of code. However, we have 10 million lines of code, but it would be too costly for us to have a license for the full amount.
What other advice do I have?
I would recommend SonarCloud to others.
I rate SonarCloud a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Development Team Lead at a financial services firm with 1,001-5,000 employees
IDE plugins are easy to use and integrate
Pros and Cons
- "Some of the most valuable features have been being up to date with the latest OWASP, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration."
- "SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
What is our primary use case?
I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script.
SonarQube is deployed on-premises.
What is most valuable?
Some of the most valuable features have been being up to date with the latest OWASP, the monitoring, the reporting, and the ease of use of the IDE plugins, in terms of integration.
What needs improvement?
SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see.
For how long have I used the solution?
I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year.
What do I think about the stability of the solution?
So far, we are happy and haven't had any issues with stability.
The only maintenance this product needs, for now, is just updates and patches.
SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC.
What do I think about the scalability of the solution?
SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet.
At this point, there are at least 300 people in my company who are working with SonarQube.
Which solution did I use previously and why did I switch?
I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking.
How was the initial setup?
The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month.
What about the implementation team?
We implemented this solution through an in-house team.
What's my experience with pricing, setup cost, and licensing?
Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs.
What other advice do I have?
I rate SonarQube an eight out of ten.
To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.