Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill
Real User
A stable solution for analysis and security vulnerability checking
Pros and Cons
  • "It is a very good tool for analysis and security vulnerability checking."
  • "The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."

What is our primary use case?

We use SonarQube to scan our security protection.

What is most valuable?

It is a very good tool for analysis and security vulnerability checking.

What needs improvement?

The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.

For how long have I used the solution?

I have been using this solution for a couple of weeks.

Buyer's Guide
SonarQube
March 2024
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

We haven't evaluated its scalability.

How are customer service and support?

I just use our internal IT to get support for SonarQube. That is enough for me.

Which solution did I use previously and why did I switch?

We were previously using Coverity. We used it for three years or so.

How was the initial setup?

We just use the Enterprise SonarQube instance provided by our company.

What other advice do I have?

I would recommend this solution. I would rate SonarQube an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi
Real User
Top 5 Leaderboard
Reasonably priced, provides good code coverage and improves quality
Pros and Cons
  • "The code coverage feature is very good."
  • "If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time."

What is our primary use case?

We use SonarQube for determining code coverage, finding bugs, and searching for security-related issues in our development environment.

What is most valuable?

The code coverage feature is very good.

What needs improvement?

When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.

SonarQube needs some improvement in its ability to find security-related issues.

For how long have I used the solution?

I have been using SonarQube for the past seven or eight years.

What do I think about the stability of the solution?

We have not found any bugs or had trouble with stability. We have had some minor hiccups, here and there, but otherwise, we are fine.

What do I think about the scalability of the solution?

We have not found any issues with respect to scalability. 

How are customer service and technical support?

I have not personally been in contact with technical support. I believe that our team recently had contact with them when we migrated to the newer version, and we received help from their support agent.

Which solution did I use previously and why did I switch?

I have also used Veracode and when comparing the two, I find that Veracode is better at finding security-related issues during the static code analysis. At the same time, during my PoC with Veracode, they did not claim to be able to provide everything that SonarQube does. 

How was the initial setup?

I was not involved in the initial setup. However, I do know that it can be set up within one or two days.

What about the implementation team?

We have an in-house team for deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

I am satisfied with the pricing.

What other advice do I have?

In general, I am very satisfied with SonarQube and I highly recommend it. If you are looking for full coverage and quality improvement then it is the best product to use.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Product Manager at a financial services firm with 10,001+ employees
Real User
Less false positive scans, covers entire developer community, but support could improve
Pros and Cons
  • "When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis."
  • "SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers."

What is our primary use case?

SonarQube delivers a continuous inspection of code quality.

What is most valuable?

When comparing other static code analysis tools, SonarQube has fewer false-positive issues being reported. They have a lot of support for different tech stacks. It covers the entire developer community which includes Salesforce or it could be the regular Java.net project. It has actually sufficed all the needs in one tool for static code analysis.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

The stability of SonarQube is good.

What do I think about the scalability of the solution?

I have found SonarQube to be scalable.

How are customer service and support?

SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.

How was the initial setup?

SonarQube is very user-friendly and it works for all tech stacks. It should be easy for any kind of integrations that you need to build. Additionally, SonarQube comes with a lot of in-house APIs.

What other advice do I have?

I rate SonarQube a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager, Software Development Engineering at a computer software company with 51-200 employees
Real User
Does well in scanning and vulnerability; lacking in some specific SAST capabilities
Pros and Cons
  • "Provides local scanning for developers."
  • "Dynamic scanning is missing and there are some issues with security scanning."

What is our primary use case?

I'm a software development engineer and we are customers of SonarQube. 

What is most valuable?

SonarQube does SAST and SCAs pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.  

What needs improvement?

SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

The solution is quite stable. 

How are customer service and technical support?

We don't have contact with technical support; any issues are solved by our operations team.

How was the initial setup?

The initial setup wasn't too complicated. We have a number of teams of developers and around 150 users together with an operations team who maintain the infrastructure. From a user perspective we scan at least once a day. 

Which other solutions did I evaluate?

I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx. 

What other advice do I have?

I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there.

I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.  

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer at a pharma/biotech company with 201-500 employees
Real User
Good static code analysis and benchmarking but the library could support more languages
Pros and Cons
  • "The most valuable features are the segregation containment and the suspension of product services."
  • "I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production."

What is our primary use case?

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

What is most valuable?

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

What needs improvement?

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that we are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

The stability is good. 

The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.

What do I think about the scalability of the solution?

Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently. 

We have 50 developers' licenses.

There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.

It is integrated with our CICD department and is being used extensively.

We do have plans to increase the usage of SonarQube.

Which solution did I use previously and why did I switch?

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

We did not use a vendor team, it was done by us.

What's my experience with pricing, setup cost, and licensing?

The developer edition is based on cost per lines of code.

Which other solutions did I evaluate?

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

What other advice do I have?

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.

The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.

I would rate this solution a six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Evgen Gulak - PeerSpot reviewer
Head of IT Security Department at an energy/utilities company with 5,001-10,000 employees
Real User
Simple implementation, effective scanning, and tracking
Pros and Cons
  • "SonarQube is useful for controlling all of our Azure task tracking and scanning."
  • "SonarQube could improve by adding automatic creation of tasks after scanning and more support for the Czech language."

What is our primary use case?

We are using SonarQube for static analyzing and finding vulnerabilities in our code.

What is most valuable?

Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

What needs improvement?

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

For how long have I used the solution?

I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?

SonarQube is a highly stable solution.

What do I think about the scalability of the solution?

I have found SonarQube to be scalable.

We have 20 to 25 specialists using SonarQube in my organization.

We have plans to increase the usage of the solution.

How are customer service and support?

We search Google for solutions to any problems we may face.

How was the initial setup?

The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment (CI/CD).

What about the implementation team?

We did the implementation of the solution ourselves.

We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project and we have in total about 20 projects.

What's my experience with pricing, setup cost, and licensing?

The free version of SonarQube does everything that we need it to.

Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

What other advice do I have?

I highly recommend this solution to others.

I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director IT Security, CISO at a transportation company with 10,001+ employees
Real User
Cost-effective with good out-of-the-box features
Pros and Cons
  • "I like the by-default policies that are there, as they seem to cover most of what I need."
  • "The interface could be a little better and should be enhanced."

What is our primary use case?

I have used SonarQube for static code analysis. I am using it to assess my internal applications.

What is most valuable?

I like the by-default policies that are there, as they seem to cover most of what I need. I see that as an essential feature.

What needs improvement?

The interface could be a little better and should be enhanced.

More support for integration with third-party products would be an improvement.

For how long have I used the solution?

I have been using SonarQube for more than five years.

What do I think about the stability of the solution?

I have not faced any bugs or glitches in SonarQube.

How are customer service and technical support?

I have not been in contact with technical support, although my teams would have definitely reached out.

How was the initial setup?

I would not say that the initial setup was complex, although it was not smooth enough. This was a mixed, hybrid setup because every environment has its own applications to deploy. That said, it was not so critical that we were not able to manage it.

What about the implementation team?

We have an in-house team in charge of maintenance. I have four people who are on payroll and an augmented staff of three more.

What's my experience with pricing, setup cost, and licensing?

SonarQube is an open-source product that can be used free of charge. It is a cost-effective solution.

Which other solutions did I evaluate?

You cannot really compare this product to commercial solutions. However, the features that it provides out of the box are very good.

When it comes to other technologies, such as the Checkmarx of the world, they are better than SonarQube. This is something that they should look at as this project evolves.

What other advice do I have?

This product is leading its class in the open-source community. It is absolutely a product that I can recommend. I think that digital organizations that have budget constraints should look at this technology, and then they can evolve it as per their needs.

In the future, I may look into deploying SonarQube in a hybrid model.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user713202 - PeerSpot reviewer
Vice President at a financial services firm with 1,001-5,000 employees
Real User
Good reporting and works well for code timing, but is lacking in the security space
Pros and Cons
  • "If you want to have your code scanned and timed then this is a good tool."
  • "The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."

What is our primary use case?

We primarily use this solution for code quality purposes. We have a CICD environment, without a lot of manual steps.

How has it helped my organization?

This solution figures out and tells you when there are code quality issues.

What is most valuable?

The quantification and reporting features are really good. 

What needs improvement?

The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.

The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.

We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time. 

For how long have I used the solution?

Two years.

What do I think about the stability of the solution?

We have been using this for quite a number of applications, and its stability is very good. The scan time is very fast because it is a text-based scan.

What do I think about the scalability of the solution?

We have not had any problems with scalability. We have a big organization with a lot of applications and all of our critical applications are on this platform. We are planning to increase the scope by adding less critical applications over time.

Which solution did I use previously and why did I switch?

We were using some other products, but not on an enterprise level. There were several locally developed applications, but when we tried to consolidate all of these into an enterprise-level solution, we opted for this.

How was the initial setup?

The initial setup was not complex. It is pretty simple and straightforward.

What's my experience with pricing, setup cost, and licensing?

The costs for this application, for the kind of job it does, are pretty decent.

What other advice do I have?

This product is good but it is not meant to be a single solution for all issues.

If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong.

I would rate this solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.