We are using SonarQube for code reviews.
Stable, beneficial code review, and efficient
Pros and Cons
- "The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill and prioritization, and it is easy for me to review and make my code."
- "The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
What is our primary use case?
How has it helped my organization?
Code quality improvement, secure coding practices
What is most valuable?
The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill and prioritization, and it is easy for me to review and make my code.
What needs improvement?
NA
Buyer's Guide
SonarQube
October 2025
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
For how long have I used the solution?
I have been using SonarQube for approximately five years.
What do I think about the stability of the solution?
The solution is stable.
How are customer service and support?
I have not needed to use technical support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse, and with its standalone features for code review I have found SonarQube the most efficient.
How was the initial setup?
I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to implement it, but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me.
The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.
What about the implementation team?
The solution does not require any maintenance.
What other advice do I have?
SonarQube fits my purpose. It doesn't cause any hassles for me.
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
System Quality Assurance Manager at AIS - Advanced Info Services Plc.
Easy to use, stable, and installation straightforward
Pros and Cons
- "SonarQube is designed well, making it easy to use, simple to identify issues and find solutions to problems."
- "The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
What is our primary use case?
We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
What is most valuable?
SonarQube is designed well, making it easy to use, simple to identify issues and find solutions to problems.
What needs improvement?
The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.
For how long have I used the solution?
I have been using the free version of SonarQube for approximately one year, and then I purchased a subscription that I have been using for the last three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution has scaled well for our needs. We have two million lines of code and we have not had a problem.
We work for a large enterprise that has approximately 1,000 IT employees.
How are customer service and technical support?
There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.
How was the initial setup?
The installation is not difficult.
What's my experience with pricing, setup cost, and licensing?
The solution has a free version and a license version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution.
The licensing process could be improved. We need to contact purchasing to receive the key for the license but the process should be automatic, similar to a SAS purchase.
Which other solutions did I evaluate?
I have evaluated Fortify Application Defender.
What other advice do I have?
I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager, Software Development Engineering at a computer software company with 51-200 employees
Does well in scanning and vulnerability; lacking in some specific SAST capabilities
Pros and Cons
- "Provides local scanning for developers."
- "Dynamic scanning is missing and there are some issues with security scanning."
What is our primary use case?
I'm a software development engineer and we are customers of SonarQube.
What is most valuable?
SonarQube does SAST and SCAs pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.
What needs improvement?
SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.
For how long have I used the solution?
I've been using this solution for three years.
What do I think about the stability of the solution?
The solution is quite stable.
How are customer service and technical support?
We don't have contact with technical support, any issues are solved by our operation team.
How was the initial setup?
The initial setup wasn't too complicated. We have a number of teams of developers and around 150 users together with an operations team who maintain the infrastructure. From a user perspective we scan at least once a day.
Which other solutions did I evaluate?
I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx.
What other advice do I have?
I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there.
I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr DevOps Engineer at incatech
Open-source with great extensions and great for identifying bugs
Pros and Cons
- "It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
- "You may need to purchase add-ons to get the usability you desire."
What is our primary use case?
We use the product in our pipeline. We primarily use it as a development testing tool.
How has it helped my organization?
We can see what's being flagged by whatever requirements are in the environment that we're going to. SonarQube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. If you set up these conditions, they can tighten down the developers' coding.
What is most valuable?
It's convenient due to the fact that it's open-source.
We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus, putting something into an environment and then everything is all broken. It's a good development test tool.
Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CI/CD tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors, or it can do a lot of things. Just like Google Chrome, where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core.
For example, Fortify has some kind of special capability that they have for checking and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify, however, it's in this product at a very modular level.
What needs improvement?
The solution is still maturing a bit.
You may need to purchase add-ons to get the usability you desire.
For how long have I used the solution?
We've been using the solution for about two years at this point.
What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It's free to use.
What other advice do I have?
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow.
I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Security Engineer at a financial services firm with 10,001+ employees
Useful depth features, stable, but more programming languages needed
Pros and Cons
- "The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
- "If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful."
What is our primary use case?
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.
What is most valuable?
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make more readable code and have more flexibility for the engineers to understand how things should work when they do not know.
What needs improvement?
I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.
If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful.
In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.
For how long have I used the solution?
I have been using SonarQube for approximately four years.
What do I think about the stability of the solution?
We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for code quality scanning. I have not had any problems using the solution; it has been stable.
What do I think about the scalability of the solution?
We have approximately 15,000 engineers in my company and many of them are using this solution.
Which other solutions did I evaluate?
I have evaluated Fortify.
What other advice do I have?
I rate SonarQube a six out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Automation Practice Leader at a financial services firm with 10,001+ employees
Provides great code coverage; code security scanning could be improved
Pros and Cons
- "The software quality gate streamlines the product's quality."
- "Code security scanning could be improved."
What is our primary use case?
We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube.
What is most valuable?
The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers.
What needs improvement?
There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive.
For how long have I used the solution?
I've been using this solution for six years.
What do I think about the stability of the solution?
The product is stable although maintenance is a little cumbersome.
What do I think about the scalability of the solution?
The product is scalable, but there are some concerns. You need to regularly do a cleanup of the lines of code that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance.
How are customer service and technical support?
There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.
What's my experience with pricing, setup cost, and licensing?
Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.
What other advice do I have?
SonarQube is a very good tool for code quality.
I rate this solution a seven out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Architect at an insurance company with 1,001-5,000 employees
An open-source platform for the continuous inspection of code quality with a useful code security feature
Pros and Cons
- "I like that it helps us maintain our work quality and code security."
- "Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
What is our primary use case?
We are application support vendors, and we develop applications for our clients. To maintain code quality, we were using SonarQube, and then we presented that to our clients in order to purchase that. That's where this whole thing got started.
One thing that we were using it majorly for was our work quality. It usually helped us in automating the review and making it more gate-oriented. Recently we were able to see the latest features like security hotspots and all that.
We were trying to serve two purposes; work quality and code security, with one tool. That's where our inclination was more towards Sonar because other tools generally target code security only.
What is most valuable?
I like that it helps us maintain our work quality and code security.
What needs improvement?
Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer.
For how long have I used the solution?
I have been using SonarQube for about three or four years. However, in this organization, we have been using it for the last year or so.
What do I think about the scalability of the solution?
In Community Edition, I don't think that we have enough scalability options because it runs only on one instance, plus it runs only one scan at a time. It doesn't even provide a settings capability where multiple scans are running simultaneously. That's why we want to move to the Enterprise Edition because it gives you a possibility of parallel analysis of reports, and that could speed up things.
How are customer service and technical support?
We're using the Community Edition, and I think support comes only with the paid version. But we had an initial conversation with them, and we got our answers clarified. I certainly look forward to getting in touch with somebody from SonarCloud because I hear that they are separate entities. SonarSource people don't talk about SonarCloud. We want a contact whom we can speak to regarding our security-related concerns, privacy-related concerns, and how we can secure our code in their environment.
How was the initial setup?
The initial setup on-premise may take a while because you have to procure all the servers and do the reconfiguration yourself. But I think they have provided their steps very elaborately, and that certainly helps. However, you need to make an effort to set it up. It doesn't come with an installer, and you have to download it, extract it, then configure it to run on your server automatically with every server system. If they could have provided us with an installer setup, it could have made it much easier.
What's my experience with pricing, setup cost, and licensing?
We're using the Community Edition, and we don't pay for anything.
What other advice do I have?
On a scale from one to ten, I would give SonarQube a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Test Expert at Saudi Telecom Company
Prevents vulnerabilities, supports most languages and built-in procedures
Pros and Cons
- "I like that it covers most programming languages for source code review."
- "The BPM language is important and should be considered in SonarQube."
How has it helped my organization?
It prevents some vulnerabilities in the production environment.
What is most valuable?
I like that it covers most programming languages for source code review.
I also like the procedures that are already built-in that cover most of the items that already exist.
What needs improvement?
SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.
The BPM language is important and should be considered in SonarQube.
It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approximately 20% of the CPU utilization.
Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.
There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.
I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.
For how long have I used the solution?
We have been dealing with SonarQube for more than one year.
What do I think about the stability of the solution?
It is stable in the system environment processes.
What do I think about the scalability of the solution?
We haven't used it with the microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.
How are customer service and technical support?
We contacted technical support about the BPM and WebMethod programming language. They supported us with a fast response and provided us with a solution that was not covered on SonarQube.
Which solution did I use previously and why did I switch?
We only use SonarQube with SonarScanner.
How was the initial setup?
The initial setup is simple and straightforward.
What about the implementation team?
I am a consultant and my team completed the system server.
What's my experience with pricing, setup cost, and licensing?
I requested this license for one million lines of code and they accepted this.
I don't know what was already paid.
Which other solutions did I evaluate?
We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well.
What other advice do I have?
We are telecommunication customers, who have purchased a license. We are the largest telecommunications company in Saudi Arabia.
I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.