SonarQube Room for Improvement

Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line.

The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

View full review »
HimanshuSharma - PeerSpot reviewer
General Manager at Dalmia Bharat Group

There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.

View full review »
Chetan Jayatheertha - PeerSpot reviewer
Lead DevOps Consultant at itcinfotech

We would like to have more visibility and more documentation, starting with the installation. It needs to be more standardized and explain all the features. We'd also like to get an idea of the level of stability we can get for our larger-sized projects. The notifications from the channel queue can be improved including email notifications. We currently rely on getting those notifications passed onto us and that should not be the case. The customization of different languages would also be helpful. If all the above could be implemented, SonarQube would be the best vulnerability security scanning tool.

View full review »
Buyer's Guide
SonarQube
March 2024
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.
SG
Lead Engineer at a healthcare company with 10,001+ employees

The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple.

They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there.

In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.

View full review »
SR
Technology Manager at Publicis Sapient

There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.

View full review »
Devid William - PeerSpot reviewer
Application Security Architect at Banco Votorantim

The product must improve security analysis. It must introduce software composition analysis in future releases.

View full review »
MarkRyall - PeerSpot reviewer
Strategist Individual Contributor at Peraton

There could be better integration with other products.

It could have more functionality, and the updates could be faster.

People must be trained extensively before they can use it.

View full review »
Jayashree Acharyya - PeerSpot reviewer
Director at PepsiCo

We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release.

What we are seeing is for some of the Javascript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process.

In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application, this would be really helpful.

View full review »
WW
System Quality Assurance Manager at AIS - Advanced Info Services Plc.

The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.

View full review »
Gert Kersten - PeerSpot reviewer
Software Developer at BKWI

We would appreciate having PNC checking, though that's only available in a more expensive license type.

There is also room for improvement in the installation process.

View full review »
Thomas Boltze - PeerSpot reviewer
Cloud Architecture Head at PagoNxt Merchant Solutions S.L.

SonarQube currently requires multiple tools. I'd like to have the ability to use one tool overall. 

View full review »
AF
Senior Security Engineer at a financial services firm with 10,001+ employees

I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but if there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful.

If there was an official Docker image of SonarQube that could easily integrate into the pipeline would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update but it would be very helpful.

In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.

View full review »
AS
Information Technology Security at a consultancy with 10,001+ employees

SonarQube has a community edition and an enterprise edition. The community edition is free, but the enterprise edition is not. In Thailand, we cannot use the enterprise edition because there are no resellers in Thailand. So we found many issues, like when you scan some source code, and if it's a problem, it appears the tool that we need to fix, but after our manual review, we found that we already did have something there. For example, it improves validation. But we did not get the input as it was already validated in another library. We called support and complained but have not received any information as we use the free version. We had to fix it on our own and could not escalate it to the tool's developer.

View full review »
NS
Automation Practice Leader at a financial services firm with 10,001+ employees

There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive. 

View full review »
BS
IT Developer at PT Oto Multiartha

I think the code security can be improved. Code security should comply with the standard security list. 

I would like to see the feature of Compliance Reporting added to the solution.

View full review »
LJ
System Analyst // System Architect at a tech services company with 10,001+ employees

Currently, we are doing SonarQube's validations for external configuration via XML. It would be better if SonarQube provided a good UI for external configuration.

View full review »
Angelo Quaglia - PeerSpot reviewer
Independent Professional at Studio Dott. Ing. Angelo Quaglia

The Enterprise edition has the additional features we need, but of course we have to pay for that.

View full review »
DA
Sr DevOps Engineer at incatech

The solution is still maturing a bit.

You may need to purchase add-ons to get the useability you desire.

View full review »
Daniel Antonio Jimenez Quintana - PeerSpot reviewer
IT Systems Architect at Banco Ripley

SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing.

I would like to see software included that can be used with Waterfall projects.

View full review »
Jaile Sebes - PeerSpot reviewer
Senior Software Architect at a tech vendor with 10,001+ employees

SonarQube could be improved by implementing inter-procedural code analysis capabilities, allowing for a more comprehensive detection of defects and vulnerabilities across the entire codebase.  Additional functionality that could improve SonarQube includes features like automatic code correction and AI-generated suggestions to streamline code maintenance.

View full review »
VK
Retail Sales Manager at Pine Labs

New plug-ins should be integrated into SonarCloud to give more flexibility to the product.

View full review »
reviewer1812603 - PeerSpot reviewer
Works

It should be user-friendly. I keep looking for improvements after every update. 

PeerSpot users give SonarQube an average rating of 8 out of 10. 

SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx.

The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. 

SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.

View full review »
Denis Walrave - PeerSpot reviewer
Project Leader / Technical Expert at La francaise des jeux

The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

View full review »
AN
Project Manager at a manufacturing company with 1,001-5,000 employees

The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help.

For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily.  

The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

View full review »
AE
Senior System Analyst at a non-profit with 10,001+ employees

In discussions with the security team, there are many other products that are available that perform better. The security in SonarQube could be better.

SonarQube is more about the quality checks of the source code. It allows us to do a code review but it lacks security. It could perform better.

I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issue and to be integrated with the pipeline. 

It integrates well but there is always room in this area to improve and to provide reports on the results. 

The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.

View full review »
AE
Test Expert at Saudi Telecom Company

SonarQube does not cover BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of your applications, we found that we were not able to scan the BPM code for configurations generated from the WebMethod.

The BPM language is important and should be considered in SonarQube.

It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approx 20% of the CPU utilization.

Reporting related to SonarQube only exists in the enterprise edition, and not in the Community Edition.

There are no limitations in the lines of code with the Community Edition, but with the Enterprise Version, there are limitations related to the lines of code.

I don't understand why you can use an infinite line code amount with the Community Edition and the Enterprise Edition is limited.

View full review »
Yash Brahmani - PeerSpot reviewer
Devops Engineer at BNP Paribas

There are various standards that are followed. Awareness is a must.

Product awareness is something that I would recommend. If the users are not aware of how to use the product, they won't understand the features.

View full review »
KG
Cyber Security Architect (USDA) at a government with 10,001+ employees

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

View full review »
HN
Head Section Mobile Developer at a manufacturing company with 10,001+ employees

The product needs to integrate other security tools for security scanning. 

View full review »
VD
Lead Security Architect at a comms service provider with 1,001-5,000 employees

This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler. 

View full review »
MV
Tools manager at a retailer with 10,001+ employees

SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages.

I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script. 

View full review »
RR
Manager at kellton

SonarQube could be improved with more dynamic testing—basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So the SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails—it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. 

Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually.

Aside from other helpful features, the most important thing that SonarQube needs to do—the key feature—is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. 

As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack—for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer. 

View full review »
DG
Head of Software Delivery at a tech services company with 51-200 employees

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

View full review »
SG
Lead Engineer at a healthcare company with 10,001+ employees

We've been using the Community Edition, which means that we get to use it at our leisure, and they're kind enough to literally give it to us. However, it takes a fair amount of effort to figure out how to get everything up and running. Since we didn't go with the professional paid version, we're not entitled to support. Of course, that could be self-correcting if we were to make the step to buy into this and really use it. Then their technical support would be available to us to make strides for using it better.

On the other hand, there are published books available. However, the one problem I ran into is they were a little bit out of date. They're still very helpful, but we had to kind of translate from the previous version that was covered in the published books to what's actually available now.

An improvement I would like to see would be on the part of the authors to come out with a new edition or revision that covers some of the newer features of SonarQube and newer configurations. I'd buy a copy.

In terms of additional features, it's actually a very complete solution from what we have seen. Again, I would like the authors to revise their books. I think even ordinary people that are using the licensed model with direct support could walk through some different use cases, just from having been around the block a few times. There are enough things that the software does that this could be very beneficial. Even beyond the technical issues of installation, there are further use cases that could be helpful. For instance, how to get the big bang from the buck out of it.

View full review »
AJ
DevOps Lead at a marketing services firm with 1,001-5,000 employees

SonarQube could improve its static application security testing as per the industry standard. It would be really great if I could extract the overall report that I see in the dashboard.

View full review »
Rakesh Thakur - PeerSpot reviewer
Technical Architect at a insurance company with 1,001-5,000 employees

Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer. 

View full review »
HK
Country Manager Senegal at a financial services firm with 10,001+ employees

It would be nice is SonarQube analyzed external libraries, in addition to our current code.

I would like to see more options for security, beyond the basics like SQL injection.

View full review »
RP
Infosec Consultant at Anzen Technologies

It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.

View full review »
AS
Program Manager at a computer software company with 1,001-5,000 employees
BG
Digital Solutions Architect at a tech services company with 1,001-5,000 employees

Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add on or ability to be able to do during the scan. 

In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.

View full review »
Wang Dayong - PeerSpot reviewer
Senior Software Engineering Manager at Hill

The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages.

View full review »
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi

When performing the code coverage function, there are a lot of warnings that come up and you may not have time to solve them. You need to have the ability to overrule warnings or issues because it may not be possible to commit the time to resolve them immediately. If the product could assist us with fixing issues by giving us more pointers then it would help to resolve more of the warnings without such a commitment in terms of time.

SonarQube needs some improvement in its ability to find security-related issues.

View full review »
KH
Manager, Software Development Engineering at a computer software company with 51-200 employees

SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.

View full review »
PC
Engineer at a pharma/biotech company with 201-500 employees

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

View full review »
Evgen Gulak - PeerSpot reviewer
Head of IT Security Department at a energy/utilities company with 5,001-10,000 employees

SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

View full review »
AB
Director IT Security, CISO at a transportation company with 10,001+ employees

The interface could be a little better and should be enhanced.

More support for integration with third-party products would be an improvement.

View full review »
it_user713202 - PeerSpot reviewer
Vice President at a financial services firm with 1,001-5,000 employees

The security portion of this solution needs to be improved. They do have a few rules, but I don't think that they are of much use because you cannot position it as a security scanner. I think that there is a lot more that can be done in the security space. I would like to see, for example, more security updates as part of the scan.

The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at.

We would like to be able to perform differential scans for a few modules or a few lines, rather than for the whole source code each time. 

View full review »
JI
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees

As far as code quality goes, I like it. It doesn't seem to do well when it comes to vulnerabilities on the security side. It may be that we don't have the right plugins, or we don't have the right add-ons.

View full review »
Axel Niering - PeerSpot reviewer
Software Architect Sales Systems at SV Informatik GmbH

The product's pricing could be lower. 

View full review »
LM
Systems Analyst at a manufacturing company with 5,001-10,000 employees

I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development. 

This said, we did have some trouble with the LDAP integration for the console. 

View full review »
EG
Backend Architect at Sngular

We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have.

Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use.

Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience.

View full review »
DH
Technical Architect at Dwr Cymru Welsh Water

A robust credential scanner would be a huge bonus as it would remove the need for yet another niche product with additional cost, also gives the benefit of a single pane of glass view, although we still need white source bolt for 3rd part library scanning. The integration into docker builds could be better as pulling the latest version of the scanner, setting the path and then invoking the scan is an extra overhead to manage between versions of the scanner. An apt-get and scan start with the key passed as a variable would be a nicer implementation. Have not looked into SSL for the management page yet but hoping that goes smoothly.

View full review »
VS
Product Security Architect at a tech services company with 51-200 employees

SonarQube is not development-centric like Snyk. The product gives an IDE plug-in called SonarLint. It needs to be expanded more. SonarLint is very limited.

View full review »
SP
Deputy Manager Quality Assurance at eInfochips

Technical support and the price could be better.

View full review »
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG

We have to combine several products in order to cover as many flaws that might exist in the code. We have to integrate several products to set the security functionality of the product. SonarQube should have better functionality to cover all areas of security limiting our need for other products.

We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved.

View full review »
PD
Manager at a wireless company with 11-50 employees

I haven't really done a comparative analysis yet.

We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side, nothing major.

Kubernetes is a container-based run-time that works with Docker in terms of container-based applications, so we're a microservice based solution. Microservices are contained inside these containers which are managed by a run-time called Kubernetes. Kubernetes comes out of a Google enterprise. It's used by organizations like Netflix and apps to do continuous development deployment and use integration and development. It means that your container has this application lodging, around which all of the user authentication, run-time controls, and communications integration are handled by Kubernetes.

For instance, an application doesn't really see its DNS at all. It's completely abstract in a way. It is layers away from a virtual hardware. What it does is abstract that patient component into a nice package of business logic that is managed in a dynamic container, which takes care of all the run-time and communication issues that normally become a lot of the configuration overhead of an application.

Once you get your Kubernetes environment behind and organized, that forms a very efficient way to introduce these microservices in a dynamic way and to easily integrate and upgrade components rather than applications. You're much more granular in terms of your release capabilities and much more efficient in terms of how it's released and managed.

I would rate this around seven out of ten, because it has what we need, and it's easy to use.

View full review »
it_user100635 - PeerSpot reviewer
Technical Authority Digital at a insurance company with 1,001-5,000 employees
  • More granular security
  • Simpler integration with JIRA
  • It would be nice for a dashboard server to be able to address more than one database (this limitation tends to encourage either lots of small (team/project) servers or one uber server if you want to report across projects).
View full review »
NP
Team Lead at CNSI

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

View full review »
TS
Security consultant at a computer software company with 1,001-5,000 employees

If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard.

From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes. 

View full review »
SR
Team Lead at a computer software company with 10,001+ employees

Integration could be better in SonarQube in the free version. It does not have any bug tracking tool, like Jira. They are not integrated with enough additional programming tools.  

There is one issue with the dashboard. The dashboard which is there is okay. But sometimes if we have to work on multiple issues the application is giving us errors. Say we have five issues. All five issues might not be very important, so in cases where there are multiple issues, we would just want it to give us a warning about the important issue. It may be we will get to work on the things of greater importance and over-all have a better solution and we do not have to fix all five. Something like that would be good to help us to prioritize things so then we do not have to go into all the issues and fix them.  

We do have this categorization for major and minor issues, but let's say, again, if there are five major issues. I would like to maybe get a score involving the prioritization of these. Out of these five major issues, we should know which issue should be fixed first. This would give us a backup for planning and organizing the prioritization. It is that kind of data that we do not get on the dashboard. If we could, that would be helpful to give priority to the correct issues.  

View full review »
JI
Automation Tool Specialist at a comms service provider with 1,001-5,000 employees

I find that some of the graphs around the measures are too fancy, and they do not mean a whole lot to me.

The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities. By comparison, we run the same piece of code through both SonarQube and Checkmarx and there is no comparison between the vulnerabilities that each finds. Checkmarx may find fifty, whereas SonarQube will only find fifteen or twenty.

View full review »
it_user727500 - PeerSpot reviewer
Senior Java Developer at a financial services firm
  • Upgrading the version of the server is a bit cumbersome and could be made slightly easier. Allowing admin users to upgrade the software through the front-end would make upgrading easier.
  • Another improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case. There is a way to mark the code/method with the issue number, but having to add comments/annotations in your code for your static analysis tool feels wrong to me.
  • Being able to have different groups or projects within the same server would be nice. Currently, I have a Sonar machine for production code (master branch) and UAT code (UAT branch), so when each branch is built in our continuous integration server it publishes to these two Sonar machines. What would be nice is if I could create subgroups within a single SonarQube server for each environment to remove the need for two separate machines.
View full review »
AJ
DevOps Lead at a marketing services firm with 1,001-5,000 employees

The solution has a very shallow SAST scanning. That is something that can be improved. 

I'm not sure if there is any plan for having DAST, as well, which is the dynamic scanning. If they offered that in SonarQube that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least, from the SAST perspective, it can improve.

The pricing could be reduced a bit. It's a little expensive.

View full review »
AR
CEO at ITShare

If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

View full review »
HT
Information Technology Technical Architect at a insurance company with 51-200 employees

We could use some team support, but since we are using the community version, it's not available.

Also, because we are using the community version, we have some problems from time to time regarding the SSO logins.

Sometimes you need more time to configure things, to edit some profiles.

SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery — they don't really care about security. But now, since we are also certified technical security, we can go ahead and provide that for them.

In short, communication needs to be better.

Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk. 

View full review »
it_user718230 - PeerSpot reviewer
Devops Engineer at a healthcare company with 10,001+ employees

Well, load balancing is something we expect it to have. Also, sometimes the loading dashboards are a little slow. When we have a thousand products published over it, we expect it to be more efficient in terms of serving requests from the browser.

View full review »
RV
Development Team Lead at a financial services firm with 1,001-5,000 employees

SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see. 

View full review »
HT
Information Technology Technical Architect at a insurance company with 51-200 employees

Since we are using the community version, we have had some issues. For example, we have had some difficulties with the Single Sign-On (SSO) login. We tried to integrate with our Azure ID to have access to login, but it doesn't always update. We have to search for more forums, or in other communities for technical IT.

The documentation is not clear and it needs to be updated. As it is the community version we don't have team support and rely on the documentation that is available. We are creating more disciplines to do peer reviews on SonarQube. There is time spent on creating the tools but not the documentation that is needed for support.

It takes time to configure and create profiles. We need to improvise the way we introduce new tools.

We have only integrated the source code, but there are things that are not being utilized because it is product-driven and there needs to be more path and delivery.

Since we are now certified, we are utilizing more and we are creating an environment for security. We need more emphasis on the security side.

Support needs to improve with their response time.

There is a lack of local partners/vendors in our region and we are having difficulties finding vendors looking for another partner.

In the next release, I would like to see some automation scripts. At times by default, you have to configure some of the rules in the detection. You need some parameters to be set that define the source code, such as those required to eliminate a false positive.

They advance their product without addressing security or internal codes.

View full review »
it_user697050 - PeerSpot reviewer
SW Automation Team Leader at a tech services company with 201-500 employees

There is need for support for the additional languages and ease of use in adding new rules for detecting issues. Some issues that were detected after committing to the CSM by SonarQube were not displayed in SonarLint scans (hopefully this was fixed in later versions).

View full review »
it_user327384 - PeerSpot reviewer
Assistant Director Implementation Services at a financial services firm with 5,001-10,000 employees

Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.

View full review »
FM
Product Manager | Senior Software Developer at RedShift II - Solutions

This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.

View full review »
EG
Senior System Analyst at a tech services company with 1,001-5,000 employees

It would be better if the users could have quick access to the features.

Monitoring is a feature that can be improved in the next version.

View full review »
EK
Director of consultory at a non-tech company with 1,001-5,000 employees

The solution could improve by providing more advanced technologies.

View full review »
PP
Head Innovation Hub at a tech services company with 201-500 employees

It is very expensive. That's something that can be improved. 

I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things.

Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. 

The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

View full review »
CV
CTO at a computer software company with 11-50 employees

The results of exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. Sonar Qube offers REST API and you could export the results programmatically, but the process is quite slow and limited. You could extract the maximum 10000 results per query, which increases the overall execution process tremendously. I guess the majority of the users are based on Sonar Qube presentation capabilities, which is very restrictive for some use cases.

View full review »
GL
Chief Solutions Officer at CleverIT B.V.

In terms of what can be improved, the areas that need more attention in the solution are its architecture and development.

Additionally, the QA team also needs work in different aspects. When you think about the support area - when the support team has an incident they need to do a hostage. When they do that they do a commit in the version control. These commits trigger a new build process and this process needs validation from SonarQube because we need to validate the quality of the software product for different cases and different aspects.

View full review »
it_user700128 - PeerSpot reviewer
Director at a consultancy with 10,001+ employees

Ease of use/interface.

View full review »
SM
Manager at Dassault Systèmes

The product's user documentation can be vastly improved.

View full review »
it_user697056 - PeerSpot reviewer
Senior Software Developer at a tech vendor

Deep intelligence and smarter code analysis: There are many cases where a bug or critical issue is reported. However, there is very little chance of rewriting the solution in some other way due to several circumstances. The written solution is actually safe.

It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues.

There is a manual false positive feature for that, so it compensates for it. However, time and time again, some issues become annoying, since they are actually not issues. This can be time-tested though and configured/fine-tuned throughout working with the tool.

View full review »
it_user333735 - PeerSpot reviewer
QA Engineer at a tech services company with 51-200 employees

With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.

View full review »
PJ
Staff DevOps Specialist at a computer software company with 201-500 employees

A little bit more emphasis on security and a bit more security scanning features would be nice. 

It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version.

Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

View full review »
NB
Security Engineer at a computer software company with 201-500 employees

I have found this solution creates more noise than competitors. 

The documentation and reporting extract can improve because other solutions are far more advanced.

View full review »
KV
Senior Technical Architect at a tech services company with 501-1,000 employees

SonarQube can improve by scanning the internal library which currently it does not do. We are looking for a solution for this.

View full review »
BR
Company Director at Alwyn Technologies

Improvements could be made in terms of security. 

I would like to see dynamic code analysis in the next version of the software.

View full review »
LZ
Application Security Analyst at a agriculture with 501-1,000 employees

This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated.

The plugins are not well documented.

View full review »
it_user347526 - PeerSpot reviewer
Software Engineer, Agile/Lean Evangelist, Scrum Master at a tech services company with 51-200 employees

The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.

View full review »
RB
Senior Solutions Architec at OSENTERPRISE SAC

The solution could improve by having better-consulting services.

View full review »
AS
Senior/Lead Software Engineer at a government with 51-200 employees

In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front.  Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment, however, we are actively seeking out a more effective option for the static code analysis. 

There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products.

The solution could offer some sort of alert feature. We've had an incident, where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and married with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is off-line or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake.

It would be great if it could support testing and configurations a bit more. 

View full review »
HJ
IT Infrastructure Head / Facilities Manager - ITIL V3 Certified ,Vmware Vsphere5 at a financial services firm with 51-200 employees

With the aesthetic code analyzer or dynamic code analyzer, we would like to see zero vulnerabilities. This is actually currently not available with any available code analyzer so it is not the fault of this one product. We would like to see that the latest CVE (Common Vulnerabilities and Exposures) gets represented. This would be more useful but does not always happen. 

If we have more of an idea of the likelihood of zero vulnerabilities then the product is more useful for user communities.

View full review »
PR
Scala Contractor at a tech services company with 10,001+ employees

I would like to see something around mutation testing included in SonarQube. I'd like to see some mechanism of quality which has real meaning. The problem in metrics is that they're correlated. I'd like to see how they can add a feature to detect genuine quality, instead of numbers that people can game. The number can be manipulated. There are a few ways to do this, and mutation testing is one of them.

I would also be interested in more security scanning.

View full review »
SK
Independent Consultant at Klusener Consultancy

I am not very pleased with the technical debt computation, it's a bit arbitrary.

The codification metrics could also be improved.

View full review »
JS
DevSecOps Lead at a tech services company with 11-50 employees

Our developers have complained about the Quality Gates and the number of false positives that this product reports. Their older code is breaking and with the Quality Gate on the pipeline, they are not able to safely release at this point. This means that they have to add a lot of things to the whitelist, so there is room for improvement in this regard.

View full review »
it_user347733 - PeerSpot reviewer
DevOps Engineer at Trantor Software Private Limited

It would be great if it also covered XML code.

View full review »
LD
Software Engineer at a tech services company with 11-50 employees

The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications.

In the next release, they should add the ability to analyze containers.

View full review »
RP
Senior Manager at Digichorus Technologies

It does not provide deeper scanning of vulnerabilities in an application, on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.

View full review »
KN
Security at a tech services company with 51-200 employees

From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify if it's accurate or not.

This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive.

Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on-demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.

View full review »
it_user697038 - PeerSpot reviewer
DevOps at a tech company with 10,001+ employees

We had some issues where the Quality Gate check sometimes gets stuck and it is unclear.

View full review »
RB
Security Information Manager at a tech services company with 10,001+ employees

There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

View full review »
HM
Founder at a tech services company with 11-50 employees

One thing to improve would be the integration. There is a steep learning curve to get it integrated.

View full review »
it_user344817 - PeerSpot reviewer
Service Line Leader at a tech services company with 10,001+ employees

A better design of the interface and add some new rules.

View full review »
it_user347595 - PeerSpot reviewer
Java Developer at a tech consulting company with 51-200 employees

I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.

View full review »
it_user336438 - PeerSpot reviewer
Web Developer/DevOps Engineer with 501-1,000 employees

The Python code scan has so few rules that it is meaningless.

The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on it's own so what it he point of using it.

And the Fortify plugin is deprecated.

View full review »
it_user333624 - PeerSpot reviewer
Software Developer at a tech services company with 501-1,000 employees
  • Explicit checks for issues
  • Severity tab tweaks
  • Optimization into the Settings, such as adding new features/customization
View full review »
TL
Software Engineer at Adfolks

The reporting can be improved. In particular, the portability report can be better.

I would like to see better integration with the various DevOps tools.

View full review »
CR
Senior Architect Information Security & Privacy at a tech services company with 501-1,000 employees

I would like to see SonarQube implement a good amount of improvements to the product's security features. Another aspect of SonarQube that could be improved is the search functionality.

View full review »
Buyer's Guide
SonarQube
March 2024
Learn what your peers think about SonarQube. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.