The features I find most valuable are:
- Quick access to issues in the code
- The ability to define your own analysis profiles
- Easy integration with Jenkins
For the record, what I do with SonarQube is develop a language plugin for a language not previously covered by SonarQube. As such, my experience of running SonarQube is limited to that necessary to have the plugin tested, nothing more.
I'd like to see more API documentation, including, but not limited to, more extensive documentation of provided examples.
I've used it for eight months.
I only deployed it for development purposes and it was pretty straightforward. You unzip, configure, and run. Of course, production deployments will require more than that.
The provided archives are self running; but since this is a bona fide webapp, you might want to use your own servlet container to run it instead.
No, I didn't. I was employed specifically for this plugin, and while I know other code-quality control solutions exist, I didn't explore any of them.
Product is good, but the API documentation is poor, when it exists at all.
Its dashboards, quality profiles, quality gates and CI integration features (like the build breaker plugin) are the most valuable features for me.
Personally, I have used SonarQube for educational purposes. SonarQube is helpful for giving motivation to a small development team (10 members or a little above) on code quality improvements with small efforts.
My team uses just two features - dashboards and CI-build-breaker - for checking code quality and the stability of our code base. For those purposes, SonarQube has done its work greatly. We have seen a decrease of about 25% in issues since we first started using it a few months ago, and my team's code bases are getting better.
The only thing I don't like is that they removed the design libraries and dependencies-checking features from v5.2. I hope they reintroduce these features in the future.
I've used it for approximately two years, since December 2013.
I have not encountered any issues.
I have not encountered any issues.
I have not encountered any issues.
I've not had to use them. I think its online documentation is up to date, and it is enough to use it to solve problems and to understand features.
Technical Support: I've not had to use them.
My development team adopted SonarQube in January 2015 for code quality improvement, and had not used any code quality checking tool before.
The initial setup is easy. They provide a step-by-step online guideline to follow for installing it.
It has decreased the efforts of my team for finding and fixing potential issues which exist in our code base.
We are only using the free features.
Just keep following their online installation and plugin development guide.
The rich graphical representation of numbers which are meaningful to dev leads/managers and top management.
It was brought in to help with best practices in writing test cases, and each test should pass given all numbers are highlighted on SonarQube.
Executing Sonar analysis on a big chunk of code with an Oracle database does take up a lot of time.
Widgets - as the world of development expands, SonarQube should have plug-ins to cater to different technologies.
I've used it for three years.
No issues encountered.
No issues encountered.
No issues encountered.
It's very good, and I have personally had conversations with the SonarQube guys regarding plug-ins and modifications.
No previous solution was used.
The documentation is good. It should be fairly simple for someone with database knowledge.
We did it in-house.
Code exploration on the front-end, as well as the ability to import from Fortify, are valuable features.
It allows for better collaboration of our team members on security findings.
The Python code scan has so few rules that it is meaningless.
The support for mobile applications is limited to Android Lint importing, although the Android Lint report is fine on its own, so what is the point of using it?
And the Fortify plugin is deprecated.
I've used it for two years.
It is quality software, even if the plugins are often weaker than would be necessary to have a team centralize around it. It is good for an open source project, but creating plugins is important and so complicated and not well documented that it is rarely done.
No issues encountered.
No issues encountered.
It is open source so I don't try to rely on their technical support.
It was fairly straightforward, although some plugins depend on outside software to run, which is to be expected.
We implemented it ourselves.
It is free, so the price is good. If they had stronger plugins then we would gladly pay.
We evaluated the market, and because security scans are so different, there was not a good COTS or open source solution that met our needs so we went with the best open source solution, which was SonarQube.
To create your own quality profiles and gates is really cool; you can apply different policies depending on the maturity grade of the project you are dealing with.
Also, we use the time machine tool a lot to make important decisions to determine if the projects are going in the right direction.
Elasticsearch is really helpful, and there is also a plug-in we use a lot named "3D Code Metrics" that gives us a quick overview of the general situation of the projects.
Also, the integration with different CVS', and the dependency search are nice and helpful features.
This product helps us to determine the maturity and quality of the coding of our software customers, preventing future crashes in the software. Getting users used to developing clean code makes SonarQube a valuable tool. Also, we use it for our internal software development, helping us to create good quality software.
With the new SonarQube versions, the analysis time is increasing, and some projects are difficult to configure due to the different modules and languages that it uses. A few versions ago, it had a multi-language option which was really helpful.
I've used it for over two years.
The worst thing about this tool, I think, is the upgrade method, and it's really easy to wreck the database when upgrading. It would be a better idea to make fewer versions, but make it easier and more consistent to upgrade. Also, sometimes if you are using really old instances and you move to a new version, it's possible to lose some information about projects.
Thanks to this tool we can improve old code where developers are not available anymore and display the projects filtering by different fields; we save a lot of time, and time is money.
Once it is up and running, we didn't find any big issues with the stability, but it's important to configure the properties file in the right way according to your system specifications.
I think it is good; also, there is a new forum named https://sonarqubehispano.org/display/HOME/Bienvenido for the Spanish community, which helps Spanish quality assurance fellas a lot.
Technical Support: I think it is good; also, there is a new forum, https://sonarqubehispano.org/display/HOME/Bienvenido, for the Spanish language community which helps a lot.
I used a few specific tools for the PHP language; those tools were really powerful (Codesniffer, PHPCPD, PHP Mess Detector among others) and provided good information about the quality of our code. Nowadays, I am mixing those tools with SonarQube, but shortly I am thinking of using just SonarQube. The reason is that SonarQube is including more and more PHP rules in every PHP plugin version.
After dealing with configuration files and getting SonarQube up and running, there is not a big problem starting to work with it; SonarQube includes some standard quality profiles that make it easier for beginners. Also, the option to configure your own dashboard with different widgets exists.
I have experience with both of them and the main problem is not how the tool is working, but it's to make people follow the rules and change bad habits. However, I think that's a common challenge for our QA guild.
Actually, SonarQube offers a lot of free plug-ins for different languages, and we add additional paid plug-ins as well, such as PL/SQL, COBOL and Views, and our experience tells us that it is worth it.
Only one option we found competitive was CAST, but the prices and the functionality didn't convince us at all.
I fell in love with SonarQube when I could easily build custom rule checks. However, doing that checking manually takes tons of time.
I've used it for almost two years, starting with v4.3.3.
Predefined rules/overriding rules caused some issues.
6.5/10.
It was straightforward to install and setup, but complex to adapt to and learn.
We used a vendor team.
I did not evaluate other options.
I would advise you to think a lot before acting.
We used SonarQube during the development period and AppScan after the system was deployed on the production site.
SonarQube is integrated with the CI/CD infrastructure. It automatically scans for code, detects vulnerabilities, and generates daily reports. SonarQube's integration with the CI/CD infrastructure helps us reduce the effort to scan the code manually.
After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report.
I have been using SonarQube for six to seven years.
We haven’t faced any issues with the solution’s performance or stability.
We don't have a support license for SonarQube. We currently use the open-source community, which provides us with much support from communities worldwide.
The solution's initial setup is very easy. We have a team that handles the maintenance of SonarQube in the CI/CD environment.
The solution's deployment takes about two weeks. We have a new software development project, and integrating it into the CI/CD system took about half a working day.
We use the solution free of cost. SonarQube is a cost-efficient solution.
I would recommend the solution to other users.
Overall, I rate the solution ten out of ten.
This solution has the capability to analyze source code in almost all the languages in the market.
This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.
I have used this solution for ten years.
This is a stable solution.
This is a scalable solution. We have been using it for all of our critical projects.
I have never made the calculations to understand the real value of this solution but I know that the return of investment is very good. If not, we wouldn't have continued to use it for the past 10 years.
As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool.
This solution has evolved a lot in the last ten years.
It comes with good DevOps implementation and security, which is a big problem today.