SonarQube Server (formerly SonarQube) Reviews

The primary use case of this solution is for static code analysis, and benchmarking our code standards according to our preferences. 

Our builds process through SonarQube and if it passes the required set of requirements we have set, it will then go through to production.

The most valuable features are the segregation containment and the suspension of product services. Also, the library that SonarQube covers is good.

The library could have more languages that are supported. It would be helpful.

There are a few clauses that are specific to our organization, and it needs to improve. It's the reason that were are evaluating other solutions. It creates the ability for the person who releases the authorized release, which is not good. We would like to be able to expand on our work.

MicroFocus, as an example, would be helping us with that area or creating a dependency tree of the code from where it deployed and branching it into your entire code base. This would be something that is very helpful and has helped in identifying the gaps.

It would be great to have a dependency tree with each line of your code based on an OS top ten plugin that needs to be scanned. For example, a line or branch of code used in a particular site that needs to be branched into my entire codebase, and direct integration with Jira in order to assign that particular root to a developer would be really good.

Automated patching for my library, variable audience, and support for the client in the CICD pipeline is all done with a set of different tools, but it would be nice to have it like a one-stop-shop.

I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production. We would also need the ability to edit those rules.

I have been using SonarQube for approximately two years.

The stability is good. 

The branch advanced analysis pull request declarations, they are good and highly valuable, but they are not part of the free edition. They are only available as part of the licensed one.

Currently, we have 1.2 to 1.5 million lines of code. Certainly, if that increases, so would the costs expediently. 

We have 50 developers' licenses.

There is quite a bit of maintenance that is needed. We have a couple of people from our operations team to do the maintaining.

It is integrated with our CICD department and is being used extensively.

We do have plans to increase the usage of SonarQube.

We have used open-source origins of the tools.

PCI is an open-source solution that we used before, and we used Snyk as well.

The initial setup is straightforward.

We did not use a vendor team, it was done by us.

The developer edition is based on cost per lines of code.

Now we are looking for a more mature solution and evaluating other products. We want a complete code analysis platform that is more mature.

We will either go with the paid Developer active license or solutions such as Checkmarx or MicroFocus.

The community edition is quite informative for engineers. The actual code analysis is not conducted on the GitLab flow, but the build pipeline would show the core quantity steps which is part of the criteria.

The trial gives you a way to implement the POC and check if it can be integrated with your own stack. Once the trial expires, you can continue with the same setup for getting the license.

I would rate this solution a six out of ten.

Our primary use case is to analyze source code for software bugs, technical debt, vulnerabilities, and test coverage. It provides an automated gated procedure to ensure that engineers are able to deliver great, secure code to production. 

We plug this process into our process right from the start enabling the IDE integrations so that engineers can scan their code before submission. Following on from that we run the scans on every change that has been submitted for review. 

This way we ensure that no core/fundamental issues are added to our codebases. 

It has helped many of the organizations that I have worked at to improve overall security, quality, and test confidence within the codebases. It also provides this in a speed efficient way. Engineers now feel much more proud of their solution as they gain confidence from these scans and their results. 

Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers. 

We are also able to get reports on our suite and generate a quality rating for ourselves utilizing this data and more. 

By far the quality gate controls. Without this, there would be no way to really utilize the power of this tool. We are able to automatically ensure that no code is delivered to production when it contains severe bugs or vulnerabilities. 

The tight integration to source control also helps us to keep the engineers in the loop with any follow-up actions for issues reported. 

Finally, the historical trend analysis gives us great insight into how we are improving based on our decisions, which are now driven by clear data.

It should keep up with newer technologies. As this is primarily open-source, it does require updates from the community. As such, there is sometimes a delay for new technologies to be covered by this too. 

Particularly around the languages that the webpages state they support. The big benefit of Sonar is that it handles so many different languages, problems, and static analysis in one place. 

When that one place has a low coverage for the most basic rules (OWASP top 10 for example) it starts to lose its value add. 

I have been using SonarQube for five years.

Good, I have not really had many issues with it. No major ones either. 

It all depends on where/how you are hosting it. The tool itself scales well. 

I have used Checkmarx and also tried a demo of Veracode. 

Checkmarx was far too heavy-handed and only handled security concerns for a VERY large price tag. 

Veracode is very good, however, the price vs a free solution was a deciding factor in many cases. 

It's very straightforward for a SaaS setup. 

For a self-hosted setup, it is documented well and fairly easy. 

We implemented in-house.

SonarQube will incur hosting costs. There are SaaS options available at competitive prices too. 

Self-hosting SonarQube is subject to its open-source licenses documented on their website. 

We also evaluated Checkmarx, Veracode and open source solutions specific to each programming language. 

Security analysis is a MUST. 

I work for a government agency and we use this tool. It is lightweight and very cost effective as compared to IBM AppScan, but I wouldn't say it's a very good tool for vulnerability assessment. The dashboard is neat and easy to operate and the information on the dashboard makes it easy for the developers to work on. You can have it automated and set up for you to have an automated process every time the code is checked in. 

It definitely helped our organization in hardening the software, the application itself. This is a part of our process now.

The most valuable features are the dashboard reports and the ease of integrating it with Jenkins. 

Although it has Sonar built into it, it is still lacking. Customization features of identifying a particular attack still need to be worked on. To give you an example: if we want to scan and do a false positive analysis, those types of features are missing. If we want to rescan something from a particular point that is a feature that is also missing. It’s in our queue. That will hopefully save a lot of time.

This solution is very stable.

It supports around 25 plus languages.

The technical support is very good. When a product is good, we don't use them as regularly.

No, not that I am aware of.

Compared to other tools, the initial setup was straightforward. The deployment of the tool didn't take long at all. You need to take intrinsic care but setting up this tool is pretty easy. One can do it in a couple of hours. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. We haven't ever used more than one resource for operations.

We have this implemented in CSAD pipeline as one of the tools for finding bugs in source code. This kind of tool has the capabilities of debugging abnormalities or finding abnormalities. We use it the same as any other static one level detail, and with a few other static tools like AppScan and Checkmarx.

SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it.

I would rate this solution an eight out of ten.

We are working on a payment system, and we need it to be secure. We use this solution to analyze our code to ensure that it is clean, easy to understand and maintain, and secure.

SonarQube is good for checking and maintaining code quality.

It would be nice is SonarQube analyzed external libraries, in addition to our current code.

I would like to see more options for security, beyond the basics like SQL injection.

The stability of this solution is quite good.

I think that scalability is fine. We have a large number of users at my company.

The majority of the users for this solution are architects, but some technical managers use it too.

We use this solution in parallel with Checkmarx because both of them are good for different things. SonarQube is good for code quality, whereas Checkmarx is more for security.

This initial setup of this solution is not basic, but it is not complex. If you have some experience in IT then you should be able to do it.

We have this tool integrated with Jenkins.

One or two days is enough for deployment. There is some configuration to do, which takes time, but it is not difficult to deploy.

Three or four staff are enough for deployment and maintenance.

We have seen a return of investment, for sure. It is integrated with jobs on Jenkins and helps to provide stability. 

We did not evaluate other options before choosing this solution.

This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code.

If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules.

I would rate this solution a seven out of ten.

The tool helps us to monitor and manage violations. It manages the bugs and security violations. 

SonarQube needs to improve its ease of use, integration with third-party platforms, and scalability. 

I have been using the product for five years. 

I rate the tool's stability a six out of ten. 

My company has 150 users for SonarQube. 

The tool's deployment is complex. 

The tool's pricing is reasonable. 

I rate the overall product a seven out of ten and would recommend it to others. 

We used SonarQube for secure code review.

The solution's user interface is very user-friendly. The solution also provides good efficiency.

It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts.

I rate the solution a seven out of ten for stability.

I rate the solution a nine out of ten for scalability.

On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.

It takes around one hour to deploy SonarQube.

SonarQube is a fairly affordable solution for a larger scale if you have a specific role or specific department for secure code. We didn't pay for SonarQube. We used a free version of the solution because we had a small amount of code.

We used SonarQube for one project. To improve code quality, we do vulnerability assessment. We have an R&D department, and we collaborate with other teams to do any work related to secure code.

SonarQube simplified our code review process. Since we are new to secure code review, we mostly use freely available or impactful applications. That's why our R&D team suggested using SonarQube.

We use SonarQube to find vulnerabilities in the application code. The code is related to the application used by our client. We find vulnerabilities in their application, and we suggest solutions.

We have experienced challenges related to the client-side code. Sometimes, the server faces downtime, and our R&D team knows how to resolve such errors. It is easy to maintain the solution.

Overall, I rate the solution a nine out of ten.

We use the tool to check our code. It's used for static quality checks. 

The product is simple. 

The product's pricing could be lower. 

I have been using the product for two years. 

The tool is stable. 

The product is easy to deploy and update. 

We use the tool's community edition. 

I would rate the product an eight out of ten. 

We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers. 

This is a stable solution.

This is a scalable solution. 

The initial setup was straightforward. 

Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution. 

I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. 
I would rate this solution an eight out of ten.