
RF IDeas pcProx Sonar Presence Detector

Mfg # BSE-PCPRX-SNR CDW # 1299957


pcProx®-Sonar attaches to the PC via the USB port and is configured by the system as a keyboard. When you step away from your computer, pcProx Sonar sends keystrokes to the PC that engage self-locking or logoff mechanisms such as a screen saver, your single sign-on lock, or Windows logoff.

Likewise, when you approach your computer, pcProx sends keystrokes to the PC that pull up your logon or identification dialog box. All individual keystrokes, detection range (1-5 ft.) and specified delays are user-definable.

pcProx Sonar represents the lowest cost solution since there is no drain on IT support resources, software maintenance contracts, and other IT security burdens!

Requires operating system support for USB port. Configuration software requires Windows 98, 2000, XP, or Vista.

Min Operating System: Apple MacOS, Linux, Microsoft Windows Vista / 2000 / XP, Microsoft Windows 98 Second Edition, Microsoft Windows CE (Note: Configuration Application is Windows Compatible Only)

This item was discontinued on September 15, 2022


RF IDeas pcProx Sonar Presence Detector is rated 4.23 out of 5 by 44.
Rated 5 out of 5 by from Stable, beneficial code review, and efficient

What is our primary use case? We are using SonarQube for code reviews.

How has it helped my organization? Code quality improvement, secure coding practices.

What is most valuable? The most valuable feature of SonarQube I have found to be the configuration that has allowed us to make adjustments to the demands of the code review. It gives a specified classification regarding the skill, prioritization, and it is easy for me to review and make my code.

What needs improvement? NA

For how long have I used the solution? I have been using SonarQube for approximately five years.

What do I think about the stability of the solution? The solution is stable.

How are customer service and support? I have not needed to use technical support.

How would you rate customer service and support? Positive

Which solution did I use previously and why did I switch? I have used some tools previously, such as Eclipse and Checkmarx. I used some tools directly linked with Eclipse, but SonarQube is much better. It has a better ability to link with Eclipse as well as the standalone features for a code review; I have found SonarQube the most efficient.

How was the initial setup? I deployed SonarQube on my laptop. I found it to be straightforward and easy. I wanted my technical team to implement it, but since they didn't have time I took the initiative and did it myself. I am not exactly from a technical background, and it was very easy for me. The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations.

What about the implementation team? The solution does not require any maintenance.

What other advice do I have? SonarQube fits my purpose. It doesn't cause any hassles for me. I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-11-19T00:00:00-05:00
Rated 5 out of 5 by from Great features, good code quality parameters, and is easy to set up

What is our primary use case? We mainly need to do certain static analyses. While doing the coding, everybody sends a pull request. Before committing the code on the main branch, we need to ensure that the code is up to level. That is basically our way of working to ensure that whatever rules we have configured, whatever gates we have defined, get passed before committing the code into the main branch.

What is most valuable? I like almost all of the features. We were initially using all these techniques by using different tools. The vulnerabilities and the code quality parameters are really important for us. The initial setup is easy. There's plenty of documentation available to users. The solution is stable. The scalability is good.

What needs improvement? The only features which I think are lagging are the reporting to generate a PDF report. That is not available currently in the development version. However, if it is available in the development version, then it will be really helpful for us. I checked with the team and it seems that it is only available in the enterprise version. If the report can be sent over email, that would really help. For example, let's say if I need to report to management or management wants to see a dashboard based on what each project looks like. Those figures are not available. There needs to be a shareable reporting piece or something we can click and generate easily. The only pain area for us is due to the fact that we purchased the 1 million lines of code license for now. We are a service product company, so some projects were finished in maybe less than six months and then maybe that is not useful for us. We need to remove those projects so we can utilize those lines of code for another project. That's something we need to see about. We're not sure how that works.

What do I think about the stability of the solution? The solution is quite stable. Before, I used to generate reports by using some manual techniques. Now those are available right in SonarQube. The flexibility of rule configurations is great.

What do I think about the scalability of the solution? We found the solution to be scalable. We already integrated SonarQube with our CI/CD pipeline in Azure DevOps, and it works really well. We also integrated with the Jenkins CI/CD pipeline, and we also linked with Visual Studio using SonarLint. That works really well. We plan on expanding and need more licenses.

How are customer service and support? When we purchased the license, they actually charged an additional amount for the support. Therefore, we haven't bought the support. Plus, we already know SonarQube. We have enough team members available who already have experience in it. For that reason, support is not required for us. That said, across the internet or on Google, there is enough documentation available. Even on the SonarQube website, there is enough documentation.

How was the initial setup? The initial setup is really straightforward. The support is really good from SonarQube. Enough documentation is also available. It's really straightforward to figure out how to do it.

What's my experience with pricing, setup cost, and licensing? We purchased a SonarQube developer license. We do not have the enterprise version. We pay for licensing on a yearly basis. On the pricing side, it's 3,000 Euros for 1 million lines of code. Even if you look at the open-source version, the open-source version almost provides similar functions. Of course, some additional language support, among other things, is missing; however, the rest is available in open-source. If they can reduce the price, then I believe more people will join the licensed version rather than open-source. Pricing is a bit high based on the fact that they're already providing the open-source version for free, and that also includes almost all the necessary items. People will not pay for the license if they can get most items for free. I would suggest that if they reduce the price, it will definitely boost the business.

What other advice do I have? We already linked with the CI/CD pipeline, and everything is working really smoothly. We already got the additional language support also, which was not available in the open-source version. In the developer version, we have six-plus additional languages supported. That is actually helpful for us. Overall, it's going really well. The overall look and feel, the way of presenting the information, is really nice, including the way we can assign items. Everything looks okay. I also already integrated the APA of SonarQube in my external system and that really works. I don't see any integration problems so far. I would suggest those considering the solution simply go for SonarQube as it works really well for any integration of any software or with any third-party tools, including Azure DevOps. I'd rate the solution at a nine out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-11-05T00:00:00-04:00
Rated 5 out of 5 by from Code quality assurance solution that supports many coding languages

What is our primary use case? We use this solution to configure our pipeline using Jenkins. From an integration perspective, it encompasses many languages and this is very useful.

How has it helped my organization? This solution has helped with the integration and building of our CI/CD pipeline. Without any scans or assessments, the pipeline and build are not complete. One of the good features of SonarQube is the many languages it supports, including Java, dotNET, TypeScript and HTML/CSS. It also allows us to set custom quality gates and rules.

What needs improvement? This solution could be offered on Docker and the cloud. The support for this solution could be improved and the customization rules could also be made simpler.

For how long have I used the solution? I have used this solution for three years.

What do I think about the stability of the solution? This is a stable solution.

What do I think about the scalability of the solution? This solution could be scalable, specifically from a reporting perspective.

How are customer service and support? I would rate the customer support for this solution a seven out of ten.

How would you rate customer service and support? Neutral

Which solution did I use previously and why did I switch? I have previously used Checkmarx, Blackbelt and WhiteSource.

What was our ROI? We have experienced a good return on investment using this solution.

What other advice do I have? This is a good solution if you are looking for good coverage, quality, and vulnerabilities to be highlighted. That being said, there are better solutions in the market when it comes to SAST scanning. I would rate this solution an eight out of ten.

Which deployment model are you using for this solution? Private Cloud

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-05-12T00:00:00-04:00
Rated 5 out of 5 by from Community edition is the best part, but there is no integration with the development environment

What is our primary use case? We do a lot of development. We were previously doing it internally, and then we hired a couple of development partners. So, day in and day out, a lot of changes were happening. We wanted to ensure that whatever changes happened, they undergo some level of quality assessment. That was one of the reasons why we wanted to use it. We have started looking into it from the information security side, but it is being used by the core development team.

What is most valuable? We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.

What needs improvement? There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have.

What do I think about the stability of the solution? It's a stable solution.

What do I think about the scalability of the solution? It is not scalable if you have a bigger workload. Because it is a Community edition, it has its own restrictions and limitations in terms of the number of lines of code. We have 15 to 20 people who are using it.

How are customer service and support? We don't have any experience with them. We don't have any AMCs, and we don't have any technical support.

How was the initial setup? It was easy, but because we were using it for the first time, it took some time. I would rate it 3.5 out of five in terms of ease of setup.

What about the implementation team? We deployed it in-house. In terms of maintenance, there is only one person who is taking care of SonarQube as a platform or the services that are provided by SonarQube.

What's my experience with pricing, setup cost, and licensing? We are using the Community edition of SonarQube.

What other advice do I have? For a small setup with a smaller number of applications, it is okay because it is easy to deploy and manage with a simple console. When the number of lines of code is high, it takes time, and you have to spend a lot of time in terms of getting the right results. I would rate it a seven out of ten.

Which deployment model are you using for this solution? Hybrid Cloud

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-04-14T00:00:00-04:00
Rated 5 out of 5 by from Good integration and has useful feedback features, such as Quality Gate

What is our primary use case? Our primary use case of SonarQube is getting feedback on code. We are using Spring Boot and Java 8. We are also using SonarLint, which is an Eclipse IDE plugin, to detect vulnerabilities during development. Once the developer finishes the code and commits the code into the Bitbucket code repository, the continuous integration pipeline will automatically run using Jenkins. As part of this pipeline, there is a build, unit test and a SonarQube scan. All the parameters are configured as per project requirements, and the SonarQube scan will run immediately once the developer commits the code to the repository. The advantage of this is that we can see immediate feedback: how many vulnerabilities there are, what the code quality is, the code quality metrics, and if there are any issues with the changes that we made. Since the feedback is immediate, the developer can rectify it immediately and can further communicate changes. This helps us with product quality and having fewer vulnerabilities in the early stages of development. This solution is deployed on-premise.

What is most valuable? One of the most valuable features of SonarQube is its ability to detect code quality during development. There are rules that define various technologies (Java, C#, Python, everything) and these rules declare the coding standards and code quality. With SonarQube, everything is detectable during the time of development and continuous integration, which is an advantage. SonarQube also has a Quality Gate, where the code should reach 85%. Below that, the code cannot be promoted to a further environment; it should be in a development environment only. So the checks are there, and SonarQube will provide that increase. It also provides suggestions on how the code can be fixed and methods of going about this, without allowing hackers to exploit the code. Another valuable feature is that it is tightly integrated with third-party tools. For example, we can see the SonarQube metrics in Bitbucket, the code repository. Once I raise the pull request, the developer, team lead, or even the delivery lead can see the code quality metrics of the deliverable so that they can make a decision. SonarQube will also cover all of the top OWASP vulnerabilities; however, it doesn't have penetration testing or hacker testing. We use other tools, like Checkmarx, to do penetration testing from the outside.

What needs improvement? SonarQube could be improved with more dynamic testing; basically, now, it's a static code analysis scan. For example, when the developer writes the code and does the corresponding unit test, he can cover functional and non-functional. So SonarQube could be improved by helping to execute unit tests and test dynamically, using various parameters, and to help detect any vulnerabilities. Currently, it'll just give the test case and say whether it passes or fails; it won't give you any other input or dynamic testing. They could use artificial intelligence to build a feature that would help developers identify and fix issues in the early stages, which would help us deliver the product and reduce costs. Another area with room for improvement is in regard to automating things, since the process currently needs to be done manually. Aside from other helpful features, the most important thing that SonarQube needs to do, the key feature, is to detect security vulnerabilities. The rest of the other features are helpful to the developer and the team to deliver the product faster, but security is a mandatory feature. As for additional features, SonarQube covers most of the languages, but there is still room for improvement covering the latest version of the tech stack, for example, Java 13. They're still improving, and they're focusing on SonarCloud nowadays. Currently, we aren't using all the top quality features of SonarCloud. I also think it would be helpful if SonarQube could integrate with Jira, a work management tool, or other communication tools, like Skype or Microsoft Teams, so that a bot could report directly to the developer.

For how long have I used the solution? I have been using SonarQube for the past three years.

What do I think about the stability of the solution? The stability and performance of SonarQube are good. We use it on a daily basis, as part of our code development. As far as maintenance, it mainly happens when the product is being developed. There may be some features which can be enhanced, based on customer feedback and the tech stack, such as how we can improve performance or have a deployment with zero downtime. There are so many technologies coming, so many things happening, and there is always room for code improvements and the product we develop. Our top considerations are quality and security, which are being improved in a continuous process. There are many new features and enhancements coming in; for example, if you want to upgrade from the Java 6 version, then you can upgrade the tech stack, which will reduce the number of lines of code and improve performance.

What do I think about the scalability of the solution? This solution is easy to scale. The instances in which we are deploying it are easy to scale because we are using it in production. We aren't supposed to deploy as part of the development, but the scalability feature is there because we are using Ansible, Kubernetes, and Docker. In our organization, there are currently around 25,000 people working with SonarQube.

Which solution did I use previously and why did I switch? We also use Checkmarx and Snyk. One of the main differences between them and SonarQube is that they have dynamic testing and analysis, rather than static analysis.

How was the initial setup? The initial setup wasn't a complex process. It was straightforward, and I had no issues. The deployment happened automatically and the pipeline was complete in three minutes. It depends on the scale of the project, the number of code repositories, the number of modules you are deploying, and all that. I would say deployment should take five minutes, maximum.

What about the implementation team? We implemented this solution through an in-house team. Everything happens internally and we have our own internal tools, so there are no third parties involved in development.

What's my experience with pricing, setup cost, and licensing? I'm not too aware of the pricing because a different team covers that, but SonarQube has been on the market for a very long time, so I would guess the pricing would be decent.

What other advice do I have? I rate SonarQube an eight out of ten. To those looking to implement SonarQube, I would advise you not to run it manually; integrate it with tools like Bitbucket and Jenkins, and make it automatic. If you change one line of code, SonarQube should run automatically and give you the report. Don't go and run it manually and check the reports and all; it should run automatically on the entire code base, not on your particular module. So you need to configure that, as well as your project requirements and what code quality metrics will be achievable, like 85% or 95%, because you want code quality for a better product, without loopholes. You need to configure these things before starting to work with SonarQube.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-12-10T00:00:00-05:00
Rated 5 out of 5 by from Provides continuous inspection of code quality

What is our primary use case? I'm a user also, but I'm also responsible for information security. I am the principal of security in the office. I'm the one that actually advises people about enhancing or incorporating information security aspects. Right now, we are using a community version. We have yet to subscribe for the enterprise license because we need more disciplined developers first. Within our organization, there are roughly 14 people using this solution. We use it to find the scoop, or the use, for peer review for the developers. It will require more time, to get used to it and to get trained. My team is very small and I am part of the development team; I'm in the security team but I'm also part of the development team. I am helping to build this along with the team.

What is most valuable? The product itself has a friendly UI. It's easy to use and we understand how to manage the admin control panel; it's really quick. It's really easy to perform admin jobs using the control panel. The tools are really easy to use. With the coding, we can build a bunch of rules that apply for each programming language, for example, CSS, Java, and more. Even with the community version, we can still set up rules. We accommodate them and they give us the best quality. It's been a great experience so far.

What needs improvement? We could use some team support, but since we are using the community version, it's not available. Also, because we are using the community version, we have some problems from time to time regarding the SSO logins. Sometimes you need more time to configure things, to edit some profiles. SonarQube has come to the end of the project phase. The development team doesn't really utilize this because it's in the product development phase. They need more paths and delivery; they don't really care about security. But now, since we are also certified in technical security, we can go ahead and provide that for them. In short, communication needs to be better. Automation could be better. Sometimes by default, you need to configure some rules regarding detection. You need to have some parameters set regarding false-positive risk.

For how long have I used the solution? We have had SonarQube for over a year, but we have only been using it for the past two months.

How are customer service and technical support? With the use of the community version, we have already utilized it and carried out our needs to fulfil application security at the earlier stage with a small/medium SDLC team.

How was the initial setup? The initial setup was very straightforward. Overall, deployment took roughly one week.

What other advice do I have? There are so many qualitative tools other than SonarQube, but I think it's the only platform that is open-source; however, it doesn't cover you end-to-end, from the static, dynamic, and interactive source. Once we're done with SonarQube, we will switch to a proprietary tool, like Qualys, something that provides more end-to-end, but before we can do that, we need more people who know how to properly run the software. Overall, I would recommend SonarQube for your initial software quality. On a scale from one to ten, I would give this solution a rating of eight.

Which deployment model are you using for this solution? Public Cloud

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-10-30T00:00:00-04:00
Rated 5 out of 5 by from Stable with good static code analysis but needs better security

What is most valuable? When it comes to security, this solution is pretty great. The static code analysis of the solution is the most important aspect for us. When it comes to security breaches within the code, we can leverage some rules to allow us to identify the repetition in our code and the possible targets that we may have. It makes it very easy to review our code for security purposes. The solution is quite stable. You can scale the solution if you need to.

What needs improvement? In terms of solving for security breaches in the code, we are looking for different tools to help us catch things much sooner. Right now, we're not doing so well on this front. Therefore, we are looking for some other options in the market. I'm not the one who is tasked with looking at the moment; however, we are actively seeking out a more effective option for the static code analysis. There are sometimes security breaches in our code which aren't caught by SonarQube. In the security area, SonarQube has to improve. It needs to better compete with other products. The solution could offer some sort of alert feature. We've had an incident where somebody removed the solution from the pipeline and there were a couple of code instances that were pushed and merged with the codebase without passing through SonarQube. It would be nice if we were alerted to that. If the solution is offline or turned off, we'd like to be able to tell so that we can decide if it should be on or if it was a mistake. It would be great if it could support testing and configurations a bit more.

For how long have I used the solution? We've only been working with the solution for one year. It hasn't been that long.

What do I think about the stability of the solution? The solution is very stable. We don't have any issues with its reliability. It's been quite good so far.

What do I think about the scalability of the solution? The architecture that we have is not that big; however, from the scalability point of view, SonarQube supports scalability quite well. At the moment, we have a hybrid working model on the vendor side, as well as on the in-house team. The in-house team has 5 members and the vendor has maybe 20 people, more or less. All in all, we can say we have about 25 people using the solution at any given time.

Which solution did I use previously and why did I switch? We did not previously use a different solution. It was always manual code reviewing via the most experienced team members who would offer guidance on adjustments.

What's my experience with pricing, setup cost, and licensing? Right now, we are not using the enterprise features of the solution. I don't know about the licensing as I was not the one who introduced SonarQube into the pipeline. I believe we are using the free community edition and therefore aren't actually paying any money for it.

Which other solutions did I evaluate? I did an exercise a couple of months ago with my colleague. After this, I listed other products and their security aspects. I don't know if we found a solution that can offer us better features for security. I don't know if we will keep SonarQube in the pipeline or we will sell the product and get another product. I'm not sure at this point.

What other advice do I have? We're just customers. We don't have a business relationship with the company. I believe we are using the latest version of the solution; however, I don't know the exact number. I would advise others considering the solution to consider the level of security they need. If they are very concerned about security and the application is very sensitive, then SonarQube may not be the best option and they should seek out other products. Overall, I would rate the solution seven out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-10-27T00:00:00-04:00
Rated 5 out of 5 by from Useful dashboard, user-friendly, and effective drill down ability

What is our primary use case? We have many developers and we use SonarQube to ensure that we don't have badly written code. We must have a way to write code that can be understood by different people.

How has it helped my organization? Our developers are learning how to improve their code.

What is most valuable? The most valuable features are the dashboard, the ability to drill down to the code, the technical debt estimation and the overall user-friendliness of the user interface.

What needs improvement? The Enterprise edition has the additional features we need, but of course we have to pay for that.

For how long have I used the solution? I have been using SonarQube for approximately three months.

What do I think about the stability of the solution? SonarQube is a reliable solution.

What do I think about the scalability of the solution? I have not tried to scale the solution. I am looking to integrate SonarQube with the 45 secure solutions.

How are customer service and support? I have not needed to contact technical support. I found the user interface messages quite explanatory about issues. I didn't have to look up many issues elsewhere.

Which solution did I use previously and why did I switch? No.

How was the initial setup? The implementation of the solution is straightforward and it is well integrated with Atlassian software, i.e. Jira, Confluence, Bamboo and Butler.

What about the implementation team? We have a different group that is managing the SonarQube installation and setup.

What's my experience with pricing, setup cost, and licensing? SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off. I don't know the global figure, but they are asking each director general for approximately a lump sum of $5,000, which doesn't sound like a lot for what the solution does.

Which other solutions did I evaluate? No.

What other advice do I have? My advice to others would be to take a look at the community edition of SonarQube because it might be enough for their use case. I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-01-10T00:00:00-05:00
Rated 5 out of 5 by from Plenty of features, but needs multiple other products to function well

What is our primary use case? SonarQube can be used to analyze application code. We are testing SonarQube with some of our other products. We use the Sonar Link plugin with Teamscale, which is then applied to the main product we are using.

What is most valuable? I am only interested in the security features in SonarQube. There are plenty of other features, such as test coverage, code anomalies, and pointer access, that are handled by the business logic teams. They get the reports and they have to fix them in JIRA or Bugzilla.

What needs improvement? We have to combine several products in order to cover as many flaws as might exist in the code. We have to integrate several products to set up the security functionality of the product. SonarQube should have better functionality to cover all areas of security, limiting our need for other products. We have tens of millions of lines of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues, but this process should be improved.

For how long have I used the solution? I have been using this solution for approximately three years.

What do I think about the stability of the solution? There can be some stability issues.

Which solution did I use previously and why did I switch? I have used Veracode.

Which other solutions did I evaluate? I have evaluated many other solutions similar to SonarQube.

What other advice do I have? I rate SonarQube a six out of ten.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-08-10T00:00:00-04:00
Rated 5 out of 5 by from Works fine and provides good value for money
What is our primary use case? We use it as a gatekeeper for our external developers to follow the rules. If they don't comply with the rules within the source code, they cannot commit.
What is most valuable? It is working fine. It provides good value for money.
What needs improvement? One thing to improve would be the integration. There is a steep learning curve to get it integrated.
For how long have I used the solution? I have been using this solution for maybe two years.
What do I think about the stability of the solution? It is stable.
What do I think about the scalability of the solution? It is definitely scalable. Currently, we have six users.
How are customer service and technical support? We didn't contact them.
Which solution did I use previously and why did I switch? This was our first one.
How was the initial setup? Its initial setup is okay. It is not too difficult. It probably took a couple of hours. One developer is enough for its deployment.
What's my experience with pricing, setup cost, and licensing? We pay €10 per month for this solution, which is good. It provides good value for money.
What other advice do I have? I would recommend this solution to others. I would rate SonarQube a nine out of 10.
Which deployment model are you using for this solution? Public Cloud
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-08-11T00:00:00-04:00
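The "gatekeeper" use in the review above is normally implemented as a pipeline step that refuses to proceed unless the SonarQube quality gate passed. The following is an added example, not SonarQube's own code and not the reviewer's: it follows the documented Web API flow (sonar-scanner writes `.scannerwork/report-task.txt` with a `ceTaskId`, the background task is polled through `api/ce/task`, and `api/qualitygates/project_status?analysisId=...` gives the verdict for exactly that analysis). The HTTP layer is injected as `fetch(path, params) -> dict` so the logic runs offline against the constructed fake server at the bottom; the project key, task ids, server URL and token variable are assumptions made for the example.

```python
"""Block a CI step on the SonarQube quality gate verdict (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request

FINAL_STATES = {"SUCCESS", "FAILED", "CANCELED"}


def sonar_fetch(base_url, token):
    """Real transport: a SonarQube user token is sent as the HTTP Basic
    username with an empty password."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(path, params):
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def parse_report_task(text):
    """report-task.txt is key=value lines (projectKey, serverUrl, ceTaskId, ...)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def wait_for_analysis(fetch, task_id, attempts=60, sleep=time.sleep):
    """Poll the compute-engine task until it reaches a final state."""
    for _ in range(attempts):
        task = fetch("api/ce/task", {"id": task_id})["task"]
        if task["status"] in FINAL_STATES:
            return task
        sleep(2)
    raise TimeoutError(f"analysis task {task_id} did not finish")


def gate_verdict(fetch, analysis_id):
    """Return (status, failed_conditions); status is OK, ERROR or NONE."""
    status = fetch("api/qualitygates/project_status",
                   {"analysisId": analysis_id})["projectStatus"]
    failed = [c for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"], failed


def check_gate(fetch, report_text, sleep=time.sleep):
    """Return (exit_code, message): 0 only when the gate passed."""
    task_id = parse_report_task(report_text)["ceTaskId"]
    task = wait_for_analysis(fetch, task_id, sleep=sleep)
    if task["status"] != "SUCCESS":
        return 2, f"analysis {task_id} ended in {task['status']}"
    status, failed = gate_verdict(fetch, task["analysisId"])
    if status == "OK":
        return 0, "quality gate passed"
    details = "; ".join(
        f"{c['metricKey']} {c['actualValue']} (threshold {c['comparator']} {c['errorThreshold']})"
        for c in failed)
    return 1, f"quality gate {status}: {details or 'no condition details'}"


# --- constructed fake server (assumed ids), so the example runs without a SonarQube ---
SAMPLE_REPORT = "projectKey=payments-api\nserverUrl=https://sonar.example.test\nceTaskId=AXtask1\n"
FAILING_CONDITION = {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
                     "errorThreshold": "80", "actualValue": "61.5"}


def make_fake_fetch(gate_status, conditions):
    """Task goes PENDING -> IN_PROGRESS -> SUCCESS, then the chosen gate verdict."""
    states = iter(["PENDING", "IN_PROGRESS", "SUCCESS"])

    def fetch(path, params):
        if path == "api/ce/task":
            state = next(states)
            task = {"id": params["id"], "status": state}
            if state == "SUCCESS":
                task["analysisId"] = "AXanalysis1"
            return {"task": task}
        if path == "api/qualitygates/project_status":
            return {"projectStatus": {"status": gate_status, "conditions": conditions}}
        raise ValueError(path)
    return fetch


if __name__ == "__main__":
    import sys
    code, msg = check_gate(make_fake_fetch("ERROR", [FAILING_CONDITION]), SAMPLE_REPORT,
                           sleep=lambda s: None)
    print(msg)
    sys.exit(code)
```

In a real pipeline, replace the fake with `sonar_fetch(server_url, token)` and read `report_text` from `.scannerwork/report-task.txt` after the scanner step; the non-zero exit code is what actually stops the merge or deployment. Newer scanner versions can perform this wait themselves with `-Dsonar.qualitygate.wait=true`, but the explicit check is still useful when the verdict must be attached to a ticket or a report.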
Rated 5 out of 5 by from A stable solution for analysis and security vulnerability checking
What is our primary use case? We use SonarQube to scan our security protection.
What is most valuable? It is a very good tool for analysis and security vulnerability checking.
What needs improvement? The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for the C and C++ languages.
For how long have I used the solution? I have been using this solution for a couple of weeks.
What do I think about the stability of the solution? It is stable.
What do I think about the scalability of the solution? We haven't evaluated its scalability.
How are customer service and technical support? I just use our internal IT to get support for SonarQube. That is enough for me.
Which solution did I use previously and why did I switch? We were previously using Coverity. We used it for three years or so.
How was the initial setup? We just use the Enterprise SonarQube instance provided by our company.
What other advice do I have? I would recommend this solution. I would rate SonarQube an eight out of ten.
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-02-13T00:00:00-05:00
Rated 5 out of 5 by from An open-source platform for the continuous inspection of code quality
What is our primary use case? There are two versions: a free, open-source community version, and a subscription-based version. We use the community version, not the enterprise version. We are a very small organization. In total, there are four of us who use this solution. We will keep using SonarQube, with some additions, in the future. Firstly, we use SonarQube to evaluate code for M&A projects. Secondly, we use it to detect vulnerabilities while performing security audits. Our third use case is the detection of violations of programming practices towards code refactoring and code maintenance.
What needs improvement? The results exporting capability could be improved. Currently, exporting is a bit messy and fully dependent on the SonarQube environment. SonarQube offers a REST API and you could export the results programmatically, but the process is quite slow and limited. You can extract a maximum of 10,000 results per query, which lengthens the overall execution process tremendously. I guess the majority of users rely on SonarQube's presentation capabilities, which are very restrictive for some use cases.
For how long have I used the solution? I have been using SonarQube, every day, for more than two years.
What do I think about the stability of the solution? SonarQube is stable.
What do I think about the scalability of the solution? I wouldn't say that it is fully scalable. It's damn slow. It takes a lot of time parsing an average-size codebase. If you'd like to scale up and deploy it in a cloud environment, it's a completely different scale of difficulty. We have done this, but it's really hard.
How are customer service and technical support? As we are using the community version, there is no technical support.
Which solution did I use previously and why did I switch? I have used a wide variety of tools. SonarQube covers a wide variety of issues and it is a well-designed, robust framework.
How was the initial setup? To be honest, for me, the initial setup was a piece of cake; however, other colleagues and clients of mine have said that it's damn difficult to install it and extract the results, at least the first time. Initially, it took me some time to go through the process. It is not straightforward at all; it's quite complicated. It's a tool developed by developers for developers. If you are not a core developer, and I am not, it's super difficult to figure out the installation process thanks to the multiple steps involved. The autogenerated script isn't functional; it needs some tweaking. My clients report that it takes about a week to install it properly, and you need about two weeks more to configure it, let alone the performance optimization. The installation should be much simpler. There are competitive tools that come with a self-contained installation and configuration process. It requires a time investment to configure it properly. In short, it should come with a self-contained functional configuration set. Overall, the initial setup should be easier.
What about the implementation team? Currently, I can configure SonarQube by myself. Only one person, knowledgeable enough, is required to deploy it.
What's my experience with pricing, setup cost, and licensing? Unless you use a tech stack that is not supported, use the community version; there are no hidden costs or licensing required.
Which other solutions did I evaluate? Yes, we have evaluated plenty of alternatives; nothing is really comparable.
What other advice do I have? I would recommend this solution to others. It easily outperforms other static code tools. It's perfect as a static code analysis tool. Overall, on a scale from one to ten, I would give SonarQube a rating of eight.
Which deployment model are you using for this solution? On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use? Amazon Web Services (AWS)
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-01-08T00:00:00-05:00
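The 10,000-result limit the review above mentions is a server-side ceiling on `api/issues/search`: the endpoint serves at most 500 issues per page (`ps`) and rejects any page that would reach past result 10,000, so a single query cannot drain a large project. The usual way around it is to narrow the query until each slice fits and page each slice. The following is an added example, not SonarQube's own code and not the reviewer's: it walks a `createdAfter`/`createdBefore` window and halves any window whose total still exceeds the ceiling. The HTTP layer is injected as `fetch(path, params) -> dict` so the logic runs offline against the constructed fake server at the bottom (a real transport only has to perform an authenticated GET and return the JSON body); the project key, issue keys and dates are assumptions made for the example.

```python
"""Export every issue of a project past the 10,000-result ceiling (added example)."""
from datetime import datetime, timedelta, timezone

MAX_RESULTS = 10_000          # ceiling on p*ps enforced by api/issues/search
PAGE_SIZE = 500               # largest ps the endpoint accepts
ISO = "%Y-%m-%dT%H:%M:%S%z"   # datetime form the endpoint accepts, e.g. 2020-01-01T00:00:00+0000


def _page_window(fetch, params):
    """Drain one query whose total is already known to fit under the ceiling."""
    issues, page = [], 1
    while True:
        body = fetch("api/issues/search", {**params, "ps": PAGE_SIZE, "p": page})
        issues.extend(body["issues"])
        paging = body["paging"]
        if page * paging["pageSize"] >= paging["total"]:
            return issues
        page += 1


def export_issues(fetch, project_key, start, end, extra=None):
    """Return all issues of project_key created in [start, end).

    createdAfter is documented as inclusive and createdBefore as exclusive,
    so halving a window neither duplicates nor drops an issue.  `extra`
    carries further filters (severities, types, ...) for the hot-spot case
    where too many issues share one timestamp."""
    params = {"componentKeys": project_key, "createdAfter": start.strftime(ISO),
              "createdBefore": end.strftime(ISO), **(extra or {})}
    total = fetch("api/issues/search", {**params, "ps": 1, "p": 1})["paging"]["total"]
    if total <= MAX_RESULTS:
        return _page_window(fetch, params)
    if end - start <= timedelta(seconds=1):
        raise RuntimeError(f"{total} issues in one second; split on severities/types instead")
    mid = start + (end - start) / 2
    return (export_issues(fetch, project_key, start, mid, extra)
            + export_issues(fetch, project_key, mid, end, extra))


def export_unique(fetch, project_key, start, end):
    """Dict of issue key -> issue for the whole window, de-duplicated as a safety net."""
    return {i["key"]: i for i in export_issues(fetch, project_key, start, end)}


# --- constructed fake server that applies the real endpoint's paging rules ---
def make_fake_fetch(issues):
    """issues: list of dicts with 'key' and 'created' (timezone-aware datetime)."""
    def fetch(path, params):
        assert path == "api/issues/search"
        after = datetime.strptime(params["createdAfter"], ISO)
        before = datetime.strptime(params["createdBefore"], ISO)
        hits = [i for i in issues if after <= i["created"] < before]
        ps, p = int(params["ps"]), int(params["p"])
        if ps > PAGE_SIZE or p * ps > MAX_RESULTS:
            # same refusal the real server gives for a page beyond the ceiling
            raise ValueError(f"Can return only the first {MAX_RESULTS} results. {p * ps}th result asked.")
        page = hits[(p - 1) * ps:p * ps]
        return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(hits)},
                "issues": [{"key": i["key"], "creationDate": i["created"].strftime(ISO)}
                           for i in page]}
    return fetch


START = datetime(2020, 1, 1, tzinfo=timezone.utc)
END = datetime(2021, 1, 1, tzinfo=timezone.utc)
# 12,000 constructed issues, one every 30 minutes from START: more than one query may return
SAMPLE_ISSUES = [{"key": f"AX{n:05d}", "created": START + timedelta(minutes=30 * n)}
                 for n in range(12_000)]

if __name__ == "__main__":
    exported = export_unique(make_fake_fetch(SAMPLE_ISSUES), "payments-api", START, END)
    print(f"exported {len(exported)} issues")
```

The window split is what keeps every request legal: the year-long query above reports 12,000 hits, so it is halved once, and each half (8,784 and 3,216 issues) is then paged with at most 20 requests of 500. Splitting by creation date is preferred over splitting by severity or type because the date axis can be subdivided indefinitely, whereas the enumerated filters cannot.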
Rated 5 out of 5 by from It has very good scalability and stability
What is our primary use case? We usually do the development in Java, and when we finish the development, we usually run the SonarQube tests and review the critical level, bugs, and security issues. We also review the license and the web issues and try to solve them, and then pass again through SonarQube. We usually deploy it in the cloud, but sometimes we also have on-premises solutions.
What is most valuable? It has very good scalability and stability.
What needs improvement? We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube at finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They could simplify the installation and make it easier. We use Docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it could be improved to provide a better user experience.
For how long have I used the solution? I have been using SonarQube for two years.
What do I think about the stability of the solution? Its stability is very good.
What do I think about the scalability of the solution? It has very good scalability. In my company, we have fewer than 15 users. They are mostly developers.
How are customer service and technical support? I have not used the support.
Which solution did I use previously and why did I switch? I have used Codestyle and a few other tools. SonarQube is similar to other tools.
How was the initial setup? Its installation is a little bit complex. They could simplify the installation and make it easier.
Which other solutions did I evaluate? We didn't evaluate other options.
What other advice do I have? I would rate SonarQube a nine out of ten.
Which deployment model are you using for this solution? Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use? Amazon Web Services (AWS)
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-12-11T00:00:00-05:00
Rated 5 out of 5 by from Secures our code against threats and bugs, but needs better pipeline integration
What is our primary use case? We use SonarQube to help with our software development and testing. At the moment, we're mainly using it for static analysis and code inspection. We have an on-premises server and we connect to it from there. Our main use case is testing software for security weaknesses, but we also use it to help eliminate code smells and to make sure our code is compliant with established coding standards.
How has it helped my organization? SonarQube lets us find security issues during development and testing so that we can release more secure and higher quality applications.
What is most valuable? Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards.
What needs improvement? From a reporting perspective, we sometimes have problems interpreting the vulnerability scan reports. For example, if it finds a possible threat, our analysts have to manually check the provided reports, and sometimes we have issues getting all the data needed to properly verify whether it's accurate or not. This is especially important when considering false positives, and often we have issues getting all the necessary information from SonarQube in order to determine whether it is a true vulnerability or a false positive. Another suggestion for improvement is that SonarQube could be better when it comes to integration with different development pipelines for continuous monitoring. For example, whether you are scanning manually or on demand, we would like more ways to integrate SonarQube into our pipeline so that we can get reports quickly and automatically as we work.
For how long have I used the solution? I have been using SonarQube for about two years now.
What do I think about the stability of the solution? I have not run into major issues or bugs and it works well when it comes to stability.
What do I think about the scalability of the solution? I don't think we have had any problem with traffic or things like that.
How are customer service and technical support? I don't have experience with SonarQube support because we do it all ourselves.
Which solution did I use previously and why did I switch? I have not used any other similar solutions in the past. SonarQube is the first of its kind in my experience.
How was the initial setup? It's quite easy to set up, not too complex.
What's my experience with pricing, setup cost, and licensing? The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost.
What other advice do I have? Personally, I can't compare it to other similar solutions like Fortify, but SonarQube does a good job when it comes to making sure our code is compliant with standards and free of any obvious security weaknesses. I would rate SonarQube a six out of ten.
Which deployment model are you using for this solution? On-premises
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-01-07T00:00:00-05:00
Rated 5 out of 5 by from User-friendly, easy to access, and it has good training documentation
What is our primary use case? We are using this solution for analyzing sales, profit, and FI documents. We are using the HR section as well.
How has it helped my organization? SonarQube simplified some of the processes and made others more complex.
What is most valuable? The most valuable features are that it is user-friendly, easy to access, and they provide good training files. Also the ability to manage and customize reports. Sonar also models the relationship between packages and classes.
What needs improvement? It would be better if the users could have quick access to the features. Monitoring is a feature that could be improved in the next version.
For how long have I used the solution? I have been using SonarQube for three years.
What do I think about the stability of the solution? This solution is stable. Stability is not an issue for us.
What do I think about the scalability of the solution? It's scalable. Scaling is not a problem.
How are customer service and technical support? Because of the sanctions in our country, we cannot contact technical support directly.
Which solution did I use previously and why did I switch?
How was the initial setup? The initial setup was straightforward. It was a normal installation. It took approximately five days to deploy.
What's my experience with pricing, setup cost, and licensing? It's a bit expensive for us. The currency rate of the dollar is a problem, but it may be fine for other countries. This solution provides good features for users.
What other advice do I have? Before implementing, they should have more knowledge about the performance and the features. It will also be helpful to learn about the hardware. If you have good resources for the performance, you won't worry about it. It will also be dependent on your information, and how much knowledge you have. I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution? On-premises
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-12-09T00:00:00-05:00
Rated 5 out of 5 by from Very stable and easy to integrate, but is a bit expensive
What is our primary use case? We generally use the solution in order to do static code analysis.
What is most valuable? What I like about SonarQube is the integration with the pipelines. It is pretty easy. The reporting and the results are quick. It integrates within the pipeline well. The solution is very stable. The scalability is very good. We found the initial setup to be straightforward.
What needs improvement? The solution has very shallow SAST scanning. That is something that can be improved. I'm not sure if there is any plan for having DAST as well, which is the dynamic scanning. If they offered that in SonarQube, that would be ideal. I'd like to know if there is a plan or roadmap for Sonar to have that included. However, right now, at least from the SAST perspective, it can improve. The pricing could be reduced a bit. It's a little expensive.
For how long have I used the solution? We've been using the solution for the past two years or so. It's been a while.
What do I think about the stability of the solution? The solution is pretty much stable. Sometimes we have observed some issues when there are a lot of services getting deployed together. We have noticed some resource constraints sometimes. Occasionally the CPU and memory get affected. That was the only thing. It could be due to the resources that we have provided and maybe not the fault of the product itself.
What do I think about the scalability of the solution? I don't have the user count; however, from the application perspective, we have around 30 to 50 applications which are on SonarQube. All of the teams that are managing those applications have access to it. It is integrated within our pipelines. It gets used every day. Right now we are not scaling the solution. It is just one server that we have. It is static in sizing and we do not scale it.
How are customer service and technical support? We do have an enterprise version; however, that does not include support right now. If we have any issues, we try to resolve them on our own. So far, that has been sufficient.
Which solution did I use previously and why did I switch? We are also onboarding Checkmarx. We use both solutions. We are not replacing anything. Maybe we will use both in conjunction. Checkmarx provides DAST, whereas this product does not.
How was the initial setup? The initial setup is pretty simple. I do not recall the exact amount of time it took to deploy the solution. It does not require a lot of maintenance. It's just that whenever a new version comes in, we have to upgrade it.
What about the implementation team? We did the installation on our own. We did not need the assistance of any outside resources such as consultants or integrators. It was all handled in-house.
What's my experience with pricing, setup cost, and licensing? What we are looking at in the future is a bit of a price reduction. The pricing that we have been quoted for the next version is a little expensive. The pricing could also be reduced a bit.
What other advice do I have? We are just a customer and an end-user. While we installed the solution on the cloud, we host it on our machines. I would recommend the product to companies or teams who are building from scratch and don't have anything for doing the scanning of their products. That is something where SonarQube can be pretty helpful. It's good for a very small company with a limited number of products, which does not have a lot of the compliance and security-related requirements that big enterprises might have. I would rate the solution at a six out of ten.
Which deployment model are you using for this solution? Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use? Amazon Web Services (AWS)
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-04-29T00:00:00-04:00
Rated 5 out of 5 by from Easy to use, stable, and installation straightforward
What is our primary use case? We use SonarQube to scan SAS code for quality control in mostly mobile applications, such as iOS and Android applications.
What is most valuable? SonarQube is designed well, making it easy to use, simple to identify issues, and find solutions to problems.
What needs improvement? The solution could improve the management reports by making them easier to understand for the technical team that needs to review them.
For how long have I used the solution? I have been using the free version of SonarQube for approximately one year, and then I purchased a subscription that I have been using for the last three years.
What do I think about the stability of the solution? The solution is stable.
What do I think about the scalability of the solution? The solution has scaled well for our needs. We have two million lines of code and we have not had a problem. We work for a large enterprise that has approximately 1,000 IT employees.
How are customer service and technical support? There is a lot of information for SonarQube online in the community forums. I only used technical support when I needed to renew my license.
How was the initial setup? The installation is not difficult.
What's my experience with pricing, setup cost, and licensing? The solution has a free version and a licensed version. The license is priced reasonably; the cost of hiring one programmer is more expensive than the solution. The licensing process could be improved. We need to contact purchasing to receive the key for the license, but the process should be automatic, similar to a SaaS purchase.
Which other solutions did I evaluate? I have evaluated Fortify Application Defender.
What other advice do I have? I rate SonarQube a nine out of ten.
Which deployment model are you using for this solution? On-premises
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-09-13T00:00:00-04:00
Rated 5 out of 5 by from Good code review and reporting of basic vulnerabilities in your applications
What is our primary use case? We are using it for scanning our web applications and some internal applications, and using it for code reviews.
What is most valuable? SonarQube is good in terms of code review and reporting on basic vulnerabilities in your applications. The code writing standard of SonarQube is good. It may be better in other editions, but as we don't use those, we're not able to find out with SonarQube. We are using the community, developer version for 14 days. If this version is successful we will go to the full version. We're using it on-premises.
What needs improvement? It does not provide deeper scanning of vulnerabilities in an application on a live session. This is something we are not happy about. Maybe the reason for that is we are running the community edition currently, but other editions may improve on that aspect.
For how long have I used the solution? We have been using SonarQube for one year.
What do I think about the stability of the solution? It is stable.
What do I think about the scalability of the solution? SonarQube is scalable.
How was the initial setup? SonarQube was easy to set up.
Which other solutions did I evaluate? We considered using Fortify.
What other advice do I have? I would rate SonarQube an eight out of 10.
Which deployment model are you using for this solution? On-premises
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-11-30T00:00:00-05:00
Rated 5 out of 5 by from Open-source, secure static testing, but cannot be used for dynamic testing
What is our primary use case? We use SonarQube for testing and quality assurance. We use this in banks for testing. We also use SonarQube for static security testing.
What is most valuable? It provides the security that is required from a solution for financial businesses.
What needs improvement? SonarQube is used for static testing, not for dynamic. We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing. I would like to see software included that can be used with Waterfall projects.
Which solution did I use previously and why did I switch? We try to primarily use open-source solutions. The organization tries not to spend money for the moment. Many clients do not want to pay for solutions during this time, especially in the case of products that are expensive.
What's my experience with pricing, setup cost, and licensing? We have partnered with B2B American to help with the purchasing of the license. We have just been approved to purchase SonarQube Developer Edition. We have a license with 125,000 lines of code. We did not purchase a lot of lines, but it is specific to our code environment. It's an open-source solution.
Which other solutions did I evaluate? We are currently evaluating other solutions that are open-source. The company is trying to reduce the amount of money spent on solutions. We are looking for the newest technologies, but the biggest stopper for us is money.
What other advice do I have? For the units of architecture, we have tried to find the newest technology that would benefit the manifest of their orientation. It has been very difficult. Last year many projects stopped. I would rate SonarQube a six out of ten.
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-02-28T00:00:00-05:00
Rated 5 out of 5 by from Supports multiple programming languages, highly scalable, and has an open-source version
What is our primary use case? We are using the solution for code quality and security.
What is most valuable? The solution has a wide variety of features and an open-source community where you are able to learn Java, JavaScript, or any other programming language. The quality profile rules that it provides, based on the architect, are set across the board; this provides continuity. Being able to fix all the application vulnerabilities before they reach production is a huge benefit.
What needs improvement? There are times that we have had the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution.
For how long have I used the solution? I have been using the solution for approximately eight years.
What do I think about the scalability of the solution? The scalability depends on the use case. You cannot install it with minimal resources and expect it to run thousands of jobs. It is scalable based on your environment. How big is your project? How many APIs do you want to scan? How many APIs per minute, etc.? Based on that information you need to first decide upfront how much memory or how much storage you want to give to it. You need to have clear data with you and then design the resources accordingly. I think it is highly scalable and can operate seamlessly if you give it an environment that is sufficient. You cannot expect magic from it. We have some projects that have 150 users with ten teams using the solution.
How are customer service and technical support? We had to contact technical support several years ago because we had an issue with one of the new SQL plugins, which ended up being resolved. Support is not required anymore because they have very good documentation that meets our needs.
How was the initial setup? The initial setup is straightforward.
What's my experience with pricing, setup cost, and licensing? I do not know the price of the solution since I have not been involved in purchasing licenses. However, this solution requires a license, and we have enterprise-level licenses for our organization and for our client. The beauty of this solution is that the free open-source version is capable enough to do pretty much what an enterprise-level version can do. The enterprise level has only a few more options, such as better reporting and generating PDFs. If you have a small-scale project or if you do not have a high budget, I think open-source will do wonders.
What other advice do I have? For those wanting to implement this solution, I would suggest it is the best tool. It has a big open-source community where you can learn any language. There are many extra plugins you can apply to scan your code. It has support for Android, iOS, COBOL, Java, JavaScript, databases, and more. It has everything you need. I rate SonarQube a nine out of ten.
Disclaimer: My company has a business relationship with this vendor other than being a customer: Partner
Date published: 2021-04-25T00:00:00-04:00
Rated 5 out of 5 by from Prevents vulnerabilities, supports most languages and built-in procedures
How has it helped my organization? It prevents some vulnerabilities in the production environment.
What is most valuable? I like that it covers most programming languages for source code review. I also like the procedures that are already built in that cover most of the items that already exist.
What needs improvement? SonarQube does not cover the BPM programming language. It only covers the Java layer from BPM WebMethods. When we were faced with this issue with one of our applications, we found that we were not able to scan the BPM code for configurations generated from WebMethods. The BPM language is important and should be considered in SonarQube. It utilizes a lot of resources from the servers. I think this issue should be resolved because it takes approximately 20% of the CPU utilization. Reporting related to SonarQube only exists in the Enterprise Edition, and not in the Community Edition. There are no limitations on the lines of code with the Community Edition, but with the Enterprise Edition, there are limitations related to the lines of code. I don't understand why you can use an infinite amount of lines of code with the Community Edition while the Enterprise Edition is limited.
For how long have I used the solution? We have been dealing with SonarQube for more than one year.
What do I think about the stability of the solution? It is stable in the system environment processes.
What do I think about the scalability of the solution? We haven't used it with microservices or containers to check the scalability. We have used it on a Windows Server or Linux Server.
How are customer service and technical support? We contacted technical support about the BPM and WebMethods programming language. They supported us with a fast response and provided us with a solution for something that was not covered in SonarQube.
Which solution did I use previously and why did I switch? We only use SonarQube with SonarScanner.
How was the initial setup? The initial setup is simple and straightforward.
What about the implementation team? I am a consultant and my team completed the system server.
What's my experience with pricing, setup cost, and licensing? I requested this license for one million lines of code and they accepted this. I don't know what was already paid.
Which other solutions did I evaluate? We evaluated Micro Focus Fortify. From a cost perspective, we selected SonarQube. Now we are using the enterprise license as well.
What other advice do I have? We are telecommunication customers who have purchased a license. We are the largest telecommunications company in Saudi Arabia. I would rate SonarQube an eight out of ten.
Which deployment model are you using for this solution? Private Cloud
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-05-03T00:00:00-04:00
Rated 5 out of 5 by from Open-source, feature-rich, integrates well, and has good community support but the user experience could be better
What is most valuable? There is a large support system in the community. When we have issues we can get answers quickly and easily. It provides you with many features, as it does with the premium model, but there are still extra features that can be purchased if needed. It's very flexible. I am from the application development team and for me, it is very good because it offers a lot of features in terms of code review, quality checks, and more.
What needs improvement? In discussions with the security team, there are many other products available that perform better. The security in SonarQube could be better. SonarQube is more about the quality checks of the source code. It allows us to do a code review, but it lacks security. It could perform better. I would like to have better support for CI/CD as DevOps appliances, in terms of reporting on the issues and being integrated with the pipeline. It integrates well, but there is always room in this area to improve and to provide reports on the results. The user experience for the on-premises installation, creating a new project, defining the quality gate, and the user interface could be improved. It wasn't a simple experience.
For how long have I used the solution? I have been using SonarQube for six months. We implemented it in September of last year.
What do I think about the stability of the solution? It is very stable. We are still new to this product and learning, but there are times when SonarQube disconnects from the server with no alert or notification, and we have to run it again. It can be managed by running different scripts. From time to time we have claims that SonarQube is not running on the server and discover that the server was restarted but SonarQube did not restart. I don't know if it is a flaw in the product itself or if we can manage it from our infrastructure. It's stable but could be improved.
What do I think about the scalability of the solution? I believe that it is scalable, but this is an area that we have not yet explored. I know that there is an option to add a new rule. For example, if we are creating an application using Java, there is a list of predefined rules to check the quality against. It's expandable, at least in terms of code quality checks. For now, I am the only user of this solution.
How was the initial setup? The initial setup wasn't straightforward, but still, it was manageable. This is an area that can also be improved to make it easier to install and set up. There are many other products that are easy to set up and install.
What about the implementation team? I called an expert or a technical person who could work on it and manage it.
What's my experience with pricing, setup cost, and licensing? SonarQube is a free, open-source product. There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license.
What other advice do I have? We will be using this solution for the next year, but we are considering migrating to the cloud. From my experience, I would rate SonarQube a seven out of ten.
Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-03-15T00:00:00-04:00
Rated 5 out of 5 by from Good static code analysis but it's not stable and the installation is not user-friendly

What is our primary use case? We use it for the static analysis of the source code to find issues or vulnerabilities.

What is most valuable? The static code analysis is very good. In the banking sector, we have found several vulnerabilities and many issues in the source code.

What needs improvement? If you don't have any experience with the configuration or how to configure the files, it can be complicated. The installation needs to be more user-friendly, as well as the interface, which could be more user-friendly.

For how long have I used the solution? I use the full trial version of SonarQube. I have been using the latest version of SonarQube for six months.

What do I think about the stability of the solution? There are issues with stability. It needs improvement. We have four members in our organization who are using this solution.

What do I think about the scalability of the solution? I am not able to evaluate the scalability. Once we go with the Enterprise version, we will know after three months, how efficient and scalable it is with large applications.

How are customer service and technical support? I have not contacted technical support.

How was the initial setup? The initial setup is straightforward. This solution is easy to install. It only takes five minutes. We require a team of five to deploy and maintain it.

What about the implementation team? I completed the installation myself.

Which other solutions did I evaluate? We are also evaluating Acunetix and will know what direction we want to go in the next few weeks. Based on the testing, Acunetix offers something different. Acunetix has many features that are not found in SonarQube.

What other advice do I have? The enterprise version comes with many features. I have not been able to test it all because I am using the evaluation version. After three months of using this solution, I will have a better understanding of it. We plan to continue using SonarQube. Some feel that it is unfair to compare SonarQube with other solutions as it has so many features. I would rate this solution a seven out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-03-11T00:00:00-05:00
Rated 5 out of 5 by from Provides great code coverage; code security scanning could be improved

What is our primary use case? We're using the enterprise edition of SonarQube. I'm the head of DevOps engineering and we are customers of SonarQube.

What is most valuable? The most important feature is the software quality gate. When that's implemented we're able to streamline the product's quality. The other good features are SonarQube's code quality scanning and code coverage. If we use it effectively, we can capture the software code bugs early in the software development. It also helps us to identify the test coverage for the code that we're writing. It's a very, very important feature for the software developers and testers.

What needs improvement? There is room for improvement in the code security space which is not as extensive as it could be. There are other products on the market which are much better in terms of code security scanning. I'd also like to see improvement in support which is quite expensive.

For how long have I used the solution? I've been using this solution for six years.

What do I think about the stability of the solution? The product is stable although maintenance is a little cumbersome.

What do I think about the scalability of the solution? The product is scalable but there are some concerns. You need to regularly do a cleanup of the lines of code that are being scanned, otherwise the license will run out. We were not initially aware of having to do that. We have around 700 users in the company and we have three or four people involved with maintenance.

How are customer service and technical support? There's a problem with the technical support because it's offered as a separate paid package and doesn't come by default with the license. Most other products in the market include technical support with the software. There are various other products in the market, which are much better and offer support without any additional costs.

What's my experience with pricing, setup cost, and licensing? Licensing costs could be lower. We paid around 60,000 Singapore Dollars for our 20 million lines of code.

What other advice do I have? SonarQube is a very good tool for code quality. I rate this solution a seven out of 10.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-06-20T00:00:00-04:00
Rated 5 out of 5 by from Frees up time to focus on daily tasks, meet delivery requirements and deliver more reliable code

What is our primary use case? We use the solution to do quality code analysis for keeping track of security hotspots. We also use it to avoid the delivery of problems as the result of new code from our partners who may be developing software for systems, making improvements and carrying out bug corrections. These are the features of SonarQube of which I am aware.

What is most valuable? SonarQube is a fantastic tool which saves us precious time. Prior to using the solution, all our code analysis was manual and this was very time consuming. The increase in the number of projects, including those involving the development team, meant that it was becoming increasingly challenging to keep up with our delivery schedules. SonarQube helped a lot in this regard. So too, the wonderful tool from Eclipse, SonarLint, was very helpful. These solutions allow the partners who develop our system, our code, to receive on-the-fly analysis of their computers. This affords delivery of a much more reliable code, something which allows us to focus our work on more aggregated value operations.

What needs improvement? I am struggling to come up with an area needing improvement. I am a big fan of SonarQube. I do have familiarity with the solution, but not extensively on a daily basis in respect of development. This said, we did have some trouble with the LDAP integration for the console.

For how long have I used the solution? As our company is not primarily IT-related we are latecomers when it comes to adopting new technology. As such, we started using the community version of SonarQube around eight to ten months ago.

What about the implementation team? I have limited personal experience working with the solution. I have a colleague who works with me and she is actually engaged in its operation. My role is to provide guidance in how to implement products. She works more in implementing the installation of the solution, in deploying the projects on SonarQube. But, I have a little more context with this tool.

What other advice do I have? I am a customer of SonarQube. At the moment, SonarQube is deployed on-premises. We have an installation running in one of our servers. When we deploy on-cloud, we normally use Amazon Web Services. I rate SonarQube as a ten out of ten, easily. I think it's fantastic, a wonderful tool. Even if I don't use it directly, it frees me up to focus on other tasks in my daily routine.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-06-13T00:00:00-04:00
Rated 5 out of 5 by from Well featured, easily manageable, identifies production issues

What is our primary use case? We decided to implement the solution to keep up to date with testing, security, and other issues with developments, such as bugs.

What is most valuable? In regards to features, overall the product is good. It minimizes the difficulty or issues that we encountered during the production. We are using the open-sourced version and issues can easily be resolved.

For how long have I used the solution? I have been using the solution for four to five years.

What do I think about the stability of the solution? We are using everything that is open-source, and this allows our team, when we have the regular day-to-day issues, to work on them directly, identify their causes, and resolve them quickly.

What about the implementation team? We have our internal team that is very knowledgeable, experienced, and have extreme abilities that handle our needs.

What's my experience with pricing, setup cost, and licensing? I think comparing the product to competitors it should be less expensive.

What other advice do I have? I would recommend SonarQube. It is a good deal compared to all other tools on the market. It certainly helped us, it is a good tool and should be definitely used. I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2020-12-31T00:00:00-05:00
Rated 5 out of 5 by from Effective security scanning, uncomplicated installation, and reliable

What is our primary use case? We are a $4 billion valuation large company and we use the solution for status security, scanning, and code quality. I am currently in the process of building a pipeline for one of my customers and for that we are utilizing this solution for the static analysis.

What is most valuable? The fact that the solution does security scanning is valuable. This is primarily why we use it. For code quality, we could utilize other tools, such as unit test coverage, which it gives you too, but having a more comprehensive tool is useful.

What needs improvement? Having a tool that is comprehensive in nature is very useful because otherwise, we have to run through multiple tools in order to get the entire viewpoint of a particular set of code. For example, we use SonarQube in combination with Nexus, which is another product that gives us some other information. I guess when it comes to the gamut of things that we are looking for including static code quality, static testing, and dynamic testing of security. Having performance regression would be a helpful add on or ability to be able to do during the scan. In an upcoming release, I would like to see the dynamic security testing feature available. I would like to point out that they could already offer this feature but I have not been that deep into the solution to know yet.

For how long have I used the solution? I have been using the solution for approximately one year.

What do I think about the stability of the solution? I have not run into any bugs or glitches. However, I have only been using it for a short time.

What do I think about the scalability of the solution? The pipeline that I am currently building is being used by the platforms team, which is approximately three people. We use the solution as part of the automated code review process. As far as a larger perspective of who is actually benefiting from it, the development team is about 35 people.

How are customer service and technical support? I have not needed to use technical support.

How was the initial setup? The set up was very easy.

What other advice do I have? I would recommend to those wanting to implement this solution to read the documentation, they are clear and easy to follow. I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution? Private Cloud

Disclaimer: My company has a business relationship with this vendor other than being a customer: Partner
Date published: 2021-04-08T00:00:00-04:00
Rated 5 out of 5 by from Coding quality assurance tool that comes with good DevOps implementation

What is our primary use case? This solution has the capability to analyze source code in almost all the languages in the market.

What needs improvement? This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced.

For how long have I used the solution? I have used this solution for ten years.

What do I think about the stability of the solution? This is a stable solution.

What do I think about the scalability of the solution? This is a scalable solution. We have been using it for all of our critical projects.

What was our ROI? I have never made the calculations to understand the real value of this solution but I know that the return on investment is very good. If not, we wouldn't have continued to use it for the past 10 years.

What's my experience with pricing, setup cost, and licensing? As a user and a consumer of this solution, it can be pricey for my company to support and use, even though there are many benefits. For this reason, we use the free version. In the future, as our product cycles develop and evolve at a more steady pace, we hope to invest in the licensing for this tool.

What other advice do I have? This solution has evolved a lot in the last ten years. It comes with good DevOps implementation and security, which is a big problem today.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-02-26T00:00:00-05:00
Rated 5 out of 5 by from Open-source, stable, and finds the problems for you and tells you where they are

What is our primary use case? I have it integrated with our continuous integration server. On a scheduled basis, typically in the middle of the night, it'll do performance scans so that the results are available and viewable by the developers on the website. The scans are done automatically by using a continuous integration server, which is TeamCity. We are using version 5.6.6. It is a very old version, but that's what we've been using. We haven't gotten around to updating it.

What is most valuable? I like that it's easy to navigate not just in terms of code findings but you can actually see them in the context of your source code because it gives you a copy of your code with the items that it found and highlights them. You can see it directly in your code, so you can easily go back and make the corrections in the code. It basically finds the problems for you and tells you where they are.

What needs improvement? The learning curve can be fairly steep at first, but then, it's not an entry-level type of application. It's not like an introduction to C programming. You should know not just C programming and how to make projects but also how to apply its findings to the bigger picture. I've had users who said that they wish it was easier to understand how to configure, but I don't know if that's doable because what it's doing is a very complicated thing. I don't know if it is possible to make a complicated thing trivially simple. They could improve their documentation. There were some books written about it, but even when we first started using it, the books were out of date. It's more of a plea to some of the authors who have become experts in using it to revise their books. I'd buy a copy of it. SonarQube does a good job of supporting the open-source community, but some of the documentation tends to lag behind. That's not unique to SonarQube. It gives an opportunity to those who have taken the time to learn about it to author books and become resident experts or community experts. It'd be nice if some of those guys made another edition to support the open-source efforts that are there. In terms of features, at this point, I don't have any requirements. We've been growing into it slowly, and we haven't really exhausted what it already has. When and if we get to a point where we are aggressively applying what it's telling us, we may reach a point where it's like, "If it could tell us this as well, that'd be nice." We haven't reached that point yet. We haven't listened to all of the advice that it's giving us now.

For how long have I used the solution? It has been a couple of years.

What do I think about the stability of the solution? Any lack of stability is because it's being expanded and updated pretty much constantly. We haven't experienced any crashes or bugs. We do have an opportunity here coming up within the next few weeks of revisiting some of the ways we do things there.

What do I think about the scalability of the solution? It is definitely scalable. We plan to increase its usage.

How are customer service and support? Since we're using the open-source components, we use web searches and online resources. Once you get a little used to their website, they have a lot of information. The support, even for an older version, is pretty good. I've been able to find workable solutions. You just have to do a little searching. We don't have stability issues. It hasn't crashed since we got it up and running, but there are some configurations or different options you can apply when you're scanning. So, you have to learn its language, and the information is available if you search the web.

Which solution did I use previously and why did I switch? Way back in the past, we used other static analysis tools like PC-lint or Gimpel Lint. I still have plans to resurrect some of that, but I'm of the mindset that the more opinions you get about your code, the better off you are. You get to look from different angles with different tools. In terms of the automated tool, SonarQube was the first one we had for getting into the DevOps generation of stuff.

How was the initial setup? We did have some issues, but they were because we didn't understand the relationship between different flavors. You've got the server, and the SonarQube service itself provides an HTTP type input. There are also versions of the scanners for different tools we're using, which are typically C++. We started with a mismatch of that. It may have been the server and the scanner, which runs on your client workstations. We had a mismatch of versions. After we dug into it a little bit and realized that was the problem, it was pretty straightforward. The setup from there was pretty trivial. You do need to know how to use a database. I most certainly use MySQL just because it's easily available on a minimal Linux install, CentOS. It's a Red Hat 7. It's BaseOS, a minimal install. It probably needed Java and a few tools that are fairly common. If you know how to set up a MySQL database, you can do it. If you know how to set up Java on Red Hat, which is pretty straightforward other than the fact that some path issues come into play, but that's just part of the game. Once you do that, it installs pretty easily.

What about the implementation team? We did have a consultant. He was looking at our overall engineering infrastructure, things beyond SonarQube. He was helpful in finding out, or pointing out, that it was the issue with the revisions. The versions of the different pieces weren't matching up. He did help with that, but in terms of putting it in, I did the validation work for validating the installation process and reproducibility for future users in case I leave the company and they need to recreate it. They've got the documentation to do so. So, I did all that. For an application of its complexity, it was fairly straightforward once we resolved the version issue. Its deployment and maintenance can be done by one engineer.

What's my experience with pricing, setup cost, and licensing? We're using an older version because it is the open-source flavor of it and we can continue using it at no cost. We're not paying any licensing at all, which was another factor in choosing this route so that we can learn and grow with it and not be committed to licenses and other similar things. If we choose to get something else, we have to relearn, but we don't have to relicense. Basically, we're paying no license costs.

Which other solutions did I evaluate? We did look at a lot of other ones. Some of the names I actually can't recall. There were code quality analyzers out there besides that. We did review them and settled on this one because it's very widely used, and the open-source capabilities are pretty well-supported to where you can use it without obligation. None of them are trivial to set up and use because they are doing a very complicated process. They all have their different ways of going about things, but you've got to understand any one of them. We picked this route.

What other advice do I have? You have to be willing to invest. For any tool of this magnitude, if you're going to say, "Well, we want to do the least we can possibly do and see what's the least we can get by with," you'll get the least possible benefit. My recommendation is that you do the opposite. You should consider everything it's telling you. You may not want to fix everything, but you should be aware of everything that's showing in your code. After that, you have the opportunity to look at your whole development process and just the way you do things and go back to your roots and look for ways to change things at the beginning that can have an impact. You have a big impact on the output of things towards the end, but maybe change the way you start things. Instead of trying to get the least that you can get with the least amount of effort, partner yourself with it as much as possible. I would rate it an eight out of 10.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-02-02T00:00:00-05:00
Rated 5 out of 5 by from Good analysis of code quality, great for even junior developers, and improves a website's look/feel

What is our primary use case? I have used it to test clients' websites. After testing, it gives a deep overview of website bugs and issues. A good point about SonarQube is that it gives you the solutions to resolve your issues. At times, I find the blocker (during times of emergency code deployment) doesn't allow the code to be checked in to the repository unless the violations are fixed, which should enable the user to bypass the number of lines that should be part of the written method.

How has it helped my organization? It improved our website's look and feel. We consider it a handy tool that helps to resolve our issues immediately. It is a good tool for evaluating technical debt and introducing junior developers to codification standards and good practices. There is an amazing code quality application that defines coding standards. The tool is pretty much useful for a technical lead to reduce his efforts in reviewing the codes. The tool has integration with several languages.

What is most valuable? SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports on the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continuously over time. The solution's most valuable features are its:

* Code quality
* Release quality code
* Code security
* Security analysis

SonarQube empowers all developers to write cleaner and safer code. You can grow as a developer. Integrations: Analysis results are right where your code lives. It works well with GitHub.

What needs improvement? It should be user-friendly. I keep looking for improvements after every update. PeerSpot users give SonarQube an average rating of 8 out of 10. SonarQube is most commonly compared to Checkmarx: SonarQube vs Checkmarx. The SonarQube brand is trusted by many teams and it has been validated. It is one of the most recommended free application security testing solutions. SonarQube is really a good tool for SAST with seamless integration to your CI/CD pipeline. We have used it on our website and had good results.

For how long have I used the solution? I have been using SonarQube 8.9.7 for a long time (since we had some issues in our software dealing with many critical issues that needed to be resolved for clients). I recommend SonarQube as it is beginner-friendly and can resolve your issues with the proper usage of your website.

What do I think about the stability of the solution? The dimensional stability of the impression materials depends on the time elapsed between the completion of the impression and their casting, thus storage time is critical to obtaining reliable casts.

How are customer service and support? Beyond listening, customer service is doing everything in one's power to efficiently and accurately serve each customer.

How would you rate customer service and support? Positive

Which solution did I use previously and why did I switch? We did use another solution, however, we found issues such as:

* Ineffective time management
* Lack of instant communication
* Not receiving timely feedback
* Not receiving clear instructions or expectations
* Share time management apps and resources for students
* Utilize educational technology ("EdTech")
* There's also a need to increase peer review

How was the initial setup? The solution is easy to do and understand. It's not complicated and it's easy. It's a relatively straightforward process.

What was our ROI? According to conventional wisdom, an annual ROI of approximately 7% or greater is considered a good ROI for an investment in stocks.

Which deployment model are you using for this solution? Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use? Google

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-03-31T00:00:00-04:00
Rated 5 out of 5 by from Does well in scanning and vulnerability; lacking in some specific SAST capabilities

What is our primary use case? I'm a software development engineer and we are customers of SonarQube.

What is most valuable? SonarQube does SAST and SCAs pretty well. One of the important things for me, something that is different from a solution like Checkmarx, was that SonarQube had SonarLint that we can use for local scanning for developers. The product does well in scanning and vulnerability.

What needs improvement? SonarQube is missing specific SAST capabilities. In addition, when we have security issues we want to mitigate those and it seems that SonarQube doesn't persist with the mitigation. Each time it discovered a new scan it wiped out all the persistence that we had mitigated for previous vulnerabilities. Dynamic scanning is missing and there are issues with security scanning in terms of failing projects where it didn't pass a scan.

For how long have I used the solution? I've been using this solution for three years.

What do I think about the stability of the solution? The solution is quite stable.

How are customer service and technical support? We don't have contact with technical support, any issues are solved by our operation team.

How was the initial setup? The initial setup wasn't too complicated. We have a number of teams of developers and around 150 users together with an operations team who maintain the infrastructure. From a user perspective we scan at least once a day.

Which other solutions did I evaluate? I looked at Checkmarx but it wasn't as straightforward as SonarQube because it's only supporting Linux and maybe Windows, but I wasn't able to find any local scanning support for Mac computers, and that was an issue. I'd like to learn more about Checkmarx.

What other advice do I have? I would suggest looking at the pipelines and understanding usage scenarios in terms of what the customer is looking for. For instance, the mitigation persistence through the life cycle of a project is not there. For me, it's like a lack of tracking records of what to mitigate. It's something that you thought would be a part of the basics, but it's not there. I think there's about 40% of the features I'd like to see that are missing in SonarQube, so I'd rate it a six out of 10.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-08-08T00:00:00-04:00
Rated 5 out of 5 by from It supports 29 languages

What is our primary use case? SonarQube is a code-scanning tool that ensures people follow the right coding standard. It detects any memory leaks or unwanted functions that have been written so developers can optimize the code for better performance. We don't know too much about how our customers use SonarQube because we just set it up for them. We show them how the reporting works and what to do to fix common issues.

What is most valuable? SonarQube is one of the more popular solutions because it supports 29 languages.

What needs improvement? SonarQube supports most database languages, like SQL queries, PL/SQL, etc., but some newer programming languages are not there. For example, it's missing some more popular languages like Apache Groovy. I would like to see some support for scanning these new popular languages. I would also like SonarQube to be able to write custom scanning rules. More documentation would be helpful as well because some of our guys were struggling with the customization script.

For how long have I used the solution? I've been using SonarQube for the past eight years or so. I am a DevOps consultant who helps the end-users set up their environments. My clients operate in various industries, including the service industry.

How was the initial setup? SonarQube takes five to 10 minutes to install, and I train people on this technology, so I install it for them and teach them how to use it. On Linux, it maybe takes another five or 10 minutes, but it is straightforward. We first try it out with a limited number of users, so four or five users will run it, but the report is shared with multiple users. The report generated will go to thousands of users. You run the report from the DevOps point of view, then share it with everyone.

What's my experience with pricing, setup cost, and licensing? I'm involved in the price discussions, so I'm unaware of the cost. However, I don't see any other competitors in the same space. There are one or two, but they're not popular. SonarQube is free for one user, so people can explore it, but if they need enterprise support, they can buy licenses, and we can go forward.

Which other solutions did I evaluate? SonarQube is the only code scanning software I've tried, but I've also seen Nexus Scanner. However, it's not for binary scanning and so forth. It won't scan your source code. It's just an artifact scanner.

What other advice do I have? I rate SonarQube eight out of 10. I always recommend SonarQube because it is also available in an open-source version, so people can understand the power of this tool and how it can help in an IT setting.

Which deployment model are you using for this solution? On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-01-16T00:00:00-05:00
Rated 5 out of 5 by from Reliable and secure solution used for qualitative coding, including the SonarLint plugin

What is our primary use case?
We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard.

What needs improvement?
We previously experienced issues with security, but a segregated security violation has been implemented and the issues we experienced are being fixed. We have also experienced duplications of rules within the system as well as code samples that are short of ten numbers.

What do I think about the stability of the solution?
This is a stable solution.

What do I think about the scalability of the solution?
This is a scalable solution.

How was the initial setup?
The initial setup was straightforward.

What about the implementation team?
Most of the deployment was done by me. Once a certain level of complexity was involved, a team was used to validate and deploy those parts of the solution.

What other advice do I have?
I would recommend SonarQube to other users as it is a good solution and the security issues we experienced are being fixed. I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-02-22T00:00:00-05:00
Rated 5 out of 5 by from Reliable with a nice web interface but needs better reporting

What is most valuable?
We find it very similar to Fortify, and it has the same advantages. The web interface is very good. We have found the solution to be stable. The solution offers a very good community edition.

What needs improvement?
There isn't a very good enterprise report. They also do not have an application report. We'd like for them to work on this aspect.

For how long have I used the solution?
I've used the solution for three years. I've used it for a while now.

What do I think about the stability of the solution?
In terms of stability, the solution is reliable and the performance is good. There are no bugs. It's not glitchy. It doesn't crash or freeze.

How are customer service and support?
I've never used technical support. I can't talk about how helpful they are, as I've never spoken with them personally. If I do need to troubleshoot, I tend to rely on the community and search for answers there.

Which solution did I use previously and why did I switch?
We've also used Fortify.

How was the initial setup?
I didn't participate in the installation process. I can't speak to how easy or difficult the process was.

What's my experience with pricing, setup cost, and licensing?
I use the community version of the product.

What other advice do I have?
We are a customer and an end-user. I'd rate the solution at a seven out of ten. It's mostly reliable.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-01-30T00:00:00-05:00
Rated 5 out of 5 by from Scalable, good technical support, but multiple application project option needed

What is our primary use case?
SonarQube is used for in-production scanning of applications. We are only doing unit testing to improve the overall quality of the code.

How has it helped my organization?
The developers have responsibility for unit testing, but it is very important that we check what they have been doing. SonarQube allows us to see the result directly in the pipeline.

What needs improvement?
We had some issues scanning the master branch, but when we upgraded to version 7.9 we noticed it does scan the master branch, although we had to do a workaround for it to happen. This process could be improved in a future release. What we are seeing is that for some of the JavaScript projects SonarQube is not reading all the files. We had to manually configure it to accomplish what we wanted. However, we probably needed some documentation that we did not have that explained this process. In an upcoming release, it would be beneficial to have the ability to use multiple applications under one project, and if we want to scan one of the applications we can just switch to that application; this would be really helpful.

For how long have I used the solution?
I have been using SonarQube for approximately two years.

What do I think about the scalability of the solution?
The solution is scalable. We have plans to increase the number of users using this solution because we have approximately 3,000 applications but only 200 are being used. There are a lot of people using this solution in my organization because they are able to scan directly from their IDEs.

How are customer service and technical support?
We have worked with the support from SonarQube and we have had good experiences.

How was the initial setup?
The initial setup was simple. When we did the upgrade, it took our team approximately two hours.

What about the implementation team?
Our internal team did the implementation of the solution.

What's my experience with pricing, setup cost, and licensing?
We are using the community version of the solution and we plan on purchasing licenses for the upgraded version soon. There is a limitation on how many lines of code can be scanned, and this is why we are going to purchase a license for an increased amount.

What other advice do I have?
SonarQube is a very nice tool and people can learn to code better from the analysis it provides. We needed to make sure our code is maintained properly and has high quality, and this tool helped. The solution has made the developers have more confidence in their code because from the scanning they can fix bugs and problems easily. I rate SonarQube a seven out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-09-14T00:00:00-04:00
Rated 5 out of 5 by from Beneficial testing tool, helps developers become sharper, and makes software more secure

What is our primary use case?
I use SonarQube for testing software.

What is most valuable?
The solution can verify vulnerabilities, code smells, and hotspots. It makes the software more secure and it helps make a junior or novice developer sharper.

What needs improvement?
The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications. In the next release, they should add the ability to analyze containers.

For how long have I used the solution?
I have been using SonarQube for approximately three years.

What do I think about the scalability of the solution?
We have mostly software developers using this solution, and there are approximately 50 using it.

Which solution did I use previously and why did I switch?
I have used Snyk and it is more catered to a different audience than SonarQube. SonarQube is more for software developers.

How was the initial setup?
The installation is straightforward, especially with the new Docker implementation.

What about the implementation team?
I did the implementation of the solution myself.

What's my experience with pricing, setup cost, and licensing?
The process of purchasing the solution could improve.

What other advice do I have?
This solution is a good static test tool for developers. It helps keep the maintainability and security of software. I rate SonarQube an eight out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-10-13T00:00:00-04:00
Rated 5 out of 5 by from IDE plugins are easy to use and integrate

What is our primary use case?
I use SonarQube for Google's web services, from a security perspective, as well as Oracle Forms, HTML Forms, and script. SonarQube is deployed on-premises.

What is most valuable?
Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration.

What needs improvement?
SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see.

For how long have I used the solution?
I have been working with the Community Edition for at least ten years, and I have been working with the Enterprise version for about a year.

What do I think about the stability of the solution?
So far, we are happy and haven't had any issues with stability. The only maintenance this product needs, for now, is just updates and patches. SonarQube is an auditing requirement from our side and for our SDLC, so it is a gate in our SDLC.

What do I think about the scalability of the solution?
SonarQube is easy to scale. As we've opted for the Docker builds, we haven't had issues yet. At this point, there are at least 300 people in my company who are working with SonarQube.

Which solution did I use previously and why did I switch?
I have minor experience with Q One. The main difference is in the licensing structure, with regards to lines of code. We have noticed that Q One has a bit more details, but support for various languages is lacking.

How was the initial setup?
The setup process of SonarQube is straightforward. Deployment took about a week, but the integration of the multiple teams—introducing them and getting them on board—took about a month.

What about the implementation team?
We implemented this solution through an in-house team.

What's my experience with pricing, setup cost, and licensing?
Compared to similar solutions, SonarQube was more accessible to us and had more benefits, with regards to size of the code base and supported languages. Apart from the Enterprise licensing fee, there are no additional costs.

What other advice do I have?
I rate SonarQube an eight out of ten. To anyone who is looking into implementing SonarQube, I would recommend they look at what their requirements are, with regards to languages. If it's just Java, then the Community Edition is fine, but if there are any additional languages, then I would recommend Enterprise.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-12-10T00:00:00-05:00
Rated 5 out of 5 by from Open-source with great extensions and great for identifying bugs

What is our primary use case?
We use the product in our pipeline. We primarily use it as a development testing tool.

How has it helped my organization?
We can see what's being flagged by whatever requirements in the environment that we're going to. SonarQube has these rules that you set up. You can set the rules and adjust them. It allows us to either be at 80% or whatever the case may be. Setting up these conditions can tighten down the developer's coding.

What is most valuable?
It's convenient due to the fact that it's open-source. We're able to identify bugs and those kinds of things before we actually push anything into a staging or production area. It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go. It's a great little loop. You see this, fix it, take it back. Versus putting something into an environment and then everything is all broken. It's a good development test tool. Nowadays you can add extensions, similar to what you can do with the Jenkins tool, the CI/CD tool, the build tool. Jenkins can have a lot of plugins that interface with a lot of vendors or it can do a lot of things. Just like Google Chrome where you can bring in an extension, you can do the same here. In SonarQube, you can add something by just adding an extension that you may have to pay extra for. However, that add-on has additional functionality that the base software may not necessarily have in its core. For example, Fortify has some kind of special capability that they have for checking, and SonarQube has created an extension that allows the Fortify extensions. Right now, I have Fortify; however, it's in this product at a very modular level.

What needs improvement?
The solution is still maturing a bit. You may need to purchase add-ons to get the usability you desire.

For how long have I used the solution?
We've been using the solution for about two years at this point.

What's my experience with pricing, setup cost, and licensing?
The solution is open-source. It's free to use.

What other advice do I have?
Not everybody uses SonarQube. However, if they do use SonarQube and they're trying to look for functionality, then an extension into SonarQube is the way to go. We, for example, love how we can have Fortify functionality via this product. I can't speak for all the other shops, right. That's just our workflow. I'd rate the solution at a perfect ten out of ten. For what it does as far as static code analysis, it's pretty good.

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-07-14T00:00:00-04:00
Rated 5 out of 5 by from Installation straightforward, stable, and reliable

What is our primary use case?
We are using this solution to check and monitor application code to ensure security quality.

How has it helped my organization?
The solution has helped us mitigate problems in applications before they became a bigger issue.

What needs improvement?
The solution could improve by having better consulting services.

For how long have I used the solution?
I have been using SonarQube within the last 12 months.

What do I think about the stability of the solution?
The stability is good.

How was the initial setup?
The installation was straightforward; we have an internal team that does it.

What about the implementation team?
We have a team in our organization that does the implementation, configuration, and maintenance of the solution.

What's my experience with pricing, setup cost, and licensing?
The price of the solution could be reduced.

What other advice do I have?
I rate SonarQube a ten out of ten.

Which deployment model are you using for this solution?
Hybrid Cloud

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-07-11T00:00:00-04:00
Rated 5 out of 5 by from Useful depth features, stable, but more programming languages needed

What is our primary use case?
We are using SonarQube for many different reasons, but I was interested more in the security metrics based on the new updates for more particular rules.

What is most valuable?
The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make more readable code and have more flexibility for the engineers to understand how things should work when they do not know.

What needs improvement?
I was more focused on the security aspects and not on quality. SonarQube focuses a lot on security and is going to provide some visibility around that area, but there could be more focus on team management. For example, what type of remediation is going to be provided when the types of scans are being applied based on different rule sets at the SonarQube level, from the security point of view, this would be helpful. If there was an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful. In an upcoming release of the solution, I would like to see more types of programming languages added and improvement in their SaaS offering to compete better with other enterprise solutions, such as Fortify.

For how long have I used the solution?
I have been using SonarQube for approximately four years.

What do I think about the stability of the solution?
We are not relying on this solution as a go-to application security scanning tool. We use it for some minor enhancement regarding security, but we are using it actively in other departments for the code quality scanning. I have not had any problems using the solution; it has been stable.

What do I think about the scalability of the solution?
We have approximately 15,000 engineers in my company and many of them are using this solution.

Which other solutions did I evaluate?
I have evaluated Fortify.

What other advice do I have?
I rate SonarQube a six out of ten.

Which deployment model are you using for this solution?
Hybrid Cloud

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-06-30T00:00:00-04:00
Rated 5 out of 5 by from Simple implementation, effective scanning, and tracking

What is our primary use case?
We are using SonarQube for static analysis and finding vulnerabilities in our code.

What is most valuable?
Easy installation. Very accurate finding of vulnerabilities and a minimum of false positives.

What needs improvement?
SonarQube could improve by adding automatic creation of tasks after scanning and more supported languages.

For how long have I used the solution?
I have been using SonarQube for approximately two years.

What do I think about the stability of the solution?
SonarQube is a highly stable solution.

What do I think about the scalability of the solution?
I have found SonarQube to be scalable. We have 20 to 25 specialists using SonarQube in my organization. We have plans to increase the usage of the solution.

How are customer service and support?
We search Google for solutions to any problems we may face.

How was the initial setup?
The solution is easy to implement in our process of continuous integration, continuous delivery, and continuous deployment (CI/CD).

What about the implementation team?
We did the implementation of the solution ourselves. We have assigned each project one DevOps, and each DevOps is deploying SonarQube in their project, and we have in total about 20 projects.

What's my experience with pricing, setup cost, and licensing?
The free version of SonarQube does everything that we need it to. Licenses of this solution can be purchased annually. We plan to buy the maximum license enterprise edition of the solution.

What other advice do I have?
I highly recommend this solution to others. I rate SonarQube a nine out of ten.

Which deployment model are you using for this solution?
Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-01-15T00:00:00-05:00
Rated 5 out of 5 by from Good performance, improves the security of our applications, helpful technical support

What is our primary use case?
We primarily use SonarQube for quality control on the software being deployed in our company. We had to control the open-source software we use. We develop software and have to create builds around it. As part of this process, we want to be sure of the security conformity for each module. It is installed and plugged into a Kubernetes pipeline build system.

How has it helped my organization?
Using SonarQube benefits us because we are able to avoid the inclusion of malware in our applications. We can repair vulnerabilities and exploits from outside of the organization.

What is most valuable?
The performance is good.

What needs improvement?
The handling of the contents of Docker container images could be better. We are building microservices using Docker containers, and the image is embedding a lot of software. The verification in the image could be improved because you're able to check the image while building it, but if you are using a prebuilt container image then it's more difficult to do.

For how long have I used the solution?
I have been using SonarQube for between three and four years.

What do I think about the stability of the solution?
This solution consumes resources, but that's something that is needed. In terms of performance, it's okay. It depends on the power of the hardware and servers that you have. This is a product that we use on a daily basis. We are constantly developing software and this is used as part of the process.

What do I think about the scalability of the solution?
We have never had problems in terms of scalability, so it's good. We have a license for approximately 250 users.

How are customer service and support?
The technical support is good.

Which solution did I use previously and why did I switch?
We did not use another similar solution prior to this one.

How was the initial setup?
The initial setup is a little bit complex, although that's because of the type of tooling that it is. It took one person perhaps two months to deploy it. The main thing that takes time during deployment is to get the users accustomed to it and use it properly. Essentially, the longest part of the deployment is the training time. Change management for people is time-consuming.

What about the implementation team?
We handled the deployment completely in-house.

What was our ROI?
It is difficult to estimate ROI because this product is similar to insurance. If things were broken then it could cause a lot of damage to the company.

Which other solutions did I evaluate?
Once we identified the need, I researched different solutions. I tried SonarQube and one or two others.

What other advice do I have?
My advice for anybody who is implementing this solution varies based on the use case and infrastructure that they have. For large-scale deployment, it needs more container images because it's easier to maintain. For a small company, it may be fine without them. Overall, this is a good product. The only suggestion that I have for improvement is deeper container image analysis. The verification is already good, but it depends on the format of the image. If you are speaking about a classical format, like a table or a zip file, it's okay. But if you are talking about container images, there is room for improvement. I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2022-02-10T00:00:00-05:00
Rated 5 out of 5 by from Greatly improves the quality, straightforward to use, and stable

What is our primary use case?
It is mainly used as part of the CI/CD pipeline through Azure DevOps and Jenkins to do static code analysis. We have the enterprise version. In terms of deployment, on-premises is the best description because they have their own cloud, but it is not a real cloud. It is like VMware.

How has it helped my organization?
In some instances, the project stakeholders were able to implement quality gate control for code coverage, security alerts, and things like that. It greatly improved the quality of the product. If our test code coverage is 80% and a person commits a change that brings the code coverage to below 80%, that code cannot be merged. We've been able to improve the quality of the products that we produce by using SonarQube. We are using it as a gate. It is a great tool in a situation where you have a dynamic team, and you sometimes hire staff or subcontractors from other companies. It provided us with the ability to implement quality gates in our project. We could look at the data and see which developers were producing quality code and which developers were not too worried about the quality. It helped us out with our junior devs. I know of a few cases where having this system helped our junior devs in taking their skills one level up because we had set up a hard quality gate.

What is most valuable?
My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it.

What needs improvement?
A little bit more emphasis on security and a bit more security scanning features would be nice. It would also be nice if the discrepancy between the basic or free version and the enterprise version was less. In my opinion, some of the base functionality in the enterprise version should be in the basic version. Currently, we have static code scanning, and we have the scanning of the Docker containers. It would be great if some sort of penetration testing could easily be implemented in SonarQube for deploying something and doing some basic security scans. Currently, we have to use third-party tools for that. If everything was all under one roof, it would be more comfortable, but I don't know if it is possible or feasible. It is a typical issue of centralization versus distribution. In our particular case, because we're using SonarQube for almost every other project, it would make sense, but that doesn't necessarily mean that it is the same case with everybody else.

For how long have I used the solution?
I have been using this solution for four years in my current job.

What do I think about the stability of the solution?
I don't think I ever had a problem.

What do I think about the scalability of the solution?
We haven't reached a point where it is anywhere near saturation. We haven't scaled it yet, and I don't know if it will ever happen. The way it is implemented right now is more than enough for what we need. We have used it in almost all projects of our client. It is a part of their process. It is used extensively, and it will be used for any future work that they might have where they develop any code that can be analyzed with SonarQube. We probably have 30 or 40 users. Their roles are developer team leads, developers, and DevOps people. These are the three roles of people who use it on a daily basis and look at the reports and work with the system. At some point, the data might be shown to the actual client or somebody else.

How are customer service and support?
I've never been in a situation where I needed their support.

Which solution did I use previously and why did I switch?
I don't think that we used anything else previously. SonarQube was the first one.

How was the initial setup?
It was straightforward. I wasn't technically involved in the deployment of SonarQube, but as far as I know, it was a matter of a few days.

What about the implementation team?
We probably just bought the license and did it ourselves. For its deployment and maintenance, we don't have a dedicated person. It is one of the many systems that our internal IT team manages.

What was our ROI?
I don't have that data. I don't think that we've ever calculated that.

What's my experience with pricing, setup cost, and licensing?
My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted.

What other advice do I have?
It is pretty straightforward, but if you don't intend to use it as a gate, it would just be a waste of time. You should invest in implementing such tools only when you have a clear understanding of how their results are going to be a part of a business process. I would rate it a 10 out of 10. I've never had any kind of problems with it. I have some products because of which I have had a bad day, but I never had a bad day because of it.

Which deployment model are you using for this solution?
On-premises

Disclaimer: I am a real user, and this review is based on my own experience and opinions.
Date published: 2021-12-04T00:00:00-05:00
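The review above describes using SonarQube's quality gate as a hard merge gate: a change that drops coverage below 80% cannot be merged. Below is an added example of how a pipeline step can enforce that decision; it is not the reviewer's code and not SonarSource's own tooling. It assumes the JSON shape returned by SonarQube's Web API endpoint GET /api/qualitygates/project_status (a projectStatus object carrying a status and a list of conditions with metricKey, comparator, errorThreshold, actualValue and status); the payload in the block is constructed for illustration rather than captured from a server. The check fails closed: each condition is re-evaluated locally instead of trusting the server's summary flag alone, so a truncated or inconsistent response blocks the merge rather than letting it through.

```python
"""Quality-gate enforcement step for a CI pipeline (added example).

Assumption: the payload shape matches SonarQube's
GET /api/qualitygates/project_status?projectKey=<key> response. The sample
below is constructed, not captured from a real SonarQube server.
"""
import json
from dataclasses import dataclass

# Constructed sample: coverage on new code fell to 76.4% against an 80% gate,
# while the vulnerability and hotspot-review conditions pass.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "76.4", "status": "ERROR"},
            {"metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0", "status": "OK"},
            {"metricKey": "new_security_hotspots_reviewed", "comparator": "LT",
             "errorThreshold": "100", "actualValue": "100", "status": "OK"},
        ],
    }
})


@dataclass
class Condition:
    metric: str
    comparator: str   # "LT": fail when actual < threshold; "GT": fail when actual > threshold
    threshold: float
    actual: float
    status: str       # status flag as reported by the server

    def violated(self) -> bool:
        """Re-evaluate the condition locally from its numbers."""
        if self.comparator == "LT":
            return self.actual < self.threshold
        if self.comparator == "GT":
            return self.actual > self.threshold
        raise ValueError(f"unknown comparator {self.comparator!r}")


def parse_conditions(payload: str) -> list[Condition]:
    """Turn the raw JSON payload into Condition objects."""
    data = json.loads(payload)
    conds = []
    for c in data["projectStatus"]["conditions"]:
        conds.append(Condition(
            metric=c["metricKey"],
            comparator=c["comparator"],
            threshold=float(c["errorThreshold"]),
            # A missing actualValue becomes NaN; comparisons with NaN are
            # False, so the server status flag below still decides it.
            actual=float(c.get("actualValue", "nan")),
            status=c["status"],
        ))
    return conds


def gate_passes(payload: str) -> tuple[bool, list[str]]:
    """Return (merge_allowed, reasons).

    The merge is allowed only when every condition passes both by its own
    numbers and by the server's flag, and the overall status is consistent.
    """
    data = json.loads(payload)
    reported = data["projectStatus"]["status"]
    reasons = []
    for cond in parse_conditions(payload):
        if cond.violated() or cond.status != "OK":
            reasons.append(
                f"{cond.metric}: {cond.actual} vs threshold {cond.threshold} "
                f"({cond.comparator}), status {cond.status}")
    # Fail closed if the server says the gate failed but no condition explains it.
    if reported != "OK" and not reasons:
        reasons.append(f"server reported {reported} without a failing condition")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, why = gate_passes(SAMPLE_RESPONSE)
    print("merge allowed" if allowed else "merge blocked:")
    for line in why:
        print("  -", line)
    raise SystemExit(0 if allowed else 1)
```

In a pipeline the script's exit status is what the merge check consumes: a non-zero exit marks the job failed and the pull request stays unmergeable until coverage is brought back above the gate, which is the behaviour the reviewer describes.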
Rated 5 out of 5 by from Helps in improving the coding style and allows us to customize the rules

What is our primary use case?
I have used it in my previous company. In my current company, which I have joined recently, we don't use any of these tools. That's why I want to implement something for the company. I have the Community Edition of SonarQube. I am using one version prior to the latest one. It was integrated with our build pipeline, and we had also customized the rules for the quality gate. For each release that got through SonarQube, it gave the results in terms of whether it was releasable or not. SLA was another use case. We internally had a rule that in case there are severity defects, they need to be fixed. If there is a false positive, it needs to be justified. That's the way it was used.

What is most valuable?
It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules. I did an evaluation of the Enterprise Edition. It has the Portfolio view, which means you can roll up all your projects to the Portfolio level, and then it gives a visualization of each and every project's state in terms of security and other vulnerabilities.

What needs improvement?
It is very expensive. That's something that can be improved. I'm not sure if the latest vulnerabilities are being updated. When I compare it with Fortify on Demand (FoD), every now and then, they get all the latest and greatest versions for all these vulnerabilities as a rule pack. I'm not very sure about how that works in SonarQube, and how frequently they are updating the vulnerability databases and other things. Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version. The portfolio-level dashboard is currently available only in the Enterprise Edition. They can have a similar dashboard in the Community Edition or at least in the Developer Edition. The portfolio-level dashboard is also very limited currently. There is hardly one report.

For how long have I used the solution?
I have been using this solution for four years.

What do I think about the stability of the solution?
It looks stable. So far, we haven't found any issues.

How are customer service and technical support?
I contacted them once or twice. I am very satisfied with their support. I didn't have any concerns in terms of support.

How was the initial setup?
It is straightforward. It takes very little time as compared to the other solutions.

What's my experience with pricing, setup cost, and licensing?
It is very expensive. Its price should be improved.

What other advice do I have?
I have worked on only two tools: one is Fortify on Demand, and the other one is SonarQube. Comparing these two, I would rate SonarQube an eight out of 10.

Which deployment model are you using for this solution?
On-premises

Disclaimer: My company has a business relationship with this vendor other than being a customer: Partner
Date published: 2021-07-10T00:00:00-04:00