data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Mohit S. Mohit S."
I like everything about SonarQube. It is the best tool to make your code bug-free and optimised. It analyses your code very fast, provides the proper path of the issue in your code, and also provides the best suggestion for how to solve it. Review collected by and hosted on G2.com.
SonarQube is not synchronized with the IDE from where I am solving the issues. Whenever I solve an issue I have to re-run SonarQube to check whether the issue is solved or not. It is a little time-consuming.
What I love about SonarQube is how it digs deep into my code and finds hidden issues which are not as obvious when writing the code, especially bugs and security problems, across different programming languages. It hooks up smoothly with my CI/CD pipelines, which means I can keep an eye on code quality at every step. The reports it generates are super detailed and really help the team see where we can improve. Plus, you can customize the rules and use tons of plugins to make it work just how you need it.
The one thing that I dislike is how much it can slow things down when you're working with big projects. The scans can take a while, which sometimes messes with our workflow, and we cannot use parallel analysis as we are on the Developer license since the Enterprise is too costly for us. Also, setting it up and getting everything configured right can be a bit of a headache and takes some time.
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Stanley S. Stanley S."
Our development process is helped a lot by SonarQube, as it will detect some bugs such as running out of memory, or simple errors that we might not see the first time. Our team is happy to use the product.
Getting it to start is a long process. We are having some trouble trying to understand how SonarQube judges our code. As our team is using it for the embedded environment, some suggestions (such as atomic implementations etc.) are not really applicable to us. At first we were frustrated as it always suggested that our code is wrong, but now we can find a way to silence it.
SonarQube has a great way of examining code quality as a whole. It has the capability of discovering mistakes, threats, as well as unfavorable practices found in different programming languages to maintain superior coding norms. It generates detailed dashboards and reports which give specific views allowing for developing incrementally in addition to keeping code clean and gracious throughout its life span.
SonarQube's complicated setup and configuration process remains a trial and discouraging, being time consuming for newbies. In addition, one may also suffer from performance degradation caused by big code bases, as well as when they discover that some extra skills need payment before using them; hence it would be so costly, particularly among little groups or small enterprises.
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Murtadha Bazli T. Murtadha Bazli T."
I use SonarQube mainly for analyzing C, C++ and Python programming languages, and that's why I need a SonarQube developer license. The $160 I spent for a year is really worth it. Think of SonarQube as your peer review, friend and supervisor for your software development.
Analyzing C/C++ is really easy and not tied to an IDE. I simply host SonarQube in Docker, build my software with build-wrapper and analyze it with Sonar-scanner. The analysis results then appear in the SonarQube dashboard.
I use SonarQube both at work and at home for my personal project. Due to the affordable price and ease of use, I have been loyal to SonarQube for 3 years now.
Sonar also has responsive customer support, and I mainly contact them to get a new license due to an issue with my Docker image. The response is consistently within 1-2 days, and I always communicate via email. No website to report on or form to fill out, which for me is convenient.
I develop embedded software that adheres to MISRA C/C++, and SonarQube does have some MISRA rules, but not all of them are implemented. I really love to see SonarQube being able to adopt all these rules.
A few times I have found alternatives to SonarQube for this reason, but since other tools are expensive, tied to an IDE and the learning curve is unknown (unlike SonarQube, we only need 3 steps to analyze the code), I keep coming back to SonarQube.
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Alan R. Alan R."
Identification of coding issues across whole codebases, while providing a manageable way to gradually improve the code quality over time by enforcing that new code is of good quality. Developers can be gently guided to better practices without having to solve thousands of code smells all at once. We can refactor code as we work in different areas without introducing new risk of regressions.
Easy to set up and manage and pretty hands-off. It integrates well with Azure DevOps and our pull request and CI workflows.
Some churn recently in how SonarQube manages quality gates and what the bar is.
We have a number of limitations in our analysis, particularly in collecting code coverage information.
Being able to filter issues and assign them to different team members allows each developer to focus on high-priority issues. SonarQube allows you to enable or disable specific rules, and to set the severity of each rule. This further helps to prioritize the issues needing attention.
When a developer determines that a particular issue should NOT result in a code change, they can mark that issue as "won't fix" and enter an explanation. This helps provide detailed reports.
SonarQube also provides clear, high-level overviews of the status of your software projects (for managers), along with reports (for customers). This helps take much of the communication burden off of the development team.
Like any static analysis tool, there are occasional false-positives. And depending on your code, there may be issues flagged as "problems" which are really just stylistic differences or deviations from best practices.
But it is fairly easy to mitigate these issues. False positives need to be reviewed, but the detailed analysis provided by SonarQube (including traces through earlier statements showing how the issue was identified) helps with the review. As for issues that are merely stylistic differences, these can be given a lower severity rating or even eliminated by customizing the underlying rules.
- We are using a self hosted SonarQube server - hosting and upgrading our instance is a relatively painless process. The online documentation is clear and easy to follow
- The SonarQube scanner integrated easily into our existing Bitbucket and Cloud Build CI/CDs
- When comparing the findings with other SAST tooling, out-of-the-box SonarQube analysis had a low false positive rate, yet found extensive legitimate security/code quality issues
- Very happy with the speed of analysis, completes in only a few minutes on large repos (an order of magnitude faster than certain other SAST services)
- Surprised that language support is actually slightly better than documented - we were able to successfully analyze projects with older versions of the .NET Framework (4.5 and 4.0) than indicated in the documentation
- The triage and review process is easy for individual teams to execute on a regular basis
- The WEB API is well documented and enabled automating steps around user maintenance
- Bitbucket OAuth worked seamlessly to onboard users
- Installing additional plugins is also easy - we use Dependency-Check to add SCA to projects
- Bug fixes and features added to each new release are well documented; I appreciate being able to review all changes on the SonarSource Atlassian page (and not just rely on the high-level marketing notes)
- While SonarQube is a SAST tool, better support for SCA would be beneficial. The Dependency-Check plugin does not integrate well into the existing triage/remediation process.
- Other tooling does a better job of providing a high-level overview of users and their productivity, i.e. # of assigned open issues by engineer, # of fixed issues by engineer, etc.
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Mukesh Kumar R. Mukesh Kumar R."
Simple deployment. Very easy installing is practiced particularly on Kubernetes using YAML formats. Moreover, integration with GitHub by means of GitHub Actions is fluent because it enables developers to conduct their scans, therefore receiving their notifications once they complete them. On the other side, when it comes to flexibility, SonarQube is unmatched. It offers so much when you want to configure it, letting you even prevent vulnerability detection until pull request merges are halted, for example, while at the same time providing a good way of looking at detected exploitation points - such as their exact location that has been pointed out about them.
This tool is exclusively for Static Application Security Testing; other tools provide integrated Dynamic (DAST) and Static (SAST) testing.
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Ethan B. Ethan B."
Quick, easy way to see major issues with code, duplications, security issues, etc. Easy to set up and maintain. Support has been very quick and helpful when I have needed them.
While it supports a decent amount of programming languages, it definitely doesn't support all of them. Specifically Dart projects in Flutter, which we use for mobile app development (though apparently there are plans to add it in the future).
data:image/s3,"s3://crabby-images/fa835/fa835700d0029abb748fdea8175e314678d2375d" alt="Kelli K. Kelli K."
We have implemented it across our org, and it has been awesome. Code coverage everywhere has gone up, more bugs are being fixed, and there is more visibility into teams' tech debt.
The one downside to the new versions is the lack of support for older Node versions. Our monolith is still using some old versions (which of course we need to work on upgrading!), keeping us from upgrading SonarQube.