Reviews (1-13 of 13)
Every new commit on Jenkins also triggers SonarQube to run all possible tests. It is a very useful tool for finding different issues, checking test code coverage and code smells, and getting overall statistics as percentages. Such analysis helps achieve the best quality code. Also, it works as a SonarLint plugin in IntelliJ to highlight different errors and wrong syntax.
- We can tune this tool to set the threshold level of test acceptance.
- Shows green and red bars in front of lines of code that are (not) covered by tests.
- Can be part of the Jenkins pipeline to make the correct decision before the merge.
- Detects code smells where we possibly have unclean code.
- Detailed result report with percentage test coverage.
- Reduces the time spent on code review.
- SonarQube motivates us to get a big team to write these endless tests to cover everything.
- Integration with Jira and Jenkins has some tricky moments.
- Setup process could take a lot of time.
- Sometimes check rules could be very strict, like 'too many parameters in constructor.'
- Check rules could be tight and motivate developers to change the source code.
- Sonar insists on its own rules and there is no way to trade.
- Sometimes we missed that some piece of code was not covered by tests, so we needed to return to the task again.
- SonarQube + SonarLint helps us achieve the best quality source code, but it takes so much time to do so.
It is being used in our Azure DevOps Continuous Integration pipeline to identify vulnerabilities in code, and it provides detailed issue descriptions and code highlights that explain why your code is at risk.
- Identifies security vulnerabilities and highlights the code
- Highlights suspicious code snippets that developers should review
- Provides security feedback during code review
- Identifies technical debt in code
- The community version has some issues, for example integrating with Azure or Single Sign On
- Automation scripts can be improved. At times you have to configure some of the rules in the detection
- It takes time to configure and create profiles
- Ability to provide static code coverage in integration with Jenkins CI/CD pipeline.
- Ability to define custom rule sets, based on our organizational requirements.
- Ability to add custom toll-gating for different applications.
- Enterprise license is very costly.
- Runs only on Java 11.
- Another major issue is the way Elasticsearch is used in SonarQube; it makes it slightly challenging to run in a cloud environment like AWS.
- Code scanning & determining static code issues and bad practices.
- Customizing these rules and blockers at the application/module level.
- Easy integration with Jenkins CI/CD pipeline.
- Enterprise version provides the ability to integrate the scanning results with the code review process.
- If you are a small organization & can't afford the enterprise license costs, you can go ahead with the free community version, albeit with limited features.
- Needs Java 11 & a PostgreSQL database, which are not very common in most companies.
- The best thing about it is that it offers an online instance (SonarCloud) where we can dry run an open source project by forking a GitHub repository.
- Provides detailed analysis of the stacks that it checks for bugs and issues in code stacks.
- Provides a good amount of documentation on configuration, installation and how to use it.
- Provides strong integration with Azure DevOps and Jenkins for creating DSL pipelines.
- The local dashboard won't work without Java installed on your machine.
- If talking about the local UI, the configuration may be quite complex. Needs an expert's advice.
- Its enterprise edition costs a fortune depending on company size or the number of users that may use it.
- Code review
- Bug detection
- Vulnerability assessment
- Installation process can be smooth
- Easy to integrate with MS tech stack
- Scans can be configured
- Endpoints can be set up on a central server
- Reporting on SonarQube is poor
- The configuration is not intuitive
- Role and IAM access is not accurate, too much dependence on admin
- Nice UI.
- Easy to see a project status and if it is passing/failing.
- Simple but explanatory bug descriptions.
- Code smells could be better at reducing repeated findings.
- Finding security flaws.
- Finding code that does not follow best practices and standards.
- Looking for code coverage.
- For code "smells" it would be nice to have different levels of issues.
- It could be easier to define policies for different levels of code "smells."
- Prioritize different types of code "smells."
The business problem we had in the past was that we weren't following a standard development process. SonarQube offered us the ability to see code smells and apply our own development standards. Our code has become more robust and resilient because SonarQube helps catch problems before they're checked in.
- SonarQube allows us to apply our own coding standards during the check-in process so that our code is more standardized.
- SonarQube forces our team members to write enough unit tests to have code coverage which in turn helps us not to break existing code during check-ins.
- One area where SonarQube is lacking is letting us know how much code coverage we have before we start our check-in process. A live code coverage percentage built into Visual Studio would be very handy.
It is also very handy to have SonarQube built right into our continuous integration process. Doing it this way results in having less worry around whether our coding standards have been followed. They are automatically applied before code is checked in.
- Quality scan on code convention, best practices, coding standards, unit test coverage.
- Detailed report on estimated time to fix the issue.
- Graphing to show the current status of the project with a number of issues, which area has a problem and the history of the project over time.
- Flexible on customizing the rule-set and importing more rules based on the application.
- Easy to give a comment or an assignment on the issue; could generate a good S report in the form of a PDF so the PM or tech lead can have a look at it.
- Has a way to ignore the issues that the team decides not to fix.
- JUnit Testing and Integration testing.
- Easy to find bugs and track the code. Highlights the issues separately.
- Code analytics on demand.
- Checkup for the code and projects.
- Easy to integrate with IDE.
- JIRA plugin has no support forum.
- Weak Open Source forums, this can be grown by spreading the word around the community.
- Not every IDE supports SonarQube and vice versa, thus you have to select.
- Test script coverage data. It provides line-by-line coverage stats, showing which condition is covered and which one is not.
- Checking the code quality. We have a particular coding standard which we need to adhere to, so it helps in detecting whether the code is written to that standard or not.
- Code smells
- In terms of security of the code, it can improve. It is mostly used to check for coding standards, but it would have been nice if we could have got a vulnerability check as well.
- Core competency of static analysis. This is why SonarQube exists and it does it exceedingly well.
- Customized quality settings let you tailor the tool for your specific needs.
- Support for many languages including C, C++, Python, and more.
- Ability to set automated alerts. For instance, when code hasn't been scanned in a long period of time.
- Tighter integration with issue tracking systems such as Jira and GitLab.
SonarQube Scorecard Summary
What is SonarQube?
SonarQube is a tool for continuously inspecting Code Quality and Code Security, and guiding development teams during code reviews. SonarQube provides remediation guidance for 27 languages so developers can understand and fix issues, and so teams can deliver better and safer software. SonarQube integrates into the user's workflow to provide the right feedback at the right time: in-IDE with SonarLint, in pull requests, and in SonarQube itself. Boasting over 225,000 deployments helping small development teams and global organizations, SonarQube provides a means for teams and companies around the world to own and impact their Code Quality and Code Security.
- Free Trial Available? Yes
- Free or Freemium Version Available? Yes
- Premium Consulting/Integration Services Available? Yes
- Entry-level set up fee? No

| Edition | Pricing | Lines of Code |
|---|---|---|
| Developer Edition | Starts at $150 | 100,000 |
| Enterprise Edition | Starts at $20,000 | 1 Million |
| Data Center Edition | Starts at $130,000 | 20 Million |
SonarQube Support Options
- Video Tutorials / Webinar
SonarQube Technical Details
| | |
|---|---|
| Deployment Types | On-premise, SaaS |
| Operating Systems | Windows, Linux, Mac, Cloud |
| Supported Languages | Community localization plugins support several languages. |