SonarQube to make your project secure
January 18, 2023

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with SonarQube

We use Sonar in order to ensure our code is secure. We have used it on APIs and on our frontend. We have also used SonarLint for Android. We have a plugin for our Jenkins account which checks our project code coverage etc. in Sonar; if this fails, our code cannot go live or be merged into master.

Pros

  • Code coverage
  • Shows potential fixes
  • Speed

Cons

  • Sometimes the messages can be long, and for someone seeing this for the first time it can be hard to find what to look for
  • Sometimes potential fixes are not available
  • Documentation on setting up with Jenkins was hard to follow at some parts

  • Code Quality
  • Jenkins Plugin
  • Test coverage

  • Less bad code
  • Faster testing
  • More confidence in project security as stakeholders can see our code quality and coverage

I have used GitHub more than Fortify, so I am more familiar with GitHub for checking for vulnerabilities. I have noticed GitHub is good for checking different packages within your project, but as far as checking code quality and coverage, Sonar is the better one in my opinion. Fortify is not used much in my org as we do proof of concepts, and Fortify is more expensive for us, so it is rarely used.

Do you think SonarQube delivers good value for the price?

Yes

Are you happy with SonarQube's feature set?

Yes

Did SonarQube live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of SonarQube go as expected?

Yes

Would you buy SonarQube again?

Yes

I think having SonarQube in your project is a big bonus, as it can spot small vulnerabilities that you might not think of. This will also improve your overall skill in coding securely. They also update regularly so that it can spot new vulnerabilities which may not be known. As packages update, there can be more vulnerabilities deep in your project that you may not know about.
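The Jenkins gate the reviewer describes (analyse the project, then refuse to release or merge when the SonarQube quality gate fails) looks roughly like this in a declarative Jenkinsfile. This is an added example, not code from the review, from the reviewer's organisation or from SonarSource; the server name 'SonarQube', the scanner tool name 'SonarScanner', the Gradle commands and the project key my-api are assumptions to replace with the values from your own Jenkins and SonarQube configuration.

```groovy
// Added example, not from the review: declarative Jenkins pipeline that runs a
// SonarQube analysis and fails the build when the quality gate is not passed.
// Assumptions (hypothetical names, adjust to your instance):
//   - a SonarQube server registered in Jenkins under the name 'SonarQube'
//   - a SonarQube Scanner tool installation in Jenkins named 'SonarScanner'
//   - a Gradle project that produces a JaCoCo coverage report for Sonar to read
//   - a webhook on the SonarQube server pointing at <jenkins-url>/sonarqube-webhook/
pipeline {
    agent any

    stages {
        stage('Build and test') {
            steps {
                // Run the tests first so the scanner can pick up the coverage report;
                // without it the coverage condition of the quality gate cannot be evaluated.
                sh './gradlew clean test jacocoTestReport'
            }
        }

        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and credentials for the named server
                // and records the analysis task id that waitForQualityGate later checks.
                withSonarQubeEnv('SonarQube') {
                    sh "${tool 'SonarScanner'}/bin/sonar-scanner -Dsonar.projectKey=my-api"
                }
            }
        }

        stage('Quality gate') {
            steps {
                // waitForQualityGate blocks until SonarQube calls the Jenkins webhook with the
                // result of the analysis; the timeout stops a misconfigured webhook from
                // hanging the build forever.
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            // Aborting here is what stops the change from going live: a failed
                            // gate (new vulnerabilities, bugs, or coverage below threshold)
                            // turns into a failed Jenkins build.
                            error "Quality gate failed with status ${qg.status}"
                        }
                    }
                }
            }
        }
    }
}
```

The waitForQualityGate step depends on the webhook from SonarQube back to Jenkins; if it is missing, the step simply waits until the timeout and the build fails for the wrong reason, so check the webhook first when the gate stage times out. To get the "cannot be merged into master" behaviour the review mentions, make this Jenkins job a required status check in the repository's branch protection rules so that a failed gate also blocks the merge.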
