SonarQube Erfahrungen

One of the outstanding values about SonarQube is the speed of analysis. It makes it easy to collaborate with other features to generate clean codes. I and my team had an easy time during deployment. It was quite easy to relate with our needs. Combining all this benefits leads to a consistent and reliable coding behavior.

Installation of the tool was troublesome. We were forced to buy a new device with higher processing speed to avoid the numerous rebooting. Later, deployment and use was smooth.

SonarQube is good at enforcing minimum code coverage on PRs

It is really difficult to run it locally, however once set up on github it runs well, and provides valuable insights on code coverage.

For a while, I used the SonarQube product demo which is great and interactive giving the best experience. The dashboard is easy to use since it is designed with a lot of clarity and motivation. While in use, SonarQube can detect and help remove secrets in code but at the same time offering security against any breaches. Dealing with security vulnerabilities in codes is now made possible. Lastly, there are clear security reports in PDF form which helps us to evaluate the risks on our systems.

It meets our quality and security expectations. No setbacks.

The main feature of SonarQube is that it detects code complexities within the code so that the developer can optimize it. It also detects accessibility and security issues; code smells and suggests changes.

It is a bit difficult to integrate with existing services and the quality checks may also conflict with other integrations.

- It supports almost all commonly used languages like JAVA, Python, Javascript, etc.
- Integrates well with CI/CD pipeline established in tools like Jenkins and GitHub.
- Detects code duplication, bugs and vulnerabilities in code.

- May be complex to understand the reports for new users.
- May block delivery/deployment if hard gates are enabled by DevOps team which may delay project delivery.

I love SonarQube's real-time code analysis, providing instant feedback. Recently, while working on a project, it flagged potential code smells, helping me enhance code quality preemptively.

It is sometimes overwhelming amount of information and alerts, which can make it challenging to prioritize and address issues effectively.

Easy to use interface
Rules flexibility
Broad set of rules to activate

No roadmap for dynamic analysis
Reports API not so flexible
Fixed price approach

SonarQube provides important metrics such as code smells, bugs, vulnerabilities, and code coverage. Easy integration with CI/CD tools.

SonarQube may produce false positives, as with any static analysis tool.

Envió de campañas de phising a usuarios de la empresa para reforzar ciberseguridad de las empresas

la configuración inicial es complicada y la gestión de seguridad envió de correos, hay pocos ejemplos practicos o estan fuera de actualizacion

SonarQube est complet. Il permet l'analyse de nombreux langages de développement sur plusieurs projets. Il propose de base plusieurs jeux de règles de qualité à appliquer et permet d'en ajouter d'autre. Pour chaque règle un exemple est fourni et des explications assez claire. Certaines règles concernent la qualité du code, mais pas que. Certaines touchent à la sécurité et d'autres aux performances. L'intégration dans un process de build via des tâches ou des jobs est assez facile.

Le plus gros inconvénient de SonarQube est son coût qui peut s'avérer, selon les projets, un peu élevé. L'outil est néanmoins très facile à utiliser et à mettre en place.

Report both security and code quality vulnerabilities, indicating the reason for the flaw and the possible resolution. It allows you to set thresholds so as not to compromise too much the quality of the code and the coverage of the tests.

It is necessary to configure it to avoid false positives in terms of code quality that can block the release of the code.

Me gusta mucho la integración con el servicio de devops de azure, gracias a ello puedo integrar las tareas de revisión de código de SonartiQube en la integración continua. Los reportes que genera son de gran utilidad para detectar malas prácticas o brechas de seguridad en el código.

Me gustaría que el panel de administración de la herramienta fuera más configurable, para poder hacer que el análisis de código sea más efectivo.

Le fait que l'on puis enregistrer nos propre metriques pour les tests de qualités

La documentation n'est pas forcément la plus aisée

Easy-to-administer tool, with good functionality to monitor security part of your code (using SAST methodology), with ability to integrate with Jenkins, GitHub and other tools. You are able to fail the build if the code doesn't meet percentage score.

When new repository is added - there should be pop-up suggestion to create SonarQube project for it, coming from SonarQube. At the moment the user/administrator must watch out for new repositories in the organisation, without a note from the system itself that there is a new repository which you might want to add for scanning.

This product has actually improved productivity within my team by making sure there’s no duplicate code and by making code easily understandable.

Code maintenance is actually a difficult part.

Comprehensive code quality analysis. Really good to detect bugs, vulnerabilities and code smells. And integration with popular CI/CD pipelines is really impressive.

Setup and configuration can be complex for begineers. And limited support for some programming languages is what could be improved.

What I find most useful in this software is the code analysis, which gives detailed reports of the errors found and then suggests possible solutions. This saves time in software development.In addition, their large community helps solve problems that arise along the way.

Sometimes the reports can give false positives, which requires that the personnel in charge of handling the software carefully review the results to avoid false positives.

- integrate CI/CD- customizable Quality Profiles- easy to use

- performance Impact- limited programming language- open-source, some advanced features are only available in the commercial version

The ability to analyze the quality of the code in each deployment or integration, together with the possibility of modifying the rules to allow deployment or not (quantity or criticality of errors or defects), as well as vulnerability analysis allows for better software, always keeping in mind of the developers the quality and security of the code.

Like everything, the time it takes to leave it well configured and integrated with the rest of the systems, as well as the maintenance and updating of the standards, rules and vulnerabilities depending on the programming language and the news that are published at the level of security.

This is very good and user friendly application.

As such i didn't found any con for this application.