Opiniones de SonarQube

Me gusta mucho la integración con el servicio de devops de azure, gracias a ello puedo integrar las tareas de revisión de código de SonartiQube en la integración continua. Los reportes que genera son de gran utilidad para detectar malas prácticas o brechas de seguridad en el código.

Me gustaría que el panel de administración de la herramienta fuera más configurable, para poder hacer que el análisis de código sea más efectivo.

Easy-to-administer tool, with good functionality to monitor security part of your code (using SAST methodology), with ability to integrate with Jenkins, GitHub and other tools. You are able to fail the build if the code doesn't meet percentage score.

When new repository is added - there should be pop-up suggestion to create SonarQube project for it, coming from SonarQube. At the moment the user/administrator must watch out for new repositories in the organisation, without a note from the system itself that there is a new repository which you might want to add for scanning.

This product has actually improved productivity within my team by making sure there’s no duplicate code and by making code easily understandable.

Code maintenance is actually a difficult part.

I like sonarqube dashboard and the flexibility that quality gates provide to measure your software quality. You can set up you own thresholds for maintenance, reliability, security, code coverage and many other metrics, and allow only versions passing this quality gate to be deployed.

Unfortunately it lacks an easy way to see trends and go deep into which developers are the best/the worst. Also, it is paid if you need to analyse software in some languages, available only on the cloud.

The ability to analyze the quality of the code in each deployment or integration, together with the possibility of modifying the rules to allow deployment or not (quantity or criticality of errors or defects), as well as vulnerability analysis allows for better software, always keeping in mind of the developers the quality and security of the code.

Like everything, the time it takes to leave it well configured and integrated with the rest of the systems, as well as the maintenance and updating of the standards, rules and vulnerabilities depending on the programming language and the news that are published at the level of security.

We really like the IDE tool called SonarLint which makes it easy for developers to integrate with most IDEs and lint their code even before committing it to the repos. Another advantage was that we were able to self host our own instance on our Kubernetes cluster and keep the versions based on the containers we specify to pull.

Other engines tend to scan the same code base faster. Not too much of a con since this is all automated.

What I find most useful in this software is the code analysis, which gives detailed reports of the errors found and then suggests possible solutions. This saves time in software development.In addition, their large community helps solve problems that arise along the way.

Sometimes the reports can give false positives, which requires that the personnel in charge of handling the software carefully review the results to avoid false positives.

il s'intègre dans le pipeline de compilation

L'analyse du code prend du temps et parfois, il y a des recommandations qu'on ne peut pas corriger

Sonarqube allows anyone to run a scan for code smells, bugs or vulnerabilities. There is no reason not to use it or integrate it into your CI/CD pipelines. Even if you do not enforce passing the quality gate, it helps a lot in tracking and highlighting where are your weaknesses. Code duplication and Code coverage are very useful tools to understand the overall quality of your development.

It is hard to view historic data, and once you run a new analysis you cannot see the previous ones anymore from the same unified dashboard, you have to enter into each metric and check the history link. Please bring back the history dashboard from sonar 5!

Sonarqube helps me find out if there are any repetitive lines in my code. Since the code sometimes get lengthy or at times missed by me to recheck. It is added in continuous integration in jenkins which when runs code smells, coverage and quality will be detected.

At times we need to precisely set all the settings for the issues to be detected. If any small mistake happens then no result can be seen. We use traditional sonarqube where we install and integrate rather then plugin in jenkins. So the traditional method needs to be more careful in installing and running it.

The amount of errors it catches and that developers code look somewhat similar in mindset after using it for some time.

The setup with CodeCoverage is a nightmare and it seems is not working equallty well all the time. We also have a solution where it doesn't even work.

The vulnerability scans that it uses encompasses a lot of languages. It also has ability where user can define custom profiles and rules. Dashboards created are easy to use and decipher.

Technical support is very expensive and need to use their community forums to get support.

it allows us to correct the grammatically wrong code , unused imports ,variables etc. It Helps us to optimize the code with the rules specified for that project. Allows us to remove the duplicate code as well.

Integration with visual studio code and binding with project is tad difficult . Duplicate code block appears only after the build , so we have to wait till the build is completed to view whether any duplicate is present in our code.

Static code analysis, support for Java, .Net, JavaScript, typescript, html, CSS, etc. Helps you set custom quality gates and rules as well

Community version does not support high availability. You need to pay for this feature, would have preferred it to be free. Tools upgrade process can be improved as we have to take down the tool instance.

First of all, The tool has a great user interface highlighting all of the errors and bugs. It also shows how much effort is needed to fix those as well. We integrated it with our CI/CD pipelines in GitLab.

Enterprise licensing cost is a bit expensive. We faced rarely memory issues running the CI/CD pipelines.

SonarQube can integrate with CI/CD tools such as Jenkins, GitLab, and Travis CI, making it easy to automate code analysis as part of the development process. SonarQube allows developers to customize the rules and profiles used for code analysis.SonarQube provides a dashboard and reporting features that allow developers to track the progress of code quality metrics and identify areas that require attention. This feature can help developers stay on top of code quality issues and make data-driven decisions about where to focus their efforts.

Improving documentation could help users better understand how to use the tool effectively.

Great tool to check the code quality like unit test cases, number of repetitive lines and other checks for coments and other. This helps us to set the rules which should be followed by the developer which maintains the consistency of the software for customers.

I don't have any much cons on this. But we need little good knowledge to handle this. It is little tricky to manage the application.

Code review could be more focused on the new features implementation than trying to identify silly basic faults.

The Eclipse Sonarqube plugin was not easy to make it work in the same manner was it was setup in the CI/CD machines.