What are Differences of SonarQube Editions?

Initially written in January 2022. Last update: April 2023

I’m frequently asked what the differences are between SonarQube versions.
From the questions it is clear that the licensing options are not so clear and quite confusing, so I decided to write down the essential points and help make things right.

In the following article I explain the differences, and besides we’ve recently made a spreadsheet that easily gives you see all the features in the product, in detail, and by Editions (so you can use filters  and see for example what features are are only in Developer / Enterprise editions; what features are not in a certain edition etc.) . You can email us (sonarqube@almtoolbox.com) and get that spreadsheet.

Click to enlarge. Email us to get the full spreadsheet.

SonarQube Editions

Core Differences in SonarQube Editions

In this article I explain the main differences in SonarQube editions.

SonarQube was built in an “Open Core” model, which means it’s an open source built by layers: each layer contains the former layer plus extra capabilities:

• Community (Free) Edition is the basis
• Then you have Developer Edition on top of it
• Then the Enterprise Edition on top of it
• and then the Data Center Edition on top of it

See illustration to the right side.

Let’s see the main capabilites which are added in each edition (layer).

What’s in the Community Edition?

That edition is free open source and it offers the following:

1. Core of SonarQube

and 60+ plugins.
You have a variety of plugins made for SonarQube (some are free while you have to pay for some others). You may also build your own plugins (and we can build it for you).

2. Scanning Code languages (static code analysis)

Community edition supports a basic scanning of 16 languages:
Java, JavaScript, C#, Terraform, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET

3. Scanning the master (main) branch

Scan the master (main) git branch.

Note you can’t scan other branches (e.g. feature branches) using the community edition, so you can’t apply “Shift Left” methodology using that edition.

4. SonarLint

SonarLint helps you get notifications about code issues and bugs, in real time, into the developers’ IDE (e.g. IntelliJ / VS Code) – which helps them develop more “clean code”.
Note: SonarLint cannot be configured in that version (You can do so in the Developer Edition as explained below)

Developer Edition vs Community Edition

Developer Edition offers all in Community edition PLUS:

1. Branch Analysis

You can scan any branches you want (rather than the master branch only), so you can detect problems much earlier – even before the code is merged upstream to main branches

2. Pull Request Decoration & Analysis

This enables you to integrate SonarQube with your version control tools and add SonarQube analysis and a Quality Gate to your Pull Requests (or Merge Requests) in your ALM / DevOps provider’s interface, including GitLab, GitHub, Bitbucket and Azure DevOps.
It helps you get fast feedback (of scanning results) into the dashboard.

Illustration: Pull (Merge) request decoration with SonarQube and GitLab. Click to enlarge

3. Code Security Analysis / Capabilities

Security scanning with a variety of rules for each code language (our spreadsheet specifies how many rules you have for each language)

Note: the Community (free) Edition does not scan for security vulnerabilities

4. Extra SonarLint Capabilities

In this version it’s possible to configure and receive Smart Notifications (not available in Community free Edition),
so if you (as a developer) use SonarLint through your IDE, you can configure and receive notifications.
For example: You can receive a message if you have not passed the Quality Gates.

Note: SonarLint in the Community (free) Edition does not scan languages that are not supported in the free version (e.g. C, C++ and others as detailed below)

5. Supporting more Languages:

Developer Edition also scans the following code languages:

1. C
2. C++
3. Objective-C
4. PL/SQL
5. ABAP
6. TSQL
7. Swift

Developer Edition supports 24 code languages in total.

Enterprise Edition vs Developer Edition

1. Supporting more Languages

Enterprise Edition also scans the following code languages:

1. Apex (of Salesforce)
2. Cobol
3. PL/1
4. RPG
5. VB 6 (Visual Basic)

Enterprise Edition supports 29 code languages in total.

2. Portfolio and Reporting

This feature is useful when you have many projects. It shows you the projects status in high-level (which is often needed by development managers, team managers, CTOs, etc.).

This also enables you to aggregate projects by groups so you can visualize the information and makes it much more clear and readable.

Relevant features here:

• Aggregation of projects. For instance, you can decide what to group together according to criteria that you decide, e.g. common code language; legacy projects; groups ; teams etc.
• You can automate the report and send it by email (as a PDF report)

Watch a demo (2 min):

3. Security Reports

Security reports are available in Enterprise edition only.
Those reports help you get faster feedback and fix security vulnerabilities much faster.
SonarQube helps you see your security posture by OWASP Top 10 and CWE Top 25 standards.

For example:

Security Reports (click to enlarge) 

4. Security Hotspot + Security Vulnerabilities

Security Hotspots are code areas where SonarQube highlights suspicious code snippets that developers need to check (because there might be vulnerabilities).

See an example (click to enlarge):

Security Hotspot (Hashing data is security-sensitive)

That feature also helps improve developers’ development skills and empower them: as they write code and find out hotspots, they learn about security risks and best practices on how to prevent them.

Security Vulnerabilities require immediate attention. SonarQube provides a detailed description and highlights thre relevant code, which helps to understand what the risk is in the given code.
For example (click to enlarge):

Identify the problematic code and provide a solution on how to solve it (in this case: use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm it should be at least 2048 bits long)

5. Parallel Processing of Analysis Reports

Enables you to manage scans and reports in parallel. This is useful if you have to run many scans and reports.
You can run up to 10 workers in parallel.

6. Staging License

Using the Enterprise Edition you can get an additional license for setting up a staging / testing environment.
This is useful when SonarQube is part of a critical system and / or using plugins, and you want to test it (as a “dry” run) before upgrading the real server (in order to mitigate risks and ensure minimal downtime and success upgrade).

Data Center Edition vs Enterprise

Data Center Edition provides you high availability for massive (global) deployments.
High availability is achieved by adding redundancy to every node in the system.

1. Component Redundancy

2. Data Resiliency

3. Horizontal Scalability

FAQ

• • Q: What’s the pricing of SonarQube?
    A: SonarQube pricing depends on several parameters:
    Edition type (as explained above in the article);
    The amount of lines of code you have
    Whether you take customer support

    Contact us to get exact pricing and quotes: sonarqube@almtoolbox.com or call us

• Q: I’m using a code language supported by the Community (Free) Edition (e.g. Java or C#).
  Does it mean I get all the capabilities of SonarQube?
  A: No. If you use the free edition you have access to features available in Free Community Edition only.
  For instance: if you use Java (that’s available in free edition) you won’t get security rules; No branch analysis; No reports, etc.

Related Links:

• How SonarQube is integrated with GitLab (Demo)
• Our Git Marketplace
• Sonar website