SonarQube is a static code analysis tool that helps developers improve the quality of their codebase by detecting potential issues, code smells, security vulnerabilities and technical debt.
I’m frequently asked how SonarQube helps developers and R&D managers on their daily tasks, so I decided to write an article that sums up all points and benefits.
First, I’ll explain at a high level, and then go into details, broken down by SonarQube edition.
Also note that we have a detailed sheet of all SonarQube functionality (broken down by edition, filterable and sortable) that you can download here.
How SonarQube helps developers – at a high level:
SonarQube helps developers with several aspects of their job:
- Code Quality: SonarQube acts like a code coach, analyzing developers’ work for bugs, potential security vulnerabilities (in commercial editions), and areas that could be written more efficiently. This helps developers catch issues early and write cleaner, more maintainable code.
- Improved Efficiency: By identifying problems early, SonarQube saves developers time by preventing them from spending hours debugging complex issues later in the development cycle.
- Skill Development: SonarQube’s feedback helps developers of all levels understand best practices and make better coding decisions. It empowers developers and can be a valuable tool for continuous learning.
- Teamwork: SonarQube helps enforce consistent coding standards across a team. This makes code easier for everyone to understand and reduces the time spent deciphering someone else’s work.
How SonarQube helps developers – in detail:
SonarQube is offered in 4 editions; developers and R&D managers get the full set of functionality from the Enterprise Edition (the 3rd of the 4) upward.
Let’s look at the main functionality offered in each edition:
What’s in the Community Edition for developers?
This edition is free and open source, and it offers the following:
1. Core of SonarQube and 60+ plugins
A variety of plugins is available for SonarQube (some free, some paid). You may also build your own plugins (and we can build them for you).
2. Scanning Code languages (static code analysis)
The Community Edition supports basic scanning of 16 languages:
Java, JavaScript, C#, Terraform, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET
3. Scanning the master (main) branch only
Scan the master (main) git branch.
Note you can’t scan other branches (e.g. feature branches) using the community edition, so you can’t apply “Shift Left” methodology using that edition.
4. SonarLint (basics)
SonarLint delivers notifications about code issues and bugs, in real time, inside the developer’s IDE (e.g. IntelliJ / VS Code), which helps them write cleaner code.
Note: SonarLint cannot be configured in this edition (you can do so in the Developer Edition, as explained below).
What’s in SonarQube Developer Edition for developers?
Developer Edition offers all in Community edition PLUS:
- Branch Analysis
You can scan any branches you want – e.g. task or feature branches (rather than the main [master] branch only), so you can detect problems much earlier – even before the code is merged upstream to main branches
- Pull Request Decoration & Analysis
This enables you to integrate SonarQube with your version control tools and add SonarQube analysis and a Quality Gate to your Pull Requests (or Merge Requests) in your ALM / DevOps provider’s interface, including GitLab, GitHub, Bitbucket and Azure DevOps.
This gives you fast feedback on scan results directly in that dashboard.
- Code Security Analysis / Capabilities
Security scanning with a variety of rules for each code language – e.g. detection of injection flaws
(our spreadsheet [download here] specifies how many rules you have for each language)
Note: the Community (free) Edition does not scan for security vulnerabilities
- Extra SonarLint Capabilities (e.g. smart notifications)
In this edition you can configure and receive Smart Notifications (not available in the free Community Edition): if you use SonarLint in your IDE, you can, for example, receive a message when your code has not passed the Quality Gate.
Note: SonarLint in the Community (free) Edition does not scan languages that are not supported in the free version (e.g. C, C++ and others as detailed below)
- Supporting more Languages:
Developer Edition also scans the following code languages:
- C
- C++
- Objective-C
- PL/SQL
- ABAP
- TSQL
- Swift
Developer Edition supports 24 code languages in total.
What’s in SonarQube Enterprise Edition for developers and R&D managers?
The Enterprise Edition offers all in Developer edition PLUS:
1. Supporting more Languages
Enterprise Edition also scans the following code languages:
- Apex (of Salesforce)
- Cobol
- PL/1
- RPG
- VB 6 (Visual Basic)
SonarQube Enterprise Edition supports 29 code languages in total.
2. Portfolio and Reporting
This feature is useful when you have many projects. It shows you project status at a high level (which is often needed by development managers, team managers, CTOs, etc.).
It also lets you aggregate projects into groups so you can visualize the information in a much clearer and more readable way.
Relevant features here:
- Aggregation of projects. For instance, you can decide what to group together according to criteria you define, e.g. common code language, legacy projects, groups, teams, etc.
- You can automate the report and send it by email (as a PDF report)
3. Security Reports
Security reports are available in Enterprise edition only.
These reports give you faster feedback so you can fix security vulnerabilities much sooner.
SonarQube helps you see your security posture by OWASP Top 10 and CWE Top 25 standards.
4. Security Hotspot + Security Vulnerabilities
Security Hotspots are code areas where SonarQube highlights suspicious code snippets that developers need to check (because there might be vulnerabilities).
That feature also helps improve developers’ development skills and empower them: as they write code and find out hotspots, they learn about security risks and best practices on how to prevent them.
Security Vulnerabilities require immediate attention. SonarQube provides a detailed description and highlights the relevant code, which helps you understand what the risk is in the given code.
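To make the hotspot/vulnerability distinction concrete, here is an added illustration (not code from the article, from SonarSource, or from ALM-Toolbox; all function names and sample rows are constructed). It pairs a definite vulnerability, the string-built SQL query that analyzers report as an injection flaw, with its parameterized fix, and a typical hotspot, a non-cryptographic random generator used for a token, with the reviewed version. A benign name containing an apostrophe is enough to show why the concatenated query is wrong: it breaks the statement, while the parameterized one treats the input strictly as data.

```python
import random
import secrets
import sqlite3

# Constructed sample data for this illustration (not from the article).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def seed_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_role_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerability: user input is concatenated into the SQL text.

    This is the injection-flaw pattern a static analyzer reports as a
    vulnerability rather than a hotspot: there is no context in which it is
    acceptable. Even a legitimate name containing a quote breaks the query.
    """
    query = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_role_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Fix: a parameterized query; the driver keeps `name` as data, never SQL."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def session_token_hotspot() -> str:
    """Hotspot: `random` is not a cryptographic generator.

    Whether this matters depends on what the token protects (a display id is
    fine, a session secret is not), which is why an analyzer raises it for
    human review instead of reporting it outright.
    """
    return "%032x" % random.getrandbits(128)


def session_token_reviewed() -> str:
    """After review: use the OS-backed CSPRNG for anything security-sensitive."""
    return secrets.token_hex(16)


def is_hex_token(token: str) -> bool:
    """Shape check used below: 32 lowercase hexadecimal characters."""
    return len(token) == 32 and all(c in "0123456789abcdef" for c in token)


if __name__ == "__main__":
    db = seed_db()
    print(find_role_fixed(db, "o'brien"))  # ['user']
    try:
        find_role_vulnerable(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("broken query:", exc)
    print(session_token_hotspot(), session_token_reviewed())
```

Running the script shows the parameterized lookup returning the role for o'brien while the concatenated version fails with a SQL syntax error; in a real codebase the same defect also means attacker-controlled input can alter the statement, which is why the vulnerability class gets immediate attention while the token hotspot only needs a reviewer to decide whether the context is security-sensitive.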
5. Parallel Processing of Analysis Reports
Enables you to manage scans and reports in parallel. This is useful if you have to run many scans and reports.
You can run up to 10 workers in parallel.
FAQ (Frequently Asked Questions):
- Q: What’s the pricing of SonarQube?
A: SonarQube pricing depends on several parameters:
- Edition type (as explained above in the article)
- The number of lines of code you have
- Whether you take customer support
Contact us to get exact pricing and quotes: sonarqube@almtoolbox.com or call us
- Q: I’m using a code language supported by the Community (Free) Edition (e.g. Java or C#). Does that mean I get all the capabilities of SonarQube?
A: No. If you use the free edition you only have access to the features available in the free Community Edition.
For instance, if you use Java (which is available in the free edition) you won’t get security rules, branch analysis, reports, etc.
ALM-Toolbox is an official distributor of SonarQube and provides consulting, SonarQube and SonarCloud licenses, implementation, training and managed services, and helps customers integrate SonarQube with their business flows and CI/CD pipelines.
Contact us for any questions including pricing and quotes: sonarqube@almtoolbox.com or call us: 866-503-1471 (USA / Canada) or +972-722-405-222