Initially written in January 2022. Last update: April 2023
I’m frequently asked what the differences are between SonarQube versions.
From the questions it is clear that the licensing options are not so clear and quite confusing, so I decided to write down the essential points and help make things right.
In the following article I explain the differences, and besides we’ve recently made a spreadsheet that easily gives you see all the features in the product, in detail, and by Editions (so you can use filters and see for example what features are are only in Developer / Enterprise editions; what features are not in a certain edition etc.) . You can email us (email@example.com) and get that spreadsheet.
Core Differences in SonarQube Editions
In this article I explain the main differences in SonarQube editions.
SonarQube was built in an “Open Core” model, which means it’s an open source built by layers: each layer contains the former layer plus extra capabilities:
- Community (Free) Edition is the basis
- Then you have Developer Edition on top of it
- Then the Enterprise Edition on top of it
- and then the Data Center Edition on top of it
See illustration to the right side.
Let’s see the main capabilites which are added in each edition (layer).
What’s in the Community Edition?
That edition is free open source and it offers the following:
1. Core of SonarQube
and 60+ plugins.
You have a variety of plugins made for SonarQube (some are free while you have to pay for some others). You may also build your own plugins (and we can build it for you).
2. Scanning Code languages (static code analysis)
Community edition supports a basic scanning of 16 languages:
3. Scanning the master (main) branch
Scan the master (main) git branch.
Note you can’t scan other branches (e.g. feature branches) using the community edition, so you can’t apply “Shift Left” methodology using that edition.
SonarLint helps you get notifications about code issues and bugs, in real time, into the developers’ IDE (e.g. IntelliJ / VS Code) – which helps them develop more “clean code”.
Note: SonarLint cannot be configured in that version (You can do so in the Developer Edition as explained below)
Developer Edition vs Community Edition
Developer Edition offers all in Community edition PLUS:
You can scan any branches you want (rather than the master branch only), so you can detect problems much earlier – even before the code is merged upstream to main branches
Pull Request Decoration & Analysis
This enables you to integrate SonarQube with your version control tools and add SonarQube analysis and a Quality Gate to your Pull Requests (or Merge Requests) in your ALM / DevOps provider’s interface, including GitLab, GitHub, Bitbucket and Azure DevOps.
It helps you get fast feedback (of scanning results) into the dashboard.
Code Security Analysis / Capabilities
Security scanning with a variety of rules for each code language (our spreadsheet specifies how many rules you have for each language)
Note: the Community (free) Edition does not scan for security vulnerabilities
Extra SonarLint Capabilities
In this version it’s possible to configure and receive Smart Notifications (not available in Community free Edition),
so if you (as a developer) use SonarLint through your IDE, you can configure and receive notifications.
For example: You can receive a message if you have not passed the Quality Gates.
Note: SonarLint in the Community (free) Edition does not scan languages that are not supported in the free version (e.g. C, C++ and others as detailed below)
Supporting more Languages:
Developer Edition also scans the following code languages:
Developer Edition supports 24 code languages in total.
Enterprise Edition vs Developer Edition
Supporting more Languages
Enterprise Edition also scans the following code languages:
- Apex (of Salesforce)
- VB 6 (Visual Basic)
Enterprise Edition supports 29 code languages in total.
2. Portfolio and Reporting
This feature is useful when you have many projects. It shows you the projects status in high-level (which is often needed by development managers, team managers, CTOs, etc.).
This also enables you to aggregate projects by groups so you can visualize the information and makes it much more clear and readable.
Relevant features here:
- Aggregation of projects. For instance, you can decide what to group together according to criteria that you decide, e.g. common code language; legacy projects; groups ; teams etc.
- You can automate the report and send it by email (as a PDF report)
Watch a demo (2 min):
3. Security Reports
Security reports are available in Enterprise edition only.
Those reports help you get faster feedback and fix security vulnerabilities much faster.
SonarQube helps you see your security posture by OWASP Top 10 and CWE Top 25 standards.
4. Security Hotspot + Security Vulnerabilities
Security Hotspots are code areas where SonarQube highlights suspicious code snippets that developers need to check (because there might be vulnerabilities).
See an example (click to enlarge):
That feature also helps improve developers’ development skills and empower them: as they write code and find out hotspots, they learn about security risks and best practices on how to prevent them.
Security Vulnerabilities require immediate attention. SonarQube provides a detailed description and highlights thre relevant code, which helps to understand what the risk is in the given code.
For example (click to enlarge):
5. Parallel Processing of Analysis Reports
Enables you to manage scans and reports in parallel. This is useful if you have to run many scans and reports.
You can run up to 10 workers in parallel.
6. Staging License
Using the Enterprise Edition you can get an additional license for setting up a staging / testing environment.
This is useful when SonarQube is part of a critical system and / or using plugins, and you want to test it (as a “dry” run) before upgrading the real server (in order to mitigate risks and ensure minimal downtime and success upgrade).
Data Center Edition vs Enterprise
Data Center Edition provides you high availability for massive (global) deployments.
High availability is achieved by adding redundancy to every node in the system.
- Q: What’s the pricing of SonarQube?
A: SonarQube pricing depends on several parameters:
Edition type (as explained above in the article);
The amount of lines of code you have
Whether you take customer support
Contact us to get exact pricing and quotes: firstname.lastname@example.org or call us
- Q: What’s the pricing of SonarQube?
- Q: I’m using a code language supported by the Community (Free) Edition (e.g. Java or C#).
Does it mean I get all the capabilities of SonarQube?
A: No. If you use the free edition you have access to features available in Free Community Edition only.
For instance: if you use Java (that’s available in free edition) you won’t get security rules; No branch analysis; No reports, etc.
ALM-Toolbox is an official distributor of SonarQube and provides consulting, SonarQube and SonarCloud licenses, implementation, training and help customers to integrate SonarQube with business flows and CI/CD pipelines.
Contact us for any questions including pricing and quotes: email@example.com or call us: 866-503-1471 (USA / Canada) or +972-722-405-222