I'm not sure how much value Sonar adds where I work (dotnet). It enormously affects build times, and I've yet to experience a single true positive in 2 years (apart from the code coverage dashboard). The amount of MRR you can generate by vaguely being related to mitigating vulnerabilities is incredible.
I worked at a place that was full of junior contractors who had a large incentive to ship and no incentives for support. Sonar was good about finding bugs that they should have fixed but didn’t give a rip about (e.g. not closing database connections on all paths).