What is our primary use case?
I work on multiple projects using various programming languages, and Coverity provides more security and quality checks than CodeSonar, resulting in more robust results.
The second point is that CodeSonar created many intermediate directories, consuming almost three-fourths of my hard disk space. In contrast, Coverity occupies less than half of the space that CodeSonar used.
How has it helped my organization?
If someone is starting their security journey, they are looking for a code scanning tool and considering the entire portfolio that a vendor can offer. From this perspective, Synopsys provides a comprehensive suite of application security tools that can be used at various stages of the SDLC, which CodeSonar lacks. CodeSonar primarily offers static analysis and binary analysis tools, and while it can perform open-source analysis, it does so with limited programming language coverage. This limitation does not meet our long-term requirements.
Therefore, considering the long-term vision, we decided that Synopsys, recognized as a leader in the industry for seven consecutive years, offers a broader range of tools and greater value.
What is most valuable?
Coverity has excellent integration capabilities. The best part is that the add-ons come at no additional cost, making them compatible with most IDEs. This helps achieve shift-left testing, enabling early-stage code analysis within the IDE environment. Additionally, Coverity can be integrated with numerous CI/CD tools like Jenkins, Bamboo, Hudson, and Azure DevOps. It also supports integration with binary repositories, such as Artifactory and Nexus. For deployment, Coverity offers flexibility as it can be deployed on Docker, Kubernetes, OpenShift, and more. On-premises and SaaS models provide options tailored to different infrastructure needs.
The main benefits of the integration were complete, end-to-end automation. Coverity seamlessly fits into our process. Coverity integrates with issue-tracking systems like Jira and provides email notifications, alerts, and other features. It works as a complete, comprehensive solution, offering a holistic approach. We gained this bundled plugin approach from integrating Coverity.
What needs improvement?
My concern with Coverity is its dashboards and reporting. While Coverity is developer-friendly, it is not particularly intuitive for non-technical users. For instance, a solution architect or C-level executive might want to understand the current state of an application through bar graphs and charts without delving into the technical details. Coverity lacks the ability to generate such executive reports and doesn't offer much customization in its reporting. As a result, we have to rely on other business intelligence tools like Power BI or Splunk to integrate with Coverity, pull the data, and create the desired reports and charts.
Coverity has significantly expanded its support for various programming languages. Currently, it supports more than 24 programming languages. They have also introduced an IDE plugin and a SaaS version of Coverity, where users can upload their code and receive reports. One area of improvement could be expanding incremental scanning to more programming languages. Currently, incremental scanning is supported for only a few languages, but expanding this feature to all the supported languages would be highly beneficial.
For how long have I used the solution?
I have been using Coverity for four years.
What do I think about the scalability of the solution?
Around four users are using this solution. If you're talking about on-premise deployment, the more hardware resources we have, the more scalable it is. It's a direct proportional relationship. However, in terms of the cloud model, it has been pretty easy. They can scale it effectively.
How are customer service and support?
They provide us access to their technical support team as part of their commercial product agreement. However, they work five days a week. They also offer a premium support package, which comes at an additional cost and includes 24/7 critical priority support. We have opted for the default support that comes with the product.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
The data that CodeSonar generated as output was huge, gigabytes, and used to clog my hard disk. The second point is that Coverity and CodeSonar both have good results, with both having a low false positive ratio. They both do a fair job of identifying defects.
In terms of scale, scalability, and stability, Coverity is on par with CodeSonar due to its architecture and fast response. Coverity uses a built-in PostgreSQL database, which has a good schema interface. Additionally, the incremental scanning is efficient. Coverity supports over 27 programming languages, whereas CodeSonar only supports around five to six. So, if you are working on a project that uses languages like Go, PHP, or others that CodeSonar doesn’t support, CodeSonar would not be suitable.
Moreover, Coverity offers extensive IDE support with add-ons for around seven to eight IDEs, whereas CodeSonar primarily targets a few IDEs like Eclipse and Visual Studio.
How was the initial setup?
The initial setup is pretty straightforward. Coverity offers both on-premise and SaaS models, and we are using both. We have a hybrid license, including several on-premise licenses. For the on-premise setup, you download an executable file, double-click on it, and complete the installation easily. The SaaS model is equally simple: log in to the browser with your credentials, upload the files, and generate the report. The process is mainly agent-free.
What was our ROI?
The tool identified many defects before our source code reached a QA or staging environment. The most impressive feature is the IDE plugin, which identifies crucial defects as the developer writes the code. This means developers can know whether they write defective or proper code before pushing it into the repository. Identifying defects at the initial stages of the development lifecycle can save much money in the long run, providing a good ROI. This is why our organization has been using Coverity for over four years.
What other advice do I have?
When discussing the on-prem portal, if you are a customer handling numerous projects with heavy daily activity, such as triggering various types of scans and integrations with CI/CD, you should know that Coverity on-device has a built-in database. It is crucial to maintain this database diligently. Regular maintenance and monitoring are essential to ensure smooth operation. In case of any issues, creating a backup server is advisable as a precautionary measure.
We are working on a microservices model, where each small module is considered a separate project for an NTP. We have more than 300 critical business projects. Multiple departments use Coverity: developers use it for local scanning, and the security team uses it to ensure coding practices adhere to standards such as OWASP or PCI.
I suggest conducting a fair analysis. Let them pick the same project for a POC and scan it using their existing tools and Coverity. They can evaluate scalability, language support, compiler support, incremental scanning, IDE plugins, and CI/CD plugins.
During COVID or post-COVID, if we look at the incidents in the security market, most data breaches happen at the application layer. While network layer security is well understood, application security remains a significant challenge. Synopsys addresses this with a comprehensive portfolio, including code scanning, static analysis, SCA, open source analysis, IAST, fuzz testing, and more. Additionally, they offer extensive security services with over 600 consultants who can help eliminate false positives and address security concerns.
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.