We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"Provides software security, and helps to find potential security bugs or defects."
"It's very stable."
"Coverity gives advisory and deviation features, which are some of the parts I liked."
"The features I find most valuable is that our entire company can publish the analysis results into our central space."
"We were very comfortable with the initial setup."
"The solution has helped to increase staff productivity and improved our work significantly by approximately 20 percent."
"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The solution effectively identifies bugs in code."
"It assists during the development with SonarLint and helps the developer to change his approach or rather improve his coding pattern or style. That's one advantage I've seen. Another advantage is that we can customize the rules."
"The product has a friendly UI that is easy to use and understand."
"It provides the security that is required from a solution for financial businesses."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
"SonarQube is good in terms of code review and to report on basic vulnerabilities in your applications."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"If code coverage is a low number then that's of great value to me."
"Its price can be improved. Price is always an issue with Synopsys."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now.Some check checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."
"It would be great if we could customize the rules to focus on critical issues."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"SCM integration is very poor in Coverity."
"The tool needs to improve its reporting."
"Reporting engine needs to be more robust."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"It would be a great add-on if SonarQube could update its database for vulnerabilities or plugging parts."
"We found a solution with dynamic testing, and are looking to find a solution that can be used for both types of testing."
"The reporting is good, but I am not able to download a specific report as a PDF, so downloading reports is something that should be looked at."
"There are limitations to the free version that limit development options as far as languages."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
"The solution is a bit lacking on the security side, in terms of finding and identifying vulnerabilities."
"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
Coverity is ranked 4th in Application Security Testing (AST) with 33 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 108 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx, SonarCloud, Veracode, Snyk and Sonatype Lifecycle. See our Coverity vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.