Comparison Buyer's Guide

Executive Summary
Updated on Mar 20, 2023
 

Categories and Ranking

Coverity
  Ranking in Static Application Security Testing (SAST): 4th
  Average Rating: 7.8
  Number of Reviews: 35
  Ranking in other categories: none

SonarQube
  Ranking in Static Application Security Testing (SAST): 1st
  Average Rating: 8.0
  Number of Reviews: 112
  Ranking in other categories: Application Security Tools (1st), Software Development Analytics (1st)
 

Mindshare comparison

As of June 2024, in the Static Application Security Testing (SAST) category, the mindshare of Coverity is 8.1%, up from 6.6% compared to the previous year. The mindshare of SonarQube is 31.5%, up from 29.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Mindshare in categories unique to one product:
  Coverity: no other categories
  SonarQube: Application Security Tools 27.7%, Software Development Analytics 47.2%
 

Featured Reviews

AP
Nov 9, 2023
A tool to fix bug issues and detect errors with code analysis
I rate the initial setup of Coverity an eight on a scale of one to ten, where one is difficult and ten is easy. The setup phase of Coverity can sometimes be straightforward, and if there are some issues, it can be a little bit complex. When involved in some tracking activity, Coverity sometimes uses looping logic, making it quite difficult to handle bugs. Sometimes the tracking activity in Coverity will be straightforward, with a very good interface. Marking the positive rates and giving some green and red bars can be helpful in Coverity. The solution is deployed on an on-premises model. The solution can be deployed in a day. My company uses the git repository for the implementation of Coverity. Five people are required to deploy the solution. Around thirty people might be required to take care of the maintenance process of the product, since there will be an increase in the team members in our company.
BS
Dec 21, 2023
This solution is simple to use and can be quickly deployed
We use SonarQube to check for vulnerabilities and quality. The solution has helped us to find flaws in the syntax and comply with requirements. I have found the most valuable features to be scanning for bugs or fixing the hotspot. These features have helped to improve the code quality. I…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The reporting feature is up to the mark."
"It's very stable."
"The app analysis is the most valuable feature as I know other solutions don't have that."
"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
"Coverity is easy to set up and has a less lengthy process to find vulnerabilities."
"The tool as it is can be used for code quality improvement."
"Coverity gives advisory and deviation features, which are some of the parts I liked."
"One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
"Improves the code coverage and evaluates the technical steps and percentage of code being resolved."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"It helps our developers work more efficiently as we can identify things in a code prior to it being pushed to where it needs to go."
"Apart from the security point of view, I like that it makes it easy to detect code smells and other issues in terms of code quality and standards."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"The most valuable features are the segregation containment and the suspension of product services."
"The most valuable features are the dashboard reports and the ease of integrating it with Jenkins."
"The most valuable features are the analysis and detection of issues within the application code."
 

Cons

"Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
"The solution could use more rules."
"Sometimes it's a bit hard to figure out how to use the product’s UI."
"I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."
"The solution is a bit complex to use in comparison to other products that have many plugins."
"The product lacks sufficient customization options."
"Coverity is not stable."
"We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem, because we have to waste some time; the real issue is that the issue is not an issue. I mean, the tool pauses on an issue, but the same issue is filtered now. Some checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our own checker. The modelling feature provided by Coverity helps in finding more information for potential issues, but it is not mature enough; it should be mature. A fast testing feature for security testing campaigns can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
"One thing to improve would be the integration. There is a steep learning curve to get it integrated."
"In terms of what can be improved, the areas that need more attention in the solution are its architecture and development."
"This solution finds issues that are similar to what is found by Checkmarx, and it would be nice if the overlap could be eliminated."
"Having performance regression as an add-on, or the ability to do it during the scan, would be helpful."
"After scanning our code and generating a report, it would be helpful if SonarQube could also generate a solution to fix vulnerabilities in the report."
"If there were an official Docker image of SonarQube that could easily integrate into the pipeline, it would help the user to plug in and plug out and use it directly without any custom configuration. I am not sure if this is being offered already in an update, but it would be very helpful."
"There isn't a very good enterprise report."
 

Pricing and Cost Advice

"The tool's price is somewhere in the middle. It's neither cheap nor expensive. I would rate the pricing a five out of ten."
"The pricing is on the expensive side, and we are paying for a couple of items."
"It is expensive."
"The pricing is very reasonable compared to other platforms. It is based on a three year license."
"This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."
"The tool was fairly priced."
"The licensing fees are based on the number of lines of code."
"Offers varying prices for different companies"
"SonarQube is an open-source product that can be used free of charge."
"The price of this solution is more expensive than competitors. However, it works better than competitors."
"The development license cost is reasonable, and we've had no concerns about SonarQube when it comes to cost."
"I am satisfied with the pricing."
"My guess is that we have a yearly subscription. We use it quite extensively, so a monthly license wouldn't make sense. Yearly subscriptions are usually cheaper. In addition to the standard licensing fee, there is just the cost of running the hardware where it is hosted."
"SonarQube Enterprise, I am not sure of the price, but from what I understand they are charging a fee. It is not clear if it is an annual fee or a one-off."
"On the pricing side, it's 3,000 Euros for 1 million lines of code."
"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."
 

Top Industries

By visitors reading reviews
  Coverity: Manufacturing Company 29%, Computer Software Company 16%, Financial Services Firm 7%, Government 4%
  SonarQube: Financial Services Firm 17%, Computer Software Company 15%, Manufacturing Company 12%, Government 6%
 

Company Size

By reviewers: breakdown across Large Enterprise, Midsize Enterprise and Small Business (percentages not captured in this extract)
 

Questions from the Community

How would you decide between Coverity and Sonarqube?
We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...
What do you like most about Coverity?
The solution has improved our code quality and security very well.
What is your experience regarding pricing and costs for Coverity?
Coverity offers varying prices for different companies. Our company has a five-year licensing contract with Coverity, so the licensing posture is seamless. As our organization is based in Banglades...
Is SonarQube the best tool for static analysis?
I am not very familiar with SonarQube and their solutions, so I cannot answer. But if you are asking me about which tools are the best for Static Code Analysis, I suggest you have a look...
Which gives you more for your money - SonarQube or Veracode?
SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...
How does Snyk compare with SonarQube?
Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...
 


Also Known As

  Coverity: Synopsys Static Analysis
  SonarQube: Sonar
 


Sample Customers

MStar Semiconductor, Alcatel-Lucent
Find out what your peers are saying about Coverity vs. SonarQube and other solutions. Updated: May 2024.