Coverity Overview

Coverity is the #9 ranked solution in AST tools. PeerSpot users give Coverity an average rating of 7.8 out of 10. Coverity is most commonly compared to SonarQube: Coverity vs SonarQube. Coverity is popular among the large enterprise segment, accounting for 75% of users researching this solution on PeerSpot. The top group researching this solution is professionals from manufacturing companies, accounting for 21% of all views.
Buyer's Guide

Download the Application Security Testing (AST) Buyer's Guide including reviews and more. Updated: November 2022

What is Coverity?

Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts. 

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports 22 languages and over 70 frameworks and templates.

Coverity was previously known as Synopsys Static Analysis.

Coverity Customers

MStar Semiconductor, Alcatel-Lucent


Coverity Pricing Advice

What users are saying about Coverity pricing:
  • "This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."
  • "Coverity is very expensive."
Coverity Reviews
    Senior Solutions Architect at a computer software company with 11-50 employees
    Real User
    Top 20
    Broad integration capacity and works with more languages than some competitors
    Pros and Cons
    • "One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
    • "Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."

    What is our primary use case?

    We write thousands of lines of code on a daily basis, and we cannot say that our code is free because there are a lot of other developers contributing to the source code and things like that. And this process is prone to human error, defects in the source code, etc.

    How has it helped my organization?

    To automate detection, we use Coverity's static analysis, which has a low false-positive ratio. That's because Coverity's analysis engine includes 20-plus patented technologies. A lot of other static analysis tools use pattern-based analysis, but Coverity's is flow based. That's why we ended up using it. Coverity is helping us identify some of the critical defects at the early stages of the development life cycle. So overall, it is giving us a greater ROI and making our application more mature and robust.

    What is most valuable?

    One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited. So Contributing Events lets you create that kind of a workflow.

    We also need a tool that works in an environment that isn't dependent on the built environment. You point it to a folder. Then the tool picks it up, runs the scan, and gives you the report. That feature is available in Coverity. So you don't have to rely upon build artifacts or developer artifacts. So these are the two key features we use daily, and we've gotten good results. 

    What needs improvement?

    Coverity's UI is the one thing that needs improvement. Technically speaking, it's doing an outstanding job otherwise. Also, they could reduce their executable size. Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker.


    For how long have I used the solution?

    I've been using it for the past two years.

    What do I think about the stability of the solution?

    This product has been in the industry for more than 30 years, so it's pretty robust.

    How are customer service and support?

    Coverity has a decent SLA. The moment you purchase the tool, you also get an SLA agreement with all the email support. They have email support, call support, as well as WebEx and Zoom sessions on demand. Of course, that depends on the nature of the technical issue. If it's simple, it can be resolved with a couple of email exchanges, but if it really needs some attention, they're happy to get on a call. They've even delivered some custom patches as well. 

    Which solution did I use previously and why did I switch?

    I used CodeSonar a few years back. Both tools have their advantages. In any static analysis tool, the first stage is the instrumentation of the source code. It'll try to capture the skeleton of your source code. So when I compare them based on the first phase alone, Coverity is far better than CodeSonar. 

    They both use a similar technique, but CodeSonar uses up way more storage resources. For example, to scan a 1GB code base, CodeSonar generates more than 5GB of instrumented files for every 1GB of code base. In total, that is 6GB. Coverity generates 500MB extra on top of 1GB, so that equals 1.5GB all in. That's a huge difference. CodeSonar would eat up my disk space and hardware resources when I used it, whereas Coverity is minimal.

    In terms of checkers, both CodeSonar and Coverity cover a good length and breadth, especially for C and C++ programming languages. But CodeSonar focuses only on four languages—C, C++, Java, and C#—only four programming languages, whereas Coverity supports more than 20-plus programming languages.

    Also, the two are comparable with respect to their plugin offerings, but there are crucial differences. For example, CodeSonar only focuses on well-known integrations, like Jenkins and JIRA, but you cannot expect all customers to use the same tools. Coverity supports almost all CI/CD tools, including Jenkins and Bamboo. It also integrates with service providers like Azure DevOps Pipelines and AWS CodePipeline, which CodeSonar hasn't added yet. The plugins are available in the marketplace, and you don't have to pay extra. You just download the plugin from the marketplace, hook it into your pipeline, and it's ready to use. So these are some of the major use cases, three major use cases I would say, when you compare apples to apples with CodeSonar and Coverity.

    How was the initial setup?

    Setting up Coverity is pretty simple. It comes with a normal executable. You just double click, follow the wizard, and complete the setup. It also has on-screen instructions, which makes it pretty easy and cool. Deployment is a much broader question. It depends on how many projects you are trying to scan using Coverity and whether you are integrating this static analysis solution with your CI/CD setup, IDE, bug tracking, etc. That all factors into the total deployment time. So if we're talking about overall deployment, including bug tracking, integration, email notification, CI/CD integration, and everything, it took us 15 to 20 days to onboard 600 projects with 20 users, including all integration.

    We don't have a lot of maintenance. There is a major release every quarter, and we get information on new upgrades, patches, and things like that. And we do have the option to not upgrade. The maintenance is mostly covered by the vendor itself, meaning they deliver the patches and upgrades on time. So I don't see that as a hurdle right now. It's been taken care of.

    What's my experience with pricing, setup cost, and licensing?

    I'm not sure about the licensing. My commercial team deals with that.

    What other advice do I have?

    I rate Coverity nine out of 10. It's a good choice. If you plan to use Coverity, you should read through the manual to really understand its settings. You have to tune the Coverity engine to get the best research and scalability out of it. Coverity recently added some smart features that automatically compute the hardware requirements in your current machine. It automatically scales up. For example, it can detect how much multi-core CPU power it needs to run an analysis and how much memory is required, so it makes resources available for other applications running on the same machine. That intelligence has been built on. So initially, I recommend going over the fundamentals and fine-tuning it based on one's own requirements.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Jaile Sebes - PeerSpot reviewer
    Senior Software Architect at a tech vendor with 10,001+ employees
    Real User
    Easy to set up with good static order analysis but is expensive
    Pros and Cons
    • "We were very comfortable with the initial setup."
    • "We'd like it to be faster."

    What is our primary use case?

    We primarily use the solution for quality purposes. We also use it for security. That's one subset of quality. However, it's used for more dynamic behavior, such as memory leaks, et cetera. 

    What is most valuable?

    They have a good memory-related box and a static order analysis that's very good, especially around leaks.

    We were very comfortable with the initial setup.

    It is stable.

    What needs improvement?

    The cost is very high.

    They don't have SonarQube compatibility with the dashboard, which is a big negative. They were actually arrogant for not providing it. We wanted to see all the problems in a single SonarQube dashboard, and we can't do that. They need SonarQube integration. They claim that they have SonarQube integration, yet it is not there.

    We'd like it to be faster.

    The solution could always use a bit more security. 

    For how long have I used the solution?

    I've been using the solution for around 12 years. 

    What do I think about the stability of the solution?

    I consider the solution very stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

    That said, when we are doing security analysis on bigger projects, it can be slow. 

    What do I think about the scalability of the solution?

    To scale, you need more hardware. That way it is scalable. That said, it is already handling quite a big amount. We have a specific problem when analyzing security in a big project. It can get slow. 

    I'd rate it four out of five in its ability to scale. 

    We have around 200 people using the solution currently. 30 to 40 use it on a daily basis. 

    We do not have plans to increase usage based on the cost. We're actually looking for an alternative.

    How are customer service and support?

    Support is not so good. They're too slow. In contrast, Klocwork has very good support.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We've used Klocwork before. However, it has the same issues as this product. They're more for C# and C++.

    How was the initial setup?

    The solution was very simple to set up. The frontend, backend, and UI are very good and easy to navigate.

    I'd rate the initial setup process a four out of five in terms of how easy it was.

    What's my experience with pricing, setup cost, and licensing?

    It is an expensive solution. 

    Their sales team is very arrogant. 

    I don't like their licensing mechanism. Everything is on very unfriendly terms. 

    There are other tools you can use that are free and open-source. 

    In a collaborative environment, they are very tricky. When it comes to looking at the bugs on a web interface, they try to block them. When you discuss it with them, they are quite unfriendly. Once you get stuck into the tool, they know that it's hard to leave due to the history. When you get into a tool, you need the history, since the history needs to be built up, and therefore, over time, you have a dependency on the tool.

    I'd rate the product a three out of five in terms of affordability.

    What other advice do I have?

    We're a customer.

    I would rate the solution seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Yantao Zhao - PeerSpot reviewer
    Software Integration Engineer at Thales
    Real User
    Top 5
    Powerful capabilities, reliable, and good support
    Pros and Cons
    • "The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."
    • "Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."

    What is our primary use case?

    We use Coverity because we have a SonarQube server and we have a lot of software components that use different languages, such as Java, C, C++, and above. For C and C++ components we use Coverity.

    What is most valuable?

    The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution.

    What needs improvement?

    Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better.

    For how long have I used the solution?

    I have been using Coverity for approximately four years.

    What do I think about the stability of the solution?

    Coverity is stable.

    What do I think about the scalability of the solution?

    The scalability of Coverity is good. We have more than around 15 software components and other components involved.

    We have 20 developers that are using the solution in my organization.

    How are customer service and support?

    We had support from Coverity for the first six months of usage but later we did not.

    I rate the support from Coverity a four out of five.

    Which solution did I use previously and why did I switch?

    We have used other solutions, such as SonarQube.

    How was the initial setup?

    In the beginning, it takes two weeks to learn how to set up Coverity, but later the maintenance work is very easy. The beginning involves soft code that we need to set up before using SonarQube; we have created a SonarQube property for every component, and inside we need to copy different options for Coverity. We had global Coverity roles or vendors; we had to allow it to work with global rules and according to the component itself and the setup. The full implementation process can take approximately one month to complete.

    What about the implementation team?

    We have two teams to set up the server and install Coverity. I set up the project in Coverity and the different roles in the soft code. The developers use Coverity in their daily work.

    What other advice do I have?

    My advice to others is that the first few steps of using Coverity take time. It's better to have an experienced user to support it. For new users, it will be hard for them to set it up. If they can get someone to support it directly at the beginning, it would be better, because for me it was very hard at the beginning for a few weeks.

    And on a scale from one to 10, how would you rate Coverity?

    I rate Coverity an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Vice President at a tech vendor with 1,001-5,000 employees
    Real User
    Static analysis solution that exposes existing and future vulnerabilities
    Pros and Cons
    • "The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."
    • "When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material."

    What is our primary use case?

    We use this solution to scan our products. We've integrated with our build system and it automatically completes the scanning.

    What is most valuable?

    The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time.

    What needs improvement?

    When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing an SBOM, a software bill of materials. They could also integrate a software composition analysis scan. This would make my job a bit easier.

    There is scope for Coverity to look beyond static analysis. Most of the people that I have spoken to use Coverity from a pure static analysis perspective. However, we also need to be able to view dynamic pages and APIs using dynamic scanning and SES scans. Currently we would need to use another solution to be able to do this.

    For how long have I used the solution?

    I have been using this solution for 10 years.

    What do I think about the stability of the solution?

    This is a stable solution.

    What do I think about the scalability of the solution?

    This is a scalable solution.

    How are customer service and support?

    From a support perspective, they are pretty responsive. I would rate them a five out of five. 

    What was our ROI?

    Over the last ten years, our company has derived value from using this solution. We continuously evaluate our tech stack, and if a better solution came along, we would consider it if it provided more value.

    What's my experience with pricing, setup cost, and licensing?

    This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis. 

    There are other new tools like Veracode, Java Icon and Javascript which are better than Coverity when it comes to visualization. Their cost is significantly lower compared to Synopsys. 

    What other advice do I have?

    Coverity is really good with C/C++ and legacy technologies. However, there are other products that are probably as good or even better than Coverity when it comes to Java or cloud applications.

    If someone were to ask me what tool I would recommend, my answer would depend on what technology they're using and what their use case is. My advice would be based on how they're going to use the product and what they're expecting from the tool.

    I would rate this solution an eight out of ten. 

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr. QA Engineer at a computer software company with 1-10 employees
    Real User
    Top 20
    Good tech support but it doesn't report errors like it should
    Pros and Cons
    • "I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
    • "Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."

    What is our primary use case?

    We use Coverity for static analysis of our code.

    What needs improvement?

    Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code. So either we are perfect, or the tool is missing something. 

    For how long have I used the solution?

    I've been using Coverity for a couple of years.

    What do I think about the scalability of the solution?

    I haven't had much experience trying to scale up Coverity. Only three people at our company work with it.

    How are customer service and support?

    I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be. They are on par with other tech support in terms of knowledge. However, their style of communication could use some improvement.

    How was the initial setup?

    Setting up Coverity is highly complex. The upgrade procedure is also pretty tough. We've had trouble with it on at least one occasion. When I went ahead with it, it destroyed the installation. I couldn't go back. So it's challenging to understand from the documentation. It seems like they tried to cover all possible topics in their manuals, so they ended up scratching the surface of everything in the world except for the particular practical items that I needed.

    What's my experience with pricing, setup cost, and licensing?

    Coverity is very expensive.

    What other advice do I have?

    I rate Coverity five out of 10, but it's tough for me to judge because we decided to purchase it based on one requirement that no other static analysis tool could satisfy. For that reason, we haven't tried anything else. So, let's make an analogy. Let's say I used Sony TVs my entire life, and someone comes up and says, "Hey, there is a new brand of TVs. What do you think of them? Do you think they are good?" How would I know? By comparison, SonarQube seems to be more feature-rich for a standard programming language, and it works with more continuous integration tools.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Estefania Ramirez - PeerSpot reviewer
    Application Security Auditor at Softtek
    Real User
    Top 10
    Great app analysis, support, and pricing
    Pros and Cons
    • "The app analysis is the most valuable feature as I know other solutions don't have that."
    • "The solution could use more rules."

    What is our primary use case?

    We use the product only as a solution for defect code, to find more build liabilities in the code.

    How has it helped my organization?

    The product allows us to find vulnerabilities while testing our apps. 

    What is most valuable?

    The app analysis is the most valuable feature as I know other solutions don't have that.

    It's a good tool. The interface, support, pricing, and integration do not have any limitations.

    What needs improvement?

    The solution could use more rules. For example, if I have a lot of rules in many languages, it helps my company as having access to more rules works for us.

    We'd like a bit more integration.

    For how long have I used the solution?

    I've been using the solution for maybe three months. 

    What do I think about the stability of the solution?

    The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance has been good overall. 

    What do I think about the scalability of the solution?

    We find the solution to be scalable. 

    I'm not sure exactly how many people are using the product.

    I can't say if we have plans to increase usage or not in the future. 

    How are customer service and support?

    We haven't had any issues with technical support. They are helpful and responsive. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We also use SonarQube.

    In the past, I used Checkmarx and Fortify, and Coverity had the better price.

    How was the initial setup?

    I have access only to the interface part and I didn't do the configuration of the tool. I do not handle the initial setup of the product.

    As I recall, the deployment itself only took days. 

    What about the implementation team?

    Our company managed the setup in-house without the help of outside vendors. 

    What's my experience with pricing, setup cost, and licensing?

    We find the pricing to be reasonable.

    What other advice do I have?

    We're a customer and end-user.

    We are using a recent version of the solution. 

    I'd like potential new users to be aware that it's a good tool to implement basic code.

    I'd rate the solution nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Birbal Sain - PeerSpot reviewer
    Software Developer at Altair
    Real User
    Top 20
    Scalable, good for cluster structures, and has helpful technical support

    What is our primary use case?

    We are using GK and the latest version for port deployment.

    For how long have I used the solution?

    I have been using Coverity for three and a half years.

    What do I think about the stability of the solution?

    Coverity is not stable but it is sufficient for our organization's requirements.

    What do I think about the scalability of the solution?

    Coverity is scalable.

    How are customer service and support?

    We contacted technical support to help us clean up an issue we had.

    What other advice do I have?

    If they have a cluster structure, then definitely they should use Coverity. I would rate Coverity a nine out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.