Technical Architect at Elastic Care Inc
Improves code quality and security and provides an informative dashboard and professional-looking reports
Pros and Cons
- "The solution has improved our code quality and security very well."
- "It would be great if we could customize the rules to focus on critical issues."
What is our primary use case?
We use the solution to perform security scans on our application. We worked on a healthcare product. We wanted to submit it for FDA approval. It was mandatory to validate security issues, static code analysis, and dynamic code analysis. We evaluated multiple tools and shortlisted Coverity. I worked with the Synopsys team for integration and initial setup to allow the tool to scan our application implementation and identify static and dynamic code issues.
How has it helped my organization?
The solution has improved our code quality and security very well. It has multiple reports. I wanted good reports as evidence that we are doing security scans. We got them from Coverity. We were able to keep track of all the issues. Genuine issues were identified. It improved our code quality and provided us with the ability to keep track of all the issues that were identified.
Our product was not on the market yet. It was under development. Almost 90% of the development was already done. At that stage, we introduced Coverity as part of the compliance required for medical device products. It would have been good if we had introduced Coverity when the development was at 40%. It would have helped us address the incremental issues right then. We wouldn’t have had to go back and redo all the fixes for issues reported by Coverity.
What is most valuable?
The scan of the repository has been most effective in identifying critical vulnerabilities. The product provided visibility over security-related issues like hard coding and values getting exposed in a log. It helped us resolve difficult issues. With CI/CD integration, we could scan the incremental commits done by different developers. We were able to report them, and the developers were able to fix them.
The product identifies the issues and has an informative dashboard that gives us strains of incremental issues and resolutions. It also keeps track of whether the reported issues were fixed and what the resolution was. Sometimes, we find duplicate issues. Those were very well managed from the dashboard. Our primary requirement was for compliance, and it was good. The reports were significant and looked very professional.
What needs improvement?
The product must allow users to customize the issues they want to identify. Some of the issues reported by the tool were not that critical. We had a long list of low-priority issues that were piling up. It would be great if we could customize the rules to focus on critical issues.
Buyer's Guide
Coverity
June 2025

Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
I never encountered any issue that can raise a question about the tool’s stability. I rate the stability a ten out of ten.
What do I think about the scalability of the solution?
The tool is highly scalable. I rate the scalability a ten out of ten. Our clients are medium-sized businesses.
How are customer service and support?
The technical support was very good. We were engaged with one of the representatives from Synopsys. He continuously assisted us throughout the setup and actual usage. The support team also followed up proactively to check if we were struggling with any issues or seeking help.
How would you rate customer service and support?
Positive
How was the initial setup?
I rate the ease of setup a nine out of ten. I explored the cloud version, too. However, we used the on-premise version. The deployment took almost one week.
What's my experience with pricing, setup cost, and licensing?
The tool was fairly priced.
What other advice do I have?
I will definitely recommend the product to others. We evaluated many solutions. I found Coverity easy to use, fairly priced, and it does the expected job. Overall, I rate the tool a ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer

Integration Supervisor Lead at Visteon Corporation
A scalable solution that needs to improve its SCM integration capabilities
Pros and Cons
- "Coverity gives advisory and deviation features, which are some of the parts I liked."
- "SCM integration is very poor in Coverity."
What is our primary use case?
We are using Coverity for Android, cluster programs, and infotainment.
What is most valuable?
Coverity's setup takes a long time. Coverity gives advisory and deviation features, which are some of the parts I liked.
What needs improvement?
SCM integration is very poor in Coverity. The IDR file is not portable. After the analysis, it generates an IDR file. It cannot be ported from the machine since it is machine specific. Also, the component mapping has to be done manually. We cannot upload in one shot through automation or an Excel sheet. That is also a drawback.
In terms of the additional features that the solution should possess, I would say that it should have very good and sound features for Android-related work, and embedded features should be supported. Also, infotainment programs for people who are using HMI should be supported very well.
For how long have I used the solution?
I have been using Coverity for more than one year. In my company, we use the tool. Also, we go to the vendor for support. I am using Coverity 2022.
What do I think about the stability of the solution?
Speaking about stability, I would say that product-wise, there is no such complaint. There are no alarming complaints. However, some minor things we have to fix, use and tune it. With the newer versions, the only problem is if any new version or any new tool or new plugin comes to our infotainment program, then even with vendor support, we won't get a solution since maybe the tool is not supported or because there is something else that has to be looked into. We are facing problems due to such cases. Otherwise, it's fine, so it is good enough for an existing tool and program.
What do I think about the scalability of the solution?
The product is scalable, provided the tool is supported well and new features are incorporated in parallel; then it's definitely scalable.
To speak exactly about the number of users is difficult, but above 300 people in my company use the solution.
There are four or five members out there who manage Coverity's administration from a project point of view.
How are customer service and support?
My opinion on support depends on what kind of support my company has adopted. I need to check. I don't know what company support they have provided. If they have taken golden support, support will come like that. In that way, I don't want to comment on that.
Which solution did I use previously and why did I switch?
Initially, I worked with Klocwork in my previous company.
Regarding Klocwork, if you can provide me with its information, then we would definitely like to explore it.
How was the initial setup?
Initial setup for the infotainment program is not easy. This is because the template, specifically the code template files, have to be generated, and that itself takes time since they talk to the vendor and get the template files. We are using the same template file for most of the programs. It is not fixed that this program has to use this template file; it is not like that, since it has to be fine-tuned.
For a few programs, like cluster programs, it takes only half a day or a day to get the setup done since everything is ready. But for infotainment, it sometimes takes three to four days, and issues keep coming in for the new enablement. Hence, it may take even three weeks to one month sometimes.
What's my experience with pricing, setup cost, and licensing?
Coverity’s price is on the higher side. It should be lower. It's definitely priced on the higher side, and in that sense, I will definitely give a big alert stating that it is on the higher side of the price.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software Developer at KPIT Technologies
A tool to fix bug issues and detect errors with code analysis
Pros and Cons
- "The interface of Coverity is quite good, and it is also easy to use."
- "Coverity takes a lot of time to dereference null pointers."
What is our primary use case?
I use Coverity in my company mainly to fix bug issues and detect errors with code analysis.
How has it helped my organization?
The ability of Coverity to fix bug issues is important to me. Coverity actually helps to debug and deal really fast when it comes to code analysis. Coverity does have a higher detection rate. It is easy to integrate Coverity into the CI/CD pipeline. Coverity is helpful in marking false positives. Though Coverity has some pros and cons, its pros make it a quite good tool.
What is most valuable?
The scanning ability of Coverity is good since it helps fix bug issues. The interface of Coverity is quite good, and it is also easy to use.
What needs improvement?
Coverity takes a lot of time to dereference null pointers. The product's price is one of its shortcomings, where improvements are required. In general, the price of the product should be kept low.
In the future, Coverity should provide more flexibility.
For how long have I used the solution?
I have been using Coverity for a year. I use the solution's latest version. I am a customer of the tool.
What do I think about the stability of the solution?
Stability-wise, I rate the solution a seven out of ten.
What do I think about the scalability of the solution?
Scalability-wise, I rate the solution an eight out of ten. I rate the coverage of the product a six out of ten.
Currently, five people in my company use Coverity. My company plans to increase the use of the tool for twenty people.
How are customer service and support?
The solution's technical support is good. I rate the technical support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have experience with SonarQube. I switched to Coverity from SonarQube since the former mainly focuses on scanning and detection of bugs, while the latter focuses on the security of the code. If you want only to fix bugs, then the focus of the product should also be quite good, like Coverity. SonarQube's focus area is different from Coverity.
How was the initial setup?
I rate the initial setup of Coverity an eight on a scale of one to ten, where one is difficult, and ten is easy.
The setup phase of Coverity can sometimes be straightforward, and if there are some issues, it can be a little bit complex. When involved in some tracking activity, sometimes, Coverity uses looping logic, making it quite difficult to handle bugs. Sometimes, the tracking activity in Coverity will be straightforward with a very good interface. Marking the positive rates and giving some green and red bars can be helpful in Coverity.
The solution is deployed on an on-premises model.
The solution can be deployed in a day.
My company uses the git repository for the implementation of Coverity.
Five people are required to deploy the solution. Around thirty people might be required to take care of the maintenance process of the product since there will be an increase in the team members in our company.
What was our ROI?
I haven't seen any return on investment from the use of Coverity.
What's my experience with pricing, setup cost, and licensing?
Coverity's cost is quite high. Coverity costs for a year are too high. I rate Coverity's price a ten on a scale of one to ten, where one is cheap and ten is expensive. There are no additional costs apart from the licensing costs attached to the product.
Which other solutions did I evaluate?
Though my company had other options apart from Coverity, we chose to continue with Coverity as we were already using it for some projects in our organization.
What other advice do I have?
Coverity is quite a good tool that helps fix bug issues and deal with code analysis. Coverity's scanning features and scalability are also quite good. The only drawback of the product stems from the fact that it is quite an expensive product. The product's cost can seem too high for a normal user. If your organization is quite good and okay with exploring the tool with its current costs, then you can opt for Coverity. Otherwise, you can use other solutions, like the free community edition from SonarQube.
I rate the overall solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Best SAST tool to check software quality issues
Pros and Cons
- "It's pretty stable. I rate the stability of Coverity nine out of ten."
- "There should be additional IDE support."
What is our primary use case?
It is used to check software quality and compliance with standards.
What is most valuable?
Compliance with standards like MISRA is crucial, especially for the automotive market.
What needs improvement?
There should be additional IDE support. IDE stands for an integrated development environment, like Eclipse. It would be helpful if we could enhance the integration between Coverity and IDEs. Additionally, it would be beneficial to increase the support for different IDEs.
In future releases, there should be a slightly more user-friendly reporting interface.
For how long have I used the solution?
I have been using Coverity for two years. However, our company has been working with Coverity for at least seven years, and also in the past.
We are using Version 2023.1 of the solution.
What do I think about the stability of the solution?
It's pretty stable. I rate the stability of Coverity a nine out of ten.
What do I think about the scalability of the solution?
Around 100 end users are currently using this solution. I would rate the scalability a seven out of ten.
The solution is scalable but may reach a limit where you need to build the second instance to avoid performance issues. Scalability could be better using containers, which the vendor supports. Then it's going to be easier.
How are customer service and support?
The customer service and support team is very efficient and fast.
How was the initial setup?
It takes nearly one quarter to deploy to one team as a part of our business groups. This is an onboarding process that takes time.
After installing the tool in a sandbox for running short POCs (proofs of concept), you add the QA and production environments. The next step is to conduct onboarding and training sessions with vendor support.
I rate my experience an eight out of ten.
What's my experience with pricing, setup cost, and licensing?
I would rate the pricing a six out of ten, where one is low, and ten is high price. It's comparable with other solutions, if not cheaper, but in my opinion, Coverity has the best quality.
What other advice do I have?
I would advise following an onboarding program proposed by the vendor. Do not just jump on the tool on your own, but apply it with the documentation. I suggest an adoption program.
Overall, I rate the solution a nine out of ten. I think it's one of the best SAST tools on the market.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Director at a healthcare company with 10,001+ employees
Useful in areas like code quality and secure code analysis but needs to offer easy integration capabilities
Pros and Cons
- "The tool as it is can be used for code quality improvement."
- "I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."
What is our primary use case?
I use my company's solution for code quality and secure code analysis.
What is most valuable?
The tool as it is can be used for code quality improvement. Whatever rules are in the tool are useful.
What needs improvement?
I don't use it directly on a day-to-day basis.
I expect the product to offer ease of integration with the build pipelines. I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges. I do not know the exact details.
For how long have I used the solution?
I have been using Coverity for a few years.
Which solution did I use previously and why did I switch?
I use Coverity simultaneously with Fortify but for different purposes.
What's my experience with pricing, setup cost, and licensing?
I don't deal with the pricing.
What other advice do I have?
I am satisfied with the product.
The tool is used for specific use cases like embedded systems.
I would not recommend the tool for web application technologies, Java, or cloud-native technologies since the tool is meant for embedded code.
I rate the tool a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
App Security at FineLabs
Helps to check source code against quality gates before deployment
Pros and Cons
- "What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues."
- "The solution needs to improve its false positives."
What is our primary use case?
We've integrated Coverity into our CI/CD pipeline to check our source code against quality gates before deployment. It alerts us to issues so we can halt the pipeline, fix critical problems, and then run it again.
What is most valuable?
What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues.
As for code remediation, although I can fix issues myself as a security engineer, the tool provides helpful remediation guidance for each vulnerability. It lists how to fix each issue, which I find useful. The solution has increased our development speed.
What needs improvement?
The solution needs to improve its false positives.
For how long have I used the solution?
I have been using the product for one and a half years.
What do I think about the scalability of the solution?
I rate the tool's scalability a nine out of ten. We have 20-25 users who use it daily.
How was the initial setup?
I rate the solution's deployment ease a nine out of ten, and it can be completed in a few minutes.
What's my experience with pricing, setup cost, and licensing?
The solution's pricing is comparable to other products.
What other advice do I have?
I rate the overall solution a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
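The quality-gate pattern described in the review above (scan in CI/CD, halt the pipeline on critical findings, ignore triaged false positives) is shown here as an added example. This is not code from the reviewer, from Synopsys, or from the Coverity product; the JSON layout, the checker names in the sample and the `triage` field are constructed, hypothetical placeholders for whatever export format a real SAST tool produces, and the gate logic is the part a practitioner would write themselves.

```python
"""CI/CD quality gate over a SAST defect export.

Added example. The export shape below is constructed and hypothetical;
it is not Coverity's own report format. A real pipeline would read the
tool's export file and map its fields onto the same idea.
"""
import json
import sys

# Constructed sample export (hypothetical shape; checker names are illustrative).
SAMPLE_EXPORT = json.dumps({
    "issues": [
        {"checker": "NULL_RETURNS", "severity": "High",
         "file": "src/parse.c", "line": 42, "triage": "Bug"},
        {"checker": "RESOURCE_LEAK", "severity": "Medium",
         "file": "src/io.c", "line": 118, "triage": "Untriaged"},
        {"checker": "FORWARD_NULL", "severity": "Low",
         "file": "src/util.c", "line": 7, "triage": "False Positive"},
        {"checker": "HARDCODED_CREDENTIALS", "severity": "High",
         "file": "src/auth.c", "line": 3, "triage": "Untriaged"},
    ]
})

# Numeric ranking so "above threshold" is a simple comparison.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Triage states that a reviewer has already resolved; they never block.
RESOLVED_TRIAGE = {"False Positive", "Intentional"}


def load_issues(export_text):
    """Parse the (hypothetical) export and return its list of issues."""
    return json.loads(export_text)["issues"]


def open_issues(issues):
    """Drop findings that were triaged away, so only genuine issues count."""
    return [i for i in issues if i.get("triage") not in RESOLVED_TRIAGE]


def severity_summary(issues):
    """Count open issues per severity; useful for the pipeline log."""
    summary = {"Low": 0, "Medium": 0, "High": 0}
    for issue in open_issues(issues):
        summary[issue["severity"]] = summary.get(issue["severity"], 0) + 1
    return summary


def evaluate_gate(issues, max_severity_allowed="Medium"):
    """Return (passed, blocking_issues).

    The gate passes when no open issue is more severe than the allowed
    maximum. Unknown severities rank as 0 and therefore never block.
    """
    threshold = SEVERITY_RANK[max_severity_allowed]
    blocking = [i for i in open_issues(issues)
                if SEVERITY_RANK.get(i["severity"], 0) > threshold]
    return len(blocking) == 0, blocking


def main(argv):
    # Read an export file if one is given, otherwise use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            issues = load_issues(fh.read())
    else:
        issues = load_issues(SAMPLE_EXPORT)
    passed, blocking = evaluate_gate(issues)
    print("open issues by severity:", severity_summary(issues))
    for issue in blocking:
        print(f"BLOCKING {issue['severity']}: {issue['checker']} "
              f"at {issue['file']}:{issue['line']}")
    # Non-zero exit halts the pipeline stage so the findings get fixed first.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py export.json` in the pipeline step after the scan; with no argument it evaluates the embedded sample, which fails the gate on the two open High findings while the triaged false positive is ignored. Raising `max_severity_allowed` to `"High"` makes the same sample pass, which is the knob a team would tune as it works down its backlog.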
Works at a comms service provider with 1-10 employees
Performs static application security testing on various code bases, including Java, PHP, and HTML
Pros and Cons
- "The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans."
- "The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
What is our primary use case?
My primary use case is performing static application security testing on various code bases, including Java, PHP, and HTML. I use it to create review reports of assets and categorize the issues based on severity.
What is most valuable?
The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans.
What needs improvement?
The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming.
For how long have I used the solution?
I have been using Coverity for about two to three months, between June 2023 and August 2023.
What do I think about the stability of the solution?
There were occasional issues with lag during the initial setup and scans, especially in a cloud environment.
How are customer service and support?
Due to the subscription-based model, I had to contact customer service, mainly to add new users. Response times varied, sometimes taking more than a week.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I had experience with SonarQube as an alternative. Coverity excelled in code scanning because it did not require installation prerequisites. Its reports are also clear and informational. It provides us with a better idea of troubleshooting vulnerabilities.
How was the initial setup?
The initial setup was elaborate and somewhat complicated. The information from the Synopsys website was more than enough. First-time users will struggle with many tools, packages, and libraries. Deployment took 30 minutes to complete. Two to three resources were involved in the process.
What about the implementation team?
An integrator helped with the tool's deployment.
What other advice do I have?
I rate the solution a nine out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead Database security at a consultancy with 201-500 employees
A comprehensive solution for SaaS support providing detailed report and security advisor
What is our primary use case?
We use the solution for SaaS support.
What is most valuable?
The most valuable feature is the security advisor. It also provides a very detailed report.
What needs improvement?
Triage history has many bugs and needs to be improved. There could be a subsection. The solution could provide a graphical representation like other tools.
We have OS 2021, which is not the latest one. It should be updated regularly.
For how long have I used the solution?
I have been using Coverity for almost a year.
What do I think about the stability of the solution?
The product is stable.
I rate the solution’s stability a nine out of ten.
What do I think about the scalability of the solution?
Our organization has 20-30 users using this solution.
I rate the solution’s scalability an eight out of ten.
How are customer service and support?
Technical support has expert hours and is available anytime. Also, we don't need to raise a ticket now because we have direct support from Coverity.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We are exploring Black Duck, which has more precise things. Coverity has a clear view. The report is very much clear rather than confusing like other tools. It also has a PDF option, and it gives precise information.
How was the initial setup?
The initial setup is simple.
What's my experience with pricing, setup cost, and licensing?
The solution has higher pricing. The price should be based on the user count. Suppose there is a ten-user license per pack. However, this could be adjusted to five users if needed.
What other advice do I have?
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Buyer's Guide
Download our free Coverity Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2025