Software Integration Engineer at Thales
Powerful capabilities, reliable, and good support
Pros and Cons
- "The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."
- "Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
What is our primary use case?
We use Coverity because we have a SonarQube server and we have a lot of software components that use different languages, such as Java, C, C++, and above. For C and C++ components we use Coverity.
What is most valuable?
The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution.
What needs improvement?
Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better.
For how long have I used the solution?
I have been using Coverity for approximately four years.
Buyer's Guide
Coverity Static
June 2026
Learn what your peers think about Coverity Static. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,417 professionals have used our research since 2012.
What do I think about the stability of the solution?
Coverity is stable.
What do I think about the scalability of the solution?
The scalability of Coverity is good. We have more than around 15 software components and other components involved.
We have 20 developers that are using the solution in my organization.
How are customer service and support?
We had support from Coverity for the first six months of usage but later we did not.
I rate the support from Coverity a four out of five.
Which solution did I use previously and why did I switch?
We have used other solutions, such as SonarQube.
How was the initial setup?
In the beginning, it takes two weeks to learn how to set up Coverity, but later the maintenance work is very easy. The beginning involves soft code that we need to set up before using SonarQube; we have created a SonarQube property itself for every component, and inside we need to copy different options for Coverity. We had global Coverity roles or vendors; we had to allow it to work with the global rules and according to the component itself and the setup. The full implementation process can take approximately one month to complete.
What about the implementation team?
We have two teams to set up the server and install Coverity. I set up the project in Coverity and the different roles in the soft code. The developers use Coverity in their daily work.
What other advice do I have?
My advice to others is that the first few steps of using Coverity take time. It's better to have an experienced user to support it. For new users, it will be hard for them to set it up. If they can get someone to support it directly at the beginning, it would be better, because for me it was very hard at the beginning for a few weeks.
And on a scale from one to 10, how would you rate Coverity?
I rate Coverity an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Application Security Auditor at Softtek
Great app analysis, support, and pricing
Pros and Cons
- "The app analysis is the most valuable feature as I know other solutions don't have that."
- "The solution could use more rules."
What is our primary use case?
We use the product only as a solution for defect code, to find more build liabilities in the code.
How has it helped my organization?
The product allows us to find vulnerabilities while testing our apps.
What is most valuable?
The app analysis is the most valuable feature as I know other solutions don't have that.
It's a good tool. The interface, support, pricing, and integration do not have any limitations.
What needs improvement?
The solution could use more rules. For example, if I have a lot of rules in many languages, it helps my company as having access to more rules works for us.
We'd like a bit more integration.
For how long have I used the solution?
I've been using the solution for maybe three months.
What do I think about the stability of the solution?
The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance has been good overall.
What do I think about the scalability of the solution?
We find the solution to be scalable.
I'm not sure exactly how many people are using the product.
I can't say if we have plans to increase usage or not in the future.
How are customer service and support?
We haven't had any issues with technical support. They are helpful and responsive.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We also use SonarQube.
In the past, I used Checkmarx and Fortify, and Coverity had the better price.
How was the initial setup?
I have access only to the interface part and I didn't do the configuration of the tool. I do not handle the initial setup of the product.
As I recall, the deployment itself only took days.
What about the implementation team?
Our company managed the setup in-house without the help of outside vendors.
What's my experience with pricing, setup cost, and licensing?
We find the pricing to be reasonable.
What other advice do I have?
We're a customer and end-user.
We are using a recent version of the solution.
I'd like potential new users to be aware that it's a good tool to implement basic code.
I'd rate the solution nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Solutions Architect at a computer software company with 11-50 employees
Broad integration capacity and works with more languages than some competitors
Pros and Cons
- "One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
- "Coverity is helping us identify some of the critical defects at the early stages of the development life cycle, so overall, it is giving us a greater ROI and making our application more mature and robust."
- "Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
- "Coverity's UI is the one thing that needs improvement."
What is our primary use case?
We write thousands of lines of code on a daily basis, and we cannot say that our code is free because there are a lot of other developers contributing to the source code and things like that. And this process is prone to human error, defects in the source code, etc.
How has it helped my organization?
To automate detection, we use Coverity's static analysis, which has a low false-positive ratio. That's because Coverity's analysis engine includes 20-plus patented technologies. A lot of other static analysis tools use pattern-based analysis, but Coverity's is flow based. That's why we ended up using it. Coverity is helping us identify some of the critical defects at the early stages of the development life cycle. So overall, it is giving us a greater ROI and making our application more mature and robust.
What is most valuable?
One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited. So Contributing Events lets you create that kind of a workflow.
We also need a tool that works in an environment that isn't dependent on the built environment. You point it to a folder. Then the tool picks it up, runs the scan, and gives you the report. That feature is available in Coverity. So you don't have to rely upon build artifacts or developer artifacts. So these are the two key features we use daily, and we've gotten good results.
What needs improvement?
Coverity's UI is the one thing that needs improvement. Technically speaking, it's doing an outstanding job otherwise. Also, they could reduce their executable size. Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker.
For how long have I used the solution?
I've been using it for the past two years.
What do I think about the stability of the solution?
This product has been in the industry for more than 30 years, so it's pretty robust.
How are customer service and support?
Coverity has a decent SLA. The moment you purchase the tool, you also get an SLA agreement with all the email support. They have email support, call support, as well as WebEx and Zoom sessions on demand. Of course, that depends on the nature of the technical issue. If it's simple, it can be resolved with a couple of email exchanges, but if it really needs some attention, they're happy to get on a call. They've even delivered some custom patches as well.
Which solution did I use previously and why did I switch?
I used CodeSonar a few years back. Both tools have their advantages. In any static analysis tool, the first stage is the instrumentation of the source code. It'll try to capture the skeleton of your source code. So when I compare them based on the first phase alone, Coverity is far better than CodeSonar.
They both use a similar technique, but CodeSonar uses up way more storage resources. For example, to scan a 1GB code base, CodeSonar generates more than 5GB of instrumented files for every 1GB of code base. In total, that is 6GB. Coverity generates 500MB extra on top of 1GB, so that equals 1.5GB all in. That's a huge difference. CodeSonar would eat up my disk space and hardware resources when I used it, whereas Coverity is minimal.
In terms of checkers, both CodeSonar and Coverity cover a good length and breadth, especially for C and C++ programming languages. But CodeSonar focuses only on four languages—C, C++, Java, and C#—only four programming languages, whereas Coverity supports more than 20-plus programming languages.
Also, the two are comparable with respect to their plugin offerings, but there are crucial differences. For example, CodeSonar only focuses on well-known integrations, like Jenkins and JIRA, but you cannot expect all customers to use the same tools. Coverity supports almost all CI/CD tools, including Jenkins and Bamboo. It also integrates with service providers like Azure DevOps Pipelines and AWS CodePipelines, which CodeSonar hasn't added yet. The plugins are available in the marketplace, and you don't have to pay extra. You just have to download it from the marketplace, hook the plugin into your pipeline, and it's ready to use. So these are some of the major use cases, three major use cases I would say, when you compare apples to apples with CodeSonar and Coverity.
How was the initial setup?
Setting up Coverity is pretty simple. It comes with a normal executable. You just double click, follow the wizard, and complete the setup. It also has on-screen instructions, which makes it pretty easy and cool. Deployment is a much broader question. It depends on how many projects you are trying to scan using Coverity and whether you are integrating this static analysis solution with your CI/CD setup, ID, bug tracking, etc. That all factors into the total deployment time. So if we're talking about overall deployment, including bug tracking, integration, email notification, CI/CD integration, and everything, it took us 15 to 20 days to onboard 600 projects with 20 users, including all integration.
We don't have a lot of maintenance. There is a major release every quarter, and we get information on new upgrades, patches, and things like that. And we do have the option to not upgrade. The maintenance is mostly covered by the vendor itself, meaning they deliver the patches and upgrades on time. So I don't see that as a hurdle right now. It's been taken care of.
What's my experience with pricing, setup cost, and licensing?
I'm not sure about the licensing. My commercial team deals with that.
What other advice do I have?
I rate Coverity nine out of 10. It's a good choice. If you plan to use Coverity, you should read through the manual to really understand its settings. You have to tune the Coverity engine to get the best research and scalability out of it. Coverity recently added some smart features that automatically compute the hardware requirements in your current machine. It automatically scales up. For example, it can detect how much multi-core CPU power it needs to run an analysis and how much memory is required, so it makes resources available for other applications running on the same machine. That intelligence has been built on. So initially, I recommend going over the fundamentals and fine-tuning it based on one's own requirements.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director at a healthcare company with 10,001+ employees
Useful in areas like code quality and secure code analysis but needs to offer easy integration capabilities
Pros and Cons
- "The tool as it is can be used for code quality improvement."
- "I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."
What is our primary use case?
I use my company's solution for code quality and secure code analysis.
What is most valuable?
The tool as it is can be used for code quality improvement. Whatever rules are in the tool are useful.
What needs improvement?
I don't use it directly on a day-to-day basis.
I expect the product to offer ease of integration with the built pipelines. I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges. I do not know the exact details.
For how long have I used the solution?
I have been using Coverity for a few years.
Which solution did I use previously and why did I switch?
I use Coverity simultaneously with Fortify but for different purposes.
What's my experience with pricing, setup cost, and licensing?
I don't deal with the pricing.
What other advice do I have?
I am satisfied with the product.
The tool is used for specific use cases like embedded systems.
I would not recommend the tool for web application technologies, Java, or cloud-native technologies since the tool is meant for embedded code.
I rate the tool a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at Dover Corporation
Provides software security and helps find potential security bugs or defects
Pros and Cons
- "Provides software security, and helps to find potential security bugs or defects."
- "The product lacks sufficient customization options."
What is our primary use case?
We use this tool for call scans in order to improve call quality. We implement testing and this tool cleans up our potential feedback. We are a semiconductor company and provide software solutions to our clients. I'm a senior manager.
How has it helped my organization?
Coverity has improved our functionality and efficiency.
What is most valuable?
This product provides software security, and helps to find potential security bugs or defects with its checker feature. The solution also enables us to implement secure coding.
What needs improvement?
We've found that there is quite a high false positive rate. It's a problem because we end up wasting time on something that's not an issue. The tracker reports too many issues that are not relevant. I'd like to see some kind of customization mechanism in the future.
For how long have I used the solution?
We've been using this solution for over 10 years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable, we have several thousand users.
How are customer service and support?
The technical support is reasonable.
How would you rate customer service and support?
Neutral
What other advice do I have?
I rate this solution eight out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Senior Software Engineer at AMD
A stable and scalable solution for core static analysis
Pros and Cons
- "The solution effectively identifies bugs in code."
- "The solution is a bit complex to use in comparison to other products that have many plugins."
What is our primary use case?
Our company has 500 developers and engineers who use the solution for C/C++ core static analysis. One engineer handles all ongoing maintenance.
What is most valuable?
The solution effectively identifies bugs in code.
What needs improvement?
The solution is a bit complex to use in comparison to other products that have many plugins.
More features could be included for finding bugs and analyzing code. For example, more information could be included to explain errors such as memory leaks.
For how long have I used the solution?
I have been using the solution for one year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
Technical support is helpful and responsive.
I rate support an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not used another solution.
What other advice do I have?
I would recommend the solution if it includes more features.
I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer.
A stable solution that has deep scanning capabilities
Pros and Cons
- "The product has deeper scanning capabilities."
- "The tool needs to improve its reporting."
What is most valuable?
The product has deeper scanning capabilities.
What needs improvement?
The tool needs to improve its reporting.
For how long have I used the solution?
I have been working with the product for one and a half years.
What do I think about the stability of the solution?
The product's stability is good.
What do I think about the scalability of the solution?
The product is scalable since it can integrate CI/CD tools. My company has 10 users for the product.
How are customer service and support?
The solution's support is fast.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution's setup is easy.
What's my experience with pricing, setup cost, and licensing?
The tool's price is somewhere in the middle. It's neither cheap nor expensive. I would rate the pricing a five out of ten.
What other advice do I have?
I would rate the solution a ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Stable solution with good technical support service
Pros and Cons
- "It is a scalable solution."
- "Sometimes, vulnerabilities remain unidentified even after setting up the rules."
What is our primary use case?
We use the solution to scan the static code and identify vulnerabilities. We can verify the rules and scripting during various applications' implementation processes.
What is most valuable?
The solution has a low false positive rate compared to other vendors. Also, it can scan complex codes. In addition, it has the best features for trial analysis, integration, and language support.
What needs improvement?
Sometimes, vulnerabilities are not identified even after setting up the automated scanning rules. They should include a feature combining automated scanning tools with manual code reviews for better output.
For how long have I used the solution?
I have been using the solution for five years.
What do I think about the stability of the solution?
I rate the solution's stability a nine out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. We can quickly scan around 100 DLS using it. I rate its scalability a nine.
How are customer service and support?
I interact with the solution's technical support team in terms of tuning the tool and improvements. They acknowledge the emails and respond to them quickly.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution integrates well with different tools. Thus, its setup process is relatively straightforward.
What's my experience with pricing, setup cost, and licensing?
The solution is affordable. I rate its pricing a six out of ten.
What other advice do I have?
I recommend the solution to others and rate it a ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Employee at a computer software company with 11-50 employees
A scalable and easy-to-use solution that can be easily deployed
Pros and Cons
- "The product is easy to use."
- "Sometimes it's a bit hard to figure out how to use the product’s UI."
What is our primary use case?
I use the solution for static analysis.
What is most valuable?
The product has good API documentation. I’m quite happy with it. The product is easy to use.
What needs improvement?
Sometimes it's a bit hard to figure out how to use the product’s UI.
For how long have I used the solution?
I have been using the solution for some years.
What do I think about the stability of the solution?
I have not faced any issues with the product’s stability.
What do I think about the scalability of the solution?
The solution is scalable. Four people in my organization use the solution.
How was the initial setup?
The initial setup is easy.
What other advice do I have?
I am using the latest version of the product. I have also used Clang Static Analyzer. People planning to use the solution should try the open-source version first to understand how it works. We must have the paid version of the product to get all the resources and documentation. Overall, I rate the product an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Vice President at a tech vendor with 1,001-5,000 employees
Static analysis solution that exposes existing and future vulnerabilities
Pros and Cons
- "The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."
- "When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material."
- "This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced."
What is our primary use case?
We use this solution to scan our products. We've integrated with our build system and it automatically completes the scanning.
What is most valuable?
The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time.
What needs improvement?
When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material. They could also integrate a software composition analysis scan. This would make my job a bit easier.
There is scope for Coverity to look beyond static analysis. Most of people that I have spoken to use Coverity from a pure static analysis perspective. However, we also need to be able to view dynamic pages and APIs using dynamic scanning and SES scans. Currently we would need to use another solution to be able to do this.
For how long have I used the solution?
I have been using this solution for 10 years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
This is a scalable solution.
How are customer service and support?
From a support perspective, they are pretty responsive. I would rate them a five out of five.
What was our ROI?
Over the last ten years, our company has derived value from using this solution. We continuously evaluate our tech stack and if a better solution came along, we would consider it if it provided more value.
What's my experience with pricing, setup cost, and licensing?
This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis.
There are other new tools like Veracode, Java Icon and Javascript which are better than Coverity when it comes to visualization. Their cost is significantly lower compared to Synopsys.
What other advice do I have?
Coverity is really good with C/C++ and legacy technologies. However, there are other products that are probably as good or even better than Coverity when it comes to Java or cloud applications.
If someone were to ask me what tool I would recommend, my answer would depend on what technology they're using and what their use case is. My advice would be based on how they're going to use the product and what they're expecting from the tool.
I would rate this solution an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.