Coverity Overview

Coverity is the #11 ranked solution among application security tools. PeerSpot users give Coverity an average rating of 8 out of 10. Coverity is most commonly compared to SonarQube: Coverity vs SonarQube. Coverity is popular in the large enterprise segment, which accounts for 75% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 28% of all views.
Buyer's Guide

Download the Application Security Buyer's Guide including reviews and more. Updated: June 2022

What is Coverity?

Coverity® gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it is written, early in the development process, when defects are least costly and easiest to fix. With the Code Sight™ integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise, actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform™ (SaaS), a highly scalable, cloud-based application security platform. Coverity supports 22 languages and over 70 frameworks and templates.

Coverity was previously known as Synopsys Static Analysis.

Coverity Customers

MStar Semiconductor, Alcatel-Lucent

Archived Coverity Reviews (more than two years old)

Nachu Subramanian - PeerSpot reviewer
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5 Leaderboard
Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments
Pros and Cons
  • "Coverity is quite stable and we haven’t had any issues or any downtime."
  • "I would like to see integration with popular IDEs, such as Eclipse."

What is our primary use case?

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

What is most valuable?

The most valuable feature is the ability to find vulnerabilities in our code.

What needs improvement?

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

For how long have I used the solution?

I have been working with Coverity for about eight months.

What do I think about the stability of the solution?

Coverity is quite stable and we haven’t had any issues or any downtime.

What do I think about the scalability of the solution?

We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.

How are customer service and support?

The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.

Which solution did I use previously and why did I switch?

We did not use another solution before Coverity, although in my previous company, I used Veracode. We also use SonarQube for code analysis. Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity. SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively. SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

How was the initial setup?

We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure. It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.

What about the implementation team?

I had assistance from the vendor, Synopsys, during the deployment.

What's my experience with pricing, setup cost, and licensing?

Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users. I believe that pricing based on the number of lines of codes is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.

What other advice do I have?

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys. My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage. The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning. I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Yantao Zhao - PeerSpot reviewer
Software Integration Engineer at Thales Australia
Real User
Enables our entire company to publish the analysis results into our central space
Pros and Cons
  • "The feature I find most valuable is that our entire company can publish the analysis results into our central space."
  • "The setup takes very long."

What is our primary use case?

We use Coverity during the software integration phase. We have a lot of components, so we use Coverity to build the components, analyze them, and publish the data into the sonar server, and that's our work.

How has it helped my organization?

Depending on our product's needs, we defined the rule set to check and improve the source code.

What is most valuable?

The feature I find most valuable is that our entire company can publish the analysis results into our central space. That allows us to see the latest quality of all components on the sonar web page.

What needs improvement?

My personal opinion is that the webpage of the latest version of Coverity is not very easy to use. They've made some unnecessary changes and now I can't see all the analysis results or my status from when we started using the solution up to now. Because we have many components in the integration field, it is sometimes hard to find the files of one specific component because we use relative paths. When I look at the components, they all look very similar. But that is just my personal opinion.

I would also like to see a more user-friendly user interface and configuration. I can see the menu on the left, but it's a little different from the other tools that I use; this is perhaps only a personal thing.

For how long have I used the solution?

We have been working with Coverity for about a year and a half.

What do I think about the stability of the solution?

Coverity is a very stable solution.

What do I think about the scalability of the solution?

I believe the solution is scalable. Sometimes I want to put one component in a certain project, and I need to find what the best way is for us. We have a lot of users using Coverity and we will adapt it into our program.

How are customer service and technical support?

Most of the time I just do some research myself and Google their webpage to see how I can find a solution for my problem. The program has a tools team to help find solutions.

Which solution did I use previously and why did I switch?

My personal business used other tools that offered sonar language tracking. We used a mix of programs with specific options and some standard gcc options. But last year our team preferred to use more visual tools to follow the whole company's policy. That is why we chose Coverity.

How was the initial setup?

We have an administrator for the deployment, so I am only a user. I just added a few projects and streams, used the data extracted from the compilation, and ran the analysis. The setup did take a long time, however.

What about the implementation team?

We implement through an in-house tools team.

What was our ROI?

I don't care about it so much.

What's my experience with pricing, setup cost, and licensing?

For the setup, it's better to adapt the solution from the mature projects.

Being the end user, I don't care so much about the pricing and licensing.

Which other solutions did I evaluate?

Before choosing, we tried to use gcc compiler options, i.e.:

EXT_GCOV_FLAGS='-fprofile-arcs -ftest-coverage'
EXT_GCOV_LDFLAGS=-fprofile-arcs
EXT_CC_FLAGS=-fdiagnostics-show-option
GCOV_LIB=-lgcov

What other advice do I have?

I will suggest that when they use the program for a new project, they should just copy the data from a mature solution to the new project, because the setup really takes a long time. We spent a lot of time setting Coverity up because I thought of creating the project in the Coverity server and using Coverity for the sonar part properly. But it took a long time. I will give the solution a 7.5 rating out of ten. When we officially use all the data, we will accumulate more experience and then we will have different opinions.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a comms service provider with 10,001+ employees
Real User
Good security analysis features but it should support more languages and the user interface is not user-friendly
Pros and Cons
  • "The security analysis features are the most valuable features of this solution."
  • "The quality of the code needs improvement."

What is our primary use case?

We use the on-premise deployment model of this solution. Our primary use case of this solution is for auditing. 

What is most valuable?

The security analysis features are the most valuable features of this solution. 

What needs improvement?

The quality of the code needs improvement. They should develop better code.

The interface, efficiency, and performance also need improvement, as do the languages that it offers. It should have more language options.

The user interface is not user-friendly.

For how long have I used the solution?

I have been using this solution for around three years.

What do I think about the stability of the solution?

It is stable. 

What do I think about the scalability of the solution?

We have 30 users licensed for this solution. We use it when we need it. 

How are customer service and technical support?

Their technical support isn't so good. That needs improvement. They don't address the problems I bring up. It's not a priority for them. 

Which solution did I use previously and why did I switch?

We previously used an open-source solution before Coverity. 

How was the initial setup?

The initial setup was easy. The solution is complex to use but not complex to deploy. 

What about the implementation team?

We deployed the solution ourselves. 

What's my experience with pricing, setup cost, and licensing?

Licensing is on a yearly basis. 

What other advice do I have?

I would recommend this solution depending on the language you're using, such as Java and C++.

I would rate it a five out of ten. Not a ten because it's not efficient for the language we use. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Real User
It gives advice and training on how to resolve the most common quality issues, but the REST implementation is sub-par

What is our primary use case?

  • Raising the level of code quality, security, and robustness in the codebase
  • Tracking and addressing code quality issues.

How has it helped my organization?

Coverity provides developers with good, best-practice coding advice, and tracks the risks of poor coding quality. Coverity reports have urged developers to improve the quality of their code.

What is most valuable?

  • I like that it gives advice and training on how to resolve the most common quality issues. 
  • Links to more details on each issue and the background and risks.

What needs improvement?

  • Ability to follow source file symlinks into the target location for issuing assignments through Git. Our current build environment uses symbolic links into the git repo, and Coverity does not follow the link into the actual location of the source file to determine the git author.
  • Single API for all interactions. I am not a fan of using both SOAP and REST APIs and Coverity offers a mix of functionality depending on the interface used. I would greatly prefer a full REST API with improved documentation for all actions including issuing assignments, streaming, and project creation. 

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Specialist at a government with 501-1,000 employees
Real User
The product improves the quality of my work, but the usability could be improved
Pros and Cons
  • "The solution has helped to increase staff productivity and improved our work significantly by approximately 20 percent."
  • "They could improve the usability. For example, how you set things up, even though it's straightforward, it could still be easier."

What is our primary use case?

I am using the latest version for my business. I personally do product evaluations, and this product has improved the efficiency of my work.

How has it helped my organization?

The product improves the way that we do product evaluations.

What is most valuable?

It improves the quality of my work. 

What needs improvement?

They could improve the usability. For example, how you set things up, even though it's straightforward, it could still be easier.

What do I think about the stability of the solution?

The stability works quite well.

What do I think about the scalability of the solution?

The scalability is good enough.

How are customer service and technical support?

We haven't had any problems with the product so far.

Which solution did I use previously and why did I switch?

We did not have another solution before. We decided to purchase Coverity because the way we were working previously wasn't efficient. So, we were trying to improve our efficiency.

How was the initial setup?

The initial setup was straightforward.

What was our ROI?

We have seen ROI.

The solution has helped to increase staff productivity and improved our work significantly by approximately 20 percent.

Which other solutions did I evaluate?

This solution seemed to fit our purposes.

What other advice do I have?

Try it out for yourself, and decide whether it's useful for you.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Manager/Sr. Architect at Cognizant
Consultant
It has the lowest false positives with customizable triage options
Pros and Cons
  • "It has the lowest false positives."
  • "Reporting engine needs to be more robust."

What is our primary use case?

We did a comprehensive evaluation on a number of critical parameters in the environment that we are in. Other popular tools that we evaluated failed to meet our expectations.

How has it helped my organization?

  • Easy for development teams to adopt.
  • Faster scanning
  • Lowest false positives
  • No unnecessary bloating of a huge defect list.

These have helped us to focus on the things which need attention.

What is most valuable?

  • Lowest false positive rate
  • Faster scanning time
  • Inline context-sensitive help and other supportive artifacts which help developers.
  • Customizable triage options
  • Integrations with CI/CD tools, etc.

What needs improvement?

  • Reporting engine needs to be more robust.
  • Custom reporting is a must have.
  • Perhaps the availability of connectors to popular open source BI tools, such as BIRT, JasperReports, or Pentaho, may add value.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.