reviewer937347 - PeerSpot reviewer
Sr. Test Engineering Manager - Embedded Linux SW / RF at a comms service provider with 51-200 employees
Real User
Useful code analysis, straightforward implementation, but more features needed
Pros and Cons
  • "Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem."
  • "Klocwork has to improve its features to stay ahead of other free solutions."

What is our primary use case?

Klocwork is part of our automated system, continuously improving the pipeline. Whenever the software is merged into the project control system, it is going to reduce Klocwork scanning automatically.

What is most valuable?

Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem.

What needs improvement?

Klocwork has to improve its features to stay ahead of other free or low-cost solutions, like Visual Studio Code Analyzer.

For how long have I used the solution?

I have used Klocwork within the last 12 months.

Buyer's Guide
Klocwork
June 2025
Learn what your peers think about Klocwork. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

Klocwork is a stable solution but the performance could improve when compared to other solutions.

How are customer service and support?

I have used the support from Klocwork. There was a transition time when we started using the solution which was not smooth. However, we didn't need to report any problems after that.

Which solution did I use previously and why did I switch?

I have previously used Apple Xcode and Microsoft Visual Studio static code analysis and then JetBrains ReSharper type of the code analysis from the third-party tool, which is much cheaper than the Klocwork. Additionally, they are faster. I do not think we will be using Klocwork for much longer.

How was the initial setup?

Klocwork was straightforward to implement and took us a half-day to implement and the upgrade took less time.

What's my experience with pricing, setup cost, and licensing?

There are other solutions on the market such as Microsoft Visual Studio. They have been adding more static code analysis features that come for free. It is getting better all the time. One of the possibilities we've been considering is that we may stop using Klocwork because it doesn't give us any added value.

Klocwork is an expensive solution.

What other advice do I have?

When we first purchased Klocwork I would have rated it a nine or ten out of ten. However, because of the performance of the execution and cost, I would no longer rate it that high.

I rate Klocwork a six out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer988890 - PeerSpot reviewer
VP Delivery & Customer Success at a computer software company with 11-50 employees
Real User
Mature, saves time in finding defects, and is simple to maintain
Pros and Cons
  • "The most valuable feature is the Incremental analysis."
  • "I believe it should support more languages, such as Python and JavaScript."

What is our primary use case?

Klocwork is part of the DevOps process. It is scaling the code on every request.

How has it helped my organization?

It saves a lot of time when it comes to finding defects, it's basically inputted in every access we do.

What is most valuable?

The most valuable feature is the Incremental analysis.

What needs improvement?

I believe it should support more languages, such as Python and JavaScript.

I would like to see dynamic analysis as well.

For how long have I used the solution?

I have been working with Klocwork for seven years.

We are using version 2021.2.

What do I think about the stability of the solution?

Klocwork is very stable and very mature.

What do I think about the scalability of the solution?

It is very scalable.

In our organization, we have 50 users.

It is used on a daily basis. It's one of the most important tools that every developer has.

How are customer service and support?

The support is good. We have no problems with the support.

Which solution did I use previously and why did I switch?

We used Coverity in the past, but they shifted their focus, and we switched to Klocwork.

How was the initial setup?

The initial setup is straightforward.

It is simple to set up and can be done by any developer.

The initial deployment took a couple of days.

We have one person, working half-time to maintain this solution. That is all that is needed.

What about the implementation team?

I didn't require any assistance because I installed it myself.

What was our ROI?

We have seen a return on investment. Each developer invests at least half an hour a day less on defects. 

What's my experience with pricing, setup cost, and licensing?

Licensing fees are paid annually, but they also have a perpetual license.

There are no additional costs.

What other advice do I have?

I would recommend, first creating a baseline of their source code with all of the issues, and then handling the new issues on a daily basis while gradually resolving the old ones.

I would rate Klocwork a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Deputy Manager Quality Assurance at eInfochips
Reseller
Easy installation for regular code scanning of C, C++ and MISRA rules, but updates are lengthy and involved
Pros and Cons
  • "Technical support is quite good."
  • "Every update that we receive requires of us a lengthy and involved process."

What is our primary use case?

We are using the latest version.

We use the solution for regular code scanning for C and C++, as well as for MISRA rules.

What needs improvement?

When an upgrade is carried out it must be done on both the server and client side, which can make it a bit hectic for all projects to be configured on the private server. Every update that we receive requires of us a lengthy and involved process.

The project reporting status dashboard should also be addressed. As I am on the compliance team, I must open every project to resolve all issues. The solution does not provide consolidated views. Meanwhile, Kiuwan has a very good feature on its dashboard.

Moreover, Klocwork makes a limited number of languages available to the user, only four. In addition, a good consolidated dashboard, in respect of compliance, would be nice to see.

For how long have I used the solution?

I have been working with Klocwork for seven or eight years.

How are customer service and technical support?

Technical support is quite good. We have a vendor partner in India and they do a good job of supporting us. 

How was the initial setup?

Klocwork was easy to install. But, as we are using an on-premises server, our client's configuration needs are different. Since this is on the user's machine the installation part is easy. Yet, the receipt of frequent updates means that time which could be spent on the project side is consumed by that of development.

What's my experience with pricing, setup cost, and licensing?

When it comes to licensing, the solution has two packages, one for a fixed and the other for a floating server. The former is more cost effective than the latter. 

What other advice do I have?

We are currently using SonarQube for other languages, those of Python and Android.

At present, we make use of both the Klocwork and SonarQube tools. However, as we wish to have a combined tool, we are planning to switch to Kiuwan.

I rate Klocwork as a seven out of 10. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
PeerSpot user
TMS Product Architect with 10,001+ employees
Real User
Enables us to resolve violations but it needs integration with Agile DevOps and Agile methodologies
Pros and Cons
  • "There is a central Klocwork server at our headquarters in France so we connect the client directly to the server on-premises remotely."
  • "We'd like to see integration with Agile DevOps and Agile methodologies."

What is our primary use case?

I'm a product architect and belong to a classic management system team. We're a Klocwork customer. We have around 50-60 developers in the team and I'm involved in the utilization of the tool and I am familiar with its capability. We've just started using the latest version which is the first one that's compatible with .NET framework 4.7.2. The previous version was not fully compatible with Visual Studio 2017.

In our case, the use is for static code analysis for each baseline in order to see what kind of violation we have.

Parallel to that, we use the results and apply some refactoring in order to solve this violation. For us, the violation is considered the highest priority according to our risk assessment model.

What needs improvement?

For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues.

For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included. 

For how long have I used the solution?

I've been using Klocwork since I joined the company over two years ago.

What do I think about the stability of the solution?

We consider it a stable product.

What do I think about the scalability of the solution?

I didn't have the chance to test it deeply.

How are customer service and technical support?

I haven't had direct contact with technical support. 

Which solution did I use previously and why did I switch?

Where I worked previously we used SonarQube. I have also used the Microsoft standard rule set by Visual Studio. 

How was the initial setup?

The initial setup is quite straightforward and the configuration from the client-side is also simple. The more difficult aspect relates to the definition of the rule sets. For instance, if we want to compare a list of rule sets coming from external sources other than Klocwork we don't have native tools. We need to bring the profile list from Microsoft or from another static analysis tool or measuring tool and embed it inside Klocwork. The profiles need to be merged using Excel or something similar.

What about the implementation team?

They provide support and knowledge about the tool. So if we are not able to use a particular function, we ask the central team.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the financial or licensing aspect of the solution. 

What other advice do I have?

We use Klocwork in two different configurations, on-prem and cloud. Basically we can summarize on-premises. We connect the client directly to the server on-premises remotely. But for certain products and features, we also use a local server that is on-premise but with different configurations. In this case, the server is deployed with some rule set and configured in a certain manner locally with the second option of redirecting the connection directly to our headquarters.

I would recommend the latest version. In the roadmap of the product, a lot of improvements have been made. We are currently on hold with moving over to this tool because of the license but once we're able to, we'll import our profiles from the previous version to the new one.

The previous version was not compatible with the .NET framework 4.7.2; it didn't fully consider the retargeting option of C++.

I would rate Klocwork seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Principal Engineer at MTSI
Real User
The product has a low false positive rate, but they could loosen up on their licensing
Pros and Cons
  • "I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
  • "Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
  • "We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."

What is our primary use case?

It is a static analysis tool for application security. It does more than that because it does look for code, such as a NULL pointer dereference. Basically, just attempting to get the code as clean and free of errors as possible.

I think of application security as a vulnerability within the application that could actually lead to other vulnerabilities, escalation of privileges, or a hostile takeover of the computer. I tend to think of denial of service attacks against an application as someone being a problem. They are denying the application from executing.

Klocwork goes beyond this and finds things like coding problems, such as you need to divide by zero. 

How has it helped my organization?

It would be great if we could use Klocwork at the company. However, I work at a government facility, and I analyze government software. My company should also be using Klocwork, and they should be acquiring licenses which allow them to operate and use it on all their code.

The limitation that we have is that Klocwork is licensed to certain programs, and if you want to license them to other programs, you have to pay more money.

What is most valuable?

The lack of false positives or low false positive rate; I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not.

If you get several thousand findings in code, you want your false positive rate to be very low. If you wind up with 3,000 findings, and if you are going through and trying to determine if each one of those things is a true positive or a false positive, and you find out that a large portion of your findings are false positives, then you've averaged 30 minutes each to find out each one. That is 6,000 hours spent chasing down potentially false positives, which is three man years.

I can print reports out with several thousand findings.

What needs improvement?

It is not a panacea, because there is no tool that is a panacea.

We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else. It is a terrible shame.

Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward.

I would like to have a tool developed by a vendor that picks out all of the NSA Juliet Test Suite cases, then is generous with the licensing. It might be expensive, but it is generous.

Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

If I run into a problem with stability on Klocwork, it is usually because the machine that I am using does not have enough memory or cache.

What do I think about the scalability of the solution?

I have no issues with scalability. I was able to analyze the Juliet test cases on my baseline machine in three days, and I have got eight processors with 8Gs of memory. However, when I tried to do the same analysis with Fortify, my system died.

I was able to run Fortify's Juliet test cases, but I had to use a big Linux machine. It took 498Gs of memory and a week and a half to finish the analysis.

How are customer service and technical support?

Technical support is very good. Most of my tickets have been closed.

If I put in a report or request, or show a bug to Klocwork and put it on a trouble ticket, then I can expect that there is a 50% chance that it will be in the next couple of releases. If it is not in the next couple of releases after that, it will be in the next major release. If it is not in the next major release, when I go back into the trouble system, I will see a message, "We will have to rearchitect our entire tool to accommodate your request."

Which solution did I use previously and why did I switch?

I previously used David Wheeler's Flawfinder. I still use it for sanity checks, but it has a 70% to 80% false positive rate.

How was the initial setup?

The setup has always been pretty much the same. Although, I have had one longstanding ticket that I have had open forever, from either Klocwork 8 or Klocwork 9 when I put in the ticket. I have always told them that the setup should not be installed on the applications as a service on the Windows side. Guess what? If you tell it not to install as a service, when you reboot your computer after you do all your installs, it is set up as a service. Then, you have to go and manually remove it.

If I request it not to be installed as a service, don't install it as a service automatically. The latest version of Klocwork is still setting it up this way. It is still installing Klocwork and all of its programs, the database, the license manager, and the analyzer as a service. It starts up every single time that you fire up your computer, even though I have told it not to during setup.

What's my experience with pricing, setup cost, and licensing?

Klocwork should not be quite so heavy-handed on the licensing for very specific programs.

We paid a very high price for Klocwork, and the reason why we paid such a high price for it is that we wanted to make sure we could run it. We did not want slot count limitations. We wanted to be able to work multiple programs to support the entire program office, so the program office had anything that they needed analyzed. I did not want to have to worry about whether or not I was violating a license.

Back in 2006, our one analysis seat was $75,000.

Which other solutions did I evaluate?

Fortify is not trying very hard anymore. Fortify is lagging behind. Fortify used to be the leader. Klocwork has caught up to them and surpassed them. They have a higher detection and false positive rate than Fortify does.

Fortify's detection rate is about 15%, and that's not too bad. Defining the results that I get between Klocwork and Fortify, there is probably only a one percent overlay of findings of the things that they detect and things that are used. By combining the two tools, while Klocwork finds 30% and Fortify finds 15%, I am getting about 44% coverage by using the two tools together, which is not bad. However, I am having to use a supplemental tool to increase my results and increase my coverage.

Coverity is having good test results with the Juliet test cases and lower pricing, but they still have high false positive rates. When we originally looked at vendors, they did not want to release their source code to the government.

We also looked at CodeSonar and Polyspace, who was bought out by MATLAB.

What other advice do I have?

Make sure before you go to a new major upgrade of Klocwork that you copy your database. Shut down Klocwork and all of its services. Then, back up the database before you decide to migrate, or before you decide to run the JavaScript that checks databases. Back it up first, before you do anything. Otherwise, you could lose everything. The databases are finicky.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1184322 - PeerSpot reviewer
Software Chief Engineer at a transportation company with 10,001+ employees
Real User
It allows our team members to collaborate, but the codes between projects need to improve
Pros and Cons
  • "One can increase the number of vendors, so the solution is scalable."
  • "I would like to see better codes between projects and a more user-friendly desktop in the next release."

What is our primary use case?

Our primary use case of Klocwork is for static project analysis and for getting ratios.

What is most valuable?

I really like Klocwork's server client build because it allows collaboration between the team members. It takes the ratios and it has a portal where one can justify the issues.

What needs improvement?

There are many things that can be improved. The code used between projects is one of the very painful points in Klocwork. So if you are using a code and the product is shared between projects, you have to analyze the different projects just to comment if it is good or to justify it in the different projects. And the solutions they provide for the issues are not fully correct. So the main issue is using the code between projects.

For how long have I used the solution?

I have been using Klocwork for around four months now.

What do I think about the stability of the solution?

I think the solution is fairly stable. We've had some issues in the GUI, and even in the server portal and in the server application. We've also had issues with an outside application that is also a GUI client. So I will say it is stable but there are some issues.

What do I think about the scalability of the solution?

One can increase the number of vendors, so the solution is scalable. We currently have around 3,000 users.

How are customer service and technical support?

We don't deal with the technical team directly, because we have a service line. So if I have an issue, we report to our service line and they report to the technical support team.

How was the initial setup?

The initial setup wasn't complex - it was really straightforward.

What other advice do I have?

My advice to others would be that they should determine their use case before buying the program. If they have many codes, I would not recommend it. If they have a separate project where not many codes are shared between projects, I will recommend it. 

I would like to see better codes between projects and a more user-friendly desktop in the next release. 

On a scale from one to 10, I rate this product a seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Software Solutions Engineer at Meteonic Innovation Pvt. Ltd.
User
It has saved a lot of time in developing a code through on the fly analysis mode

What is our primary use case?

Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead. 

One more is on the fly analysis which is the most important feature which Klocwork provides I believe. 

How has it helped my organization?

  • It has reduced the manual analysis for a lot of scenarios like checking for internal standards.
  • It has saved a lot of time in developing a code through on the fly analysis mode.
  • Klocwork team is regularly updating their checkers which is the good one where we can get more accurate and new kind of issues or bugs in our code can be identified.

What is most valuable?

First will be the on the fly analysis as it is reducing the time for developing a code. One more best thing is the reports section which is very nice to understand. Also the support which is available for Industry Standards as well as we can also write our own internal standards and we can check during the analysis.

What needs improvement?

Not much as of now. But I feel Klocwork should support a greater number of languages like other static code analyzers do. Right now Klocwork has support available only for C, C++, Java, and C#.

For how long have I used the solution?

Still implementing.

How are customer service and technical support?

Very good.

Which solution did I use previously and why did I switch?

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork. 

How was the initial setup?

It has a straightforward setup from my scenario. Just installing a few .exe files. Not much complexity is involved in this.

What about the implementation team?

Vendor team. Very good, and they are friendly.

What's my experience with pricing, setup cost, and licensing?

I don't know much about cost and licensing as my management is looking at these things.

Which other solutions did I evaluate?

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork.

What other advice do I have?

Not much as of now.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Specialist at a non-tech company with 5,001-10,000 employees
Real User
Good stability and tech support and the setup is straightforward
Pros and Cons
  • "Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report."

What is our primary use case?

We currently use Klocwork mainly for static code analysis.

What needs improvement?

Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. Without building the source code we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue, regarding code building, when compiling the report.

I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long as it is clear. A presentational dashboard would be good.

For how long have I used the solution?

We've been using Klocwork for two years.

What do I think about the stability of the solution?

The stability is good. We can run it on multiple machines without an issue.

What do I think about the scalability of the solution?

We have a server license here for two servers and ten users.

How are customer service and technical support?

The technical support is good. They support us whenever we need it.

How was the initial setup?

The initial setup was straightforward, not too complicated.

What other advice do I have?

Klocwork is a good product, but keep in mind that before building the code you have to get a report. Then you use the code. If you don't need to get a report after building the source code then this is a good solution for you. I prefer this tool.

I would rate Klocwork as eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user