Klocwork Room for Improvement

SF
Principal engineer at a manufacturing company with 10,001+ employees

Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective.

Maybe there could be a process by which the clients can update themselves as they reconnect to the new server when there's a new version available and install all of the tools currently within that installation environment.

RE
Principal Software Engineer at Valeo

The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze. It will show all possible problems in the code. However, many are not actual problems. So you need to analyze and check if certain items flagged can lead to an actual problem or not. Since it's only static, it doesn't run the code itself and there's always a huge number of findings. You have to analyze all of them to know which ones can lead to actual problems.

AnirbanSarkar - PeerSpot reviewer
Head - Solution Management Group at Meteonic Innovation Pvt. Ltd.

What needs improvement in Klocwork, compared to other products in the market, is the dashboard or reporting mechanisms that need to be a bit more flexible. The Klocwork dashboard could be improved. Though it's good, it's not as good as some of the other products in the market, which is a problem. The reporting could be more detailed and easier to sort out because sorting in Klocwork could be a bit more time-consuming, mainly when sorting defects based on filters, compared to how it's done on other tools such as Coverity.

What I'd like added in the next release of Klocwork is the peer code review Cahoots which used to be a part of Klocwork, and the architecture analysis and both have been taken out of Klocwork. I found the two critical for specific deployments, so if those can be brought back to Klocwork, that would be very good.

Buyer's Guide
Klocwork
March 2024
Learn what your peers think about Klocwork. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,415 professionals have used our research since 2012.
BD
Principal Engineer at MTSI

It is not a panacea, because there is no tool that is a panacea.

We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else. It is a terrible shame.

Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward.

I would like to have a tool developed by a vendor that picks out all of the NSA Juliet Test Suite cases, then is generous with the licensing. It might be expensive, but it is generous.

Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.

MG
TMS Product Architect with 10,001+ employees

For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues.

For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included. 

JK
Sr. Test Engineering Manager - Embedded Linux SW / RF at a comms service provider with 51-200 employees

Klocwork has to improve its features to stay ahead of other free or low-cost solutions, like Visual Studio Code Analyzer.

SP
Deputy Manager Quality Assurance at eInfochips

When an upgrade is carried out it must be done on both the server and client side, which can make it a bit hectic for all projects to be configured on the private server. Every update that we receive requires of us a lengthy and involved process.

The project reporting status dashboard should also be addressed. As I am on the compliance team, I must open every project to resolve all issues. The solution does not provide consolidated views. Meanwhile, Kiuwan has a very good feature on its dashboard.

Moreover, Klocwork makes a limited number of languages available to the user, only four. In addition, a good consolidated dashboard, in respect of compliance, would be nice to see.

RD
VP Delivery & Customer Success at a computer software company with 11-50 employees

I believe it should support more languages, such as Python and JavaScript.

I would like to see dynamic analysis as well.

it_user496041 - PeerSpot reviewer
Senior Embedded Software Engineer at an engineering company with 10,001+ employees
  • Global variables sometimes generate false positives. Variables with global scopes sometimes produce false positives. It means I get violations from KW which, after personal analysis, turn out to be not true. At the moment it seems Klocwork is not able to track the values of variables with global scope. Thus the tool makes assumptions for the value range. It occurs that I get violations due to values which simply cannot occur, as the global variables are not tracked. This is annoying and time-consuming. One simpler thing on variables with global scope: unused variables with global scope cannot be detected by checkers. This is highly recommended to have it in order to clean the code.
  • The preprocessor needs better integration for custom checkers as the tool focuses more on static code analysis after preprocessing the file.
  • Updating from one version to the other takes too much time. The process somehow needs too much CPU power.
  • Once there are bugs detected and accepted by KW, it takes some time to integrate the changes. This means that what does not fit on the Rogue Wave road map is not definitely considered.

SivaneshWaran - PeerSpot reviewer
Head of Customer Success at a tech services company with 51-200 employees

This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages. 

In a future release, we would like to have architecture management added.

AA
Software Chief Engineer at a transportation company with 10,001+ employees

There are many things that can be improved. The code used between projects is one of the very painful points in Klocwork. So if you are using code and the product is shared between projects, you have to analyze the different projects just to comment if it is good or to justify it in the different projects. And the solutions they provide for the issues are not fully correct. So the main issue is using the code between projects.

it_user701436 - PeerSpot reviewer
Senior Software Engineer at a manufacturing company

There are some false warnings found which eventually are not considered for a fix after the team reviewed the source code.

AS
Senior Product Specialist at a tech services company with 51-200 employees

Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages. 

I would like to see some more new guidelines added. As you know, this Klocwork tool is fully compliant with MISRA, CERT, and CWE, but a few coding guidelines are still not supported by Klocwork.

SW
Sr. Software Solution Engineer at Meteonic Innovation Pvt. Ltd.

It would be nice to consider having more language support ability. Currently Klocwork supports C/C++, Java and C#, (Android*)

RA
Software Solutions Engineer at Meteonic Innovation Pvt. Ltd.

Not much as of now. But I am feeling Klocwork should support a greater number of languages like other static code analyzers do. Right now Klocwork has supportability available only to C, C++, Java, and C#.

RA
Software Solutions Engineer at Meteonic Innovation Pvt. Ltd.

Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.

SB
.Net Developer at Sure Shield Infotech

Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03.

AV
Specialist at a non-tech company with 5,001-10,000 employees

Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. Without building the source code we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue, regarding code building, when compiling the report.

I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long as it is clear. A presentational dashboard would be good.

Prasad D - PeerSpot reviewer
Senior H.R - DevOps & Infrastructure Recruitment Consultant at Meteonic Innovation Pvt. Ltd.

Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.

it_user854769 - PeerSpot reviewer
Embedded Software Developer at a tech services company with 10,001+ employees

The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion. 

It should be semi-flexible. However, this may be due to my limited experience.
