Klocwork Overview

Klocwork is the #16 ranked solution in AST tools and the #24 ranked solution in application security solutions. PeerSpot users give Klocwork an average rating of 7.6 out of 10. Klocwork is most commonly compared to SonarQube: Klocwork vs SonarQube. Klocwork is popular among the large enterprise segment, accounting for 74% of users researching this solution on PeerSpot. The top industry researching this solution is manufacturing, accounting for 22% of all views.
Buyer's Guide

Download the Application Security Tools Buyer's Guide including reviews and more. Updated: August 2022

What is Klocwork?

Klocwork is a static code analysis toolkit that detects security, safety, and reliability issues in real time. It works alongside developers to find issues as early as possible, integrates with teams, and supports continuous integration and actionable reporting.

Klocwork Customers

ACCESS Co Ltd, Risk-AI, Winbond Electronics, Bristol-Myers Squibb Pharmaceutical Research Institute, University of Southern California, Alebra Technologies, SIMULIA, Risk Management Solutions, Brigham Young University, SRD, HRL

Archived Klocwork Reviews (more than two years old)

Software Chief Engineer at a transportation company with 10,001+ employees
Real User
It allows our team members to collaborate, but the codes between projects need to improve
Pros and Cons
  • "One can increase the number of vendors, so the solution is scalable."
  • "I would like to see better codes between projects and a more user-friendly desktop in the next release."

What is our primary use case?

Our primary use case of Klocwork is for static project analysis and for getting ratios.

What is most valuable?

I really like Klocwork's server client build because it allows collaboration between the team members. It takes the ratios and it has a portal where one can justify the issues.

What needs improvement?

There are many things that can be improved. The code used between projects is one of the very painful points in Klocwork. So if you are using a code and the product is shared between projects, you have to analyze the different projects just to comment if it is good or to justify it in the different projects. And the solutions they provide for the issues are not fully correct. So the main issue is using the code between projects.

For how long have I used the solution?

I have been using Klocwork for around four months now.

What do I think about the stability of the solution?

I think the solution is fairly stable. We've had some issues in the GUI, and even in the server portal and in the server application. We've also had issues with an outside application that is also a GUI client. So I will say it is stable, but there are some issues.

What do I think about the scalability of the solution?

One can increase the number of vendors, so the solution is scalable. We currently have around 3,000 users.

How are customer service and support?

We don't deal with the technical team directly, because we have a service line. So if I have an issue, we report to our service line and they report to the technical support team.

How was the initial setup?

The initial setup wasn't complex - it was really straightforward.

What other advice do I have?

My advice to others would be that they should determine their use case before buying the program. If they have many codes, I would not recommend it. If they have a separate project where not many codes are shared between projects, I would recommend it.

I would like to see better codes between projects and a more user-friendly desktop in the next release. 

On a scale from one to 10, I rate this product a seven.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Real Klocwork User
TMS Product Architect with 10,001+ employees
Real User
Enables us to resolve violations but it needs integration with Agile DevOps and Agile methodologies
Pros and Cons
  • "There is a central Klocwork server at our headquarter in France so we connect the client directly to the server on-premises remotely."
  • "We'd like to see integration with Agile DevOps and Agile methodologies."

What is our primary use case?

I'm a product architect and belong to a classic management system team. We're a Klocwork customer. We have around 50-60 developers in the team and I'm involved in the utilization of the tool and I am familiar with its capability. We've just started using the latest version which is the first one that's compatible with .NET framework 4.7.2. The previous version was not fully compatible with Visual Studio 2017.

In our case, the use is for static code analysis for each baseline in order to see what kind of violation we have.

Parallel to that, we use the results and apply some refactoring in order to solve this violation. For us, the violation is considered the highest priority according to our risk assessment model.

What needs improvement?

For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues.

For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included. 

For how long have I used the solution?

I've been using Klocwork since I joined the company over two years ago.

What do I think about the stability of the solution?

We consider it a stable product.

What do I think about the scalability of the solution?

I didn't have the chance to test it deeply.

How are customer service and technical support?

I haven't had direct contact with technical support. 

Which solution did I use previously and why did I switch?

Where I worked previously we used SonarQube. I have also used the Microsoft standard rule set by Visual Studio. 

How was the initial setup?

The initial setup is quite straightforward and the configuration from the client side is also simple. The more difficult aspect relates to the definition of the rule sets. For instance, if we want to compare a list of rule sets coming from external sources other than Klocwork, we don't have native tools. We need to bring the profile list from Microsoft or from another static analysis tool or measuring tool and embed it inside Klocwork. The profiles need to be merged using Excel or something similar.

What about the implementation team?

They provide support and knowledge about the tool. So if we are not able to use a particular function, we ask the central team.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the financial or licensing aspect of the solution. 

What other advice do I have?

We use Klocwork in two different configurations, on-prem and cloud. Basically we can summarize on-premises. We connect the client directly to the server on-premises remotely. But for certain products and features, we also use a local server that is on-premise but with different configurations. In this case, the server is deployed with some rule set and configured in a certain manner locally with the second option of redirecting the connection directly to our headquarter.

I would recommend the latest version. In the roadmap of the product, a lot of improvements have been made. We are currently on hold with moving over to this tool because of the license but once we're able to, we'll import our profiles from the previous version to the new one.

The previous version was not compatible with the .NET Framework 4.7.2; it didn't fully consider the retargeting option of C++.

I would rate Klocwork seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Solutions Engineer at Meteonic Innovations
User
It has saved a lot of time in developing a code through on the fly analysis mode

What is our primary use case?

Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead. 

One more is on-the-fly analysis, which is the most important feature Klocwork provides, I believe.

How has it helped my organization?

  • It has reduced the manual analysis for a lot of scenarios, like checking for internal standards.
  • It has saved a lot of time in developing code through the on-the-fly analysis mode.
  • The Klocwork team is regularly updating their checkers, which is good, as it means more accurate results, and new kinds of issues or bugs in our code can be identified.

What is most valuable?

First will be the on-the-fly analysis, as it reduces the time for developing code. One more great thing is the reports section, which is very easy to understand. There is also the support available for industry standards, and we can also write our own internal standards and check them during the analysis.

What needs improvement?

Not much as of now. But I feel Klocwork should support more languages, like other static code analyzers do. Right now Klocwork supports only C, C++, Java, and C#.

For how long have I used the solution?

Still implementing.

How are customer service and technical support?

Very good.

Which solution did I use previously and why did I switch?

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork. 

How was the initial setup?

It has a straightforward setup from my scenario. Just installing a few .exe files. Not much complexity is involved in this.

What about the implementation team?

Vendor team. Very good, and they are friendly.

What's my experience with pricing, setup cost, and licensing?

I don't know much about cost and licensing as my management is looking at these things.

Which other solutions did I evaluate?

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork.

What other advice do I have?

Not much as of now.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Specialist at a non-tech company with 5,001-10,000 employees
Real User
Good stability and tech support and the setup is straightforward
Pros and Cons
    • "Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report."

    What is our primary use case?

    We currently use Klocwork mainly for static code analysis.

    What needs improvement?

    Now the only issue we have is that whenever we need to get the code, we have to build it first. Then we can get the report. Without building the source code, we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue regarding code building when compiling the report.

    I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long is it is clear. A presentational dashboard would be good.

    For how long have I used the solution?

    We've been using Klocwork for two years.

    What do I think about the stability of the solution?

    The stability is good. We can run it on multiple machines without an issue.

    What do I think about the scalability of the solution?

    We have a server license here for two servers and ten users.

    How are customer service and technical support?

    The technical support is good. They support us whenever we need it.

    How was the initial setup?

    The initial setup was straightforward, not too complicated.

    What other advice do I have?

    Klocwork is a good product, but keep in mind that before building the code you have to get a report. Then you use the code. If you don't need to get a report after building the source code then this is a good solution for you. I prefer this tool.

    I would rate Klocwork as eight out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sivanesh Waran
    Sr. Software Solution Engineer at Meteonic Innovation Pvt Ltd
    Real User
    We were able to produce the non-defective code at the developer's desktop

    What is our primary use case?

    Our primary use case was to find and fix all possible static vulnerabilities like buffer overflow, null pointer checks, array out of bounds, concurrency violations, etc. We work on the Linux platform with the gcc compiler.

    How has it helped my organization?

    It has helped our organization to produce the non-defective code right at the developer's desktop. So we were able to deliver releases on time.

    What is most valuable?

    The pre-checkin code review, industry standard checks, continuous integration (CI) and customized checkers are the most valuable features.

    What needs improvement?

    It would be nice to consider having more language support. Currently Klocwork supports C/C++, Java and C# (Android*).

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    Klocwork is very stable. I have seen Klocwork running on 40 million lines of code without any problem.

    What do I think about the scalability of the solution?

    Klocwork has almost all the features that an advanced static code analyser should have.

    How are customer service and technical support?

    Customer Service:

    Customer service is great. We are getting responses from support within a day. The local support (I am from India) is also good.

    Technical Support:

    Technical support from Klocwork is great. The Klocwork documentations are available online so we hardly contact the Klocwork support.

    Which solution did I use previously and why did I switch?

    We were using three Open Source static analyzers and faced lots of false-positives and false-negatives. Klocwork has given us better results with real issues.

    How was the initial setup?

    Setup was straightforward with the installation shields (a single .exe for Windows and a .sh file for Linux).

    What about the implementation team?

    For the very first time, the vendor team had helped us in the deployment. Their support was great. From the second time onwards, our internal team was able to upgrade and install with the help of online documentations.

    What was our ROI?

    We got what we expected. Klocwork is worth the price.

    What's my experience with pricing, setup cost, and licensing?

    The Klocwork tool is worth the price that they have quoted.

    Which other solutions did I evaluate?

    We have evaluated multiple open source tools and a few commercial tools.

    What other advice do I have?

    Unlike other static code analysis tools, Klocwork integrates seamlessly into desktop IDEs, build systems, continuous integration tools, and any team's natural workflow. Mirroring how code is developed at any stage, Klocwork prevents defects and finds vulnerabilities on-the-fly, as code is being written.

    Klocwork also helps prioritize work with SmartRank, the revolutionary new recommendation engine that prioritizes issues and helps select which ones to work on first.

    Take prioritized, corrective action immediately to deliver more secure and reliable code.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
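The defect classes the review above lists (buffer overflow, null pointer dereference, array out of bounds) plus the divide by zero mentioned in the MTSI principal engineer's review further down are the core of what a C/C++ static analyser reports. The block below is an added example, not Klocwork's code or any reviewer's: each unchecked function is the pattern an analyser flags, and the function after it is the hardened form. The record layout, the lookup table, NAME_CAP, the status codes and the audit_record bitmask are all constructed for this illustration.

```c
/* Added example: the defect classes named in the reviews (NULL pointer
 * dereference, buffer overflow / array out of bounds, divide by zero),
 * each shown as the pattern a static analyser flags next to a hardened
 * form. Illustrative code, not Klocwork's; the record layout, table,
 * NAME_CAP and status codes are constructed for this example. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 8                 /* constructed fixed-size buffer limit */

struct record {
    const char *name;              /* may be NULL in malformed input */
    int numerator;
    int denominator;               /* may be 0 in malformed input */
    int index;                     /* index into the lookup table below */
};

static const int table[4] = { 10, 20, 30, 40 };   /* constructed data */

/* Status codes returned by the hardened functions. */
enum { OK = 0, ERR_NULL = -1, ERR_TRUNC = 1, ERR_DIV0 = -2,
       ERR_OVERFLOW = -3, ERR_BOUNDS = -4 };

/* 1. NULL pointer dereference.
 * Unchecked: r and r->name are used without validation. */
size_t name_len_unchecked(const struct record *r) { return strlen(r->name); }

/* Hardened: every pointer is validated before use. */
int name_len_checked(const struct record *r, size_t *out) {
    if (r == NULL || r->name == NULL || out == NULL) return ERR_NULL;
    *out = strlen(r->name);
    return OK;
}

/* 2. Buffer overflow.
 * Unchecked: strcpy writes strlen(src)+1 bytes regardless of dst size. */
void copy_name_unchecked(char dst[NAME_CAP], const char *src) { strcpy(dst, src); }

/* Hardened: bounded copy, always NUL-terminated, truncation reported. */
int copy_name_checked(char dst[NAME_CAP], const char *src) {
    if (dst == NULL || src == NULL) return ERR_NULL;
    size_t n = strlen(src);
    if (n >= NAME_CAP) {
        memcpy(dst, src, NAME_CAP - 1);
        dst[NAME_CAP - 1] = '\0';
        return ERR_TRUNC;
    }
    memcpy(dst, src, n + 1);
    return OK;
}

/* 3. Divide by zero (and the signed-overflow case INT_MIN / -1).
 * Unchecked: the denominator is never inspected. */
int ratio_unchecked(const struct record *r) { return r->numerator / r->denominator; }

int ratio_checked(const struct record *r, int *out) {
    if (r == NULL || out == NULL) return ERR_NULL;
    if (r->denominator == 0) return ERR_DIV0;
    if (r->numerator == INT_MIN && r->denominator == -1) return ERR_OVERFLOW;
    *out = r->numerator / r->denominator;
    return OK;
}

/* 4. Array index out of bounds.
 * Unchecked: an index taken from input is used directly. */
int lookup_unchecked(const struct record *r) { return table[r->index]; }

int lookup_checked(const struct record *r, int *out) {
    if (r == NULL || out == NULL) return ERR_NULL;
    if (r->index < 0 || (size_t)r->index >= sizeof table / sizeof table[0]) return ERR_BOUNDS;
    *out = table[r->index];
    return OK;
}

/* Runs every hardened check on one record and returns a bitmask of the
 * defect classes that would have fired on the unchecked code:
 * bit 0 = NULL deref, bit 1 = buffer overflow, bit 2 = divide by zero /
 * overflow, bit 3 = out-of-bounds index. */
unsigned audit_record(const struct record *r) {
    unsigned hits = 0;
    size_t len; int q, v; char buf[NAME_CAP];
    if (name_len_checked(r, &len) != OK) hits |= 1u;
    if (r == NULL || copy_name_checked(buf, r->name) != OK) hits |= 2u;
    if (ratio_checked(r, &q) != OK) hits |= 4u;
    if (lookup_checked(r, &v) != OK) hits |= 8u;
    return hits;
}

int main(void) {
    const struct record good = { "alice", 10, 2, 1 };
    const struct record bad  = { NULL, 1, 0, 99 };
    const struct record longname = { "averylongname", 10, 2, 3 };
    printf("good: 0x%x\n", audit_record(&good));          /* 0x0 */
    printf("bad: 0x%x\n", audit_record(&bad));            /* 0xf */
    printf("long name: 0x%x\n", audit_record(&longname)); /* 0x2 */
    return 0;
}
```

The unchecked functions are kept in the file on purpose: they are the forms a checker reports, and running the same records through audit_record shows which findings are real for a given input, which is a quick sanity check that a fix closed the defect rather than just suppressing the report.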
    .Net Developer at Sure Shield Infotech
    Real User
    The on-the-fly analysis reduces the time for developing code and report generation

    What is our primary use case?

    Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead.

    How has it helped my organization?

    One more is on-the-fly analysis, which is the most important feature, and CI, which Klocwork provides, I believe.

    What is most valuable?

    • First will be the on-the-fly analysis as it is reducing the time for developing code and report generation.
    • One more best thing is the reports section which is very nice to understand.

    What needs improvement?

    Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03.

    For how long have I used the solution?

    Three to five years.

    What's my experience with pricing, setup cost, and licensing?

    I don't know much about cost and licensing as my management is looking at these things.

    Which other solutions did I evaluate?

    No.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Prasad D
    Senior H.R - DevOps & Infrastructure Recruitment Consultant at Meteonic Innovation Pvt Ltd
    Real User
    Support to a vast number of IDEs and so on

    What is our primary use case?

    My primary use case would be checking for memory-related issues and some null pointer issues, where Klocwork is very strong. We used to check these issues most often, and Klocwork is the one which provides us this clear way.

    How has it helped my organization?

    We are very concerned about these issues for some of the critical projects which are very important for us. Using Klocwork, we have cleared all these issues without much difficulty.

    What is most valuable?

    • Its vast checkers supportability
    • Custom checker creation
    • Industry standards supportability
    • Support for a vast number of IDEs, and so on.

    What needs improvement?

    Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.

    For how long have I used the solution?

    One to three years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Software Solutions Engineer at Meteonic Innovations
    User
    Its strong capability in on-the-fly analysis
    Pros and Cons
    • "The ability to create custom checkers is a plus."
    • "I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc."

    What is our primary use case?

    Our primary use case is to check our internal standards, which is always a burden because it involves a lot of manual checking. We are using Klocwork for this by writing some algorithms and implementing them in Klocwork. Klocwork is very strong in this area.

    How has it helped my organization?

    As said earlier, checking our industry standards is the main burden, which involves a lot of manual work. Now Klocwork has completely removed this and we are very easily checking our internal standards.

    What is most valuable?

    The ability to create custom checkers, which is an important part of most of the projects. Its on-the-fly capability is very good.

    What needs improvement?

    Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.

    For how long have I used the solution?

    Still implementing.

    How are customer service and technical support?

    Technical Support is very good. They took only hours to resolve most of my issues.

    Which solution did I use previously and why did I switch?

    I didn't use any tools other than Klocwork.

    How was the initial setup?

    Initial setup is straightforward. There is no complexity in the initial setup.

    What about the implementation team?

    I have implemented it with the help of a vendor team. They are really very good with Klocwork.

    What's my experience with pricing, setup cost, and licensing?

    It is worth it for the price that the vendor quoted.

    Which other solutions did I evaluate?

    I evaluated two other tools, which did not match Klocwork at any point. I don't want to reveal the names of the tools.

    What other advice do I have?

    Support for more languages would be helpful, since this is my trusted tool. One more piece of advice from my side would be that some webinars on Klocwork would be helpful for new users.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Principal Engineer at MTSI
    Real User
    The product has a low false positive rate, but they could loosen up on their licensing
    Pros and Cons
    • "I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not."
    • "Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case."
    • "We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else."

    What is our primary use case?

    It is a static analysis tool for application security. It does more than that because it does look for code, such as a NULL pointer dereference. Basically, just attempting to get the code as clean and free of errors as possible.

    I think of application security as a vulnerability within the application that could actually lead to other vulnerabilities, escalation of privileges, or a hostile take-over the computer. I tend to think of denial of service attacks against an application as someone being a problem. They are denying the application from executing.

    Klocwork goes beyond this and finds coding problems, such as a divide by zero.

    How has it helped my organization?

    It would be great if we could use Klocwork at the company. However, I work at a government facility, and I analyze government software. My company should also be using Klocwork, and they should be acquiring licenses which allow them to operate and use it on all their code.

    The limitation that we have is that Klocwork is licensed to certain programs, and if you want to license them to other programs, you have to pay more money.

    What is most valuable?

    The lack of false positives or low false positive rate; I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not.

    If you get several thousand findings in code, you want your false positive rate to be very low. If you wind up with 3,000 findings, and if you are going through and trying to determine if each one of those things is a true positive or a false positive, and you find out that a large portion of your findings are false positives, then you've averaged 30 minutes each to find out each one. That is 6,000 hours spent chasing down potentially false positives, which is three man years.

    I can print reports out with several thousand findings.

    What needs improvement?

    It is not a panacea, because there is no tool that is a panacea.

    We bought Klocwork, but it was limited to one little program, and the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else. It is a terrible shame.

    Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward.

    I would like to have a tool developed by a vendor that picks out all of the NSA Juliet Test Suite cases, then is generous with the licensing. It might be expensive, but it is generous.

    Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    If I run into a problem with stability on Klocwork, it is usually because the machine that I am using does not have enough memory or cache.

    What do I think about the scalability of the solution?

    I have no issues with scalability. I was able to analyze the Juliet test cases on my baseline machine in three days, and I have got eight processors with 8Gs of memory. However, when I tried to do the same analysis with Fortify, my system died.

    I was able to run Fortify's Juliet test cases, but I had to use a big Linux machine. It took 498Gs of memory and a week and a half to finish the analysis.

    How are customer service and technical support?

    Technical support is very good. Most of my tickets have been closed.

    If I put in a report or request, or show a bug to Klocwork and put it on a trouble ticket, then there is a 50% chance that it will be in the next couple of releases. If it is not in the next couple of releases after that, it will be in the next major release. If it is not in the next major release, when I go back into the trouble system, I will see a message, "We will have to rearchitect our entire tool to accommodate your request."

    Which solution did I use previously and why did I switch?

    I previously used David Wheeler's Flawfinder. I still use it for sanity checks, but it has a 70% to 80% false positive rate.

    How was the initial setup?

    The setup has always been pretty much the same. Although, I have had one longstanding ticket that I have had open forever, from either Klocwork 8 or Klocwork 9 when I put in the ticket. I have always told them that the setup should not be installed on the applications as a service on the Windows side. Guess what? If you tell it not to install as a service, when you reboot your computer after you do all your installs, it is set up as a service. Then, you have to go and manually remove it.

    If I request it not to be installed as a service, don't install it as a service automatically. The latest version of Klocwork is still setting it up this way. It is still installing Klocwork and all of its programs, the database, the license manager, and the analyzer as a service. It starts up every single time that you fire up your computer, even though I have told it not to during setup.

    What's my experience with pricing, setup cost, and licensing?

    Klocwork should not to be quite so heavy handed on the licensing for very specific programs. 

    We paid a very high price for Klocwork, and the reason why we paid such a high price for it is that we wanted to make sure we could run it. We did not want slot count limitations. We wanted to be able to work multiple programs to support the entire program office, so the program office had anything that they needed analyzed. I did not want to have to worry about whether or not I was violating a license.

    Back in 2006, our one analysis seat was $75,000.

    Which other solutions did I evaluate?

    Fortify is not trying very hard anymore. Fortify is lagging behind. Fortify used to be the leader. Klocwork has caught up to them and surpassed them. They have a higher detection and false positive rate than Fortify does.

    Fortify's detection rate is about 15%, and that's not too bad. Defining the results that I get between Klocwork and Fortify, there is probably only a one percent overlay of findings of the things that they detect and things that are used. By combining the two tools, while Klocwork finds 30% and Fortify finds 15%, I am getting about 44% coverage by using the two tools together, which is not bad. However, I am having to use a supplemental tool to increase my results and increase my coverage.

    Coverity is having good test results from the Juliet test cases and lower pricing, but they still have high false positive rates. When we originally looked at vendors, they did not want to release their source code to the government.

    We also looked at CodeSonar and Polyspace, who was bought out by MATLAB.

    What other advice do I have?

    Make sure before you go to a new major upgrade of Klocwork that you copy your database. Shut down Klocwork and all of its services. Then, back up the database before you decide to migrate, or before you decide to run the JavaScript that checks databases. Back it up first, before you do anything. Otherwise, you could lose everything. The databases are finicky.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Embedded Software Developer at a tech services company with 10,001+ employees
    Real User
    The tool has good support for static analysis
    Pros and Cons
    • "The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time."
    • "We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability."
    • "The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion."

    What is our primary use case?

    We are using Klocwork to perform static code analysis of our solutions towards an embedded project. The project is built on an RTOS, and the relevant middleware and applications are developed in C++.

    How has it helped my organization?

    The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time. This, in turn, increases the efficiency of the project as well as the team.

    What is most valuable?

    We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability.

    What needs improvement?

    The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion. 

    It should be semi-flexible. However, this may be due to my limited experience.

    For how long have I used the solution?

    Less than one year.

    How is customer service and technical support?

    The tool has good support for static analysis.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user701436 - PeerSpot reviewer
    Senior Software Engineer at a manufacturing company
    Vendor
    One of the best tools available for static analysis. There are some false warnings issued.

    What is most valuable?

    It is one of the best tools available for static analysis.

    How has it helped my organization?

    This tool was already rolled out in our projects at Delphi Technical Center in Bangalore, India. Though we had a QAC tool for MISRA checks, Klocwork was preferred for complete code base static analysis before projects go to production.

    For all GM projects, this tool is used to perform static analysis. It provides a nice report, so all manual efforts in analyzing the code base are completely removed.

    What needs improvement?

    There are some false warnings found which eventually are not considered for a fix after the team reviewed the source code.

    For how long have I used the solution?

    We have been using the system for around three years.

    What do I think about the stability of the solution?

    It is quite stable, reliable and has not shown any difference in the results for multiple runs.

    What do I think about the scalability of the solution?

    We have not tried to scale yet, but it was sufficient for our current projects.

    How are customer service and technical support?

    We have not encountered any problems at my level. I have no idea how the technical support is.

    Which solution did I use previously and why did I switch?

    We were using QAC and Klocwork at my previous company. At my current organization, we use Polyspace.

    How was the initial setup?

    The setup was in place when I arrived.

    What's my experience with pricing, setup cost, and licensing?

    I have no idea about pricing.

    Which other solutions did I evaluate?

    I was not involved in the tool evaluation process.

    What other advice do I have?

    I recommend this tool as one of the best to be used for static analysis and should at least be tried.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    it_user496041 - PeerSpot reviewer
    Senior Embedded Software Engineer at an engineering company with 10,001+ employees
    Real User
    It provides a good set of checks for static code analysis and cybersecurity. While coding, developers see code violations. Global variables sometimes generate false positives.

    What is most valuable?

    • Good set of checkers for static code analysis and cyber security
    • Possibility of creating custom checkers
    • Good and easy integration into continuous integration (CI)
    • The whole package offers a lot of possibilities: add-ons for Eclipse, standalone clients, access via website, support, documentation, command line.

    How has it helped my organization?

    More and more departments are targeting static code analysis now, as they see the benefits. Klocwork with its capabilities is helping with this, providing the integration. The advantage is that while coding, developers see code violations.

    What needs improvement?

    • Variables with global scope sometimes produce false positives. This means I get violations from KW which, after personal analysis, turn out not to be true. At the moment it seems Klocwork is not able to track the values of variables with global scope, so the tool makes assumptions about the value range. It happens that I get violations due to values which simply cannot occur, as the global variables are not tracked. This is annoying and time consuming. One simpler thing on variables with global scope: unused variables with global scope cannot be detected by checkers. It would be highly recommended to have this in order to clean up the code.
    • The preprocessor needs better integration for custom checkers, as the tool focuses more on static code analysis after preprocessing the file.
    • Updating from one version to the other takes too much time. The process somehow needs too much CPU power.
    • Once there are bugs detected and accepted by KW, it takes some time to integrate the changes. This means that what does not fit on the Rogue Wave road map is not definitely considered.

    For how long have I used the solution?

    I have used it for four years.

    What do I think about the stability of the solution?

    I did not encounter any stability issues; only that the update process takes too long. Here, the process could be sped up.

    What do I think about the scalability of the solution?

    Scalability is good, from small teams to multisite project teams.

    How are customer service and technical support?

    Technical support is good (7/10).

    Which solution did I use previously and why did I switch?

    I previously used PC-lint. I switched because KW is more mature.

    How was the initial setup?

    Initial setup went well; it was very straightforward following the documentation.

    Which other solutions did I evaluate?

    I evaluated QAC/QAC++, LDRA Testbed.

    What other advice do I have?

    A good thing is that you are rapidly ramped up and can use the tool.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
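The false-positive pattern the reviewer above describes (a global whose value is constrained at its only write site, then used as an array index elsewhere) and the restructuring that removes it, as an added example written for this page and not code from the reviewer, Klocwork or Rogue Wave. The table, channel count and function names are constructed for illustration; the analyzer behaviour described in the comments is the general case of a checker that does not track global state, not a statement about a specific Klocwork version.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: a global index that only ever receives validated
 * values.  An analyzer that does not track globals treats g_channel as any
 * unsigned value and reports a possible out-of-bounds read at the use site. */
#define CHANNEL_COUNT 8u
static const int32_t calibration[CHANNEL_COUNT] = {10, 20, 30, 40, 50, 60, 70, 80};

unsigned g_channel = 0;   /* intended to be written only by select_channel() */

/* The only intended write site: rejects anything out of range, so the
 * invariant g_channel < CHANNEL_COUNT holds for all reachable program states. */
int select_channel(unsigned c)
{
    if (c >= CHANNEL_COUNT)
        return -1;
    g_channel = c;
    return 0;
}

/* Unhardened read.  Correct under the invariant above, but the proof lives in
 * a different function and depends on a global, which is exactly what a
 * non-global-tracking checker cannot see; hence the false positive.  The same
 * line becomes a real out-of-bounds read if the global is ever corrupted
 * (stray pointer write, unchecked external input, a second write site added
 * later), so the checker's complaint is not entirely without merit. */
int32_t read_calibration(void)
{
    return calibration[g_channel];
}

/* Hardened read: the bound is re-checked at the point of use.  The range proof
 * is now local to this function, so the analyzer can discharge it without
 * tracking the global, and a corrupted index yields a defined error instead of
 * an out-of-bounds access.  The cost is one compare per call. */
int read_calibration_checked(int32_t *out)
{
    if (g_channel >= CHANNEL_COUNT)
        return -1;
    *out = calibration[g_channel];
    return 0;
}
```

The point-of-use check is the usual way to make a finding go away without suppressing it: it costs one comparison, and it also defends against the case where the global really is corrupted, which the suppression would have hidden.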
    Buyer's Guide
    Download our free Application Security Tools Report and find out what your peers are saying about Perforce, Sonar, Synopsys, and more!
    Updated: August 2022