Works at STMicroelectronics Holding
Real User
Jun 9, 2023
Best SAST tool to check software quality issues
Pros and Cons
  • "It's pretty stable. I rate the stability of Coverity nine out of ten."
  • "There should be additional IDE support."

What is our primary use case?

It is used to check software quality compliant with standards.

What is most valuable?

Checking compliance with standards like MISRA is crucial, especially for the automotive market.

What needs improvement?

There should be additional IDE support. IDE stands for an integrated development environment, like Eclipse. It would be helpful if we could enhance the integration between Coverity and IDEs. Additionally, it would be beneficial to increase the support for different IDEs.

In future releases, there should be a slightly more user-friendly reporting interface.

For how long have I used the solution?

I have been using Coverity for two years. However, our company has been working with Coverity for at least seven years, and also in the past. 

We are using Version 2023.1 of the solution. 

Buyer's Guide
Coverity Static
June 2026
Learn what your peers think about Coverity Static. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,747 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's pretty stable. I rate the stability of Coverity a nine out of ten.

What do I think about the scalability of the solution?

Around 100 end users are currently using this solution. I would rate the scalability a seven out of ten.  

The solution is scalable but may reach a limit where you need to build the second instance to avoid performance issues. Scalability could be better using containers, which the vendor supports. Then it's going to be easier. 

How are customer service and support?

The customer service and support team is very efficient and fast.

How was the initial setup?

It takes nearly one quarter to deploy to one team as a part of our business groups. This is an onboarding process that takes time.

After installing the tool in a sandbox for running short POCs (proofs of concept), you add the Q&A and production environments that are supposed to be. The next step is to conduct onboarding and training sessions with vendor support.

I rate my experience an eight out of ten.

What's my experience with pricing, setup cost, and licensing?

I would rate the pricing a six out of ten, where one is a low price and ten is a high price. It's comparable with other solutions, if not cheaper, but in my opinion, Coverity has the best quality.

What other advice do I have?

I would advise following an onboarding program proposed by the vendor. Do not just jump on the tool on your own, but apply it with the documentation. I suggest an adoption program.

Overall, I rate the solution a nine out of ten. I think it's one of the best SAST tools on the market.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
App Security at FineLabs
Real User
Top 10
Aug 5, 2024
Helps to check source code against quality gates before deployment
Pros and Cons
  • "What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues."
  • "The solution needs to improve its false positives."

What is our primary use case?

We've integrated Coverity into our CI/CD pipeline to check our source code against quality gates before deployment. It alerts us to issues so we can halt the pipeline, fix critical problems, and then run it again.

What is most valuable?

What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues.

As for code remediation, although I can fix issues myself as a security engineer, the tool provides helpful remediation guidance for each vulnerability. It lists how to fix each issue, which I find useful. The solution has increased our development speed.  

What needs improvement?

The solution needs to improve its false positives. 

For how long have I used the solution?

I have been using the product for one and a half years. 

What do I think about the scalability of the solution?

I rate the tool's scalability a nine out of ten. We have 20-25 users who use it daily. 

How was the initial setup?

I rate the solution's deployment ease a nine out of ten, and it can be completed in a few minutes. 

What's my experience with pricing, setup cost, and licensing?

The solution's pricing is comparable to other products. 

What other advice do I have?

I rate the overall solution a nine out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2311338 - PeerSpot reviewer
Works at a comms service provider with 1-10 employees
Real User
Dec 4, 2023
Performs static application security testing on various code bases, including Java, PHP, and HTML
Pros and Cons
  • "The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans."
  • "The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."

What is our primary use case?

My primary use case is performing static application security testing on various code bases, including Java, PHP, and HTML. I use it to create review reports of assets and categorize the issues based on severity.

What is most valuable?

The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans.

What needs improvement?

The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming.

For how long have I used the solution?

I have been using Coverity for about two to three months, between June 2023 and August 2023.

What do I think about the stability of the solution?

There were occasional issues with lag during the initial setup and scans, especially in a cloud environment.

How are customer service and support?

Due to the subscription-based model, I had to contact customer service, mainly to add new users. Response times varied, sometimes taking more than a week.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I had experience with SonarQube as an alternative. Coverity excelled in code scanning because it did not require installation prerequisites. Its reports are also clear and informational. It provides us with a better idea of troubleshooting vulnerabilities.

How was the initial setup?

The initial setup was elaborate and somewhat complicated. The information from the Synopsys website was more than enough. First-time users will struggle with many tools, packages, and libraries. Deployment took 30 minutes to complete. Two to three resources were involved in the process.

What about the implementation team?

An integrator helped with the tool's deployment. 

What other advice do I have?

I rate the solution a nine out of ten. 

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Roshan Fanse - PeerSpot reviewer
Lead Database security at a consultancy with 201-500 employees
Real User
Oct 17, 2023
A comprehensive solution for SaaS support providing detailed report and security advisor

What is our primary use case?

We use the solution for SaaS support.

What is most valuable?

The most valuable feature is the security advisor. It also provides a very detailed report.

What needs improvement?

Triage history has many bugs and needs to be improved. There could be a subsection. The solution could provide a graphical representation like other tools.

We have OS 2021, which is not the latest one. It should be updated regularly.


For how long have I used the solution?

I have been using Coverity for almost a year.

What do I think about the stability of the solution?

The product is stable.

I rate the solution’s stability a nine out of ten.

What do I think about the scalability of the solution?

Our organization has 20-30 users using this solution.

I rate the solution’s scalability an eight out of ten.



How are customer service and support?

Technical support has expert hours and is available anytime. Also, we don't need to raise a ticket now because we have direct support from Coverity.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are exploring Black Duck, which has more precise things. Coverity has a clear view. The report is very much clear rather than confusing like other tools. It also has a PDF option, and it gives precise information.

How was the initial setup?

The initial setup is simple.

What's my experience with pricing, setup cost, and licensing?

The solution has higher pricing. The price should be based on the user count. Suppose there is a ten-user license per pack. However, this could be adjusted to five users if needed.



What other advice do I have?

Overall, I rate the solution an eight out of ten.



Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2650416 - PeerSpot reviewer
Integration Supervisor Lead at a manufacturing company with 5,001-10,000 employees
Real User
Top 5
Jun 26, 2023
A scalable solution that needs to improve its SCM integration capabilities
Pros and Cons
  • "Coverity gives advisory and deviation features, which are some of the parts I liked."
  • "SCM integration is very poor in Coverity."

What is our primary use case?

We are using Coverity for Android, cluster programs, and infotainment.

What is most valuable?

Coverity's setup takes a long time. Coverity gives advisory and deviation features, which are some of the parts I liked.

What needs improvement?

SCM integration is very poor in Coverity. The IDR file is not portable. After the analysis, it generates an IDR file. It cannot be ported from the machine since it is machine specific. Also, the component mapping has to be done manually. We cannot upload in one shot through automation or an Excel sheet. That is also a drawback.

In terms of the additional features that the solution should possess, I would say that it should have very good and sound features for Android-related stuff and embedded features should be supported. Also, infotainment programs for people who are using HMI should be supported very well.

For how long have I used the solution?

I have been using Coverity for more than one year. In my company, we use the tool. Also, we go to the vendor for support. I am using Coverity 2022.

What do I think about the stability of the solution?

Speaking about stability, I would say that product-wise, there is no such complaint. There are no alarming complaints. However, some minor things we have to fix, use and tune it. With the newer versions, the only problem is if any new version or any new tool or new plugin comes to our infotainment program, then even with vendor support, we won't get a solution since maybe the tool is not supported or because there is something else that has to be looked into. We are facing problems due to such cases. Otherwise, it's fine, so it is good enough for an existing tool and program.


What do I think about the scalability of the solution?

The product is scalable provided the tool is supported well, and if new features are incorporated in parallel, then it's definitely scalable.

To speak exactly about the number of users is difficult, but above 300 people in my company use the solution.

There are four or five members out there who manage Coverity's administration from a project point of view.

How are customer service and support?

My opinion on support depends on what kind of support my company has adopted. I need to check. I don't know what company support they have provided. If they have taken golden support, support will come like that. In that way, I don't want to comment on that.

Which solution did I use previously and why did I switch?

Initially, I worked with Klocwork in my previous company.

Regarding Klocwork, if you can provide me with its information, then we would definitely like to explore it.

How was the initial setup?

Initial setup for the infotainment program is not easy. This is because the template, specifically the code template files, has to be generated, and that itself takes time since they talk to the vendor and they get the template files. We are using the same template file for most of the programs. It is not fixed that this program has to use this template file, so it is not like that, since it has to be fine-tuned.

For a few programs, like cluster programs, it takes only half a day or a day to get the setup done since everything is ready. But for infotainment, it sometimes takes three to four days, and issues keep coming in for the new enablement. Hence, it may take even three weeks to one month sometimes.

What's my experience with pricing, setup cost, and licensing?

Coverity’s price is on the higher side. It should be lower. It's definitely priced on the higher side, and in that sense, I will definitely give a big alert stating that it is on the higher side of the price.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Manager at MediaTek
Real User
May 29, 2023
A good and stable solution that has significant software security feature for detecting potential risks
Pros and Cons
  • "The most valuable feature of Coverity is its software security feature called the Checker. If you share some vulnerability or weakness then the software can find any potential security bug or defect. The code integration tool enables some secure coding standards and implements some Checkers for Live Duo. So we can enable secure coding and Azure in this tool. So in our software, we can make sure our software combines some industry supervised data."
  • "We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now. Some checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."

What is our primary use case?

We have to prepare our software solution for our customers. So in our environment, my cycle. We have a seven hour phase and requirement for design, implement testing, and before testing, we used this tool to clean up our potential feedback as our use case.


How has it helped my organization?

This product improves functionality and efficiency.

We cannot find any issues in the early stages.


What is most valuable?

The most valuable feature of Coverity is its software security feature called the Checker. If you share some vulnerability or weakness then the software can find any potential security bug or defect. The code integration tool enables some secure coding standards and implements some Checkers for Live Duo. So we can enable secure coding and Azure in this tool. So in our software, we can make sure our software combines some industry supervised data.



What needs improvement?

We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now. Some checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues.

Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues.


For how long have I used the solution?

We've been using this solution for over 10 years. 

What do I think about the stability of the solution?

The solution is stable.

I rate it eight out of ten.


What do I think about the scalability of the solution?

It is a scalable solution. Several thousand users are using the solution, precisely five thousand software engineers. We plan to increase the usage in future because our software engineer, we are to in their software coding or deployments in our engineering team. We try to integrate this tool into some other tool.


How are customer service and support?

The technical support is reasonable. 

I rate them seven out of ten.


How would you rate customer service and support?

Neutral

How was the initial setup?

I was not involved in the deployment process. Ten partner lines are required for the setting up and launch of the tool.


What was our ROI?

I have seen a Return on Investment.


What other advice do I have?

I rate the solution eight out of ten.


Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Mirza Prangon - PeerSpot reviewer
Solutions Architect at Hitachi High-Tech America
Real User
May 14, 2023
Stable and scalable, but screens cannot be added to branches easily
Pros and Cons
  • "The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
  • "We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."

What is our primary use case?

We use Coverity to help with code security and code vulnerability.

What is most valuable?

The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code.

What needs improvement?

We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system.

In the next release, I would like to have the ability to easily add screens to branches myself as a developer.

For how long have I used the solution?

I've been using this solution for about five years.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

It's scalable, and approximately 200 developers use Coverity in my organization. We have 10 administrators at present.

How are customer service and support?

Technical support is good, but they do not have a user ticketing system. Therefore, we have to go through an administrator to get support. For the support itself, I would give a rating of eight out of ten.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

The pricing is on the expensive side, and we are paying for a couple of items.

What other advice do I have?

My advice would be to look at other solutions and evaluate on-premises or SaaS options.

Overall, I would rate Coverity at six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Senior Engineer at a computer software company with 5,001-10,000 employees
Real User
May 9, 2023
Identify any flow issues in the code but lacks in some features
Pros and Cons
  • "It's very stable."
  • "Some features are not performing well, like duplicate detection and switch case situations."

What is our primary use case?

We use Coverity to scan our code and identify any flow issues in the code that need to be fixed.

What is most valuable?

Coverity is the most popular product for scanning the code. It's much better than other products like Klocwork, PC-lint, and other similar products. It's a better scanning product than others.

What needs improvement?

The sales strategy needs to improve. First of all, Coverity will give you a low price; then, one year later, they will raise the price. So it becomes expensive later.

Moreover, Coverity is not doing good in terms of some specific features. For example, in the for loop, they can only check the point of the plus statement and cannot handle the sub-encryption. It can only handle the increase and not the decreased logic. So they will miss critical issues in some conditions.

In future releases, the price and policy could be improved, and also the script for the loop.

For how long have I used the solution?

I have been using Coverity for one year and a half. We don't use the latest version, just a version from about half a year before.

There's not much difference between that and the latest version, just minor changes. 

What do I think about the stability of the solution?

It's very stable. I would rate it a nine. The stability of Coverity was very good. 

What do I think about the scalability of the solution?

I would rate scalability a seven out of ten. 

However, we stopped using Coverity due to pricing issues. I don't have the exact number, but only a few in my department used it for security tasks. They were common employees and engineers.

How are customer service and support?

In the beginning, customer service and support were very helpful, but now I would say their helpfulness is maybe a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is easy. It just takes a couple of minutes. I could do it myself. Coverity gave me a document with instructions, and the installation was successful. There is a guide for installation.

Moreover, the maintenance of Coverity doesn't require many people. It was done by maybe one or two engineers.

What's my experience with pricing, setup cost, and licensing?

We use the yearly-based license. I would rate the pricing a three out of ten, where one is very expensive, and ten is not expensive at all.

What other advice do I have?

Overall, I would rate Coverity a seven out of ten. I can rate it higher because there are a few areas of improvement in Coverity. The first problem is the pricing. The second one is some features not performing well, like duplicate detection and switch case situations.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Iswarya R - PeerSpot reviewer
Assistant Manager at Tata Communications Ltd
Real User
Dec 28, 2022
On-prem dynamic static analysis solution that is easy to use and is reasonably priced
Pros and Cons
  • "This solution is easy to use."
  • "The level of vulnerability that this solution covers could be improved compared to other open source tools."

What is our primary use case?

We have been working on a POC for this solution. It is an on-prem solution and we have 50 internal users. 

What is most valuable?

This solution is easy to use. 

What needs improvement?

The level of vulnerability that this solution covers could be improved compared to other open source tools. The UI could also be improved. We also cannot directly report the vulnerability. We need to add filters to projects and only then can we download reports. 

For how long have I used the solution?

I have been using this solution for three months. 

What do I think about the stability of the solution?

This is a stable solution. 

What's my experience with pricing, setup cost, and licensing?

The pricing is very reasonable compared to other platforms. It is based on a three year license. 

What other advice do I have?

I would rate this solution a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jaile Sebes - PeerSpot reviewer
Senior Software Architect at a tech vendor with 10,001+ employees
Real User
Top 5
Nov 12, 2022
Easy to set up with good static order analysis but is expensive
Pros and Cons
  • "We were very comfortable with the initial setup."
  • "The solution was very simple to set up."
  • "We'd like it to be faster."
  • "It is an expensive solution. Their sales team is very arrogant."

What is our primary use case?

We primarily use the solution for quality purposes. We also use it for security. That's one subset of quality. However, it's used for more dynamic behavior, such as memory leaks, et cetera. 

What is most valuable?

They have a good memory-related box and a static order analysis that's very good, especially around leaks.

We were very comfortable with the initial setup.

It is stable.

What needs improvement?

The cost is very high.

They don't have SonarQube compatibility with the dashboard, which is a big negative. They were actually arrogant for not providing it. We wanted to see all the problems in a single SonarQube dashboard, and we can't do that. They need SonarQube integration. They claim that they have SonarQube integration, yet it is not there.

We'd like it to be faster.

The solution could always use a bit more security. 

For how long have I used the solution?

I've been using the solution for around 12 years. 

What do I think about the stability of the solution?

I consider the solution very stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

That said, when we are doing security analysis on bigger projects, it can be slow. 

What do I think about the scalability of the solution?

To scale, you need more hardware. That way it is scalable. That said, it is already handling quite a big amount. We have a specific problem when analyzing security in a big project. It can get slow. 

I'd rate it four out of five in its ability to scale. 

We have around 200 people using the solution currently. 30 to 40 use it on a daily basis. 

We do not have plans to increase usage based on the cost. We're actually looking for an alternative.

How are customer service and support?

Support is not so good. They're too slow. In contrast, Klocwork has very good support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We've used Klocwork before. However, it has the same issues as this product. They're more for C# and C++.

How was the initial setup?

The solution was very simple to set up. The frontend, backend, and UI are very good and easy to navigate.

I'd rate the initial setup process a four out of five in terms of how easy it was.

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution. 

Their sales team is very arrogant. 

I don't like their licensing mechanism. Everything is on very unfriendly terms. 

There are other tools you can use that are free and open-source. 

In a collaborative environment, they are very tricky. When it comes to looking at the bugs on a web interface, they try to block them. When you discuss it with them, they are quite unfriendly. Once you get stuck in the tool, they know that it's hard to leave due to the history. When you get into a tool, you need the history since the history needs to be built up, and therefore, over time, you have a dependency on the tool.

I'd rate the product a three out of five in terms of affordability.

What other advice do I have?

We're a customer.

I would rate the solution seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Coverity Static Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026