I use Coverity for static code analysis, covering different kinds of malware issues that can arise and ensuring robustness in terms of security.
Software Engineer at a manufacturing company with 10,001+ employees
Easy to use and integrates smoothly with CI but requires additional steps for server uploads
Pros and Cons
- "Coverity is easy to use and easy to integrate with CI."
- "There is an extra step in my organization that involves uploading to servers, which adds overhead."
What is our primary use case?
What is most valuable?
Coverity is easy to use and easy to integrate with CI. However, in my organization, there is an additional step that involves uploading to servers, which creates an overhead.
Apart from this, tools like Check Point and Trivy were very easy to get started with. Overall, the solution offers good scalability and is straightforward to deploy.
What needs improvement?
There is an extra step in my organization that involves uploading to servers, which adds overhead. Understanding the reporting in the beginning was challenging, especially when figuring out which mode to run on and the different arguments to use.
For how long have I used the solution?
I have been using Coverity for a few months.
Buyer's Guide
Coverity Static
March 2026
Learn what your peers think about Coverity Static. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
884,873 professionals have used our research since 2012.
What do I think about the stability of the solution?
I have not faced any challenges with the stability of Coverity.
What do I think about the scalability of the solution?
Both tools have very good scalability. Understanding the flow and pipeline helps in scaling effectively, and it is highly scalable.
How are customer service and support?
I have not contacted the support team yet.
How was the initial setup?
The initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
I do not know about the pricing.
What other advice do I have?
The overall rating I give to Coverity is seven out of ten. The additional step that needs to be taken is a factor in my rating.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Software Developer at KPIT Technologies
A tool to fix bug issues and detect errors with code analysis
Pros and Cons
- "The interface of Coverity is quite good, and it is also easy to use."
- "Coverity takes a lot of time to dereference null pointers."
What is our primary use case?
I use Coverity in my company mainly to fix bug issues and detect errors with code analysis.
How has it helped my organization?
The ability of Coverity to fix bug issues is important to me. Coverity actually helps to debug and deal really fast when it comes to code analysis. Coverity does have a higher detection rate. It is easy to integrate Coverity into the CI/CD pipeline. Coverity is helpful in marking false positives. Though Coverity has some pros and cons, its pros make it a quite good tool.
What is most valuable?
The scanning ability of Coverity is good since it helps fix bug issues. The interface of Coverity is quite good, and it is also easy to use.
What needs improvement?
Coverity takes a lot of time to dereference null pointers. The product's price is one of its shortcomings, where improvements are required. In general, the price of the product should be kept low.
In the future, Coverity should provide more flexibility.
For how long have I used the solution?
I have been using Coverity for a year. I use the solution's latest version. I am a customer of the tool.
What do I think about the stability of the solution?
Stability-wise, I rate the solution a seven out of ten.
What do I think about the scalability of the solution?
Scalability-wise, I rate the solution an eight out of ten. I rate the coverage of the product a six out of ten.
Currently, five people in my company use Coverity. My company plans to increase the use of the tool to twenty people.
How are customer service and support?
The solution's technical support is good. I rate the technical support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have experience with SonarQube. I switched to Coverity from SonarQube since the former mainly focuses on scanning and detection of bugs, while the latter focuses on the security of the code. If you want only to fix bugs, then the focus of the product should also be quite good, like Coverity. SonarQube's focus area is different from Coverity.
How was the initial setup?
I rate the initial setup of Coverity an eight on a scale of one to ten, where one is difficult, and ten is easy.
The setup phase of Coverity can sometimes be straightforward, and if there are some issues, it can be a little bit complex. When involved in some tracking activity, sometimes, Coverity uses looping logic, making it quite difficult to handle bugs. Sometimes, the tracking activity in Coverity will be straightforward with a very good interface. Marking the positive rates and giving some green and red bars can be helpful in Coverity.
The solution is deployed on an on-premises model.
The solution can be deployed in a day.
My company uses the git repository for the implementation of Coverity.
Five people are required to deploy the solution. Around thirty people might be required to take care of the maintenance process of the product since there will be an increase in the team members in our company.
What was our ROI?
I haven't seen any return on investment from the use of Coverity.
What's my experience with pricing, setup cost, and licensing?
Coverity's cost is quite high. Coverity costs for a year are too high. I rate Coverity's price a ten on a scale of one to ten, where one is cheap and ten is expensive. There are no additional costs apart from the licensing costs attached to the product.
Which other solutions did I evaluate?
Though my company had other options apart from Coverity, we chose to continue with Coverity as we were already using it for some projects in our organization.
What other advice do I have?
Coverity is quite a good tool that helps fix big issues and deal with code analysis. Coverity's scanning features and scalability are also quite good. The only drawback of the product stems from the fact that it is quite an expensive product. The product's cost can seem too high for a normal user. If your organization is quite good and okay with exploring the tool with its current costs, then you can opt for Coverity. Otherwise, you can use other solutions, like the free community edition from SonarQube.
I rate the overall solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Integration Supervisor Lead at Visteon Corporation
A scalable solution that needs to improve its SCM integration capabilities
Pros and Cons
- "Coverity gives advisory and deviation features, which are some of the parts I liked."
- "SCM integration is very poor in Coverity."
What is our primary use case?
We are using Coverity for Android, cluster programs, and infotainment.
What is most valuable?
Coverity's setup takes a long time. Coverity gives advisory and deviation features, which are some of the parts I liked.
What needs improvement?
SCM integration is very poor in Coverity. The IDR file is not portable. After the analysis, it generates an IDR file. It cannot be ported from the machine since it is machine specific. Also, the component mapping has to be done manually. We cannot upload in one shot through automation or an Excel sheet. That is also a drawback.
In terms of the additional features that the solution should possess, I would say that it should have very good and sound features for Android-related stuff and embedded features should be supported. Also, infotainment programs for people who are using HMI should be supported very well.
For how long have I used the solution?
I have been using Coverity for more than one year. In my company, we use the tool. Also, we go to the vendor for support. I am using Coverity 2022.
What do I think about the stability of the solution?
Speaking about stability, I would say that product-wise, there is no such complaint. There are no alarming complaints. However, some minor things we have to fix, use and tune it. With the newer versions, the only problem is if any new version or any new tool or new plugin comes to our infotainment program, then even with vendor support, we won't get a solution since maybe the tool is not supported or because there is something else that has to be looked into. We are facing problems due to such cases. Otherwise, it's fine, so it is good enough for an existing tool and program.
What do I think about the scalability of the solution?
The product is scalable if the tool is supported well, and if new features are incorporated in parallel, then it's definitely scalable.
To speak exactly about the number of users is difficult, but above 300 people in my company use the solution.
There are four or five members out there who manage Coverity's administration from a project point of view.
How are customer service and support?
My opinion on support depends on what kind of support my company has adopted. I need to check. I don't know what company support they have provided. If they have taken golden support, support will come like that. In that way, I don't want to comment on that.
Which solution did I use previously and why did I switch?
Initially, I worked with Klocwork in my previous company.
Regarding Klocwork, if you can provide me with its information, then we would definitely like to explore it.
How was the initial setup?
Initial setup for the infotainment program is not easy. This is because the template, specifically code template files, have to be generated, and that itself takes time since they talk to the vendor and they get the template files. We are using the same template file for most of the programs. It is not fixed that this program has to use this template file, so it is not like that, since it has to be fine-tuned.
For a few programs, like cluster programs, it takes only half a day or a day to get the setup done since everything is ready. But for infotainment, it sometimes takes three to four days, and issues keep coming in for the new enablement. Hence, it may take even three weeks to one month sometimes.
What's my experience with pricing, setup cost, and licensing?
Coverity’s price is on the higher side. It should be lower. It's definitely priced on the higher side, and in that sense, I will definitely give a big alert stating that it is on the higher side of the price.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Solutions Architect at Hitachi High-Tech America
Stable and scalable, but screens cannot be added to branches easily
Pros and Cons
- "The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
- "We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
What is our primary use case?
We use Coverity to help with code security and code vulnerability.
What is most valuable?
The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code.
What needs improvement?
We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system.
In the next release, I would like to have the ability to easily add screens to branches myself as a developer.
For how long have I used the solution?
I've been using this solution for about five years.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
It's scalable, and approximately 200 developers use Coverity in my organization. We have 10 administrators at present.
How are customer service and support?
Technical support is good, but they do not have a user ticketing system. Therefore, we have to go through an administrator to get support. For the support itself, I would give a rating of eight out of ten.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
The pricing is on the expensive side, and we are paying for a couple of items.
What other advice do I have?
My advice would be to look at other solutions and evaluate on-premises or SaaS options.
Overall, I would rate Coverity at six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Useful for static code analysis
Pros and Cons
- "Considering the analysis part and the benchmarking process involving the product that my company carried out, the solution is good for finding bugs and violations"
- "Coverity is not a user-friendly product."
What is our primary use case?
I have not used the product for my projects in the company recently, but I know that some other teams use it for certain work.
Coverity is used as a static code analysis tool in my company.
What needs improvement?
Compared to the other tools in the market, Coverity is not a user-friendly product. Coverity fails to provide the same comfort as other solutions in the market, which provide better visibility of reports.
For how long have I used the solution?
I have experience with Coverity. I am a customer of the tool.
How are customer service and support?
I have not directly contacted the product's support team, but there is a group within the corporate circles that maintains the tool, and so they communicate with the tool's technical team. I believe that the support offered was satisfactory.
Which solution did I use previously and why did I switch?
I don't use any other products which are similar to Coverity.
How was the initial setup?
I was involved in the tool's deployment phase.
What's my experience with pricing, setup cost, and licensing?
Depending on the usage types, one has to opt for different types of licenses from Coverity, especially to be able to use areas like report viewing or report generation. Reviewers may have to opt for a different license. For report generation, I used the product two to three ago for a project, and it was done mainly for benchmarking. The setting of the jobs or the configurations was pretty difficult compared to the other products in the market. Working with the product is a bit difficult in general.
I don't have accurate information about the prices associated with the product.
Which other solutions did I evaluate?
I am not the person in authority who makes decisions over whether the company should look at other options apart from Coverity. The higher management makes such decisions while I am just a part of the product development team.
What other advice do I have?
In terms of the satisfaction derived from the use of the product in our company, I would say that there was another person in my company who benchmarked against Coverity with other products like SonarQube and some other LDRA solutions. Products are used considering that different projects would have different requirements.
I can't say whether the product has helped my company maintain compliance with coding standards since we are not currently using Coverity. Many projects have strict guidelines when it comes to the static code analysis part. In the future, the tool's ability to maintain compliance with coding standards can be useful.
My company has licenses to use the product.
I don't have vast experience with Coverity to be able to say whether I would recommend the product to others or not.
I did not use the tool's AI capabilities.
Considering the analysis part and the benchmarking process involving the product that my company carried out, the solution is good for finding bugs and violations. I rate the tool at eight to nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Architect at Elastic Care Inc
Improves code quality and security and provides an informative dashboard and professional-looking reports
Pros and Cons
- "The solution has improved our code quality and security very well."
- "It would be great if we could customize the rules to focus on critical issues."
What is our primary use case?
We use the solution to perform security scans on our application. We worked on a healthcare product. We wanted to submit it for FDA approval. It was mandatory to validate security issues, static code analysis, and dynamic code analysis. We evaluated multiple tools and shortlisted Coverity. I worked with the Synopsys team for integration and initial setup to allow the tool to scan our application implementation and identify static and dynamic code issues.
How has it helped my organization?
The solution has improved our code quality and security very well. It has multiple reports. I wanted good reports as evidence that we are doing security scans. We got them from Coverity. We were able to keep track of all the issues. Genuine issues were identified. It improved our code quality and provided us with the ability to keep track of all the issues that were identified.
Our product was not on the market yet. It was under development. Almost 90% of the development was already done. At that stage, we introduced Coverity as part of the compliance required for medical device products. It would have been good if we had introduced Coverity when the development was at 40%. It would have helped us address the incremental issues right then. We wouldn’t have had to go back and redo all the fixes for issues reported by Coverity.
What is most valuable?
The scan of the repository has been most effective in identifying critical vulnerabilities. The product provided visibility over security-related issues like hard coding and values getting exposed in a log. It helped us resolve difficult issues. With CI/CD integration, we could scan the incremental commits done by different developers. We were able to report them, and the developers were able to fix them.
The product identifies the issues and has an informative dashboard that gives us strains of incremental issues and resolutions. It also keeps track of whether the reported issues were fixed and what the resolution was. Sometimes, we find duplicate issues. Those were very well managed from the dashboard. Our primary requirement was for compliance, and it was good. The reports were significant and looked very professional.
What needs improvement?
The product must allow users to customize the issues they want to identify. Some of the issues reported by the tool were not that critical. We had a long list of low-priority issues that were piling up. It would be great if we could customize the rules to focus on critical issues.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
I never encountered any issue that can raise a question about the tool’s stability. I rate the stability a ten out of ten.
What do I think about the scalability of the solution?
The tool is highly scalable. I rate the scalability a ten out of ten. Our clients are medium-sized businesses.
How are customer service and support?
The technical support was very good. We were engaged with one of the representatives from Synopsys. He continuously assisted us throughout the setup and actual usage. The support team also followed up proactively to check if we were struggling with any issues or seeking help.
How would you rate customer service and support?
Positive
How was the initial setup?
I rate the ease of setup a nine out of ten. I explored the cloud version, too. However, we used the on-premise version. The deployment took almost one week.
What's my experience with pricing, setup cost, and licensing?
The tool was fairly priced.
What other advice do I have?
I will definitely recommend the product to others. We evaluated many solutions. I found Coverity easy to use, fairly priced, and it does the expected job. Overall, I rate the tool a ten out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
Security Analyst at Dover Corporation
Provides software security and helps find potential security bugs or defects
Pros and Cons
- "Provides software security, and helps to find potential security bugs or defects."
- "The product lacks sufficient customization options."
What is our primary use case?
We use this tool for call scans in order to improve call quality. We implement testing and this tool cleans up our potential feedback. We are a semiconductor company and provide software solutions to our clients. I'm a senior manager.
How has it helped my organization?
Coverity has improved our functionality and efficiency.
What is most valuable?
This product provides software security, and helps to find potential security bugs or defects with its checker feature. The solution also enables us to implement secure coding.
What needs improvement?
We've found that there is a quite high false positive rate. It's a problem because we end up wasting time on something that's not an issue. The tracker reports too many issues that are not relevant. I'd like to see some kind of customization mechanism in the future.
For how long have I used the solution?
We've been using this solution for over 10 years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable; we have several thousand users.
How are customer service and support?
The technical support is reasonable.
How would you rate customer service and support?
Neutral
What other advice do I have?
I rate this solution eight out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Senior Engineer at a computer software company with 5,001-10,000 employees
Identify any flow issues in the code but lacks in some features
Pros and Cons
- "It's very stable."
- "Some features are not performing well, like duplicate detection and switch case situations."
What is our primary use case?
We use Coverity to scan our code and identify any flow issues in the code that need to be fixed.
What is most valuable?
Coverity is the most popular product for scanning the code. It's much better than other products like Klocwork, PC-lint, and other similar products. It's a better scanning product than others.
What needs improvement?
The sales strategy needs to improve. First of all, Coverity will give you a low price; then, one year later, they will raise the price. So it becomes expensive later.
Moreover, Coverity is not doing good in terms of some specific features. For example, in the for loop, they can only check the point of the plus statement and cannot handle the sub-encryption. It can only handle the increase and not the decreased logic. So they will miss critical issues in some conditions.
In future releases, the price and policy could be improved, and also the script for the loop.
For how long have I used the solution?
I have been using Coverity for one year and a half. We don't use the latest version, just a version from about half a year before.
There's not much difference between that and the latest version, just minor changes.
What do I think about the stability of the solution?
It's very stable. I would rate it a nine. The stability of Coverity was very good.
What do I think about the scalability of the solution?
I would rate scalability a seven out of ten.
However, we stopped using Coverity due to pricing issues. I don't have the exact number, but only a few in my department used it for security tasks. They were common employees and engineers.
How are customer service and support?
In the beginning, customer service and support were very helpful, but now I would say their helpfulness is maybe a six out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup is easy. It just takes a couple of minutes. I could do it myself. Coverity gave me a document with instructions, and the installation was successful. There is a guide for installation.
Moreover, the maintenance of Coverity doesn't require many people. It was done by maybe one or two engineers.
What's my experience with pricing, setup cost, and licensing?
We use the yearly-based license. I would rate the pricing a three out of ten, where one is very expensive, and ten is not expensive at all.
What other advice do I have?
Overall, I would rate Coverity a seven out of ten. I can rate it higher because there are a few areas of improvement in Coverity. The first problem is the pricing. The second one is some features not performing well, like duplicate detection and switch case situations.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.