Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.
| Product | Mindshare (%) |
|---|---|
| Coverity Static | 2.8% |
| SonarQube | 14.5% |
| Checkmarx One | 9.2% |
| Other | 73.5% |

| Type | Title | Date |
|---|---|---|
| Category | Static Application Security Testing (SAST) | Jun 23, 2026 |
| Product | Reviews, tips, and advice from real users | Jun 23, 2026 |
| Comparison | Coverity Static vs SonarQube | Jun 23, 2026 |
| Comparison | Coverity Static vs Checkmarx One | Jun 23, 2026 |
| Comparison | Coverity Static vs Veracode | Jun 23, 2026 |

| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| SonarQube | 4.0 | 14.5% | 84% | 135 |
| Snyk | 4.1 | 5.8% | 100% | 51 |

| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 5 |
| Large Enterprise | 22 |

| Company Size | Count |
|---|---|
| Small Business | 312 |
| Midsize Enterprise | 168 |
| Large Enterprise | 1144 |
Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports more than 20 languages and 200 frameworks and templates.
Coverity Static was previously known as Synopsys Static Analysis.
SAP, Mega International, Thales Alenia Space
| Author info | Rating | Review Summary |
|---|---|---|
| Software Quality Expert at Endress+Hauser AG | 3.0 | Coverity excels in identifying critical vulnerabilities with its detailed analysis but struggles with submodule automation. Its interface is less intuitive than SonarQube’s, yet its analysis quality is superior. Improved usability and responsiveness, especially for C++, would enhance its appeal. |
| Lead Information Security at GEP Worldwide at ReBIT | 4.5 | I use Coverity for code scanning to identify security vulnerabilities early in the development phase. Its valuable feature is the IDE plugin for real-time security checks. Improvement could include detecting zero-day vulnerabilities. Coverity is more user-friendly and feature-rich compared to alternatives like Checkmarx. |
| Senior Solutions Architect at Telstra | 4.0 | I work on multiple projects, and Coverity provides robust security, quality checks, and efficient disk space usage compared to CodeSonar. Its excellent integration with IDEs and CI/CD tools enhances shift-left testing while reducing defect identification costs. |
| Senior Software Architect at a tech vendor with 10,001+ employees | 4.0 | We use Coverity to detect software bugs and memory leaks in C++ and C# projects, valuing its interprocedural analysis capabilities. Despite its slow implementation and high license cost, it offers better security analysis compared to SonarQube. |
| Software Engineering Manager at Visteon Corporation | 4.0 | I use Coverity in my company for its excellent compliance features, but its high price and frequent false positives are concerns. The support takes too long, so we switched to a more cost-effective platform that better suits our needs. |
| Information Security Analyst at Banglalink | 4.5 | Coverity allows me to implement security benchmarks and identify code issues before production. Its user-friendly interface and reporting are valuable, though updates to reflect current OWASP standards are needed. I found it more user-friendly than other solutions during evaluation. |
| Manager at Microchip Technology | 4.0 | In my company, Coverity is used for static code analysis by certain teams, though I haven't personally used it recently. It's less user-friendly compared to other market options, lacking in report visibility. I don't consider alternative solutions. |
| Software Engineer at a manufacturing company with 10,001+ employees | 3.5 | I use Coverity for static code analysis to enhance security, finding it easy to integrate with CI. Despite some server upload overhead and initial reporting challenges, it offers good scalability and straightforward deployment. |
| Software Developer at KPIT Technologies | 4.0 | I use Coverity primarily for bug detection and code analysis due to its good scanning capability and user-friendly interface. However, it needs improvement in null pointer dereferencing and pricing. I've not seen ROI, but prefer it over SonarQube for bug-focused tasks. |
| Technical Architect at Elastic Care Inc | 5.0 | I used Coverity to perform security scans on our healthcare application to meet FDA requirements, which effectively identified vulnerabilities and integrated well with CI/CD. However, it needs customization for prioritizing issues to focus on critical ones. |
In my opinion, the most effective Coverity feature for identifying critical vulnerabilities is the extra checks, which offers deep analysis.
We're currently facing a primary challenge with automation using Coverity. Each developer has a license and can perform manual checks, and we also have a nightly build that analyzes the entire software. The main issue is that the tool can't look behind submodules in our code base, so it doesn't see changes stored there.
This limitation means it can't detect changes accurately, forcing us to analyze all files instead of just the modified ones. It struggles with repositories organized with different submodules. Although documentation suggests it's possible to configure Coverity to handle this, it requires effort.
The solution's analysis tools are high-quality, but the web design could improve. For example, the data is organized into pages when there are many findings, such as ten thousand lines of information. Each page shows about a hundred items, and navigating through these pages (from items 100 to 200, 200 to 300, and so on) can be cumbersome.
I've heard from a colleague about another Synopsys tool with a very good GUI. It might be a solution for us to include with Coverity. We invested in Coverity, but compared to SonarQube, it lacks a good interface. SonarQube has a responsive, intuitive GUI, but its analysis quality isn't as good as Coverity's. Coverity's interface isn't great, but its analysis is much better. We hope Synopsys will improve Coverity because it doesn't make a good impression when you first use it. We started with the command line and saw the results were very good. We moved from another tool with a slightly better GUI, but it crashed often, so Coverity was an improvement.
When I used the solution earlier, I noticed some issues. It supports C++, which we use, but there's room for improvement. Coverity has two plug-ins. The newer one works well for languages like C# or Java and is very responsive. When we evaluated it with Synopsys, they presented it as easy to configure and install.
However, C++ slows down significantly because it's analyzing in the background. It's not very responsive when typing, likely due to the many included files in C++ that need analysis. It's not as quick as with C# or other languages, where you get immediate feedback from Coverity.
The classic plug-in is still supported but old-fashioned. It has a manual option, but I haven't checked it. The main problem for C++ users who prefer the old plug-in is responsiveness.
I have been working with the product for two years.
I rate the solution's stability a nine out of ten.
I rate the solution's scalability an eight to nine out of ten. We have about 45 licenses for our whole organization. We use Coverity every sprint, which is every three weeks. On one day during the sprint, everybody logs on to the server. There's a box with the findings; we need to solve them. We don't do it more frequently due to issues with submodules where we would like analysis to occur.
We started with Klocwork, but it was a bad tool. Then we moved to Parasoft. Now, we're using Coverity because we want to deploy it across all departments in the company. However, some departments are still using SonarQube. We could convince them to switch to Coverity if it had a better GUI or was easier for developers to integrate into their development process.
I would rate the initial setup experience as a five out of ten. The documentation is really good compared to other competing products. It's well-structured and complete, especially for command-line usage. However, the setup process is complex.
One area for improvement is how findings are presented. When you click on a finding, it refers to a high-level, abstract description of the problem. It would be better if it provided a direct example of the issue in the same programming language, showing what to do and what not to do, similar to how Parasoft does it.
It took about six months to get the first deployment running. It was hard to read all the documentation and contact people who could install it on the desktops because that's not my job. My job was to review documentation and give people the commands they needed. So, for them to be able to set up a server and get everything working, it took about six months.
I would rate Coverity's pricing as a nine out of ten. It's already very expensive, and it's a problem for us to get more licenses due to the price. The pricing model has some good aspects - for example, a personal license gives access to all languages without code limitations, which is better than some competitors. However, it's still a lot of money for us to spend.
Currently, we have only 45 licenses. If we were to take more licenses, we might get a better price.
I would recommend the solution for C# but not for C++. I rate the overall product a six out of ten.
The use case is basically the code-scanning activity we perform. It helps us identify security vulnerabilities in the development phase.
It aids in mitigating security risks in the initial phase of software development, so the potential risks become minimal. Those are the main use cases for this.
It effectively helps us identify the latest security vulnerabilities. The database is updated, and it provides a plugin for the developer IDE. As a developer writes the code, they can identify security vulnerabilities on the fly during the coding visit. That is the effective feature of Coverity.
I would like this product to identify zero-day vulnerabilities.
Zero-day vulnerability identification can be an add-on feature that Coverity can provide.
It is quite stable.
It is scalable. There are around 50 to 60 end users.
It is customer-friendly. The technical expertise and the overall support we received were quite fantastic. We got the resolution for all the queries we raised.
I also use SonarQube. It is for code-quality related use cases.
The initial setup is good. When I use the product to scan the code in the DevOps pipeline, the issue coverage can be greater, which can help speed up risk identification in the CI/CD pipeline. That is one area where improvement can be made. Corresponding steps can be taken for that.
It integrates with most of the tools, like ticketing tools, configuration tools, Jenkins, and the pipeline. That is fantastic.
Benefits are early identification of the security risk and making secure products for the clients and end users. So that is the value.
We do it yearly.
We did evaluate Checkmarx. We did evaluate Veracode. We did evaluate Fortify on Demand.
Coverity offered more scalability and was more feature-oriented and more user-friendly.
Overall, I would rate it a nine out of ten.
I would recommend this tool to people who are working on secure software development. I’ll recommend this tool to all the developers and security folks who want to scale their processes and incorporate code-scanning technology into their processes.
I work on multiple projects using various programming languages, and Coverity provides more security and quality checks than CodeSonar, resulting in more robust results.
The second point is that CodeSonar created many intermediate directories, consuming almost three-fourths of my hard disk space. In contrast, Coverity occupies less than half of the space that CodeSonar used.
If someone is starting their security journey, they are looking for a code scanning tool and considering the entire portfolio that a vendor can offer. From this perspective, Synopsys provides a comprehensive suite of application security tools that can be used at various stages of the SDLC, which CodeSonar lacks. CodeSonar primarily offers static analysis and binary analysis tools, and while it can perform open-source analysis, it does so with limited programming language coverage. This limitation does not meet our long-term requirements.
Therefore, considering the long-term vision, we decided that Synopsys, recognized as a leader in the industry for seven consecutive years, offers a broader range of tools and greater value.
Coverity has excellent integration capabilities. The best part is that the add-ons come at no additional cost, making them compatible with most IDEs. This helps achieve shift-left testing, enabling early-stage code analysis within the IDE environment. Additionally, Coverity can be integrated with numerous CI/CD tools like Jenkins, Bamboo, Hudson, and Azure DevOps. It also supports integration with binary repositories, such as Artifactory and Nexus. For deployment, Coverity offers flexibility as it can be deployed on Docker, Kubernetes, OpenShift, and more. On-premises and SaaS models provide options tailored to different infrastructure needs.
The main benefits of the integration were complete automation and end-to-end. Coverity seamlessly fits into our process. Coverity integrates with issue-tracking systems like Jira and provides email notifications, alerts, and other features. It works as a complete, comprehensive solution, offering a holistic approach. We gained this bundled plugin approach from integrating Coverity.
An area of concern with Coverity is its dashboards and reporting. While Coverity is developer-friendly, it is not particularly intuitive for non-technical users. For instance, a solution architect or C-level executive might want to understand the current state of an application through bar graphs and charts without delving into the technical details. Coverity lacks the ability to generate such executive reports and doesn't offer much customization in its reporting. As a result, we have to rely on other business intelligence tools like Power BI or Splunk to integrate with Coverity, pull the data, and create the desired reports and charts.
Coverity has significantly expanded its support for various programming languages. Currently, it supports more than 24 programming languages. They have also introduced an IDE plugin and a SaaS version of Coverity, where users can upload their code and receive reports. One area of improvement could be expanding incremental scanning to more programming languages. Currently, incremental scanning is supported for only a few languages, but expanding this feature to all the supported languages would be highly beneficial.
I have been using Coverity for four years.
Around four users are using this solution. If you're talking about on-premise deployment, the more hardware resources we have, the more scalable it is. It's a direct proportional relationship. However, in terms of the cloud model, it has been pretty easy. They can scale it effectively.
They provide us access to their technical support team as part of their commercial product agreement. However, they work five days a week. They also offer a premium support package, which comes at an additional cost and includes 24/7 critical priority support. We have opted for the default support that comes with the product.
Positive
The data that CodeSonar generated as output was huge—gigabytes—and used to clog my hard disk. The second step is that Coverity and CodeSonar have good results, with both having a low false positive ratio. They both do a fair job of identifying defects.
In terms of scale, scalability, and stability, Coverity is on par with CodeSonar due to its architecture and fast response. Coverity uses a built-in PostgreSQL database, which has a good schema interface. Additionally, the incremental scanning is efficient. Coverity supports over 27 programming languages, whereas CodeSonar only supports around five to six. So, if you are working on a project that uses languages like Go, PHP, or others that CodeSonar doesn’t support, CodeSonar would not be suitable.
Moreover, Coverity offers extensive IDE support with add-ons for around seven to eight IDEs, whereas CodeSonar primarily targets a few IDEs like Eclipse and Visual Studio.
The initial setup is pretty straightforward. Coverity offers both on-premise and SaaS models, and we are using both. We have a hybrid license, including several on-premise licenses. For the on-premise setup, you download an executable file, double-click on it, and complete the installation easily. The SaaS model is equally simple: log in to the browser with your credentials, upload the files, and generate the report. The process is mainly agent-free.
The tool identified many defects before our source code reached a QA or staging environment. The most impressive feature is the IDE plugin, which identifies crucial defects as the developer writes the code. This means developers can know whether they write defective or proper code before pushing it into the repository. Identifying defects at the initial stages of the development lifecycle can save much money in the long run, providing a good ROI. This is why our organization has been using Coverity for over four years.
When discussing the on-prem portal, if you are a customer handling numerous projects with heavy daily activity, such as triggering various types of scans and integrations with CASD, you should know that Coverity on-device has a built-in database. It is crucial to maintain this database diligently. Regular maintenance and monitoring are essential to ensure smooth operation. In case of any issues, creating a backup server is advisable as a precautionary measure.
We are working on a microservices model, where each small module is considered a separate project for an NTP. We have more than 300 critical business projects. Multiple departments use Coverity: developers use it for local scanning, and the security team uses it to ensure coding practices adhere to standards such as OWASP or PCI.
I suggest conducting a fair analysis. Let them pick the same project for a POC and scan it using their existing tools and Coverity. They can evaluate scalability, language support, compiler support, incremental scanning, IDE plugins, and CI/CD plugins.
During COVID or post-COVID, if we look at the incidents in the security market, most data breaches happen at the application layer. While network layer security is well understood, application security remains a significant challenge. Synopsys addresses this with a comprehensive portfolio, including code scanning, static analysis, SCA, open source analysis, IAST, fuzz testing, and more. Additionally, they offer extensive security services with over 600 consultants who can help eliminate false positives and address security concerns.
Overall, I rate the solution an eight out of ten.

We use Coverity primarily to find issues such as software bugs and memory leaks, especially in C++ and C# projects. It helps us identify deadlocks, synchronization issues, and product crashes.
Coverity has been instrumental in resolving product crashes by detecting various issues like deadlocks. It helped us resolve synchronization issues in automobile companies where products were not able to shut down.
The most valuable feature of Coverity is its interprocedural analysis, which is advantageous because it compares favorably with other tools in terms of security and code analysis. It is particularly effective for C++ and C# languages.
Coverity's implementation cycle is very slow when integrating changes, especially for problems related to event handling and memory leaks. The dashboard is not well integrated with SonarQube, presenting compatibility issues. Additionally, the Coverity license fee is very high, making it tricky for individual developers.
I have been working with Coverity for more than 15 years.
There may be financial allocation challenges. They are not due to Coverity itself.
The customer service is friendly and responsive to existing issues. That said, they have limitations when the solution lacks certain features. They still try their best to help with what is within their control.
Positive
SonarQube is used for comparison as it is cheaper. However, Coverity is preferred for its specific advantages.
The setup process is reasonably easy for minimal deployment, though some issues may arise with new licenses.
Coverity is considered expensive compared to other tools like SonarQube, which is much cheaper.
We also evaluated SonarQube.
Coverity is highly recommended for organizations using C++ or C# due to its advantages in interprocedural analysis, which detects various issues efficiently.
I'd rate the solution eight out of ten.
We had a lot of tools, but Coverity provides excellent compliance and other features, which is a very good part.
The price is a concern, and there are a lot of false positives coming through.
Support with Coverity is adequate, but they take a longer time to respond. The core support is not straightforward, and it takes a minimum of one to two weeks to get feedback.
We have been working with Coverity for the last five to six years.
I actually moved on to a different tool. We have now moved to a different platform.
The cost with the new platform is significantly less, and it works better with our usage requirements.
We have been using Coverity for quite a long period. It has been fine for our needs.
I would rate Coverity between eight to nine, though the cost is high.
I would rate their support from Coverity as six.
That is the main complaint, but we still appreciate having it.

The SourceForge benchmark, along with OWASP Top 50 and Top 10, can be implemented with Coverity. When talking about the product's source code, through the code analysis, the security issues, whether related to confidentiality, integrity, run-time error, or application crash incidents, can be identified and fixed by the developer before a solution goes for production.
The user-friendliness of the tool is the most valuable feature. The reporting feature is up to the mark and easy to use in comparison to other solutions.
The OWASP and the programming standards are changing every year, including OWASP Top 10 for API, mobile apps and LLM. There are multiple platform-specific guidelines or benchmarks, so Coverity should update the reporting tool with such aforementioned standards more frequently.
The reporting tool integration process is sometimes slow, so Coverity should take some initiatives to improve the process duration. For instance, the OWASP Top 10 benchmark is different for the year 2024 than 2021 for any particular platform, but when I am creating the reports now, I am unable to utilize the 2024 standard.
I have been using Coverity for five years.
It's a stable solution, but whenever an update is released every quarter, a user should avail it to experience proper stability for seamless use. The product doesn't demand you to alter the OS configuration frequently; for instance, I didn't change the OS until recently since the last five years of use. I would rate the stability a nine out of ten.
The product is highly scalable. For a company belonging to a field other than the software industry, Coverity can prove to be immensely scalable. The solution might not be equally scalable for a software company that manages more than 120 projects in a year. I would rate the scalability a nine out of ten.
There are about five Coverity users in our organization. We don't have plans to increase the number of users because it might increase the licensing cost. In our organization, one Coverity user is dedicated to each department.
Coverity's customer support is highly responsive when you raise a ticket with high priority. The response time depends upon the priority rating and the communication skills of the support seeker.
I would rate the customer support an eight out of ten. Most of the time, when we contacted support from our company, the issues were managed by a highly knowledgeable professional, but on rare encounters, we were assigned an individual with comparatively less product knowledge.
Positive
The solution can be easily set up but requires heavy integration due to the multiple types of port and programming languages involved. Comparing the resource requirements of the solution, I would say it can be installed effortlessly. I would rate the initial setup an eight out of ten.
A professional needs some pre-acquired knowledge to manage Coverity's deployment process, but the local solution partners provide support well enough for trouble-free deployment. The overall deployment process of Coverity took around two and a half hours in our organization. The deployment duration depends upon the operating system and resources including high-end RAM and CPU processors.
Coverity offers varying prices for different companies. Our company has a five-year licensing contract with Coverity, so the licensing posture is seamless. As our organization is based in Bangladesh, in our country's currency, it took around 18 lakh taka to license Coverity.
Before adopting Coverity, I conducted POC for multiple products before purchasing; during the POC, I found Coverity to be more user-friendly than competitor products.
The security vulnerability detection from Coverity works excellently, but on a few occasions, there are false positives. The chances of false positive generation by the solution are extremely low. The product has a high detection rate, which helps developers handle configuration and confidentiality issues.
The cost savings offered by the solution depend upon the country of purchase; in our country, the dollar value of the product is extremely high. At our company, we have imported the solution at the dollar value, but an RFP has been assorted so that the competitors can participate in an auction of the product and we can obtain the solution at a fair value.
Five years ago, Coverity took a competitive approach and wanted to establish a presence in South Asian markets, so our company received a discounted price for the solution at that time. Now the vendor has procured numerous customers in South Asia, and we will have to take the RFP again next year to find an affordable solution.
Coverity handles false positives very well. I would rate the false positive managing feature a nine out of ten. I would advise others to practice using the solution for a few days on SourceForge auditing; if an individual works on Coverity regularly, it becomes easier to use.
If there are any issues with Coverity, there is no need to panic; the individual can raise a proper ticket to avail themselves of the excellent troubleshooting support from the vendor. I would suggest purchasing the solution if it's within the budget. Overall, I would rate Coverity a nine out of ten.
I have not used the product for my projects in the company recently, but I know that some other teams use it for certain work.
Coverity is used as a static code analysis tool in my company.
Compared to the other tools in the market, Coverity is not a user-friendly product. Coverity fails to provide the same comfort as other solutions in the market, which provides better visibility of reports.
I have experience with Coverity. I am a customer of the tool.
I have not directly contacted the product's support team, but there is a group within the corporate circles that maintains the tool, and so they communicate with the tool's technical team. I believe that the support offered was satisfactory.
I don't use any other products which are similar to Coverity.
I was involved in the tool's deployment phase.
Depending on the usage types, one has to opt for different types of licenses from Coverity, especially to be able to use areas like report viewing or report generation. Reviewers may have to opt for a different license. For report generation, I used the product two to three ago for a project, and it was done mainly for benchmarking. The setting of the jobs or the configurations was pretty difficult compared to the other products in the market. Working with the product is a bit difficult in general.
I don't have accurate information about the prices associated with the product.
I am not the person in authority who makes decisions over whether the company should look at other options apart from Coverity. The higher management makes such decisions while I am just a part of the product development team.
In terms of the satisfaction derived from the use of the product in our company, I would say that there was another person in my company who benchmarked against Coverity with other products like SonarQube and some other LDRA solutions. Products are used considering that different projects would have different requirements.
I can't say whether the product has helped my company maintain compliance with coding standards since we are not currently using Coverity. Many projects have strict guidelines when it comes to the static code analysis part. In the future, the tool's ability to maintain compliance with coding standards can be useful.
My company has licenses to use the product.
I don't have vast experience with Coverity to be able to say whether I would recommend the product to others or not.
I did not use the tool's AI capabilities.
Considering the analysis part and the benchmarking process involving the product that my company carried out, the solution is good for finding bugs and violations. I rate the tool at eight to nine out of ten.
I use Coverity for static code analysis, covering different kinds of malware issues that can arise and ensuring robustness in terms of security.
Coverity is easy to use and easy to integrate with CI. However, in my organization, there is an additional step that involves uploading to servers, which creates an overhead.
Apart from this, tools like Check Point and Trivy were very easy to get started with. Overall, the solution offers good scalability and is straightforward to deploy.
There is an extra step in my organization that involves uploading to servers, which adds overhead. Understanding the reporting in the beginning was challenging, especially when figuring out which mode to run on and the different arguments to use.
I have been using Coverity for a few months.
I have not faced any challenges with the stability of Coverity.
Both tools have very good scalability. Understanding the flow and pipeline helps in scaling effectively, and it is highly scalable.
I have not contacted the support team yet.
Neutral
The initial setup was straightforward.
I do not know about the pricing.
The overall rating I give to Coverity is seven out of ten. The additional step that needs to be taken is a factor in my rating.
I use Coverity in my company mainly to fix bug issues and detect errors with code analysis.
The ability of Coverity to fix bug issues is important to me. Coverity actually helps to debug and deal really fast when it comes to code analysis. Coverity does have a higher detection rate. It is easy to integrate Coverity into the CI/CD pipeline. Coverity is helpful in marking false positives. Though Coverity has some pros and cons, its pros make it a quite good tool.
The scanning ability of Coverity is good since it helps fix bug issues. The interface of Coverity is quite good, and it is also easy to use.
Coverity takes a lot of time to dereference null pointers. The product's price is one of its shortcomings, where improvements are required. In general, the price of the product should be kept low.
In the future, Coverity should provide more flexibility.
I have been using Coverity for a year. I use the solution's latest version. I am a customer of the tool.
Stability-wise, I rate the solution a seven out of ten.
Scalability-wise, I rate the solution an eight out of ten. I rate the coverage of the product a six out of ten.
Currently, five people in my company use Coverity. My company plans to increase the use of the tool for twenty people.
The solution's technical support is good. I rate the technical support a nine out of ten.
Positive
I have experience with SonarQube. I switched to Coverity from SonarQube since the former mainly focuses on scanning and detection of bugs, while the latter focuses on the security of the code. If you want only to fix bugs, then the focus of the product should also be quite good, like Coverity. SonarQube's focus area is different from Coverity.
I rate the initial setup of Coverity an eight on a scale of one to ten, where one is difficult, and ten is easy.
The setup phase of Coverity can sometimes be straightforward, and if there are some issues, it can be a little bit complex. When involved in some tracking activity, sometimes, Coverity uses looping logic, making it quite difficult to handle bugs. Sometimes, the tracking activity in Coverity will be straightforward with a very good interface. Marking the positive rates and giving some green and red bars can be helpful in Coverity.
The solution is deployed on an on-premises model.
The solution can be deployed in a day.
My company uses the git repository for the implementation of Coverity.
Five people are required to deploy the solution. Around thirty people might be required to take care of the maintenance process of the product since there will be an increase in the team members in our company.
I haven't seen any return on investment from the use of Coverity.
Coverity's cost is quite high. Coverity costs for a year are too high. I rate Coverity's price a ten on a scale of one to ten, where one is cheap and ten is expensive. There are no additional costs apart from the licensing costs attached to the product.
Though my company had other options apart from Coverity, we chose to continue with Coverity as we were already using it for some projects in our organization.
Coverity is quite a good tool that helps fix bug issues and deal with code analysis. Coverity's scanning features and scalability are also quite good. The only drawback of the product stems from the fact that it is quite an expensive product. The product's cost can seem too high for a normal user. If your organization is quite good and okay with exploring the tool with its current costs, then you can opt for Coverity. Otherwise, you can use other solutions, like the free community edition from SonarQube.
I rate the overall solution an eight out of ten.

We use the solution to perform security scans on our application. We worked on a healthcare product. We wanted to submit it for FDA approval. It was mandatory to validate security issues, static code analysis, and dynamic code analysis. We evaluated multiple tools and shortlisted Coverity. I worked with the Synopsys team for integration and initial setup to allow the tool to scan our application implementation and identify static and dynamic code issues.
The solution has improved our code quality and security very well. It has multiple reports. I wanted good reports as evidence that we are doing security scans. We got them from Coverity. We were able to keep track of all the issues. Genuine issues were identified. It improved our code quality and provided us with the ability to keep track of all the issues that were identified.
Our product was not on the market yet. It was under development. Almost 90% of the development was already done. At that stage, we introduced Coverity as part of the compliance required for medical device products. It would have been good if we had introduced Coverity when the development was at 40%. It would have helped us address the incremental issues right then. We wouldn’t have had to go back and redo all the fixes for issues reported by Coverity.
The scan of the repository has been most effective in identifying critical vulnerabilities. The product provided visibility over security-related issues like hard coding and values getting exposed in a log. It helped us resolve difficult issues. With CI/CD integration, we could scan the incremental commits done by different developers. We were able to report them, and the developers were able to fix them.
The product identifies the issues and has an informative dashboard that gives us strains of incremental issues and resolutions. It also keeps track of whether the reported issues were fixed and what the resolution was. Sometimes, we find duplicate issues. Those were very well managed from the dashboard. Our primary requirement was for compliance, and it was good. The reports were significant and looked very professional.
The product must allow users to customize the issues they want to identify. Some of the issues reported by the tool were not that critical. We had a long list of low-priority issues that were piling up. It would be great if we could customize the rules to focus on critical issues.
I have been using the solution for two years.
I never encountered any issue that can raise a question about the tool’s stability. I rate the stability a ten out of ten.
The tool is highly scalable. I rate the scalability a ten out of ten. Our clients are medium-sized businesses.
The technical support was very good. We were engaged with one of the representatives from Synopsys. He continuously assisted us throughout the setup and actual usage. The support team also followed up proactively to check if we were struggling with any issues or seeking help.
Positive
I rate the ease of setup a nine out of ten. I explored the cloud version, too. However, we used the on-premise version. The deployment took almost one week.
The tool was fairly priced.
I will definitely recommend the product to others. We evaluated many solutions. I found Coverity easy to use, fairly priced, and it does the expected job. Overall, I rate the tool a ten out of ten.