We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
"It is a scalable solution."
"It provides reports about a lot of potential defects."
"The features I find most valuable is that our entire company can publish the analysis results into our central space."
"This solution is easy to use."
"I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward."
"Coverity gives advisory and deviation features, which are some of the parts I liked."
"The interface of Coverity is quite good, and it is also easy to use."
"I like the by-default policies that are they, as they seem to cover most of what I need."
"The solution has a wide variety of features and an open-source community that you are able to learn Java, JavaScript, or any other programing language."
"The most valuable features are code scanning and Quality Gates."
"The software quality gate streamlines the product's quality."
"The solution offers a very good community edition."
"The product has a friendly UI that is easy to use and understand."
"There's plenty of documentation available to users."
"The reporting and the results are quick. It gets integrated within the pipeline well."
"Coverity takes a lot of time to dereference null pointers."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"Sometimes, vulnerabilities remain unidentified even after setting up the rules."
"Some features are not performing well, like duplicate detection and switch case situations."
"The quality of the code needs improvement."
"Ideally, it would have a user-based license that does not have a restriction in the number of lines of code."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
"The security in SonarQube could be better."
"We did have some trouble with the LDAP integration for the console."
"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."
"Code security scanning could be improved."
"Code security could be better. They are already focusing on it, but I see a lot of improvement opportunities over there. I can see a lot of false positives in terms of security. They need to make the tests more accurate so that the false positives are not detected so frequently. It would also help if they provided us with an installer."
"You may need to purchase add-ons to get the useability you desire."
"It would be better if SonarQube provided a good UI for external configuration."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.