Coverity vs SonarQube Server (formerly SonarQube) comparison

Black Duck and Sonar are both solutions in the Static Application Security Testing (SAST) category. Black Duck is ranked #4 with an average rating of 8.0, while Sonar is ranked #1 with an average rating of 8.2. Black Duck holds a 8.5% mindshare in SAST, compared to Sonar’s 28.7% mindshare. Additionally, 88% of Black Duck users are willing to recommend the solution, compared to 81% of Sonar users who would recommend it.

Coverity

Read 42 Coverity reviews

13,639 Views
9,320 Comparison Views

88% willing to recommend

SonarQube Server (formerly ...

Read 113 SonarQube Server (formerly SonarQube) reviews

43,809 Views
35,644 Comparison Views

81% willing to recommend

Coverity

SonarQube Server (formerly ...

Comparison Buyer's Guide

Download the report

Executive SummaryUpdated on Oct 30, 2024

SonarQube Server and Coverity compete in the software quality assurance domain. SonarQube seems to have the upper hand due to its open-source nature, community-driven support, and effective integration capabilities.

Features: SonarQube Server prioritizes ease of installation, features a stable platform, and provides extensive support for various tech stacks. It includes a free community edition and efficiently identifies vulnerabilities with a low false positive rate. Coverity offers low false positive rates, inline context-sensitive help, and rapid scanning, making it ideal for complex codebases.

Room for Improvement: SonarQube could improve with enhanced language support, more automation in task creation post-scan, and better enterprise reporting. Coverity struggles with high false positives, a limited user interface for non-technical users, and cumbersome reporting. Enhanced IDE integration and a more intuitive GUI would benefit users.

Ease of Deployment and Customer Service: SonarQube provides flexible deployment options, including on-premises, public cloud, and hybrid solutions, with customer support varying based on the package. Coverity mainly deploys on-premises with limited cloud options, and users often find its support lacking in immediacy and overall satisfaction.

Pricing and ROI: SonarQube is cost-efficient with its free community edition, accessible for smaller teams, providing significant ROI through open-source availability. Coverity's pricing is high due to user licenses, making it less accessible for smaller companies and impacting its perceived ROI.

To learn more, read our detailed Coverity vs. SonarQube Server (formerly SonarQube) Report (Updated: December 2024).

Buyer's Guide

Coverity vs. SonarQube Server (formerly SonarQube)

December 2024

Download the complete report

Helped 824,067 peers since 2012

Categories and Ranking

Coverity

Ranking in Static Application Security Testing (SAST)

4th

Average Rating

7.8

Reviews Sentiment

6.5

Number of Reviews

Ranking in other categories

No ranking in other categories

SonarQube Server (formerly ...

Ranking in Static Application Security Testing (SAST)

1st

Average Rating

8.0

Reviews Sentiment

7.5

Number of Reviews

113

Ranking in other categories

Application Security Tools (1st), Software Development Analytics (1st)

Mindshare comparison

As of December 2024, in the Static Application Security Testing (SAST) category, the mindshare of Coverity is 8.5%, up from 7.2% compared to the previous year. The mindshare of SonarQube Server (formerly SonarQube) is 28.7%, up from 28.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Static Application Security Testing (SAST)

Featured Reviews

Md. Shahriar Hussain

Cyber Security Chartered Engineer at Banglalink

Offers impressive reporting features with user-friendliness and high scalability

The solution can be easily setup but requires heavy integration due to the multiple types of port and programming languages involved. Comparing the resource requirements of the solution I would say it can be installed effortlessly. I would rate the initial setup an eight out of ten. A professional needs some pre-acquired knowledge to manage Coverity's deployment process, but the local solution partners provide support well enough for trouble-free deployment. The overall deployment process of Coverity took around two and a half hours in our organization. The deployment duration depends upon the operating system and resources including high-end RAM and CPU processors.

Read full review

Wang Dayong

Senior Software Engineering Manager at Hill

Easy to integrate and has a plug-in that supports both C and C++ languages

The product provides false reports sometimes. It also fails to understand the context of the code. It reports that a line of code has issues without considering its relation with the previous line. The product should improve the report quality. While it asks us to improve the code quality, it would be good if it also suggests how to improve the quality.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"It has the lowest false positives."

"Provides software security, and helps to find potential security bugs or defects."

"The tool as it is can be used for code quality improvement."

"The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."

"The most valuable feature of Coverity is its interprocedural analysis, which is advantageous because it compares favorably with other tools in terms of security and code analysis."

"The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."

"The interface of Coverity is quite good, and it is also easy to use."

"We were very comfortable with the initial setup."

More Coverity pros

"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."

"The fact that the solution does security scanning is valuable."

"It is an easy tool that you can deploy and configure. After that you can measure the history of your obligation and integrate it with other tools like GitLab or GitHub or Azure DevOps to do quality code analysis."

"Using SonarQube has helped us to identify areas of technical debt to work on, resulting in better code, fewer vulnerabilities, and fewer bugs."

"We use this solution for qualitative coding. We make use of the SonarLint plugin as well as the dashboard."

"It has very good scalability and stability."

"There are many options and examples available in the tool that help us fix the issues it shows us."

"SonarQube is good for checking and maintaining code quality."

More SonarQube Server (formerly SonarQube) pros

Cons

"Coverity takes a lot of time to dereference null pointers."

"Sometimes, vulnerabilities remain unidentified even after setting up the rules."

"I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."

"Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."

"Some features are not performing well, like duplicate detection and switch case situations."

"It should be easier to specify your own validation routines and sanitation routines."

"The level of vulnerability that this solution covers could be improved compared to other open source tools."

"Ideally, it would have a user-based license that does not have a restriction in the number of lines of code."

More Coverity cons

"There are sometimes security breaches in our code, which aren't be caught by SonarQube. In the security area, SonarCube has to improve. It needs to better compete with other products."

"This is a well-rounded solution, however, some features could be made available on the free version. The price of the solution could be reduced."

"During the setup process, we only had one issue related to the number of available files. To perform the analysis, you have quite a lot of available file handles, so we had to increase that limit."

"The interface could be a little better and should be enhanced."

"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."

"The documentation is not clear and it needs to be updated."

"Depending on the tool's configuration, sometimes you get false alarms that are unimportant to you."

"Dynamic scanning is missing and there are some issues with security scanning."

More SonarQube Server (formerly SonarQube) cons

Pricing and Cost Advice

"The tool was fairly priced."

"Coverity is quite expensive."

"Coverity is very expensive."

"Depending on the usage types, one has to opt for different types of licenses from Coverity, especially to be able to use areas like report viewing or report generation."

"This is a pretty expensive solution. The overall value of the solution could be improved if the price was reduced. Licensing is done on an annual basis."

"Offers varying prices for different companies"

"The price is competitive with other solutions."

"I would rate the pricing a six out of ten, where one is low, and ten is high price."

More Coverity pricing and cost advice

"For the Community edition, there is no extra cost. It's totally free. The Enterprise edition, Data Center edition, and Developer edition are the paid versions."

"People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."

"We did not purchase a license (required for C++ support), but this option was considered."

"There are many different packages with different pricing options available. We are able to try what we have and if we need extra features we can upgrade the license."

"We are using the open-source community version, but there are enterprise licenses available."

"Can try developer version for 14 days on the free trial."

"I am satisfied with the pricing."

"We're using the Community Edition, and we don't pay for anything."

More SonarQube Server (formerly SonarQube) pricing and cost advice

See which vendors are best for you

Use our free recommendation engine to learn which Static Application Security Testing (SAST) solutions are best for your needs.

See recommendations

824,067 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Manufacturing Company

32%

Computer Software Company

15%

Financial Services Firm

Government

Financial Services Firm

17%

Computer Software Company

15%

Manufacturing Company

13%

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

Questions from the Community

How would you decide between Coverity and Sonarqube?

We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing rem...

See all answers

What do you like most about Coverity?

The solution has improved our code quality and security very well.

See all answers

What is your experience regarding pricing and costs for Coverity?

I do not know about the pricing.

See all answers

Is SonarQube the best tool for static analysis?

I am not very familiar with SonarQube and their solutions, so I can not answer. But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have a look...

See all answers

Which gives you more for your money - SonarQube or Veracode?

SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use...

See all answers

How does Snyk compare with SonarQube?

Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you a...

See all answers

Comparisons

Klocwork vs Coverity

Compared 7% of the time

Fortify on Demand vs Coverity

Compared 6% of the time

Checkmarx One vs Coverity

Compared 5% of the time

Veracode vs Coverity

Compared 5% of the time

Polyspace Code Prover vs Coverity

Compared 5% of the time

More Coverity Competitors

Checkmarx One vs SonarQube Server (formerly SonarQube)

Compared 16% of the time

SonarQube Cloud (formerly SonarCloud) vs SonarQube Server (formerly SonarQube)

Compared 12% of the time

GitHub Advanced Security vs SonarQube Server (formerly SonarQube)

Compared 10% of the time

Veracode vs SonarQube Server (formerly SonarQube)

Compared 9% of the time

Snyk vs SonarQube Server (formerly SonarQube)

Compared 4% of the time

More SonarQube Server (formerly SonarQube) Competitors

Product Reports

Buyer's Guide

Coverity

December 2024

Download Coverity product report

Buyer's Guide

SonarQube Server (formerly SonarQube)

November 2024

SonarQube Server (formerly SonarQube) report

Download SonarQube Server (formerly SonarQube) product report

Also Known As

Synopsys Static Analysis

Sonar

Learn More

Black Duck

Sonar

Interactive Demo

Demo not available

Black Duck

Sonar

Overview

Coverity gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts.

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform (SaaS), a highly scalable, cloud-based application security platform. Coverity supports more than 20 languages and 200 frameworks and templates.

SonarQube Server enhances code quality and security via static code analysis. It detects vulnerabilities, improves standards, and reduces technical debt, integrating into CI/CD pipelines.

SonarQube Server is a comprehensive tool for enhancing code quality and security. It offers static code analysis to identify vulnerabilities, improve coding standards, and reduce technical debt. By integrating into CI/CD pipelines, it provides automated checks for adherence to best practices. Organizations use it for code inspection, security testing, and compliance, ensuring development environments with better maintainability and fewer issues.

What are the key features of SonarQube Server?

Support for 20+ languages: Extensive programming language support suitable for diverse coding environments.
Custom coding rules: Allows for tailored rule sets to match specific coding standards.
Flexible quality gates: Define criteria for code acceptance at various intervals.
CI/CD integration: Seamless integration with Continuous Integration/Continuous Deployment tools.
Rich interface: User-friendly dashboard with detailed visual insights.

What benefits should users expect from SonarQube Server?

Improved code quality: Enhanced analysis contributes to fewer bugs and improved coding practices.
Security enhancements: Identifies and mitigates security vulnerabilities pre-emptively.
Maintainability: Reduces technical debt, yielding long-term development efficiency.
Customizable: Flexibility in configuration aligns with specific project needs.

Many industries implement SonarQube Server to uphold coding standards, maintain security protocols, and streamline their software development lifecycle. In sectors like finance and healthcare, adhering to regulations and ensuring reliable software is critical, making SonarQube Server invaluable. It is often integrated into CI/CD pipelines, ensuring that code changes meet set standards before deployment. This approach enhances productivity and maintains compliance with industry-specific requirements.

Sample Customers

SAP, Mega International, Thales Alenia Space

Information Not Available

Buyer's Guide

Coverity vs. SonarQube Server (formerly SonarQube)

December 2024

Free Report: Coverity vs. SonarQube Server (formerly SonarQube)

Find out what your peers are saying about Coverity vs. SonarQube Server (formerly SonarQube) and other solutions. Updated: December 2024.

DOWNLOAD NOW

824,067 professionals have used our research since 2012.

See our Coverity vs. SonarQube Server (formerly SonarQube) report.

See our list of best Static Application Security Testing (SAST) vendors.

We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.