Coverity Reviews

We have been working on a POC for this solution. It is an on-prem solution and we have 50 internal users. 

This solution is easy to use. 

The level of vulnerability that this solution covers could be improved compared to other open source tools. The UI could also be improved. We also cannot directly report the vulnerability. We need to add filters to projects and only then can we download reports. 

I have been using this solution for three months. 

This is a stable solution. 

The pricing is very reasonable compared to other platforms. It is based on a three year license. 

I would rate this solution a seven out of ten. 

We use the product only as a solution for defect code, to find more build liabilities in the code.

The product allows us to find vulnerabilities while testing our apps. 

The app analysis is the most valuable feature as I know other solutions don't have that.

It's a good tool. The interface, support, pricing, and integration do not have any limitations.

The solution could use more rules. For example, if I have a lot of rules in many languages, it helps my company as having access to more rules works for us.

We'd like a bit more integration.

I've been using the solution for maybe three months. 

The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable and the performance has been good overall. 

We find the solution to be scalable. 

I'm not sure exactly how many people are using the product.

I can't say if we have plans to increase usage or not in the future. 

We haven't had any issues with technical support. They are helpful and responsive. 

Positive

We also use SonarQube.

In the past, I used Checkmarx and Fortify, and Coverity had the better price.

I have access only to the interface part and I didn't do the configuration of the tool. I do not handle the initial setup of the product.

As I recall, the deployment itself only took days. 

Our company managed the setup in-house without the help of outside vendors. 

We find the pricing to be reasonable.

We're a customer and end-user.

We are using a recent version of the solution. 

I'd like potential new users to be aware that it's a good tool to implement basic code.

I'd rate the solution nine out of ten.

We've integrated Coverity into our CI/CD pipeline to check our source code against quality gates before deployment. It alerts us to issues so we can halt the pipeline, fix critical problems, and then run it again.

What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues.

As for code remediation, although I can fix issues myself as a security engineer, the tool provides helpful remediation guidance for each vulnerability. It lists how to fix each issue, which I find useful. The solution has increased our development speed.  

The solution needs to improve its false positives. 

I have been using the product for one and a half years. 

I rate the tool's scalability a nine out of ten. We have 20-25 users who use it daily. 

I rate the solution's deployment ease a nine out of ten, and it can be completed in a few minutes. 

The solution's pricing is comparable to other products. 

I rate the overall solution a nine out of ten. 

I use my company's solution for code quality and secure code analysis.

The tool as it is can be used for code quality improvement. Whatever rules are in the tool are useful.

I don't use it directly on a day-to-day basis.

I expect the product to offer ease of integration with the built pipelines. I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges. I do not know the exact details.

I have been using Coverity for a few years.

I use Coverity simultaneously with Fortify but for different purposes.

I don't deal with the pricing.

I am satisfied with the product.

The tool is used for specific use cases like embedded systems.

I would not recommend the tool for web application technologies, Java, or cloud-native technologies since the tool is meant for embedded codes.

I rate the tool a six out of ten.

My primary use case is performing static application security testing on various code bases, including Java, PHP, and HTML. I use it to create review reports of assets and categorize the issues based on severity.

The product has been beneficial in logging functionality, allowing me to categorize vulnerabilities based on severity. This aids in providing updated reports on subsequent scans.

The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming.

I have been using Coverity for about two to three months, between June 2023 and August 2023.

There were occasional issues with lag during the initial setup and scans, especially in a cloud environment.

Due to the subscription-based model, I had to contact customer service, mainly to add new users. Response times varied, sometimes taking more than a week.

Neutral

I had experience with SonarQube as an alternative. Coverity excelled in code scanning because it did not require installation prerequisites. Its reports are also clear and informational. It provides us with a better idea of troubleshooting vulnerabilities.

The initial setup was elaborate and somewhat complicated. The information from the Synopsys website was more than enough. First-time users will struggle with many tools, packages, and libraries. Deployment took 30 minutes to complete. Two to three resources were involved in the process.

An integrator helped with the tool's deployment. 

I rate the solution a nine out of ten. 

We primarily use the solution for quality purposes. We also use it for security. That's one subset of quality. However, it's used for more dynamic behavior, such as memory leaks, et cetera. 

They have a good memory-related box and a static order analysis that's very good, especially around leaks.

We were very comfortable with the initial setup.

It is stable.

The cost is very high.

They don't have SonarQube compatibility with the dashboard, which is a big negative. They were actually arrogant for not providing it. We wanted to see all the problems in a single SonarQube dashboard, and we can't do that. They need SonarQube integration. They claim that they have SonarQube integration, yet it is not there.

We'd like it to be faster.

The solution could always use a bit more security. 

I've been using the solution for around 12 years. 

I consider the solution very stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable. 

That said, when we are doing security analysis on bigger projects, it can be slow. 

To scale, you need more hardware. That way it is scalable. That said, it is already handling quite a big amount. We have a specific problem when analyzing security in a big project. It can get slow. 

I'd rate it four out of five in its ability to scale. 

We have around 200 people using the solution currently. 30 to 40 use it on a daily basis. 

We do not have plans to increase usage based on the cost. We're actually looking for an alternative.

Support is not so good. They're too slow. In contrast, Clockwork has very good support.

Neutral

We've used Clockwork before. However, it has the same issues as this product. They're more for C# and C++.

The solution was very simple to set up. The frontend, backend, and UI are very good and easy to navigate.

I'd rate the initial setup process a four out of five in terms of how easy it was.

It is an expensive solution. 

Their sales team is very arrogant. 

I don't like their licensing mechanism. Everything is on very unfriendly terms. 

There are other tools you can use that are free and open-source. 

In a collaborative environment, they are very tricky. When it comes to looking at the bugs on a web interface, they try to block them. When you discuss it with them, they are quite unfriendly. Once you got stuck into the tool, they know that it's hard to leave due to the history. When you get into a tool, you need the history since the history needs to be built up, and therefore, over time, you have a dependency on the tool.

I'd rate the product a three out of five in terms of affordability.

We're a customer.

I would rate the solution seven out of ten.

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

The most valuable feature is the ability to find vulnerabilities in our code.

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

I have been working with Coverity for about eight months.

Coverity is quite stable and we haven’t had any issues or any downtime.

We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.

The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.

We did not use another solution before Coverty, although in my previous company, I used Veracode.

We also use SonarQube for code analysis.

Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.

SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.

SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure.

It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.

I had assistance from the vendor, Synopsys, during the deployment.

Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users.

I believe that pricing based on the number of lines of codes is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys.

My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage.

The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning.

I would rate this solution a seven out of ten.

We use the solution for SaaS support.

The most valuable feature is the security advisor. It also provides a very detailed report.

Triage history has many bugs and needs to be improved. There could be a subsection. The solution could provide a graphical representation like other tools.

We have OS 2021, which is not the latest one. It should be updated regularly.

I have been using Coverity for almost a year.

The product is stable.

I rate the solution’s stability a nine out of ten.

Our organization has 20-30 users using this solution.

I rate the solution’s scalability an eight out of ten.

Technical support has expert hours and is available anytime. Also, we don't need to raise a ticket now because we have direct support from Coverity.

Positive

We are exploring Black Duck, which has more precise things. Coverity has a clear view. The report is very much clear rather than confusing like other tools. It also has a PDF option, and it gives precise information.

The initial setup is simple.

The solution has higher pricing. The price should be based on the user count. Suppose there is a ten-user license per pack. However, this could be adjusted to five users if needed.

Overall, I rate the solution an eight out of ten.