We use Coverity to help with code security and code vulnerability.
Solutions Architect at Hitachi High-Tech America
Stable and scalable, but screens cannot be added to branches easily
Pros and Cons
- "The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code."
- "We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
What is our primary use case?
What is most valuable?
The most valuable feature of Coverity is that it shows examples of what is actually wrong with the code.
What needs improvement?
We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system.
In the next release, I would like to have the ability to easily add screens to branches myself as a developer.
For how long have I used the solution?
I've been using this solution for about five years.
Buyer's Guide
Coverity
November 2024
Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
814,649 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
It's scalable, and approximately 200 developers use Coverity in my organization. We have 10 administrators at present.
How are customer service and support?
Technical support is good, but they do not have a user ticketing system. Therefore, we have to go through an to administrator to get support. For the support itself, I would give a rating of eight out of ten.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
The pricing is on the expensive side, and we are paying for a couple of items.
What other advice do I have?
My advice would be to look at other solutions and evaluate on-premises or SaaS options.
Overall, I would rate Coverity at six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Software Architect at a tech vendor with 10,001+ employees
Easy to set up with good static order analysis but is expensive
Pros and Cons
- "We were very comfortable with the initial setup."
- "We'd like it to be faster."
What is our primary use case?
We primarily use the solution for quality purposes. We also use it for security. That's one subset of quality. However, it's used for more dynamic behavior, such as memory leaks, et cetera.
What is most valuable?
They have a good memory-related box and a static order analysis that's very good, especially around leaks.
We were very comfortable with the initial setup.
It is stable.
What needs improvement?
The cost is very high.
They don't have SonarQube compatibility with the dashboard, which is a big negative. They were actually arrogant for not providing it. We wanted to see all the problems in a single SonarQube dashboard, and we can't do that. They need SonarQube integration. They claim that they have SonarQube integration, yet it is not there.
We'd like it to be faster.
The solution could always use a bit more security.
For how long have I used the solution?
I've been using the solution for around 12 years.
What do I think about the stability of the solution?
I consider the solution very stable. There are no bugs or glitches and it doesn't crash or freeze. It is reliable.
That said, when we are doing security analysis on bigger projects, it can be slow.
What do I think about the scalability of the solution?
To scale, you need more hardware. That way it is scalable. That said, it is already handling quite a big amount. We have a specific problem when analyzing security in a big project. It can get slow.
I'd rate it four out of five in its ability to scale.
We have around 200 people using the solution currently. 30 to 40 use it on a daily basis.
We do not have plans to increase usage based on the cost. We're actually looking for an alternative.
How are customer service and support?
Support is not so good. They're too slow. In contrast, Clockwork has very good support.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We've used Clockwork before. However, it has the same issues as this product. They're more for C# and C++.
How was the initial setup?
The solution was very simple to set up. The frontend, backend, and UI are very good and easy to navigate.
I'd rate the initial setup process a four out of five in terms of how easy it was.
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution.
Their sales team is very arrogant.
I don't like their licensing mechanism. Everything is on very unfriendly terms.
There are other tools you can use that are free and open-source.
In a collaborative environment, they are very tricky. When it comes to looking at the bugs on a web interface, they try to block them. When you discuss it with them, they are quite unfriendly. Once you got stuck into the tool, they know that it's hard to leave due to the history. When you get into a tool, you need the history since the history needs to be built up, and therefore, over time, you have a dependency on the tool.
I'd rate the product a three out of five in terms of affordability.
What other advice do I have?
We're a customer.
I would rate the solution seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Coverity
November 2024
Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
814,649 professionals have used our research since 2012.
Integration Architect at a manufacturing company with 10,001+ employees
A scalable solution that needs to improve its SCM integration capabilities
Pros and Cons
- "Coverity gives advisory and deviation features, which are some of the parts I liked."
- "SCM integration is very poor in Coverity."
What is our primary use case?
We are using Coverity for Android, cluster programs, and infotainment.
What is most valuable?
Coverity's setup takes a long time. Coverity gives advisory and deviation features, which are some of the parts I liked.
What needs improvement?
SCM integration is very poor in Coverity. The IDR file is not portable. After the analysis, it generates an IDR file. It cannot be ported from the machine since it is machine specific. Also, the component mapping has to be done manually. We cannot upload in one shot through automation or an Excel sheet. That is also a drawback.
In terms of the additional features that the solution should possess, I would say that it should have very good and sound features for Android-related stuff and embedded features should be supported. Also, infotainment programs for people who are using HMI should be supported very well.
For how long have I used the solution?
I have been using Coverity for more than one year. In my company, we use the tool. Also, we go to the vendor for support. I am using Coverity 2022.
What do I think about the stability of the solution?
Speaking about stability, I would say that product-wise, there is no such complaint. There are no alarming complaints. However, some minor things we have to fix, use and tune it. With the newer versions, the only problem is if any new version or any new tool or new plugin comes to our infotainment program, then even with vendor support, we won't get a solution since maybe the tool is not supported or because there is something else that has to be looked into. We are facing problems due to such cases. Otherwise, it's fine, so it is good enough for an existing tool and program.
What do I think about the scalability of the solution?
The product is scalable if provided if the tool is supported well, and if new features are incorporated parallelly, then definitely it's scalable.
To speak exactly about the number of users is difficult, but above 300 people in my company use the solution.
There are four or five members out there who manage Coverity's administration from a project point of view.
How are customer service and support?
My opinion on support depends on what kind of support my company has adopted. I need to check. I don't know what company support they have provided. If they have taken golden support, support will come like that. In that way, I don't want to comment on that.
Which solution did I use previously and why did I switch?
Initially, I worked with Klocwork in my previous company.
Regarding Klocwork, if you can provide me with its information, then we would definitely like to explore it.
How was the initial setup?
Initial setup for the infotainment program is not easy. This is because the template, specifically code template files, have to be generated, and that itself takes time since they talk to the vendor and they get the template files. We are using the same template file for most of the programs. It is not fixed that this program has to use this template file, so it is not like that. since it has to be fine-tuned.
For a few programs, like cluster programs, it takes only half a day or a day to get the setup done since everything is ready. But for infotainment, it sometimes takes three to four days, and issues keep coming in for the new enablement. Hence, it may take even three weeks to one month sometimes.
What's my experience with pricing, setup cost, and licensing?
Coverity’s price is on the higher side. It should be lower. It's definitely priced on the higher side, and in that sense, I will definitely give a big alert stating that it is on the higher side of the price.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at Dover Corporation
Provides software security and helps find potential security bugs or defects
Pros and Cons
- "Provides software security, and helps to find potential security bugs or defects."
- "The product lacks sufficient customization options."
What is our primary use case?
We use this tool for call scans in order to improve call quality. We implement testing and this tool cleans up our potential feedback. We are a semiconductor company and provide software solutions to our clients. I'm a senior manager.
How has it helped my organization?
Coverity has improved our functionality and efficiency.
What is most valuable?
This product provides software security, and helps to find potential security bugs or defects with its checker feature. The solution also enables us to implement secure coding.
What needs improvement?
We've found that there is a quite high false positive rate. It's a problem because we end up wasting time on something that's not an issue. The tracker reports too many issues that are not relevant. I'd like to see some kind of customization mechanism in the future.
For how long have I used the solution?
We've been using this solution for over 10 years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable, we have several thousand users.
How are customer service and support?
The technical support is reasonable.
How would you rate customer service and support?
Neutral
What other advice do I have?
I rate this solution eight out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Automation Practice Leader at a financial services firm with 10,001+ employees
Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments
Pros and Cons
- "Coverity is quite stable and we haven’t had any issues or any downtime."
- "I would like to see integration with popular IDEs, such as Eclipse."
What is our primary use case?
I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.
What is most valuable?
The most valuable feature is the ability to find vulnerabilities in our code.
What needs improvement?
I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.
For how long have I used the solution?
I have been working with Coverity for about eight months.
What do I think about the stability of the solution?
Coverity is quite stable and we haven’t had any issues or any downtime.
What do I think about the scalability of the solution?
We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.
How are customer service and technical support?
The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.
Which solution did I use previously and why did I switch?
We did not use another solution before Coverty, although in my previous company, I used Veracode.
We also use SonarQube for code analysis.
Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.
SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.
SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.
How was the initial setup?
We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure.
It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.
What about the implementation team?
I had assistance from the vendor, Synopsys, during the deployment.
What's my experience with pricing, setup cost, and licensing?
Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users.
I believe that pricing based on the number of lines of codes is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.
What other advice do I have?
We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys.
My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage.
The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning.
I would rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director at a healthcare company with 10,001+ employees
Useful in areas like code quality and secure code analysis but needs to offer easy integration capabilities
Pros and Cons
- "The tool as it is can be used for code quality improvement."
- "I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges."
What is our primary use case?
I use my company's solution for code quality and secure code analysis.
What is most valuable?
The tool as it is can be used for code quality improvement. Whatever rules are in the tool are useful.
What needs improvement?
I don't use it directly on a day-to-day basis.
I expect the product to offer ease of integration with the built pipelines. I had tried integrating the tool with Azure DevOps, but the report I got stated that my team faced many challenges. I do not know the exact details.
For how long have I used the solution?
I have been using Coverity for a few years.
Which solution did I use previously and why did I switch?
I use Coverity simultaneously with Fortify but for different purposes.
What's my experience with pricing, setup cost, and licensing?
I don't deal with the pricing.
What other advice do I have?
I am satisfied with the product.
The tool is used for specific use cases like embedded systems.
I would not recommend the tool for web application technologies, Java, or cloud-native technologies since the tool is meant for embedded codes.
I rate the tool a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 21, 2024
Flag as inappropriateApp Security at FineLabs
Helps to check source code against quality gates before deployment
Pros and Cons
- "What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues."
- "The solution needs to improve its false positives."
What is our primary use case?
We've integrated Coverity into our CI/CD pipeline to check our source code against quality gates before deployment. It alerts us to issues so we can halt the pipeline, fix critical problems, and then run it again.
What is most valuable?
What I find most effective about Coverity is its low rate of false positives. I've seen other platforms with many false positives, but with Coverity, most vulnerabilities it identifies are genuine. This allows me to focus on real issues.
As for code remediation, although I can fix issues myself as a security engineer, the tool provides helpful remediation guidance for each vulnerability. It lists how to fix each issue, which I find useful. The solution has increased our development speed.
What needs improvement?
The solution needs to improve its false positives.
For how long have I used the solution?
I have been using the product for one and a half years.
What do I think about the scalability of the solution?
I rate the tool's scalability a nine out of ten. We have 20-25 users who use it daily.
How was the initial setup?
I rate the solution's deployment ease a nine out of ten, and it can be completed in a few minutes.
What's my experience with pricing, setup cost, and licensing?
The solution's pricing is comparable to other products.
What other advice do I have?
I rate the overall solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 5, 2024
Flag as inappropriateSoftware Integration Engineer at Thales
Powerful capabilities, reliable, and good support
Pros and Cons
- "The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."
- "Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
What is our primary use case?
We use Coverity because we have a SonarQube server and we have a lot of software components that use different languages, such as Java, C, C++, and above. For C and C++ components we use Coverity.
What is most valuable?
The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution.
What needs improvement?
Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better.
For how long have I used the solution?
I have been using Coverity for approximately four years.
What do I think about the stability of the solution?
Coverity is stable.
What do I think about the scalability of the solution?
The scalability of Coverity is good. We have more than around 15 software components and other components involved.
We have 20 developers that are using the solution in my organization.
How are customer service and support?
We had support from Coverity for the first six months of usage but later we did not.
I rate the support from Coverity a four out of five.
Which solution did I use previously and why did I switch?
We have used other solutions, such as SonarQube.
How was the initial setup?
In the beginning, it takes two weeks to learn how to set up Coverity, but later the maintenance work is very easy. The beginning involves soft code, that we need to set up before using SonarQube, we have created SonarQube property itself for every component and inside we need to copy different options for Coverity. We had global Coverity roles or vendors we had to allow it to work with global rules and according to the component itself and the setup. The full implementation process can take approximately one month to complete.
What about the implementation team?
We have two teams to set up the server and install Coverity. I set up the project in Coverity and the different roles in the soft code. The developers use Coverity in their daily work.
What other advice do I have?
My advice to other is the first few steps of using Coverity takes time. It's better to have an experienced user to support it. For new users, it will be hard for them to set it up. If they can get someone to support it directly at the beginning it would be better because for me it's very hard at the beginning for a few weeks.
And on a scale from one to 10, how would you rate Coverity?
I rate Coverity an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Coverity Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Static Application Security Testing (SAST)Popular Comparisons
SonarQube Server (formerly SonarQube)
Veracode
GitLab
Checkmarx One
Snyk
OWASP Zap
Mend.io
SonarQube Cloud (formerly SonarCloud)
Fortify on Demand
Sonatype Lifecycle
Acunetix
PortSwigger Burp Suite Professional
HCL AppScan
Qualys Web Application Scanning
Klocwork
Buyer's Guide
Download our free Coverity Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the difference between Coverity and SonarQube?
- What is the biggest difference between Coverity and SonarQube?
- How would you decide between Coverity and Sonarqube?
- What Application Security Solution Do You Use That Is DevOps Friendly?
- Which is the most comprehensive open source Web Security Testing tool?
- What is the best Application Security Testing platform?
- When evaluating Application Security Testing, what aspect do you think is the most important to look for?
- SAST vs. DAST: Which is better for application security testing?
- What tools do you rely on for building a DevSecOps pipeline?
- What does the Log4j/Log4Shell vulnerability mean for your company?