Coverity Reviews

In my opinion, the most effective Coverity feature for identifying critical vulnerabilities is the extra checks, which offers deep analysis.

We're currently facing a primary challenge with automation using Coverity. Each developer has a license and can perform manual checks, and we also have a nightly build that analyzes the entire software. The main issue is that the tool can't look behind submodules in our code base, so it doesn't see changes stored there.

This limitation means it can't detect changes accurately, forcing us to analyze all files instead of just the modified ones. It struggles with repositories organized with different submodules. Although documentation suggests it's possible to configure Coverity to handle this, it requires effort.

The solution's analysis tools are high-quality, but the web design could improve. For example, the data is organized into pages when there are many findings, such as ten thousand lines of information. Each page shows about a hundred items, and navigating through these pages (from items 100 to 200, 200 to 300, and so on) can be cumbersome.

I've heard from a colleague about another Synopsys tool with a very good GUI. It might be a solution for us to include with Coverity. We invested in Coverity, but compared to SonarQube, it lacks a good interface. SonarQube has a responsive, intuitive GUI, but its analysis quality isn't as good as Coverity's. Coverity's interface isn't great, but its analysis is much better. We hope Synopsys will improve Coverity because it doesn't make a good impression when you first use it. We started with the command line and saw the results were very good. We moved from another tool with a slightly better GUI, but it crashed often, so Coverity was an improvement. 

When I used the solution earlier, I noticed some issues. It supports C++, which we use, but there's room for improvement. Coverity has two plug-ins. The newer one works well for languages like C# or Java and is very responsive. When we evaluated it with Synopsys, they presented it as easy to configure and install.

However, C++ slows down significantly because it's analyzing in the background. It's not very responsive when typing, likely due to the many included files in C++ that need analysis. It's not as quick as with C# or other languages, where you get immediate feedback from Coverity.

The classic plug-in is still supported but old-fashioned. It has a manual option, but I haven't checked it. The main problem for C++ users who prefer the old plug-in is responsiveness.

The SourceForge benchmark, along with OWASP Top 50 and Top 10, can be implemented with Coverity. When talking about the product's source code, through the code analysis, the security issues, whether related to confidentiality, integrity, run-time error, or application crash incidents, can be identified and fixed by the developer before a solution goes for production. 

The user-friendliness of the tool is the most valuable feature. The reporting feature is up to the mark and easy to use in comparison to other solutions. 

The use case is basically the code-scanning activity we perform. It helps us identify security vulnerabilities in the development phase. 

It aids in mitigating security risks in the initial phase of software development, so the potential risks become minimal. Those are the main use cases for this.

It effectively help us identify the latest security vulnerabilities. The database is updated, and it provides a plugin for the developer IDE. As a developer writes the code, they can identify security vulnerabilities on the fly during the coding visit. That is the effective feature of Coverity.

We use Coverity primarily to find issues such as software bugs and memory leaks, especially in C++ and C# projects. It helps us identify deadlocks, synchronization issues, and product crashes.

Coverity has been instrumental in resolving product crashes by detecting various issues like deadlocks. It helped us resolve synchronization issues in automobile companies where products were not able to shut down.

I work on multiple projects using various programming languages, and Coverity provides more security and quality checks than CodeSonar, resulting in more robust results.

The second point is that CodeSonar created many intermediate directories, consuming almost three-fourths of my hard disk space. In contrast, Coverity occupies less than half of the space that CodeSonar used. 

If someone is starting their security journey, they are looking for a code scanning tool and considering the entire portfolio that a vendor can offer. From this perspective, Synopsys provides a comprehensive suite of application security tools that can be used at various stages of the SDLC, which CodeSonar lacks. CodeSonar primarily offers static analysis and binary analysis tools, and while it can perform open-source analysis, it does so with limited programming language coverage. This limitation does not meet our long-term requirements. 

Therefore, considering the long-term vision, we decided that Synopsys, recognized as a leader in the industry for seven consecutive years, offers a broader range of tools and greater value.

It is used to check software quality compliant with standards.

It taking compliance with standards like MISRA is crucial, especially for the automotive market.

We write thousands of lines of code on a daily basis, and we cannot say that our code is free because there are a lot of other developers contributing to the source code and things like that. And this process is prone to human error, defects in the source code, etc.

To automate detection, we use Coverity's static analysis, which has a low false-positive ratio. That's because Coverity's analysis engine includes 20-plus patented technologies. A lot of other static analysis tools use pattern-based analysis, but Coverity's is flow based. That's why we ended up using it. Coverity is helping us identify some of the critical defects at the early stages of the development life cycle. So overall, it is giving us a greater ROI and making our application more mature and robust.

We use the solution to perform security scans on our application. We worked on a healthcare product. We wanted to submit it for FDA approval. It was mandatory to validate security issues, static code analysis, and dynamic code analysis. We evaluated multiple tools and shortlisted Coverity. I worked with the Synopsys team for integration and initial setup to allow the tool to scan our application implementation and identify static and dynamic code issues.

The solution has improved our code quality and security very well. It has multiple reports. I wanted good reports as evidence that we are doing security scans. We got them from Coverity. We were able to keep track of all the issues. Genuine issues were identified. It improved our code quality and provided us with the ability to keep track of all the issues that were identified.

Our product was not on the market yet. It was under development. Almost 90% of the development was already done. At that stage, we introduced Coverity as part of the compliance required for medical device products. It would have been good if we had introduced Coverity when the development was at 40%. It would have helped us address the incremental issues right then. We wouldn’t have had to go back and redo all the fixes for issues reported by Coverity.