Klocwork Reviews

Klocwork is part of our automated system, continuously improving the pipeline. Whenever the software is merged into the project control system, it is going to reduce Klocwork scanning automatically.

Klocwork's most valuable feature is the static code analysis feature. It detects the potential problem earlier to allow the developer to receive feedback quickly and then address it before it becomes a problem.

Klocwork has to improve its features to stay ahead of other free or low-cost solutions, like Visual Studio Code Analyzer.

I have used Klocwork within the last 12 months.

Klocwork is a stable solution but the performance could improve when compared to other solutions.

I have used the support from Klocwork. There was a transition time when we started using the solution which was not smooth. However, we didn't need to report any problems after that.

I have previously used Apple Xcode and Microsoft Visual Studio static code analysis and then JetBrains ReSharper type of the code analysis from the third-party tool, which is much cheaper than the Klocwork. Additionally, they are faster. I do not think we will be using Klocwork for much longer.

Klocwork was straightforward to implement and took us a half-day to implement and the upgrade took less time.

There are other solutions on the market such as Microsoft Visual Studio. They have been adding more static code analysis features that come for free. It is getting better all the time. That is one of the possibilities is that we've been considering that we may stop using the Klocwork because it doesn't give us any added value.

Klocwork is an expensive solution.

When we first purchased Klocwork I would have rated it a nine or ten out of ten. However, because of the performance of the execution and cost, I would no longer rate it that high.

I rate Klocwork a six out of ten.

• Good set of checkers for static code analysis, cyber security
• Possibility of creating custom checkers- Good and easy integration into continuous integration (CI)
• The whole package offers a lot of possibilities: add-ons for Eclipse, standalone clients, access via web site, support, documentation, command line.

More and more departments are targeting static code analysis now, as they see the benefits. Klocwork with its capabilities is helping with this, providing the integration. The advantage is that while coding, developers see code violations.

• Global variables sometimes generate false positives. Variables with global scopes sometimes produce False Positives. It means, I get violations from KW which after personal analysis turn out to be not true. At the moment it seems Klocwork is not able to track the values of variables with global scope. Thus the tool makes assumptions for the value range. It occurs that I get violations due to values which simply cannot occur > as the global variables are not tracked. This is annoying and time consuming. One simpler thing on variables with global scope: unused variables with global scope cannot be detected by checkers. This is highly recommended to have it in order to clean the code.
• The preprocessor needs better integration for custom checkers as the tool focuses more on static code analysis; after preprocessing the file.- Updating from one version to the other takes too much time. The process somehow needs too much CPU power.
• Once there are bugs detected and accepted by KW, it takes some time to integrate the changes. This means that what does not fit on the Rogue Wave road map is not definitely considered.

I have used it for four years.

I did not encounter any stability issues; only that the update process takes too long. Here, the process could be speeded up.

Scalability is good, from small teams to multisite project teams.

Technical support is good (7/10).

I previously used PC-lint. I switched because KW is more mature.

Initial setup is going well; very straightforward and following its documentation.

I evaluated QAC/QAC++, LDRA Testbed.

A good thing is that you are rapidly ramped up and can use the tool.

Klocwork is part of the DevOps process. It is scaling the code on every request.

It saves a lot of time when it comes to finding defects, it's basically inputted in every access we do.

The most valuable feature is the Incremental analysis.

I believe it should support more languages, such as Python and JavaScript.

I would like to see dynamic analysis as well.

I have been working with Klocwork for seven years.

We are using version 2021.2.

Klocwork is very stable and very mature.

It is very scalable.

In our organization, we have 50 users.

It is used on a daily basis. It's one of the most important tools that every developer has.

The support is good. We have no problems with the support.

We used Coverity in the past, but they shifted their focus, and we switched to Klocwork.

The initial setup is straightforward.

It is simple to set up and can be done by any developer.

The initial deployment took a couple of days.

We have one person, working half-time to maintain this solution. That is all that is needed.

I didn't require any assistance because I installed it myself.

We have seen a return on investment. Each developer invests at least half an hour a day less on defects. 

Licensing fees are paid annually, but they also have a perpetual license.

There are no additional costs.

I would recommend, first creating a baseline of their source code with all of the issues, and then handling the new issues on a daily basis while gradually resolving the old ones.

I would rate Klocwork a nine out of ten.

It is one of the best tools available for static analysis.

This tool was already rolled out in our projects at Delphi Technical Center in Bangalore, India. Though we had a QAC tool for MISRA checks, Klocwork was preferred for complete code base static analysis before projects go to production.

For all GM projects, this tool is used to perform static analysis. It provides a nice report, so all manual efforts in analyzing the code base are completely removed.

There are some false warnings found which eventually are not considered for a fix after the team reviewed the source code.

We have been using the system for around three years.

It is quite stable, reliable and has not shown any difference in the results for multiple runs.

We have not tried to scale yet, but it was sufficient for our current projects.

We have not encountered any problems at my level. I have no idea how the technical support is.

We were using QAC and Klocwork at my previous company. At my current organization, we use Polyspace.

The setup was in place when I arrived.

I have no idea about pricing.

I was not involved in the tool evaluation process.

I recommend this tool as one of the best to be used for static analysis and should at least be tried.

our primary use case was to find and fix all possible static vulnerabilities like Buffer over flow, null pointer check, array out of bounds, concurrency violations, etc.., We work on Linux platform with gcc compiler. 

It has helped our organization to produce the non-defective code right at the developer's desktop. So we were able to deliver releases on time.

The pre-checkin code review, industry standard checks, continuous integration (CI) and customized checkers are the most valuable features.

It would be nice to consider having more language support ability. Currently Klocwork supports C/C++, Java and C#, (Android*)

Klocwork is very stable. i have seen Klocwork running on 40 million lines of code without any problem. 

Klocwork has almost all the features what an advanced Static code analyser should have. 

Customer Service:

Customer service is great. We are getting responses from support within a day. The local support (I am from India) is also good.

Technical Support:

Technical support from Klocwork is great. The Klocwork documentations are available online so we hardly contact the Klocwork support.

We were using three Open Source static analyzers and faced lots of false-positives and false-negatives. Klocwork has given us better results with real issues.

Setup was straightforward with the installation shields (a single .exe for Windows and .sh file for Linux).

For the very first time, the vendor team had helped us in the deployment. Their support was great. From the second time onwards, our internal team was able to upgrade and install with the help of online documentations.

We got what we have expected. Klocwork worth the price. 

The Klocwork tool is worth the price that they have quoted.

we have evaluated multiple open source tools and few commercial tools.

Unlike other static code analysis tools, Klocwork integrates seamlessly into desktop IDEs, build systems, continuous integration tools, and any team's natural workflow. Mirroring how code is developed at any stage, Klocwork prevents defects and finds vulnerabilities on-the-fly, as code is being written.

Klocwork also helps prioritize work with SmartRank, the revolutionary new recommendation engine that prioritizes issues and helps select which ones to work on first.

Take prioritized, corrective action immediately to deliver more secure and reliable code.

Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead.

One more is on-the-fly analysis which is the most important feature, and CI which Klocwork provides I believe.

• First will be the on-the-fly analysis as it is reducing the time for developing code and report generation.
• One more best thing is the reports section which is very nice to understand.

Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03.

I don't know much about cost and licensing as my management is looking at these things.

No.

We are using it for C and C++ to find security vulnerabilities in our source code. It is a static application security testing (SAST) tool.

On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively.

Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages. 

I would like to see some more new guidelines added. As you know, this Klocwork tool is fully compliant with MISRA, CERT, and CWE, but a few coding guidelines are still not supported by Klocwork.

I have been using it for around eight years.

We have been using Klocwork for many years. That itself speaks of its stability in our organization.

We have been trying to scale up this particular tool. We are not only using Klocwork. We are also using other SAST solutions because security cannot be handled by only using one particular tool. Klocwork is the oldest one, but we are using SonarQube and Coverity to filter out more and more defects from our source code. So, it's not really scalable itself, but with the help of other tools, we managed to scale to organization needs.

Currently, we have nine users who are using it in our organization. It is used once a week to give the reports to our security team, and they act on those reports to filter out all the vulnerabilities.

They're hyperresponsive. They have regular calls to see what exactly we are doing with Klocwork and how we are doing. They are super responsive. They are knowledgeable. I would rate them a five out of five.

Positive

I used Kiuwan earlier, but I used it for open source. It was primarily to find open sources in our entire source code. It supports modern languages. It has more languages than Klocwork.

It is an on-premise solution. It is not very difficult to set up on our premises. It is easy to install and easy to use. I would rate it a five out of five in terms of the setup.

If your source code is in C or C++, you should be using Klocwork. We have compared the results of different tools like SonarQube and Coverity with Klocwork. Klocwork was able to find a better number of defects in the source code than SonarQube and Coverity. At times, both Coverity and SonarQube missed some of the defects such as null pointer dereference, memory leak issues, etc. The detection rate of Klocwork is very high for C and C++.

I would rate Klocwork an eight out of ten.

Our primary use case is to check our Internal Standards which is always a burden because it involves lot of manual checking. We are using Klocwork for this by writing some algorithms and implementing it in Klocwork. Klocwork is very strong in this section.

As said earlier checking our industry standards is main burden which involves lot of manual work. Now Klocwork has completely removed this and we are very easily checking our internal standards.

The ability to create custom checkers, which is an important part of most of the projects. Its on the fly capability is very good. 

Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.

Technical Support is very good. They took only hours to resolve most of my issues.

I didn't use any tools other than Klocwork.

Initial setup is straightforward. There is no complexity in the initial setup.

I have implemented it with the help of a vendor team. They are really very good with Klocwork.

It is worth it for the price that the vendor quoted.

I evaluated two other tools, which were not matched with Klocwork at any point. I don't want to reveal the names of the tools.

Support for more languages would be helpful since this is my trustworthy tool. One more advice from my side would be to do some webinars on Klocwork will be helpful for some new users.