Klocwork Reviews

We are using it for C and C++ to find security vulnerabilities in our source code. It is a static application security testing (SAST) tool.

On-the-fly analysis and incremental analysis are the best parts of Klocwork. Currently, we are using both of these features very effectively.

Modern languages, such as Angular and .NET, should be included as a part of Klocwork. They have recently added Kotlin as a part of their project, but we would like to see more languages in Klocwork. That's the reason we are using Coverity as a backup for some of the other languages. 

I would like to see some more new guidelines added. As you know, this Klocwork tool is fully compliant with MISRA, CERT, and CWE, but a few coding guidelines are still not supported by Klocwork.

I have been using it for around eight years.

We have been using Klocwork for many years. That itself speaks of its stability in our organization.

We have been trying to scale up this particular tool. We are not only using Klocwork. We are also using other SAST solutions because security cannot be handled by only using one particular tool. Klocwork is the oldest one, but we are using SonarQube and Coverity to filter out more and more defects from our source code. So, it's not really scalable itself, but with the help of other tools, we managed to scale to organization needs.

Currently, we have nine users who are using it in our organization. It is used once a week to give the reports to our security team, and they act on those reports to filter out all the vulnerabilities.

They're hyperresponsive. They have regular calls to see what exactly we are doing with Klocwork and how we are doing. They are super responsive. They are knowledgeable. I would rate them a five out of five.

Positive

I used Kiuwan earlier, but I used it for open source. It was primarily to find open sources in our entire source code. It supports modern languages. It has more languages than Klocwork.

It is an on-premise solution. It is not very difficult to set up on our premises. It is easy to install and easy to use. I would rate it a five out of five in terms of the setup.

If your source code is in C or C++, you should be using Klocwork. We have compared the results of different tools like SonarQube and Coverity with Klocwork. Klocwork was able to find a better number of defects in the source code than SonarQube and Coverity. At times, both Coverity and SonarQube missed some of the defects such as null pointer dereference, memory leak issues, etc. The detection rate of Klocwork is very high for C and C++.

I would rate Klocwork an eight out of ten.

Our primary use case is to check our Internal Standards which is always a burden because it involves lot of manual checking. We are using Klocwork for this by writing some algorithms and implementing it in Klocwork. Klocwork is very strong in this section.

As said earlier checking our industry standards is main burden which involves lot of manual work. Now Klocwork has completely removed this and we are very easily checking our internal standards.

The ability to create custom checkers, which is an important part of most of the projects. Its on the fly capability is very good. 

Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.

Technical Support is very good. They took only hours to resolve most of my issues.

I didn't use any tools other than Klocwork.

Initial setup is straightforward. There is no complexity in the initial setup.

I have implemented it with the help of a vendor team. They are really very good with Klocwork.

It is worth it for the price that the vendor quoted.

I evaluated two other tools, which were not matched with Klocwork at any point. I don't want to reveal the names of the tools.

Support for more languages would be helpful since this is my trustworthy tool. One more advice from my side would be to do some webinars on Klocwork will be helpful for some new users.

Our main test case is to check for some of our internal standards which we usually do manually. But when we got Klocwork, it completely changed the scenario. We are writing a simple logic for checking our internal standards without much overhead. 

One more is on the fly analysis which is the most important feature which Klocwork provides I believe. 

• It has reduced the manual analysis for a lot of scenarios like checking for internal standards.
• It has saved a lot of time in developing a code through on the fly analysis mode.
• Klocwork team is regularly updating their checkers which is the good one where we can get more accurate and new kind of issues or bugs in our code can be identified.

First will be the on the fly analysis as it is reducing the time for developing a code. One more best thing is the reports section which is very nice to understand. Also the support which is available for Industry Standards as well as we can also write our own internal standards and we can check during the analysis.

Not much as of now. But I am feeling Klocwork should support more number of languages like other static code analyzers do. Right now Klocwork has supportability available only to C, C++, Java, and C#. 

Very good.

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork. 

It has a straightforward setup from my scenario. Just installing a few .exe files. Not much complexity is involved in this.

Vendor team. Very good, and they are friendly.

I don't know much about cost and licensing as my management is looking at these things.

I evaluated some other tools, but I don't want to reveal the names of these tools. I didn't find them as good tools when compared with Klocwork.

Not much as of now.

We currently use Klocwork mainly for static code analysis.

Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. Without building the source code we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue, regarding code building, when compiling the report.

I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long is it is clear. A presentational dashboard would be good.

The stability is good. We can run it on multiple machines without an issue.

We have a server license here for two servers and ten users.

The technical support is good. They support us whenever we need it.

The initial setup was straightforward, not too complicated.

Klocwork is a good product, but keep in mind that before building the code you have to get a report. Then you use the code. If you don't need to get a report after building the source code then this is a good solution for you. I prefer this tool.

I would rate Klocwork as eight out of ten.

My primary case would be checking for memory related issues and some null pointer issues where Klocwork is too strong in this section. We used to check these issues most often, and Klocwork is the one which provides us this clear way.

We are very concerned about these issues for some of the critical projects which are very important for us. Using Klocwork, we have cleared all these issues without much difficulty.

• Its vast checkers supportability
• Custom checker creation
• Industry standards supportability
• Support to a vast number of IDEs and so on.

Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.

We are using Klocwork to perform static code analysis of our solutions towards an embedded project. The project is built on an RTOS, and the relevant middleware and applications are developed in C++.

The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time. This, in turn, increases the efficiency of the project as well as the team.

We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability.

The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion. 

It should be semi-flexible. However, this may be due to my limited experience.

The tool has good support for static analysis.