The main problem is that since it only parses the code, the warnings or the problems that are given as a result of the report can sometimes require a lot of effort to analyze. It will show all possible problems in the code. However, many are not actual problems. So you need to analyze and check if certain items flagged can lead to an actual problem or not. Since it's only static, it doesn't run the code itself and there's always a huge number of findings. You have to analyze all of them to know which ones can lead to actual problems.
Principal engineer at a manufacturing company with 10,001+ employees
Real User
Top 20
2023-05-10T09:39:00Z
May 10, 2023
Under NIST cybersecurity standards, we must address vulnerabilities within a specified time after discovering them. When we try to propagate those updates and fixes through the system, it would be nice if the clients could reconnect to the existing server or have the server dynamically updated in some way. I know that isn't easy, but maybe processes could be enhanced to make that more streamlined from a DevOps perspective. Maybe there could be a process by which the clients can update themselves as they reconnect to the new server when there's a new version available and install all of the tools currently within that installation environment.
Head of Customer Success at a tech services company with 51-200 employees
Real User
2022-10-20T10:18:48Z
Oct 20, 2022
This solution could be improved if they offered support of more languages including Ada and Golang. They currently only support seven languages. In a future release, we would like to have architecture management added.
Software Chief Engineer at a transportation company with 10,001+ employees
Real User
2019-11-21T10:01:00Z
Nov 21, 2019
There are many things that can be improved. The code used between projects is one of the very painful points in Klocwork. So if you are using code and the product is shared between projects, you have to analyze the different projects just to comment on whether it is good or to justify it in the different projects. And the solutions they provide for the issues are not fully correct. So the main issue is using the code between projects.
For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. We would also like a capability in the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues. For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included.
Specialist at a non-tech company with 5,001-10,000 employees
Real User
2019-06-11T11:10:00Z
Jun 11, 2019
Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. Without building the source code we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue, regarding code building, when compiling the report. I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long as it is clear. A presentational dashboard would be good.
Senior H.R - DevOps & Infrastructure Recruitment Consultant at Meteonic Innovation Pvt. Ltd.
Real User
2018-12-21T11:56:00Z
Dec 21, 2018
Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.
Software Solutions Engineer at Meteonic Innovation Pvt. Ltd.
User
2018-11-19T07:29:00Z
Nov 19, 2018
Not much as of now. But I am feeling Klocwork should support more languages like other static code analyzers do. Right now Klocwork only supports C, C++, Java, and C#.
It is not a panacea, because there is no tool that is a panacea. We bought Klocwork, but it was limited to one little program, and the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else. It is a terrible shame. Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward. I would like to have a tool developed by a vendor that picks out all of the NSA Juliet Test Suite cases, then is generous with the licensing. It might be expensive, but it is generous. Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.
Software Solutions Engineer at Meteonic Innovation Pvt. Ltd.
User
2018-07-12T05:12:00Z
Jul 12, 2018
Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.
Klocwork is a static code analysis toolkit that detects security, safety, and reliability issues in real time. It works alongside developers to find issues as early as possible, integrates with teams, and supports continuous integration and actionable reporting.
Klocwork has to improve its features to stay ahead of other free or low-cost solutions, like Visual Studio Code Analyzer.
I believe it should support more languages, such as Python and JavaScript. I would like to see dynamic analysis as well.
Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03.
It would be nice to consider having more language support ability. Currently Klocwork supports C/C++, Java and C# (Android*).