We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"The product is easy to use."
"The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."
"The security analysis features are the most valuable features of this solution."
"The most valuable feature is the integration with Jenkins."
"The app analysis is the most valuable feature as I know other solutions don't have that."
"It's pretty stable. I rate the stability of Coverity nine out of ten."
"We were very comfortable with the initial setup."
"This solution is easy to use."
"It's enabled us to improve software quality and help us to disseminate best practices."
"Before you even compile, it can catch known vulnerability issues or patterns."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
"Integrate it into the developers' workbench so that they can bench check their code against what will be done in the server-based audit version."
"The solution has a plug-in that supports both C and C++ languages."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"The good thing with SonarQube is it covers a lot of issues, it's a very robust framework."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."
"The product lacks sufficient customization options."
"The product should include more customization options. The analytics is not as deep as compared to SonarQube."
"Reporting engine needs to be more robust."
"We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
"Its price can be improved. Price is always an issue with Synopsys."
"There should be additional IDE support."
"Coverity could improve the ease of use. Sometimes things become difficult and you need to follow the guides from the website but the guides could be better."
"Monitoring is a feature that can be improved in the next version."
"We could use some team support, but since we are using the community version, it's not available."
"I find it is light on the security side."
"We have tens of millions of code to be analyzed and processed. There can be some performance degradation if we are applying Sonar Link to large code or code that is complex. When the code had to be analyzed is when we ran into the main issues. There were several routines involved to solve those performance issues but this process should be improved."
"There is no automation. You need to put the code there and test. You then pull the results and put them back in the development environment. There is no integration with the development environment. We would like it to be integrated with our development environment, which is basically the CI/CD pipeline or the IDE that we have."
"The product needs to integrate other security tools for security scanning."
"If I configure a project in SonarQube, it generates a token. When we're compiling our code with SonarQube, we have to provide the token for security reasons. If IP-based connectivity is established with the solution, the project should automatically be populated without providing any additional token. It will be easy to provide just the IP address. It currently supports this functionality, but it makes a different branch in the project dashboard. From the configuration and dashboard point of view, it should have some transformations. There can be dashboard integration so that we can configure the dashboard for different purposes."
"We also use Fortify, which is another tool to find security errors. Fortify is a better security tool. It is better than SonarQube in finding errors. Sometimes, SonarQube doesn't find some of the errors that Fortify is able to find. Fortify also has a community, which SonarQube doesn't have. Its installation is a little bit complex. We need to install a database, install the product, and specify the version of the database and the product. They can simplify the installation and make it easier. We use docker for the installation because it is easier to use. Its dashboard needs to be improved. It is not intuitive. It is hard to understand the interface, and it can be improved to provide a better user experience."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.