We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"It has the lowest false positives."
"I like Coverity's capability to scan codes once we push it. We don't need more time to review our colleagues' codes. Its UI is pretty straightforward."
"Provides software security, and helps to find potential security bugs or defects."
"The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
"The product is easy to use."
"The product has deeper scanning capabilities."
"The security analysis features are the most valuable features of this solution."
"The app analysis is the most valuable feature as I know other solutions don't have that."
"We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"We can create a Quality Gate in order to fail Jenkins jobs where the code coverage is lower than the set percentage."
"Engineers have also learned from the results and have improved themselves as engineers. This will help them with their careers."
"The static code analysis is very good."
"It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition."
"SonarQube is designed well making it easy to use, simple to identify issues and find solutions to problems."
"The solution could use more rules."
"Sometimes it's a bit hard to figure out how to use the product’s UI."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."
"The quality of the code needs improvement."
"Some features are not performing well, like duplicate detection and switch case situations."
"We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue because the issue is not an issue. I mean, the tool pauses or an issue, but the same issue is the filter now.Some check checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our Checker. The Modelling feature provided by Coverity helps in finding more information for potential issues but it is not mature enough, it should be mature. The fast testing feature for security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."
"The solution is a bit complex to use in comparison to other products that have many plugins."
"The tool needs to improve its reporting."
"I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it."
"Their dashboarding is very limited. They can improve their dashboards for multiple areas, such as security review, maintainability, etc. They have all this information, so they should publish all this information on the dashboard so that the users can view the summary and then analyze it further. This is something that I would like to see in the next version."
"We're in the process of figuring out how to automate the workflow for QA audit controls on it. I think that's perhaps an area that we could use some buffing. We're a Kubernetes shop, so there are some things that aren't direct fits, which we're struggling with on the component Docker side. But nothing major."
"There are limitations to the free version that limit development options as far as languages."
"You may need to purchase add-ons to get the useability you desire."
"There isn't a very good enterprise report."
"The scanning part could be improved in SonarQube. We have used Coverity for scanning, and we have the critical issues reported by Coverity. When we used SonarQube for scanning and looked at the results, it seems that some of them have incorrect input. This part can be improved for C and C++ languages."
"I would like to see more options for security, beyond the basics like SQL injection."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.