Klocwork Review

Enables us to resolve violations but it needs integration with Agile DevOps and Agile methodologies

What is our primary use case?

I'm a product architect and belong to a classic management system team. We're a Klocwork customer. We have around 50-60 developers in the team, and I'm involved in the utilization of the tool and am familiar with its capability. We've just started using the latest version, which is the first one that's compatible with .NET framework 4.7.2. The previous version was not fully compatible with Visual Studio 2017.

In our case, the use is for static code analysis for each baseline in order to see what kind of violation we have.

Parallel to that, we use the results and apply some refactoring in order to solve this violation. For us, the violation is considered the highest priority according to our risk assessment model.

What needs improvement?

For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues.

For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included. 

For how long have I used the solution?

I've been using Klocwork since I joined the company over two years ago.

What do I think about the stability of the solution?

We consider it a stable product.

What do I think about the scalability of the solution?

I didn't have the chance to test it deeply.

How are customer service and technical support?

I haven't had direct contact with technical support. 

Which solution did I use previously and why did I switch?

Where I worked previously we used SonarQube. I have also used the Microsoft standard rule set by Visual Studio. 

How was the initial setup?

The initial setup is quite straightforward and the configuration from the client-side is also simple. The more difficult aspect relates to the definition of the rule sets. For instance, if we want to compare a list of rule sets coming from external sources other than Klocwork, we don't have native tools. We need to bring the profile list from Microsoft or from another static analysis tool or measuring tool and embed it inside Klocwork. The profiles need to be merged using Excel or something similar.

What about the implementation team?

They provide support and knowledge about the tool. So if we are not able to use a particular function, we ask the central team.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the financial or licensing aspect of the solution. 

What other advice do I have?

We use Klocwork in two different configurations, on-prem and cloud. Basically, we can summarize on-premises. We connect the client directly to the server on-premises remotely. But for certain products and features, we also use a local server that is on-premises but with different configurations. In this case, the server is deployed with some rule set and configured in a certain manner locally with the second option of redirecting the connection directly to our headquarters.

I would recommend the latest version. In the roadmap of the product, a lot of improvements have been made. We are currently on hold with moving over to this tool because of the license but once we're able to, we'll import our profiles from the previous version to the new one.

The previous version was not compatible with the .NET framework 4.7.2. It didn't fully consider the retargeting option of C++.

I would rate Klocwork seven out of ten.

Which version of this solution are you currently using?

Disclosure: I am a real user, and this review is based on my own experience and opinions.