It was difficult for us to have a rule since we sometimes have an issue based on the rules we apply. I don't know if it's an issue with the MISRA rule or how CodeSonar applies rules. However, it was difficult for us to apply a rule, especially to a part of the code, and not apply it to the rest of the code. It's tricky to understand exactly how CodeSonar is analyzing the code. Basically, making rules not to be applied everywhere in the code is tricky.

The initial setup is difficult. 

It was expensive.

In terms of areas for improvement, the use case for CodeSonar was good, but compared to other tools, it seems CodeSonar isn't a sound static analysis tool, and this is a major con I've seen from it.

Right now, in the market, people prefer sound static analysis tools, so I would have preferred if CodeSonar was developed into a sound static analysis tool formally, in terms of its algorithms, so then you can see it extensively used in the market because at the moment, here in India, only fifty to sixty customers use CodeSonar. If the product is developed into a sound static analysis tool, it could compete with Polyspace, and from its current fifty customers, that number could go up to a hundred.

It would be beneficial for the solution to include code standards and additional functionality for security. A higher emphasis is currently placed on quality defects than on security items. 

I am from the embedded domain, in which typically, our code works on the hardware. We follow a standard called MISRA guidelines. The MISRA guidelines were not appropriately reported. There were some flags or errors. I was working on C++ code and there were certain class categories, which were C standards, and were being reported in C++, where C++ is a higher-level language, some of those may not even be applicable in the latest C++ version that we had. The reporting could improve to make the solution better.

In a future release, the solution should upgrade itself to the current trends and differentiate between the languages. If there are any classifications that can be set for these programming languages that would be helpful rather than having everything in the generic category.

Our license model allows one user per license. Currently, we have limitations for VPN profiles. We can’t share the key with other users. There could be a shared licensing model for the users. It will be very beneficial for a large company site.

CodeSonar could improve by having better coding rules so we did not have to use another solution, such as MISRA C.

The scanning tool for core architecture could be improved. The core complex is something that we really need to analyze, but the complex feature as a whole is not present in the tool.

I would like CodeSonar to support many other programming languages, apart from C and C++. They should support things like AngularJS and Node.js, which are trending in the market right now.