We just raised a $30M Series A: Read our story

Coverity OverviewUNIXBusinessApplication

Coverity is #10 ranked solution in application security tools. IT Central Station users give Coverity an average rating of 8 out of 10. Coverity is most commonly compared to SonarQube:Coverity vs SonarQube. Coverity is popular among the large enterprise segment, accounting for 74% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a computer software company, accounting for 30% of all views.
What is Coverity?

Coverity® gives you the speed, ease of use, accuracy, industry standards compliance, and scalability that you need to develop high-quality, secure applications. Coverity identifies critical software quality defects and security vulnerabilities in code as it’s written, early in the development process, when it’s least costly and easiest to fix. With the Code Sight™ integrated development environment (IDE) plugin, developers get accurate analysis in seconds in their IDE as they code. Precise actionable remediation advice and context-specific eLearning help your developers understand how to fix their prioritized issues quickly, without having to become security experts. 

Coverity seamlessly integrates automated security testing into your CI/CD pipelines and supports your existing development tools and workflows. Choose where and how to do your development: on-premises or in the cloud with the Polaris Software Integrity Platform™ (SaaS), a highly scalable, cloud-based application security platform. Coverity supports 22 languages and over 70 frameworks and templates.

Coverity was previously known as Synopsys Static Analysis.

Coverity Buyer's Guide

Download the Coverity Buyer's Guide including reviews and more. Updated: December 2021

Coverity Customers

MStar Semiconductor, Alcatel-Lucent

Coverity Video

Pricing Advice

What users are saying about Coverity pricing:
  • "The price is competitive with other solutions."
  • "Coverity is quite expensive."
  • "Coverity is very expensive."
  • "The licensing fees are based on the number of lines of code."
  • "It is expensive."

Coverity Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
SH
Security Consultant at a tech services company with 11-50 employees
Consultant
Top 20
Straightforward to install and reports few false positives, but it should be easier to specify your own validation and sanitation routines

Pros and Cons

  • "The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
  • "It should be easier to specify your own validation routines and sanitation routines."

What is our primary use case?

I am a consultant and I work to bring solutions to different companies. Static code analysis is one of the things that I assist people with, and Coverity is one of the tools that I use for doing that.

I worked with Coverity when doing a couple of different PoCs. For these, I get a few different teams of developers together and we want to decide what makes the most sense for each team as far as scanning technologies. So, part of that is what languages are supported, part of that is how extensible it is, and part of that extensibility is do the developers have time to actually create custom roles?

We also want to know things like what the professional are services like, and do people typically need many hours of professional services to get the system spun up. Other factors include whether it deployed on-premises or in the cloud, and also, which of those environments it can operate with.

One of the things is there's not really a shining star out of all of these tools. SaaS tools have been getting more mature in the past decade, particularly in how fast they run, but also in the results they get. Of course, framework and language additions that increase the capability with results are considered.

What is most valuable?

The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at.

What needs improvement?

It should be easier to specify your own validation routines and sanitation routines.

For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to login, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database. 

Well, what if I say my username is JavaScript calling alert hello. Now I've just entered JavaScript code as my username and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web.

Likewise, let's say you log in, and then it says, "Hello" Such and such. You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify a particular routine validates all of that, or this particular routine validates anytime we read data from a database, maybe an untrusted database.

So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator so to speak is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.

Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it.

The speed of Coverity can be improved, although that is true for any similar product.

What do I think about the stability of the solution?

It never crashed so stability has not been an issue.

What do I think about the scalability of the solution?

I have never used it for more than four relatively small to medium-sized projects at a time, so I've never needed to scale it.

How are customer service and technical support?

I have dealt with sales engineering, rather than technical support. They would sometimes provide a liaison to tech support if they didn't know the answer, but really, they guided us through the proof of concept and they knew that they were under a competitive evaluation against the other tools. They were able to resolve any issues that we came across and got us up and running fairly quickly, as far as I recall.

How was the initial setup?

Coverity is on the good side when it comes to setting it up. I think that it is pretty straightforward to get up and running.

What about the implementation team?

We implement Coverity on our own, with guidance from Coverity.

What's my experience with pricing, setup cost, and licensing?

The price is competitive with other solutions.

Which other solutions did I evaluate?

In addition to Coverity, I have experience with Checkmarx, Fortify, Veracode, and HCL AppScan, which was previously known as IBM AppScan.

Checkmarx is probably the most extensible and customizable of these products, and you're able to use the C# language to do so, which a lot of developers are familiar with.

HCL AppScan is another tool that has customization capabilities. They are not as powerful but they are easier to implement because you don't need to write any code.

I cannot give an endorsement for any particular one. They all have their merits and it just depends on the requirements. Generally, however, all of these tools are getting better.

What other advice do I have?

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their experience.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
VV
Senior Solutions Architect at a computer software company with 11-50 employees
Real User
Top 20
Broad integration capacity and works with more languages than some competitors

Pros and Cons

  • "One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited."
  • "Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."

What is our primary use case?

We write thousands of lines of code on a daily basis, and we cannot say that our code is free because there are a lot of other developers contributing to the source code and things like that. And this process is prone to human error, defects in the source code, etc.

How has it helped my organization?

To automate detection, we use Coverity's static analysis, which has a low false-positive ratio. That's because Coverity's analysis engine includes 20-plus patented technologies. A lot of other static analysis tools use pattern-based analysis, but Coverity's is flow based. That's why we ended up using it. Coverity is helping us identify some of the critical defects at the early stages of the development life cycle. So overall, it is giving us a greater ROI and making our application more mature and robust.

What is most valuable?

One of the most valuable features is Contributing Events. That particular feature helps the developer understand the root cause of a defect. So you can locate the starting point of the defect and figure out exactly how it is being exploited. So contributing Events lets you create that kind of a workflow. 

We also need a tool that works in an environment that isn't dependent on the built environment. You point it to a folder. Then the tool picks it up, runs the scan, and gives you the report. That feature is available in Coverity. So you don't have to rely upon build artifacts or developer artifacts. So these are the two key features we use daily, and we've gotten good results. 

What needs improvement?

Coverity's UI is the one thing that needs improvement. Technically speaking, it's doing an outstanding job otherwise. Also, they could reduce their executable size. Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker.

For how long have I used the solution?

I've been using it for the past two years.

What do I think about the stability of the solution?

This product has been in the industry for more than 30 years, so it's pretty robust.

How are customer service and support?

Coverity has a decent SLA. The moment you purchase the tool, you also get an SLA agreement with all the email support. They have email support, call support, as well as WebEx and Zoom sessions on demand. Of course, that depends on the nature of the technical issue. If it's simple, it can be resolved with a couple of email exchanges, but if it really needs some attention, they're happy to get on a call. They've even delivered some custom patches as well. 

Which solution did I use previously and why did I switch?

I used CodeSonar a few years back. Both tools have their advantages. In any static analysis tool, the first stage is the instrumentation of the source code. It'll try to capture the skeleton of your source code. So when I compare them based on the first phase alone, Coverity is far better than CodeSonar. 

They both use a similar technique, but CodeSonar uses up way more storage resources. For example, to scan a 1GB code base, CodeSonar generates more than 5GB of instrumented files for every 1GB of code base. In total, that is 6GB. Coverity generates 500MB extra on top of 1GB, so that equals 1.5GB all in. That's a huge difference. CodeStar would eat up my disc space and hardware resources when I used it, whereas Coverity is minimal. 

In terms of checkers, both CodeSonar and Coverity cover a good length and breadth, especially for C and C++ programming languages. But CodeSonar focuses only on four languages—C, C++, Java, and C#—only four programming languages, whereas Coverity supports more than 20-plus programming languages.

Also, the two are comparable with respect to their plugin offerings, but there are crucial differences. For example, CodeSonar only focuses on well-known integrations, like Jenkins and JIRA, but you cannot expect all customers to use the same tools. Coverity supports almost all CI/CD tools, including Jenkins and Bamboo. It also integrates with service providers like Azure DevOps Pipelines, AWS CodePipelines that CodeSonar hasn't added yet. The plugins are available in the marketplace, and you don't have to pay extra. You just have to download it from the marketplace, hook the plugin in your pipeline, and ready to use kind of approach. So these are some of the major use cases, three major use cases I would say when you compare apples to apples with CodeSonar and Coverity.

How was the initial setup?

Setting up Coverity is pretty simple. It comes with a normal executable. You just double click, follow the wizard, and complete the setup. It also have on screen instructions as well, which makes it pretty easy and cool. Deployment is a much broader question. It depends on how many projects you are trying to scan using Coverity and whether you are integrating this static analysis solution with your CI/CD setup, ID, bug tracking, etc. That all factors in to the total deployment time. So if we're talking about overall deployment, including bug tracking, integration, email notification, CI/CD integration, and everything, it took us 15 to 20 days to onboard 600 projects with 20 users, including all integration.

We don't have a lot of maintenance. There is a major release every quarter, and we get information on new upgrades, patches, and things like that. And we do have the option to not upgrade. The maintenance is mostly covered by the vendor itself, meaning they deliver the patches and upgrades on time. So I don't see that as a hurdle right now. It's been taken care of.

What's my experience with pricing, setup cost, and licensing?

I'm not sure about the licensing. My commercial team deals with that.

What other advice do I have?

I rate Coverity nine out of 10. It's a good choice. If you plan to use Coverity, you should read through the manual to really understand its settings. You have to tune the Coverity engine to get the best research and scalability out of it. A Coverity recently added some smart features that automatically compute the hardware requirements in your current machine. It automatically scales up. For example, it can detect how much multi-core CPU power it needs to run an analysis and how much memory is required, so it makes resources available for other applications running on the same machine. That intelligence has been built on. So initially, I recommend going over the fundamentals and fine-tuning it based on one's own requirements.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: December 2021.
555,358 professionals have used our research since 2012.
Nachu Subramanian
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments

Pros and Cons

  • "Coverity is quite stable and we haven’t had any issues or any downtime."
  • "I would like to see integration with popular IDEs, such as Eclipse."

What is our primary use case?

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

What is most valuable?

The most valuable feature is the ability to find vulnerabilities in our code.

What needs improvement?

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

For how long have I used the solution?

I have been working with Coverity for about eight months.

What do I think about the stability of the solution?

Coverity is quite stable and we haven’t had any issues or any downtime.

What do I think about the scalability of the solution?

We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.

How are customer service and technical support?

The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.

Which solution did I use previously and why did I switch?

We did not use another solution before Coverty, although in my previous company, I used Veracode.

We also use SonarQube for code analysis.

Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.

SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.

SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

How was the initial setup?

We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure.

It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.

What about the implementation team?

I had assistance from the vendor, Synopsys, during the deployment.

What's my experience with pricing, setup cost, and licensing?

Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users.

I believe that pricing based on the number of lines of codes is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.

What other advice do I have?

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys.

My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage.

The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AT
Sr. QA Engineer at a computer software company with 1-10 employees
Real User
Top 20
Good tech support but it doesn't report errors like it should

Pros and Cons

  • "I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
  • "Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."

What is our primary use case?

We use Coverity for static analysis of our code.

What needs improvement?

Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code. So either we are perfect, or the tool is missing something. 

For how long have I used the solution?

I've been using Coverity for a couple of years.

What do I think about the scalability of the solution?

I haven't had much experience trying to scale up Coverity. Only three people at our company work with it.

How are customer service and support?

I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be. They are on par with other tech support in terms of knowledge. However, their style of communication could use some improvement.

How was the initial setup?

Setting up Coverity is highly complex. The upgrade procedure is also pretty tough. We've had trouble with it on at least one occasion. When I went ahead with it, it destroyed the installation. I couldn't go back. So it's challenging to understand from the documentation. It seems like they tried to cover all possible topics in their manuals, so they ended up scratching the surface of everything in the world except for the particular practical items that I needed.

What's my experience with pricing, setup cost, and licensing?

Coverity is very expensive.

What other advice do I have?

I rate Coverity five out of 10, but it's tough for me to judge because we decided to purchase it based on one requirement that no other static analysis tool could satisfy. For that reason, we haven't tried anything else. So, let's make an analogy. Let's say I used Sony TVs my entire life, and someone comes up and says, "Hey, there is a new brand of TVs. What do you think of them? Do you think they are good?" How would I know? By comparison, SonarQube seems to be more feature-rich for a standard programming language, and it works with more continuous integration tools.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
SG
Senior Technical Specialist at a tech services company with 201-500 employees
Real User
Top 5
Integrates well with Jenkins and GitLab, and has helped us find errors before going into production

Pros and Cons

  • "The most valuable feature is the integration with Jenkins."
  • "Ideally, it would have a user-based license that does not have a restriction in the number of lines of code."

What is our primary use case?

We have a development team and we are using this product for static code analysis.

How has it helped my organization?

This product has definitely helped our organization. Based on what I have heard from the development team, they have found a lot of issues before code goes into production.

What is most valuable?

The most valuable feature is the integration with Jenkins. Jenkins can be used to automatically run it to perform the code analysis.

Integration with GitLab is helpful.

What needs improvement?

Coverity is too costly, which is why we are trying other tools. Ideally, it would have a user-based license that does not have a restriction in the number of lines of code.

For how long have I used the solution?

We have been using Coverity for between five and six years.

What do I think about the scalability of the solution?

Coverity is used across our entire organization.

How was the initial setup?

The initial setup in the Windows environment was straightforward. However, for Linux, it has some complexity.

What about the implementation team?

We have a separate team in the company that takes care of deployment. One person is enough for the task

What's my experience with pricing, setup cost, and licensing?

The licensing fees are based on the number of lines of code. We may not need more than five user licenses but with a restriction on the number of lines of code, for a small company the cost will shoot up.

Which other solutions did I evaluate?

Our license for Coverity has expired and we are in the process of exploring new static code analysis tools. Ideally, we would like to have one that is low-cost.

One of the products that I have downloaded a trial version for is SonarQube. At this point, I have only installed the Windows version but I plan on testing the Linux version, as well.

What other advice do I have?

In summary, this is a helpful product and the feedback that I have heard from the development team is good.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ML
Director at a manufacturing company with 10,001+ employees
Real User
Top 20
Stable, scalable, and provides reports about a lot of potential defects

Pros and Cons

  • "It provides reports about a lot of potential defects."
  • "Its price can be improved. Price is always an issue with Synopsys."

What is our primary use case?

We use it in our company during product development.

What is most valuable?

It provides reports about a lot of potential defects.

What needs improvement?

Its price can be improved. Price is always an issue with Synopsys.

For how long have I used the solution?

I have been using Coverity for about three or four years.

What do I think about the stability of the solution?

It has good stability.

What do I think about the scalability of the solution?

Its scalability is good. 

How are customer service and technical support?

They are professional and very responsible. They have a local FAE.

How was the initial setup?

It is not straightforward, but it is also not too complex. The learning curve needed for installing Coverity is okay.

What's my experience with pricing, setup cost, and licensing?

It is expensive.

What other advice do I have?

I would recommend this solution if you can afford it. If you have enough budget, it is one of the best solutions right now. There may be other cheaper solutions, but you get what you pay for.

We have been using Coverity for several years. We would not have continued using it if it was not a good solution. We always have some minor questions or improvements for them, and they always give us a relatively fast response.

I would rate Coverity a nine out of ten. Only its price should be improved.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Product Categories
Application Security
Buyer's Guide
Download our free Coverity Report and get advice and tips from experienced pros sharing their opinions.