Coverity Room for Improvement

Security Consultant at a tech services company with 11-50 employees
It should be easier to specify your own validation routines and sanitization routines. For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to log in, and then ultimately that's being consumed by something: the data goes through some business logic and then, let's say, it enters that username into a database. Well, what if I say my username is JavaScript calling alert hello? Now I've just entered JavaScript code as my username, and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web. Likewise, let's say you log in, and then it says, "Hello, such and such." You can inject JavaScript code there and have it be executed when it says hello. So basically, the ability to say that this validates, and then also, above and beyond that, that this validates data coming from any GET parameter on the web. You should be able to specify that a particular routine validates all of that, or that this particular routine validates any time we read data from a database, maybe an untrusted database. So, if I reach for that data eight times and I say, "Hey, this validates it once," I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator, so to speak, is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.
Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it. The speed of Coverity can be improved, although that is true for any similar product.
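The two points in the review above (declaring your own sanitizer so the analyzer stops reporting a finding for data that really is sanitized, and the risk of a "God validator" that is trusted for every sink) can be shown with a toy taint analysis. The following is an added example, not Coverity's own code or the reviewer's; the routine names (`get_param`, `sanitize_html`, `greet_user`, `insert_user`) and the linear flow are constructed for illustration. Sources, sanitizers and sinks are declared explicitly, a sanitizer clears taint only for the sink kind it is registered for, and the `render_flow` helper gives the text form of the data-flow graph the second paragraph asks for:

```python
import html
from dataclasses import dataclass


@dataclass
class Step:
    name: str       # hypothetical routine name in the analysed program
    role: str       # "source", "sanitizer" or "sink"
    kind: str = ""  # for sanitizers and sinks: "html" or "sql"


@dataclass
class Finding:
    sink: str       # sink routine reached by unsanitized data
    source: str     # the source that data came from
    kind: str       # sink kind that was not covered by a sanitizer


def sanitize_html(value: str) -> str:
    """Escape a value before echoing it into a page (the "Hello, <user>" case)."""
    return html.escape(value, quote=True)


def login_flow(with_sanitizer: bool = True) -> list:
    """Constructed flow for the login example: the username arrives as a GET
    parameter, optionally passes through the HTML sanitizer, is echoed back to
    the page, and is then written to the database."""
    flow = [Step("get_param('username')", "source")]
    if with_sanitizer:
        flow.append(Step("sanitize_html", "sanitizer", "html"))
    flow += [Step("greet_user", "sink", "html"), Step("insert_user", "sink", "sql")]
    return flow


def analyze(flow, universal_sanitizers=frozenset()):
    """Walk a linear flow and report every sink reached by data whose kind has
    not been cleared by a declared sanitizer. Routines named in
    universal_sanitizers are trusted for every sink kind (the "God validator")."""
    source = None
    cleared = set()
    findings = []
    for step in flow:
        if step.role == "source":
            source, cleared = step.name, set()
        elif step.role == "sanitizer":
            # A per-kind sanitizer clears only its own kind; a universal one clears all.
            cleared |= ({"html", "sql"} if step.name in universal_sanitizers else {step.kind})
        elif step.role == "sink" and source and step.kind not in cleared:
            findings.append(Finding(step.name, source, step.kind))
    return findings


def render_flow(flow) -> str:
    """Text rendering of the data-flow graph: node[role:kind] -> node[...] -> ..."""
    return " -> ".join(
        f"{s.name}[{s.role}{':' + s.kind if s.kind else ''}]" for s in flow
    )


if __name__ == "__main__":
    print(render_flow(login_flow()))
    print("no sanitizer declared:", analyze(login_flow(with_sanitizer=False)))
    print("html sanitizer declared:", analyze(login_flow()))
    print("God validator:", analyze(login_flow(), universal_sanitizers={"sanitize_html"}))
```

With no sanitizer declared both sinks are reported. Declaring `sanitize_html` for the `html` kind removes the finding on `greet_user`, which is the behaviour the reviewer wants, while the `insert_user` finding stays, because HTML escaping says nothing about SQL. Registering the same routine as universal silences that remaining finding too, which is exactly the missed edge case the reviewer warns about.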
Nachu Subramanian
Head of DevOps Engineering Center of Excellence at OCBC Bank
I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin, then developers could use it to find security issues while they are coding, because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.
Yantao Zhao
Software Integration Engineer at Thales Australia
My personal opinion is that the webpage of the last version of Coverity is not very easy to use. They've made some unnecessary changes, and now I can't see all the analysis results or my status from when we started using the solution up to now. Because we have many components in the integration field, it is sometimes hard to find the files of one specific component because we use relative paths. When I look at the components, they all look very similar. But that is just my personal opinion. I would also like to see a more user-friendly user interface and configuration. I can see the menu on the left, but it's a little different from the other tools that I use; this is perhaps only a personal thing.
Learn what your peers think about Coverity. Get advice and tips from experienced pros sharing their opinions. Updated: January 2021.
455,108 professionals have used our research since 2012.
Senior Technical Specialist at a tech services company with 201-500 employees
Coverity is too costly, which is why we are trying other tools. Ideally, it would have a user-based license that does not have a restriction in the number of lines of code.
Security Engineer at a comms service provider with 10,001+ employees
The quality of the code needs improvement. They should develop better code. The interface, efficiency, and performance also need improvement, as well as the languages that it offers. It should have more language options. The user interface is not user-friendly.
Director at a manufacturing company with 10,001+ employees
Its price can be improved. Price is always an issue with Synopsys.
Chief Specialist at a government with 501-1,000 employees
They could improve the usability. For example, how you set things up: even though it's straightforward, it could still be easier.
* Ability to follow source file symlinks into the target location for issuing assignments through Git. Our current build environment uses symbolic links into the Git repo, and Coverity does not follow the link into the actual location of the source file to determine the Git author.
* Single API for all interactions. I am not a fan of using both SOAP and REST APIs, and Coverity offers a mix of functionality depending on the interface used. I would greatly prefer a full REST API with improved documentation for all actions, including issuing assignments, streaming, and project creation.