Klocwork Pros and Cons

I like not having to dig through false positives. Chasing down a false positive can take anywhere from five minutes for a small easy one, then something that is complicated and goes through a whole bunch of different class cases, and it can take up to 45 minutes to an hour to find out if it is a false positive or not.

The ability to create custom checkers is a plus.

The tool helps the team to think beforehand about corner cases or potential bugs that might arise in real-time.

We like using the static analysis and code refactoring, which are very valuable because of our requirements to meet safety critical levels and reliability.

Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.

We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else.

I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc.

Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report.

The way to define the rules is too complex. The definition/rules for static analysis could be automated according to various SILs, so as to avoid confusion.