2018-03-02T15:50:00Z

What needs improvement with Coverity?


Please share with the community what you think needs improvement with Coverity.

What are its weaknesses? What would you like to see changed in a future version?

ITCS user
Guest
99 Answers

Top 20 Real User

Its price can be improved. Price is always an issue with Synopsys.

2020-10-30T18:48:21Z
Consultant

It should be easier to specify your own validation routines and sanitation routines. For example, if you have data coming into the application, perhaps something really simple like it's getting a parameter from a web page that is your username when you go to a website to log in, and then ultimately that's being consumed by something, the data goes through some business logic and then, let's say, it enters that username into a database. Well, what if I say my username is JavaScript calling alert hello? Now I've just entered JavaScript code as my username, and you should be able to sanitize that pretty easily with a number of different techniques to remove the actual executable code from what they entered on the login page. However, once you do that, you want the program to understand that you are doing it and then remove what looks like a true positive at first glance because, in fact, the data being consumed in the SQL exec statement is not unsanitized. It's not just coming from the web. Likewise, let's say you log in, and then it says, "Hello, such and such." You can inject JavaScript code there and have it be executed when it says hello. So basically the ability to say that this validates and then also, above and beyond that, this validates data coming from any GET parameter on the web. You should be able to specify that a particular routine validates all of that, or that this particular routine validates any time we read data from a database, maybe an untrusted database. So, if I reach for that data eight times and I say, "Hey," this validates it once, I also get the option to say it validates it the other seven times, or I could just say it's a universal validator. Obviously, a God validator, so to speak, is not a good practice because you're sure to miss some edge cases, but to have one routine validate three or four different occurrences is not rare and is often not a bad practice.
Another thing that Coverity needs to implement or improve is a graphical way to display the data. If you can see an actual graphical view of the data coming in, then it would be very useful. Let's say, the first node would be GET parameter from a webpage, and then it would be an arrow to another method like validate user ID, and then another method of GET data about the user. Next, that goes into the database, and so forth. When that's graphically displayed, then it is helpful for developers because they can better grab onto it. The speed of Coverity can be improved, although that is true for any similar product.

2020-09-30T08:03:31Z
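The sanitizer-declaration behaviour the review above asks for (declare a validator once, have every flow through it benefit, and render each flow as an arrow path) can be sketched as a toy taint analysis. This is an added illustration, not Coverity's model or API; the routine names and the two contexts ("sql" and "html") are constructed for the login example in the post.

```python
"""Toy taint analysis with per-context sanitizer declarations (added example, not Coverity's)."""
from dataclasses import dataclass

CONTEXTS = {"sql", "html"}  # the two sink contexts in the review's example


@dataclass(frozen=True)
class Routine:
    name: str
    role: str                            # "source", "sanitizer" or "sink"
    contexts: frozenset = frozenset()    # sanitizer: contexts it neutralises; sink: its context


# Constructed declarations. Declaring a routine once here covers every flow that passes
# through it, which is the "validate once, apply to the other seven reads" request.
ROUTINES = {r.name: r for r in [
    Routine("read_get_param", "source"),
    Routine("validate_user_id", "sanitizer", frozenset({"sql"})),        # SQL-aware check only
    Routine("escape_html", "sanitizer", frozenset({"html"})),
    # The "God validator": the tool trusts the declaration for every context, so any
    # context it does not really handle is silently missed, which is the review's caveat.
    Routine("god_validator", "sanitizer", frozenset(CONTEXTS)),
    Routine("db_exec", "sink", frozenset({"sql"})),
    Routine("render_hello", "sink", frozenset({"html"})),
]}


def analyze(flow):
    """Walk one dataflow path (list of routine names) and report on its sink."""
    tainted = set()     # contexts in which the value is still attacker-controlled
    cleaned_by = {}     # context -> sanitizer that neutralised it, for the report
    for name in flow:
        r = ROUTINES[name]
        if r.role == "source":
            tainted = set(CONTEXTS)              # untrusted in every context
        elif r.role == "sanitizer":
            for ctx in r.contexts & tainted:     # iterate over a copy, then mutate
                tainted.discard(ctx)
                cleaned_by[ctx] = name
        elif r.role == "sink":
            still = sorted(r.contexts & tainted)
            return {
                "path": " -> ".join(flow),       # the graphical arrow view the review wants
                "finding": f"tainted data reaches {name} in {still} context" if still else None,
                "cleared_by": {c: cleaned_by[c] for c in r.contexts if c in cleaned_by},
            }
    raise ValueError("flow never reaches a sink")


if __name__ == "__main__":
    for f in (["read_get_param", "validate_user_id", "db_exec"],
              ["read_get_param", "validate_user_id", "render_hello"],
              ["read_get_param", "god_validator", "render_hello"]):
        print(analyze(f))
```

The second flow shows why a SQL-only validator does not silence the "Hello, such and such" HTML sink, while the third shows that a routine declared universal suppresses the finding whether or not it actually handles that context.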
Top 5 Real User

Coverity is too costly, which is why we are trying other tools. Ideally, it would have a user-based license that does not have a restriction in the number of lines of code.

2020-09-23T06:10:04Z
Top 5 Leaderboard Real User

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

2020-04-02T07:00:09Z
Real User

The quality of the code needs improvement. They should develop better code. The interface, efficiency, and performance also need improvement, as well as the languages that it offers. It should have more language options. The user interface is not user-friendly.

2019-08-26T06:42:00Z
MSP

My personal opinion is that the web page of the last version of Coverity is not very easy to use. They've made some unnecessary changes and now I can't see all the analysis results or my status from when we started using the solution up to now. Because we have many components in the integration field, it is sometimes hard to find files of one specific component because we use relative paths. When I look at the components, they all look very similar. But that is just my personal opinion. I would also like to see a more user-friendly user interface and configuration. I can see the menu on the left, but it's a little different from the other tools that I use, though this is perhaps only a personal thing.

2019-08-22T05:49:00Z
Real User

* Ability to follow source file symlinks into the target location for issuing assignments through Git. Our current build environment uses symbolic links into the Git repo, and Coverity does not follow the link into the actual location of the source file to determine the Git author.
* Single API for all interactions. I am not a fan of using both SOAP and REST APIs, and Coverity offers a mix of functionality depending on the interface used. I would greatly prefer a full REST API with improved documentation for all actions, including issuing assignments, streaming, and project creation.

2019-04-09T17:59:00Z
Real User

They could improve the usability. For example, how you set things up, even though it's straightforward, could still be easier.

2019-03-11T07:21:00Z
Consultant

* Reporting engine needs to be more robust.
* Custom reporting is a must-have.
* Perhaps the availability of connectors to popular open source BI tools, such as BIRT, JasperReports, or Pentaho, may add value.

2018-03-02T15:50:00Z