Please share with the community what you think needs improvement with Klocwork.
What are its weaknesses? What would you like to see changed in a future version?
There are many things that can be improved. The code used between projects is one of the very painful points in Klocwork. So if you are using a code and the product is shared between projects, you have to analyze the different projects just to comment if it is good or to justify it in the different projects. And the solutions they provide for the issues, are not fully correct. So this is the main issue is using the code between projects.
For an improved product, we'd like to see integration with Agile DevOps and Agile methodologies. Some capability of the tool that allows us to trigger the status analysis report based on actions like regular builds. We would like to have better integration with Microsoft Agile DevOps tools. This would save us a lot of time. In addition, we also sometimes experience issues with false-positive detections - phantom issues. For the previous version, we realized it wasn't possible to have a quick dashboard for the number of violations. A feature like business intelligence or code coverage could be included.
Now the only issue we have is that whenever we need to get the code we have to build it first. Then we can get the report. Without building the source code we have to get the static code and the source code. That's what we are looking into. It would be better if they could provide a solution for this issue, regarding code building, when compiling the report. I would like to see a dashboard added to provide a clear look and feel. The dashboard would then supplement the users to enable them to get a quick view of the content, as long is it is clear. A presentational dashboard would be good.
Support for AUTOSAR C++14 by adding a new taxonomy that you can use to ensure compliance with the AUTOSAR C++14 Standard, release 18-03.
Nothing much as of now. I feel Klocwork is going in a great way. The one thing I personally feel is that Klocwork must increase their support to some other languages.
Not much as of now. But I am feeling Klocwork should support more number of languages like other static code analyzers do. Right now Klocwork has supportability available only to C, C++, Java, and C#.
It is not a panacea, because there is no tool that is a panacea. We bought Klocwork, but it was limited to one little program, but the program is now sort of failing. So, we have a license for usage on a program that is sort of failing, and we really can't use the license on anything else. It is a terrrible shame. Klocwork is still tight on their licensing. If Klocwork would loosen up on the licensing, and where the license could be used, and how many different programs could be run on it, then we have several development programs that I would love to be able to use it for going forward. I would like to have a tool developed by a vendor that picks out all of the NSA Juliet Test Suite cases, then is generous with the licensing. It might be expensive, but it is generous. Klocwork does have a problem with true positives. It only found 30% of true positives in the Juliet test case.
Nothing as of now. I hope that in each new release they add new features relating to the addition of checkers, improving their analysis engines etc. In the near future I will discuss additional features that need to be added.
It would be nice to consider having more language support ability. Currently Klocwork supports C/C++, Java and C#, (Android*)
What are the OWASP Top 10 this year?
What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?
Let the community know what you think. Share your opinions now!