Coverity

By Synopsys

Coverity Reviews & Product Details

Coverity Product Details

Value at a Glance

Averages based on real user reviews.

Time to Implement

5 months

Perceived Cost

$$$$$

Coverity Reviews (55)

4.2
55 reviews

Flash S.
Senior Compiler Test Engineer
Mid-Market (51-1000 emp.)
"Used to be wonderful for finding C++ bugs"
What do you like best about Coverity?

Sometimes finds breathtaking C++ out of bounds memory writes. Review collected by and hosted on G2.com.

What do you dislike about Coverity?

Little progress since the 2010s; languages other than C/C++ extremely weak. Useless support since takeover by Synopsys.

Deepti S.
5G Software Developer 2
Enterprise (> 1000 emp.)
"Optimized code with Coverity tool"
What do you like best about Coverity?

I love how the Coverity tool by Synopsys can detect issues in the code and thus provides a way to make your code way more optimized.

What do you dislike about Coverity?

I dislike that sometimes there are false positive issues for which there is no perfect fix, but Coverity indicates it as a bug. But there is always a way to declare that false positive, and it's good enough.

Verified User in Information Technology and Services
Mid-Market (51-1000 emp.)
"Tool which is the best for the static analysis"
What do you like best about Coverity?

It has very capable and promising features which allow a user to debug and analyze the code for faster run times. I have used this tool in my project.

The quality of product support is awesome; they actually helped me a lot, which reduces time and effort and makes my code best.

What do you dislike about Coverity?

It has some bugs to fix but can find the solutions for it because of their product support.

Verified User in Computer Software
Enterprise (> 1000 emp.)
"Coverity SAST Review"
What do you like best about Coverity?

We use the Coverity Static Analysis tool for security scans of C/C++ server code.

Coverity has a higher detection rate, as we rely heavily on this code scan for our application code.

We had seamlessly integrated this SAST tool (Coverity) into our CI/CD pipeline, and the vulnerabilities were notified to the respective developer via mail.

It provides a mechanism to audit the findings and mark false positives in an efficient way.

Support for several languages is another factor that stands out well when compared to other tools.

The time it takes to scan huge code lines is significantly faster compared to other tools.

What do you dislike about Coverity?

However, there are some improvement points which I thought I should highlight to make this tool even better for the end users.

strzcpy vs. NULL_STRING

Coverity does not recognize that strzcpy adds a terminating \x00.

ab_pfetch*

On Windows we currently have many OVERRUN false positives.

bsearch on fixed width table vs. Literal

Coverity’s model for bsearch assumes that bsearch accesses the key on the full width of the key. If bsearch is given a fixed (max) size table, and say strcmp as compare function, then in reality when bsearch is called with a small literal as key, then all is good. Alas Coverity thinks that bsearch will read beyond the end of the literal, even though strcmp will not.

NO_EFFECT on var_arg

On Windows we currently have a NO_EFFECT warning on all uses of va_args.

TAINTED_SCALAR

Coverity to warn for uses of tainted data, data that might be controlled by an attacker. This may lead to data corruption, code injection,...

When possible Coverity reports additional defects describing the dangerous use of the tainted data INTEGER_OVERFLOW.

RW.LITERAL_OPERATOR_NOT_FOUND on printf with TEL_Format

When using TEL defined format such as TEL_Flpu, TEL_Fsu, TEL_Fpid ,... Coverity sometimes requires a space before the 'T' from TEL_Fxxx.

TAINTED_STRING

Coverity to warn for uses of tainted data, data that might be controlled by an attacker. This may lead to data corruption, code injection, SQL injection, directory traversal,

PW.PRINTF_ARG_MISMATCH - * precision or * size vs. size_t or ptrdiff_t parameters

64 bits builds or scans - The C-Standard states that the * precision or size are of type int. This is generally 4 bytes. On 64 bits builds size_t and ptrdiff_t are 8 bytes.

If I had submitted a fix yesterday, today’s Coverity Connect continues to report the defect.
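
The `*` precision point in the review above, as an added C example (not part of the review and not Coverity's own code): on a 64-bit build a `size_t` length has to be converted to the `int` that `*` consumes before it reaches `printf`. The helper names `precision_from_size` and `format_field` and the sample field are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert a size_t length to the int that a '*' precision or width requires.
   Clamp instead of truncating, so a huge value cannot wrap to a negative
   precision (which printf treats as "precision omitted"). */
static int precision_from_size(size_t n)
{
    return n > (size_t)INT_MAX ? INT_MAX : (int)n;
}

/* Format at most `len` bytes of a buffer that may lack a terminating NUL.
   Returns the number of characters written (excluding the NUL), or -1 if
   formatting failed or the output did not fit. */
int format_field(char *out, size_t out_size, const char *buf, size_t len)
{
    /* Mismatched form, the kind of call flagged on 64-bit builds:
         snprintf(out, out_size, "[%.*s]", len, buf);
       `len` is 8 bytes there, but '*' reads an int from the argument list. */
    int n = snprintf(out, out_size, "[%.*s]", precision_from_size(len), buf);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample: a 5-byte field with no terminating NUL. */
    const char raw[5] = { 'a', 'l', 'i', 'c', 'e' };
    char out[32];

    if (format_field(out, sizeof out, raw, sizeof raw) > 0)
        puts(out);
    return 0;
}
```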

Viraj P.
Associate Lead - Application Security Engineer
Mid-Market (51-1000 emp.)
"A SAST which supports multiple languages and platforms."
What do you like best about Coverity?

Assigning issues to users is simply easy and fewer false positives.

What do you dislike about Coverity?

Reporting portion and for results it takes more time than other solutions.

Verified User in Computer Software
Enterprise (> 1000 emp.)
"Promising tool of future- static code analysis tool"
What do you like best about Coverity?

Helps development and security teams address security and quality defects early in the software development life cycle (SDLC),

The best thing about Coverity is that it is highly accurate, supports thousands of developers, and quickly analyzes large projects exceeding 100 million lines of code.

What do you dislike about Coverity?

A few pointers that definitely need improvement would be resource leaks, dereferences of NULL pointers, and incorrect usage of APIs.

Nikhil D.
Software Engineer
Enterprise (> 1000 emp.)
"Easy to use for Coverity fixes"
What do you like best about Coverity?

Its user-friendly UI. It is easy to browse code using Coverity, and it also briefly describes the issue.

What do you dislike about Coverity?

I was facing issues in categorising the Coverity issues.

Sumit K.
Software Engineer
Enterprise (> 1000 emp.)
"Coverity is an excellent tool from Synopsys."
What do you like best about Coverity?

It is easy to use the tool. And helps to find any issue that is overlooked in manual review.

What do you dislike about Coverity?

The tool is pretty good. It is easy to set up with proper guidelines.

Swarup A.
Project Manager
Enterprise (> 1000 emp.)
"An amazing tool for static analysis - used this extensively during my tenure at STMicroelectronics"
What do you like best about Coverity?

Excellent User Interface and server-side features. The Coverity support team is also very responsive.

What do you dislike about Coverity?

I did not find any such attribute during my experience.

Verified User in Automotive
Mid-Market (51-1000 emp.)
"Very convenient and user friendly tool for software engineering"
What do you like best about Coverity?

Ease with which we can produce highly scalable software and address security issues.

What do you dislike about Coverity?

Coverity tool can update to provide more content to its customers.

Coverity Comparisons

SonarQube
Checkmarx
Klocwork

Coverity Features
API / Integrations
Extensibility
Reporting and Analytics
Issue Tracking
Static Code Analysis
Command-Line Tools
Test Automation
Compliance Testing