Unified View of Static Analysis and Dynamic Analysis Defects
"Good code analysis is like having a really smart friend look over you, understand your code, guide you, and help you avoid making mistakes as you develop software."
Coverity Static Analysis and Coverity Dynamic Analysis Integration
Coverity Integrity Manager provides the industry's first and only tightly-coupled integration between Coverity Static Analysis and Coverity Dynamic Analysis to further increase the accuracy of static analysis results and speed the dynamic detection of defects in your code.
Static analysis and dynamic analysis are complimentary techniques, as static analysis identifies a larger range of defects by traversing all possible execution paths, while dynamic analysis focuses on the paths that are exercised in test workloads. But both are necessary for Java applications, as dynamic analysis identifies concurrency defects that static analysis may miss given that certain errors can only occur at run-time.
By combining static analysis and dynamic analysis techniques together, it increases the accuracy and speed of defect detection to provide the most thorough analysis of race conditions, deadlocks, and resource leaks.
Centralized Management of Static and Dynamic Analysis Defects
By combining both Coverity Static Analysis and Coverity Dynamic Analysis results into a single view through the Coverity Integrity Manager interface, you can easily view and manage all Coverity-identified defects together. By viewing both static and dynamic analysis defects in one place, it increases the efficiency of the defect resolution process by fixing defects based upon their risk and impact, and provides visibility into defect status and trending across your entire project or product portfolio.
Defect Understanding, Prioritization, and Impact Mapping
"Explaining errors is often more difficult than finding them. A misunderstood explanation means the error is ignored or, worse, transmuted into a false positive."
- A Few Billion Lines of Code Later
When faced with 1,000s of defects, where do you start? For every defect discovered, Coverity Integrity Manager provides a clear explanation of the defect, the severity, and the impact to help you answer three important questions:
- Which defects are the most critical?
- Which defects do I fix first (or at all)?
- Which other projects and products are impacted by this defect?
With this visibility, developer efficiency is improved by spending less time on researching the defect, fixing the critical priority defects first, and reducing defect triage time by easily identifying all of the places the defect exists. Development managers and executives now have actionable information to make better fix/no fix decisions based upon impact to a single project, across all projects, across the product portfolio, and to the business, reducing the risk of schedule slips and quality issues across products.
Defect Description
Coverity Integrity Manager provides a description of the defect in plain English along with information on how it impacts your code or program.
Common Weakness Enumeration (CWE) Mapping
Through the Coverity Integrity Manager, we map every defect to the CWE specification, a community-developed defect dictionary, to gather defect information and get a better understanding of defect severity, identify what kind of exploits are found around that defect, and get potential fix guidance. This provides one-click access to a rich knowledge base of defect detail, taking the guess work out researching unfamiliar defects, and helping you identify the root cause faster.
Defect Navigation
This intuitive and precise navigation helps visualize the flow of the code with conditional statements. Navigation markers serve as guides around the code to understand defect context. Symbol highlighting helps to emphasize the occurrences, or uses, of the symbol in a given file and provides a way to navigate to the declaration or definition.
Inline Expansion of Function Calls
For interprocedural defects, you can expand function calls inline and understand the execution path for deeply nested events to get a comprehensive explanation of the defect, an impossible task during manual code reviews.
Checker Classification
This helps you easily prioritize defects by combining checkers into categories, such as crash-causing errors, security vulnerabilities, unexpected behavior, and performance degradation. The classification maps each checker into categories based upon how it manifests into issues, such as memory corruption, resource leaks, security best practices violations, and insecure handling of data, to name a few. These defect types are then prioritized based upon high, medium, and low impact, derived from Coverity's experience scanning millions of lines of open source code.
Source Code Navigation
This intuitive navigation helps you evaluate and understand the scope of the problem within the context of the rest of the source code, using the original files and directory structure.
Iterative Refinement of Filtering Criteria
An efficient way to get to the exact defect that needs to be analyzed, this allows you to build the filtering query incrementally to get feedback on partial results and then easily build or backtrack the filters as needed.
Project and Product Impact Mapping
Re-use of code is a standard practice in most development organizations today for efficiency purposes, but as codebases grow, code sharing and branching increases the complexity and difficulty of defect detection. With other solutions, you get a list of defects but no insight into the impact, the same defect will look like multiple defects, and piecing together the defect's impact to projects and products is a manual effort.
Coverity Integrity Manager provides the industry's first capability to automatically map the impact of a defect across the entire codebase, alerting you of the presence of a single defect in other projects and products that share code. It also allows you to visualize all of the code branches together so you can see the defects that matter to you.
The process of defect disposition becomes precise and manageable, as you can quickly identify the impact of a defect from one part of the code on the entire product portfolio. And what was before flagged as multiple defects is now considered a single defect, increasing efficiency to fix defects faster and increasing visibility to focus on addressing the high priority defects based upon impact.
Enterprise and Centralized Deployments
Coverity Integrity Manager is a highly scalable solution that supports enterprise-class and centralized deployments.
Enterprise Deployments
Coverity Integrity Manager was designed for large, global and agile development organizations, with a multi-tiered architecture consisting of enterprise-class infrastructure modules. It was designed specifically to support teams with hundreds of concurrent users needing formal separation of roles and access controls.
Centralized Deployments
Coverity Integrity Manager supports centralized deployments through consolidated reporting for better visibility into defect status across the product portfolio, shared defect triage information to increase developer efficiency, and role based access controls for segregation of duties.
Defect Reporting
Viewing and tracking defect history and resolution status at the branch level, the project level, and across projects is critical to make better decisions and measure developer productivity and quality improvement over time. In addition, you can use Coverity reports as a way to certify code quality--your code and third party code received from you software supply chain--to internal and external customers and audit teams.
Coverity Integrity Manager reporting allows you to answer three critical questions:
- Which defects have been fixed and have all critical defects been fixed?
- Have all instances of the defect across shared code been triaged and fixed (or not fixed)?
- What does my defect and quality trending look like by product, by release, by checker and defect type, and by user over time?
Metrics & Trending
Project managers can accurately track and monitor defect data to make educated decisions about where and how to invest resources. For every project and product, you can see metrics such as the number of total defects, number of outstanding defects, number of resolved defects, and defect density trending over time.
Dashboards
View a summarized graphical overview of the state of software integrity within and across projects and products. These customizable views can be shared among users, emailed with links or exported to Excel for cooperative decision making. Executives can get a precise view of the state of software integrity for each product, and each software component within it.
The main dashboard provides a graphical snapshot of the current profile of software defects, highlighting defect metrics, trends, and the top five new, outstanding, resolved, and fixed defects by user. The individual project dashboard outlines this information at a more granular level for project managers, team leads, and development managers.
