Best of Breed Analysis Engine
"Good code analysis is like having a really smart friend look over your shoulder, understand your code, guide you, and help you avoid making mistakes as you develop software."
Coverity Static Analysis leverages innovative, sophisticated and patented techniques to help you find bugs that are difficult, if not impossible, to find by other means. With the most accurate analysis engine on the market, Coverity Static Analysis provides the lowest false positive rate in the industry.
Why is Coverity's analysis engine unique? It understands and thinks about your code like a person would, not a machine. How does it do this?
- Breadth of coverage: it looks for many different types of defects in your code and looks for the same problem in multiple ways.
- Coding behavior: it takes the developer's coding behavior and intent into consideration, understanding what you meant to say, not what you said.
- Continuous tuning: it leverages all of the information collected from scanning trillions of lines of code from commercial customers and the open source community to tune the analysis engine.
This guidance helps you quickly find what happened and where it happened so you can save time, fix more bugs faster, and improve your coding skills.
100% Code Coverage
Coverity Static Analysis provides the deepest level of granularity to help find every bug, across every line of code, with evidence of existence, and without the need to build any test cases. It even exposes unreachable areas of the code due to logic errors.
Boolean Satisfiability (SAT Solver)
This innovative technology suppresses defects that could not possibly occur by evaluating path conditions and pruning out infeasible paths, providing a low false positive rate without trading off false negatives.
Interprocedural Analysis
Many errors can only be found by crossing function boundaries. This analysis technique looks at all of the functions in context to find the defect, goes to an infinite number of levels deep to tell you where the problem is, and shows you the exact location in the code that was analyzed to provide evidence of the problem.
Statistical Analysis and Programmer Intent
This Coverity patented technique looks for patterns in how the code is written and reports when there is a deviation from the pattern. The analysis engine recognizes programmer intent, not just code semantics, by following the developer's own behavior across the codebase.
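The pattern-and-deviation idea above, as an added illustration that is not Coverity's code: a small checker infers, per callee, whether developers usually null-check its return value, and flags only the minority of call sites that skip that check once the convention is strong enough to trust. The sample source and all thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: six C-like call sites, not taken from any real codebase.
SAMPLE = """\
p = lookup(a); if (p == NULL) return -1; use(p);
q = lookup(b); if (!q) goto fail; use(q);
r = lookup(c); if (r == NULL) return -1; use(r);
s = lookup(d); use(s);
t = lookup(e); if (t != NULL) use(t);
n = count(x); total += n;
"""

CALL_RE = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*\(")

def is_null_checked(var, line):
    """Heuristic: the result counts as checked if the same line compares it
    against NULL or negates it (if (!p))."""
    v = re.escape(var)
    return re.search(rf"\b{v}\b\s*[!=]=\s*NULL|!\s*{v}\b", line) is not None

def collect_call_sites(source):
    """Return {callee: [(line_no, var, checked), ...]} for each 'var = callee(...)' line."""
    sites = defaultdict(list)
    for no, line in enumerate(source.splitlines(), start=1):
        m = CALL_RE.match(line)
        if m:
            var, callee = m.groups()
            sites[callee].append((no, var, is_null_checked(var, line)))
    return sites

def find_deviations(source, min_sites=3, min_ratio=0.75):
    """Flag call sites that skip a check most other sites for that callee perform.
    A convention is trusted only with at least min_sites observations of which
    at least min_ratio check; otherwise the checker stays silent rather than guess."""
    findings = []
    for callee, entries in collect_call_sites(source).items():
        if len(entries) < min_sites:
            continue  # too few observations to infer intent
        ratio = sum(1 for _, _, checked in entries if checked) / len(entries)
        if ratio < min_ratio:
            continue  # no strong convention, so a missing check is not a deviation
        findings.extend((no, callee, var) for no, var, checked in entries if not checked)
    return findings
```

On the sample, lookup() is checked at four of five sites, so only the unchecked use on line 4 is reported; count() has a single site and yields no inference at all.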
Defect Understanding, Prioritization, and Impact Mapping
"Explaining errors is often more difficult than finding them. A misunderstood explanation means the error is ignored or, worse, transmuted into a false positive."
- from "A Few Billion Lines of Code Later"
When faced with 1,000s of defects, where do you start? For every defect discovered, Coverity Static Analysis provides a clear explanation of the defect, the severity, and the impact to help you answer three important questions:
- Which defects are the most critical?
- Which defects do I fix first (or at all)?
- Which other projects and products are impacted by this defect?
With this visibility, developer efficiency improves: less time is spent researching each defect, the critical priority defects are fixed first, and triage time drops because every place the defect exists is easily identified. Development managers and executives have actionable information to make better fix/no fix decisions based upon impact to a single project, across all projects, across the product portfolio, and to the business, reducing the risk of schedule slips and quality issues across products.
Defect Description
Coverity Static Analysis provides a description of the defect in plain English along with information on how it impacts your code or program.
Common Weakness Enumeration (CWE) Mapping
Coverity Static Analysis is the first solution to provide a link to the CWE specification, a community-developed defect dictionary, so you can gather defect information, better understand defect severity, identify what kinds of exploits are associated with that defect, and get potential fix guidance. This provides one-click access to a rich knowledge base of defect detail, taking the guesswork out of researching unfamiliar defects and helping you identify the root cause faster.
Defect Navigation
This intuitive and precise navigation helps visualize the flow of the code with conditional statements. Navigation markers serve as guides around the code to understand defect context. Symbol highlighting helps to emphasize the occurrences, or uses, of the symbol in a given file and provides a way to navigate to the declaration or definition.
Inline Expansion of Function Calls
For interprocedural defects, you can expand function calls inline and understand the execution path for deeply nested events to get a comprehensive explanation of the defect, an impossible task during manual code reviews.
Checker Classification
This helps you easily prioritize defects by combining checkers into categories, such as crash-causing errors, security vulnerabilities, unexpected behavior, and performance degradation. The classification maps each checker into categories based upon how it manifests as an issue, such as memory corruption, resource leaks, security best practice violations, and insecure handling of data, to name a few. These defect types are then prioritized as high, medium, or low impact, derived from Coverity's experience scanning millions of lines of open source code.
Source Code Navigation
This intuitive navigation helps you evaluate and understand the scope of the problem within the context of the rest of the source code, using the original files and directory structure.
Iterative Refinement of Filtering Criteria
An efficient way to get to the exact defect that needs to be analyzed, this allows you to build the filtering query incrementally to get feedback on partial results and then easily build or backtrack the filters as needed.
Project and Product Impact Mapping
Re-use of code is a standard practice in most development organizations today for efficiency purposes, but as codebases grow, code sharing and branching increase the complexity and difficulty of defect detection. With other solutions, you get a list of defects but no insight into the impact: the same defect looks like multiple defects, and piecing together its impact on projects and products is a manual effort.
Coverity Static Analysis provides the industry's first capability to automatically map the impact of a defect across the entire codebase, alerting you of the presence of a single defect in other projects and products that share code. It also allows you to visualize all of the code branches together so you can see the defects that matter to you.
The process of defect disposition becomes precise and manageable, as you can quickly identify the impact of a defect from one part of the code on the entire product portfolio. And what was before flagged as multiple defects is now considered a single defect, increasing efficiency to fix defects faster and increasing visibility to focus on addressing the high priority defects based upon impact.
Ease of Use and Flexibility
Coverity Static Analysis is suitable for enterprise deployments, scaling to large, complex codebases (10 million+ lines of code), with no impact on the central build environment. Coverity Static Analysis also enables local analysis to clean your code before check-in.
Desktop Analysis
Coverity Static Analysis can easily be used within your own development environment. Developers using Eclipse and Visual Studio IDEs can analyze, triage, and repair their defects prior to checking in code to the nightly build.
Customizable Analysis
Fine tune your analysis by modifying either the number of checkers deployed, or the settings specific to an individual checker. The ability to configure Coverity Static Analysis for a particular code block, or application, allows you to select the level of performance most appropriate for your application, and leads to more accurate and reliable results.
Coverity Static Analysis Software Development Kit (SDK)
Formerly known as Extend, the Coverity Static Analysis SDK allows you to write custom checkers to meet the unique needs of your codebase.
Defect Reporting
Viewing and tracking defect history and resolution status at the branch level, the project level, and across projects is critical to making better decisions and measuring developer productivity and quality improvement over time. In addition, you can use Coverity Static Analysis reports as a way to certify code quality (your own code and third party code received from your software supply chain) to internal and external customers and audit teams.
As shown through Coverity Integrity Manager, Coverity Static Analysis' defect reporting allows you to answer three critical questions:
- Which defects have been fixed and have all critical defects been fixed?
- Have all instances of the defect across shared code been triaged and fixed (or not fixed)?
- What does my defect and quality trending look like by product, by release, by checker and defect type, and by user over time?
Metrics & Trending
Project managers can accurately track and monitor defect data to make educated decisions about where and how to invest resources. For every project and product, you can see metrics such as the number of total defects, number of outstanding defects, number of resolved defects, and defect density trending over time.
Dashboards
View a summarized graphical overview of the state of software integrity within and across projects and products. These customizable views can be shared among users, emailed with links or exported to Excel for cooperative decision making. Executives can get a precise view of the state of software integrity for each product, and each software component within it.
The main dashboard provides a graphical snapshot of the current profile of software defects, highlighting defect metrics, trends, and the top five new, outstanding, resolved, and fixed defects by user. The individual project dashboard outlines this information at a more granular level for project managers, team leads, and development managers.
Coverity Software Integrity Rating Report
The Coverity Software Integrity Rating provides an objective standard by which to measure the software integrity of codebases, projects, and products in your entire software supply chain against industry averages. The Coverity Software Integrity Rating report provides an initial rating based on data collected from Coverity Static Analysis.
A Coverity customer interested in certifying their ratings can submit this report for assessment, and if the Coverity Integrity Rating Program Requirements are met, Coverity will issue a Coverity Integrity Seal to mark the integrity level achieved for that codebase, project, or product. Visit the Software Integrity Rating program page for more information.