Best of Breed Analysis Engine
Coverity Static Analysis leverages the most innovative, sophisticated and patented techniques to help you find defects in your code that are difficult, if not impossible, to find by other means. With the most accurate analysis engine on the market, Coverity Static Analysis provides the lowest false positive rate in the industry.
The Coverity analysis engine is unique because it understands and thinks about code like a person would, not a machine. How does it do this?
- Breadth of coverage: it looks for many different types of defects in your code and looks for the same problem in multiple ways.
- Coding behavior: it takes the developer's coding behavior and intent into consideration, understanding what you meant to say, not what you said.
- Continuous tuning: it leverages all of the information collected from scanning trillions of lines of code from commercial customers and the open source community to tune the analysis engine.
This sophisticated guidance helps you quickly find what happened and where it happened so you can save time, fix more defects faster and get back to your core task of developing code.
100% Code Coverage
Coverity Static Analysis provides the deepest level of granularity. It looks for hidden defects in every line of code without the need to build any test cases. It even exposes areas of the code that logic errors have made unreachable.
Boolean Satisfiability (SAT Solver)
This innovative technology uses a SAT solver to decide which execution paths are infeasible and prunes them, suppressing reports of defects that could never occur at run time. The result is a low false positive rate without trading off false negatives.
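The path-pruning idea can be shown with a small added example (not Coverity code and not its algorithm). A path-insensitive checker would report a NULL dereference whenever a pointer may be NULL on one branch and is dereferenced on another; the feasibility check below asks whether the conjunction of branch conditions on that path can actually be satisfied and drops the report if it cannot. The snippet, the variable names and the interval-based feasibility check are all assumptions made for the illustration; a real engine feeds the path conditions to a SAT solver instead of the hand-rolled check used here.

```python
from collections import defaultdict

# Constructed C snippet that the example reasons about (assumption, not real code):
#
#     char *p = NULL;
#     if (x > 10) p = buf;          /* p is still NULL on the x <= 10 branch   */
#     if (x > GUARD) use(*p);       /* dereference guarded by x > GUARD        */
#
# Each path constraint is (variable, operator, integer constant).

OPS = {"<", "<=", ">", ">=", "==", "!="}


def feasible(constraints):
    """Return True if some integer assignment satisfies every constraint.

    Only single-variable comparisons against constants are handled, so an
    interval per variable plus a set of excluded values is exact here. A SAT
    or SMT solver generalises this to arbitrary boolean path conditions.
    """
    lo = defaultdict(lambda: float("-inf"))
    hi = defaultdict(lambda: float("inf"))
    excluded = defaultdict(set)
    for var, op, c in constraints:
        if op not in OPS:
            raise ValueError(f"unsupported operator {op!r}")
        if op == "<":
            hi[var] = min(hi[var], c - 1)
        elif op == "<=":
            hi[var] = min(hi[var], c)
        elif op == ">":
            lo[var] = max(lo[var], c + 1)
        elif op == ">=":
            lo[var] = max(lo[var], c)
        elif op == "==":
            lo[var] = max(lo[var], c)
            hi[var] = min(hi[var], c)
        else:  # "!="
            excluded[var].add(c)
    for var in set(lo) | set(hi) | set(excluded):
        if lo[var] > hi[var]:
            return False  # empty interval
        # Excluded values that fall inside the interval may exhaust it entirely.
        inside = sum(1 for e in excluded[var] if lo[var] <= e <= hi[var])
        if hi[var] - lo[var] + 1 <= inside:
            return False
    return True


def null_deref_candidates(guard):
    """Path-insensitive view of the snippet: the one path on which p is NULL
    (x <= 10 branch taken) and then dereferenced (x > guard branch taken)."""
    return [{"site": "use(*p)",
             "constraints": [("x", "<=", 10), ("x", ">", guard)]}]


def prune_infeasible(candidates):
    """Keep only candidate defects whose path conditions are satisfiable."""
    return [c for c in candidates if feasible(c["constraints"])]


if __name__ == "__main__":
    # GUARD = 20: x <= 10 and x > 20 cannot both hold, so the report is dropped.
    print("guard 20:", prune_infeasible(null_deref_candidates(20)))
    # GUARD = 5: x = 6..10 reaches the dereference with p == NULL, so it is kept.
    print("guard 5: ", prune_infeasible(null_deref_candidates(5)))
```

The interesting case is the first one: without the feasibility check both programs produce the same report, and a developer reviewing the first would mark it a false positive. Pruning on path conditions removes it while keeping the second, which is a real defect.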
Interprocedural Analysis
Many errors can only be found by crossing function boundaries. This analysis technique looks at all of the functions in context to find the defect, follows call chains to any depth to tell you where the problem is, and shows you the exact location in the code that was analyzed to provide evidence of the problem.
Statistical Analysis and Programmer Intent
This Coverity patented technique looks for patterns in how the code is written and reports the places that deviate from the pattern. In this way the analysis engine recognizes programmer intent, not just code semantics, by learning from the developer's own behavior.
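The following added example (not Coverity code) shows the kind of inference this describes. It scans a constructed set of call sites, measures how often each function's return value is used, and treats a function whose result is checked at most call sites as one the developers believe must be checked; the remaining unchecked sites are reported as deviations. The sample call sites, the function names and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample call sites (file, line, statement). Not real code.
SAMPLE_CALL_SITES = [
    ("net.c", 10, "if (read_packet(sock, &buf) < 0) return -1;"),
    ("net.c", 42, "if (read_packet(sock, &buf) < 0) goto fail;"),
    ("net.c", 77, "if (read_packet(sock, &buf) != 0) return -1;"),
    ("proto.c", 15, "rc = read_packet(sock, &buf); if (rc) return rc;"),
    ("proto.c", 90, "read_packet(sock, &buf);"),      # result silently dropped
    ("log.c", 5, 'log_msg("starting");'),
    ("log.c", 9, 'log_msg("done");'),
    ("log.c", 20, 'if (log_msg("x")) abort();'),
]

C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}
CALL_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)\s*\(")


def calls_in(text):
    """Yield (callee, result_used) for each call in one statement.

    The result counts as used when anything other than whitespace precedes the
    callee on the statement: an 'if (', an assignment, a 'return', and so on.
    """
    for m in CALL_RE.finditer(text):
        callee = m.group(1)
        if callee in C_KEYWORDS:
            continue
        yield callee, text[:m.start()].strip() != ""


def infer_deviations(sites, min_sites=3, min_ratio=0.75):
    """Statistical checker over call sites.

    For each callee seen at least `min_sites` times, if its result is used at
    `min_ratio` or more of the sites, the code base is taken to believe the
    result must be checked; every remaining unchecked site is reported along
    with the confidence (fraction of checked sites).
    """
    used = defaultdict(int)
    unused = defaultdict(list)  # callee -> [(file, line)]
    for path, line, text in sites:
        for callee, result_used in calls_in(text):
            if result_used:
                used[callee] += 1
            else:
                unused[callee].append((path, line))
    reports = []
    for callee in sorted(set(used) | set(unused)):
        total = used[callee] + len(unused[callee])
        if total < min_sites:
            continue  # too few observations to infer anything
        ratio = used[callee] / total
        if ratio >= min_ratio:
            for path, line in unused[callee]:
                reports.append((callee, path, line, ratio))
    return reports


if __name__ == "__main__":
    for callee, path, line, ratio in infer_deviations(SAMPLE_CALL_SITES):
        print(f"{path}:{line}: result of {callee}() ignored "
              f"(checked at {ratio:.0%} of other call sites)")
```

Note what the inference does with `log_msg`: its result is ignored at two of three sites, so ignoring it is the norm and no report is raised, while the single unchecked `read_packet` call is flagged because the other four sites check it. The same syntactic shape gets different verdicts depending on the pattern the rest of the code establishes, which is the point of inferring intent rather than applying a fixed rule.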
FindBugs™ Analysis
FindBugs, a leading open source development testing tool for Java, ships out-of-the-box with Coverity. Coverity has fine-tuned the FindBugs checkers to improve the accuracy of the analysis and integrated the results into our centralized defect management system, Coverity Integrity Manager. Now developers have a single location to prioritize, manage and view all defects. And developers can collaborate more effectively because FindBugs triage history can be shared amongst developers and across geographic boundaries through a shared triage data store.
Parallel Analysis
Coverity parallel analysis for C/C++ and Java allows analysis to be run on up to eight cores simultaneously, enabling complex code bases to be scanned on a regular basis and enabling teams to adopt Coverity development testing as part of their nightly build or continuous integration process. Customers have been able to analyze their code up to 10 times faster using parallel analysis versus serial analysis.
Incremental Analysis
Coverity incremental analysis for C/C++ and Java allows developers to quickly analyze their code by automatically detecting and analyzing only the files that have changed and files that may have been affected by the change.
Customizable Analysis
Fine-tune your analysis by modifying either the number of checkers deployed or the settings specific to an individual checker. The ability to configure Coverity Static Analysis for a particular code block or application allows you to select the level of performance most appropriate for your application, and leads to more accurate and reliable results.
Coverity Static Analysis Software Development Kit (SDK)
Formerly known as Extend, the Coverity Static Analysis SDK allows you to write custom checkers to meet the unique needs of your codebase.
Defect Management
"Explaining errors is often more difficult than finding them. A misunderstood explanation means the error is ignored or, worse, transmuted into a false positive."
- A Few Billion Lines of Code Later
When faced with thousands of defects, where do you start? For every defect discovered, Coverity Integrity Manager provides a clear explanation of the defect, its severity, and its location to help you answer three important questions:
- Which defects are the most critical?
- Which defects do I fix first (or at all)?
- Which other projects and products are impacted by this defect?
With this visibility, developers can dramatically reduce triage time. Individuals now have actionable information to make better fix/no-fix decisions based upon impact to a single project, across all projects, across the product portfolio, and to the business, reducing the risk of schedule slips and quality issues across products. Triage information is stored centrally, enabling developers to share it with teammates around the world for better collaboration and faster access to critical information.
Defect Description
Coverity Integrity Manager provides a clear description of the defect, the severity and potential business impact so developers can quickly identify which defects to fix first.
Common Weakness Enumeration (CWE) Mapping
Through the Coverity Integrity Manager, we map every defect to the CWE specification, a community-developed defect dictionary, to gather defect information and get a better understanding of defect severity, identify what kind of exploits are found around that defect, and get potential fix guidance. This provides one-click access to a rich knowledge base that takes the guesswork out of researching unfamiliar defects, and helps you identify the root cause faster.
Defect Navigation
Coverity enables users to pinpoint the exact location in the code where the defect exists and displays the actual code so you can better understand the defect context. Developers can also view the number of occurrences of the defect across projects, code branches and product versions.
Inline Expansion of Function Calls
For interprocedural defects, you can expand function calls inline and understand the execution path for deeply nested events to get a comprehensive explanation of the defect, an impossible task during manual code reviews.
Checker Classification
This helps you easily prioritize defects by combining checkers into categories, such as crash-causing errors, security vulnerabilities, unexpected behavior, and performance degradation. The classification maps each checker into categories based upon how it manifests as issues, such as memory corruption, resource leaks, security best practice violations, and insecure handling of data, to name a few. These defect types are then prioritized based upon high, medium, and low impact, derived from Coverity's experience scanning millions of lines of open source code. Checker classification and impact type are customizable, enabling you to tailor the values to meet your organization's unique workflow.
Source Code Navigation
This intuitive navigation helps you evaluate and understand the scope of the problem within the context of the rest of the source code, using the original files and directory structure.
Flexible Defect Filtering
Coverity Integrity Manager enables users to quickly see the information most important to them by providing flexible defect filtering capabilities.
Defect Impact Mapping
To save time, developers often re-use code. However, as codebases grow, code sharing and branching increases the complexity and difficulty of defect detection. With other solutions, you get a list of defects but no insight into the impact; the same defect will look like multiple defects, and piecing together the defect's impact to projects and products is a manual effort.
Coverity Integrity Manager maps the impact of a defect across the entire codebase, alerting you of the presence of a single defect in other projects and products that shared code. It also allows you to visualize all of the code branches together so you can see the defects that matter to you.
The process of defect disposition becomes precise and manageable, as you can quickly identify the impact of a defect from one part of the code on the entire product portfolio. What was previously flagged as multiple defects is now considered a single defect, increasing efficiency to fix defects faster and increasing visibility to focus on addressing the high priority defects based upon impact.
Development Workflow Integration
Coverity is easy to use and fits seamlessly into the standard development workflow.
Desktop Analysis
Coverity Static Analysis can easily be used within your own development environment. Developers can analyze, triage, and repair their defects right from the Eclipse, Visual Studio or Wind River Workbench IDE on their desktop. This enables developers to clean their code prior to checking it into a centralized build system, while the code is fresh in their mind.
Jenkins Integration
Coverity offers out-of-the-box integration with the Jenkins continuous integration server. This enables organizations to automatically apply a continuous process for quality.
Process Integration
Coverity seamlessly integrates with critical components of your development environment. A sample of the developer tools we've integrated for other customers includes source control management systems, bug tracking systems, IDEs, and continuous integration systems such as Jenkins. Our extensible platform enables users to integrate with third-party testing solutions such as FindBugs, a leading open source static analysis engine for Java. In addition to Jenkins and FindBugs, Coverity integrates with many additional solutions.
Coverity's Extensible Platform
Coverity's extensible platform enables it to be easily integrated with other leading development tools such as FindBugs™ which ships out-of-the-box with Coverity. Developers can manage defects found by both Coverity and FindBugs from Coverity Integrity Manager, our defect management system, as part of a standardized development workflow which saves developers valuable time.
Defect Reporting
Viewing and tracking defect history and resolution status at the branch level, the project level, and across projects is critical to make better decisions and measure developer productivity and quality improvement over time. Coverity Integrity Manager reporting allows you to answer three critical questions:
- Which defects have been fixed and have all critical defects been fixed?
- Have all instances of the defect across shared code been triaged and fixed (or not fixed)?
- What does my defect and quality trending look like by product, by release, by checker and defect type, and by user over time?
Metrics & Trending
Coverity provides unparalleled visibility into quality, security and efficiency trends across the organization. Within Coverity Integrity Manager developers can see detailed information about the number of defects since the last analysis, the defects that were found in the central build, defects found from their desktop analysis and more.
Through Coverity Integrity Control managers and business executives get a more expansive view of quality and security trends over time, by team or by software component. Managers can quickly drill down into a detailed view to get a deeper understanding of areas of risk in their organization.