Coverity Code Advisor

The Coverity® Code Advisor solution includes Coverity Quality Advisor and Coverity Security Advisor. The solution surfaces quality and security defects in the developer workflow, with accurate and actionable remediation guidance, based on patented techniques, a decade of research and development, and analysis of over 10 billion lines of proprietary and open source code.

  • Arm your developers with the information they need to troubleshoot and fix critical defects quickly and efficiently.
  • Build quality and security into development to reduce the cost of rework and delayed time to market resulting from defects found late in the cycle.
  • Reduce the risk of costly and brand-damaging software failures and security breaches in the field or in production.

New in beta: Code Advisor On Demand

A quick, easy-to-use, cloud-hosted solution: you can analyze as much code as often as you like. Available free for Java projects during our beta period.


Intelligent Code Analysis

The Coverity Code Advisor solution helps reduce risk and lower overall project cost by identifying critical quality defects and potential security vulnerabilities during development. The solution uses sophisticated source code analysis to find the most critical defects in highly complex code bases, leveraging patented techniques for deep analysis and accurate issue detection.

The Coverity Code Advisor solution finds critical issues such as:

  • API usage errors
  • Best practice coding errors
  • Build system issues
  • Buffer overflows
  • Class hierarchy inconsistencies
  • Code maintainability issues
  • Concurrent data access violations
  • Control flow issues
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Deadlocks
  • Error handling issues
  • Hard-coded credentials
  • Incorrect expression
  • Insecure data handling
  • Integer handling issues
  • Integer overflows
  • Memory – corruptions
  • Memory – illegal accesses
  • Null pointer dereferences
  • Path manipulation
  • Performance inefficiencies
  • Program hangs
  • Race conditions
  • Resource leaks
  • Rule violations
  • Security best practices violations
  • Security misconfigurations
  • SQL Injection
  • Uninitialized members

Efficient Issue Management

Coverity Connect is the collaborative issue management console that manages every issue surfaced by Coverity development testing solutions through to resolution within a unified workflow.

This includes:

  • Prioritization and filtering based on criticality and impact.
  • Source code navigation to identify the exact path to the defect.
  • A patent-pending remediation engine that lets security vulnerabilities be addressed quickly without requiring deep domain expertise.
  • Automatic identification of every occurrence of a defect across branches.
  • CWE-compatible mapping and a knowledge base entry for each defect.
  • Automatic assignment of defects to the appropriate developer.


Analysis Packs

In addition to the quality and security defects identified by the Coverity Code Advisor solution, you can seamlessly integrate additional analysis results and manage multiple types of issues to resolution within a unified development testing workflow.

Coverity offers the following analysis packs:

Coverity Dynamic Analysis: Identify concurrency issues such as race conditions, deadlocks and resource leaks by analyzing Java programs as they run. View and manage both static and dynamically identified quality defects in a single workflow.

Coverity Architecture Analysis: Visualize the code structure to identify dependency conflicts and interface violations, detect architectural flaws that could create exposure, manage code complexity and enforce architectural design rules.

Analysis Integration: Manage FindBugs and FxCop defects in the same workflow as defects found by Coverity development testing solutions, providing your developers with a single workflow for finding and fixing defects.

SDLC Integrations

We know you probably use multiple analysis tools – no one tool can find every type of defect. That’s why our platform is open, so you can import third-party analysis results into our workflow and view and manage all types of defects in the same way. Your developers are more productive because they do not have to juggle multiple tools and workflows, and you get a single view of software risk.

Our platform works seamlessly within your current process and integrates with the most popular development tools and technologies, to make development testing a natural part of the SDLC process.

Coverity supports integrations with the critical tools and systems used to support the development process, including:

  • IDEs to surface and remediate defects before code check-in, right at the desktop.
  • Code coverage and test execution frameworks to help focus testing efforts.
  • Source control management to map defects to code changes and responsible developers.
  • Bug tracking to link defects to your overall defect management process.
  • Build and continuous integration to automatically test for defects with every build or as part of an Agile process.
  • ALM solutions for increased traceability and collaboration with QA.

Check out our full list of SDLC integrations.

CWE

Coverity Coverage For Common Weakness Enumeration (CWE):

| CWE | CWE Name | Coverity Static Analysis Checker | Language |
|-----|----------|----------------------------------|----------|
| 4 | J2EE Environment Issues | CONFIG | Java |
| 7 | J2EE Misconfiguration: Missing Custom Error Page | CONFIG | Java |
| 20 | Improper Input Validation | TAINTED_SCALAR, USER_POINTER, TAINTED_STRING | C/C++ |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | JSP_DYNAMIC_INCLUDE, PATH_MANIPULATION | Java |
| 73 | External Control of File Name or Path | UNRESTRICTED_DISPATCH | Java |
| 78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OS_CMD_INJECTION | Java |
| 79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | XSS | Java |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | JSP_SQL_INJECTION, SQLI | Java |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | LDAP_INJECTION | Java |
| 94 | Improper Control of Generation of Code (‘Code Injection’) | JAVA_CODE_INJECTION, XPATH_INJECTION, UNKNOWN_LANGUAGE_INJECTION, SCRIPT_CODE_INJECTION, REGEX_INJECTION, OGNL_INJECTION, NOSQL_QUERY_INJECTION, JCR_INJECTION | Java |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | ARRAY_VS_SINGLETON, REVERSE_NEGATIVE, OVERRUN, MISMATCHED_ITERATOR, INVALIDATE_ITERATOR, INTEGER_OVERFLOW, INCOMPATIBLE_CAST, COM.BSTR.CONV, BAD_ALLOC_ARITHMETIC | Java |
| 120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | BUFFER_SIZE, STRING_SIZE, STRING_OVERFLOW, SIZECHECK | Java |
| 125 | Out-of-bounds Read | INTEGER_OVERFLOW, OVERRUN | Java |
| 129 | Improper Validation of Array Index | NEGATIVE_RETURNS, TAINTED_SCALAR, REVERSE_NEGATIVE | Java |
| 131 | Incorrect Calculation of Buffer Size | BAD_ALLOC_STRLEN, SIZECHECK | Java |
| 134 | Uncontrolled Format String | PARSE_WARNINGS, TAINTED_STRING | Java |
| 170 | Improper Null Termination | BUFFER_SIZE, STRING_NULL, SIZECHECK, READLINK | Java |
| 185 | Incorrect Regular Expression | REGEX_CONFUSION | Java |
| 188 | Reliance on Data/Memory Layout | INCOMPATIBLE_CAST | Java |
| 190 | Integer Overflow or Wraparound | OVERFLOW_BEFORE_WIDEN, PARSE_WARNINGS, INTEGER_OVERFLOW | C/C++, Java |
| 194 | Unexpected Sign Extension | SIGN_EXTENSION | Java |
| 195 | Signed to Unsigned Conversion Error | MISRA_CAST | Java |
| 197 | Numeric Truncation Error | CHAR_IO, NO_EFFECT, MISRA_CAST | Java |
| 200 | Information Exposure | CONFIG | Java |
| 209 | Information Exposure Through an Error Message | SENSITIVE_DATA_LEAK | Java |
| 243 | Creation of chroot Jail Without Changing Working Directory | CHROOT | Java |
| 248 | Uncaught Exception | UNCAUGHT_EXCEPT | Java |
| 252 | Unchecked Return Value | CHECKED_RETURN | C/C++, Java |
| 253 | Incorrect Check of Function Return Value | ORM_LOAD_NULL_CHECK, BAD_COMPARE | C/C++, Java |
| 259 | Use of Hard-coded Password | HARDCODED_CREDENTIALS | Java |
| 290 | Authentication Bypass by Spoofing | WEAK_GUARD | Java |
| 291 | Reliance on IP Address for Authentication | WEAK_GUARD | Java |
| 293 | Using Referer Field for Authentication | WEAK_GUARD | Java |
| 313 | Cleartext Storage in a File or on Disk | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA | Java |
| 315 | Cleartext Storage of Sensitive Information in a Cookie | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA | Java |
| 317 | Cleartext Storage of Sensitive Information in GUI | SENSITIVE_DATA_LEAK | Java |
| 319 | Cleartext Transmission of Sensitive Information | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA | Java |
| 321 | Use of Hard-coded Cryptographic Key | HARDCODED_CREDENTIALS | Java |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | RISKY_CRYPTO | C/C++, Java |
| 328 | Reversible One-Way Hash | RISKY_CRYPTO | C/C++, Java |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | WEAK_GUARD | Java |
| 352 | Cross-Site Request Forgery (CSRF) | CSRF | Java |
| 366 | Race Condition within a Thread | GUARDED_BY_VIOLATION, MISSING_LOCK, RACE_CONDITION, VOLATILE_ATOMICITY, NON_STATIC_GUARDING_STATIC | C/C++, Java |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | TOCTOU | Java |
| 369 | Divide By Zero | DIVIDE_BY_ZERO, PARSE_WARNINGS | C/C++, Java |
| 377 | Insecure Temporary File | SECURE_TEMP | Java |
| 384 | Session Fixation | CONFIG, SESSION_FIXATION | Java |
| 390 | Detection of Error Condition Without Action | MISSING_THROW | Java |
| 394 | Unexpected Status Code or Return Value | NEGATIVE_RETURNS, REVERSE_NEGATIVE | Java |
| 398 | Indicator of Poor Code Quality | COPY_PASTE_ERROR, VIRTUAL_DTOR, PASS_BY_VALUE, NO_EFFECT, MIXED_ENUMS, MISMATCHED_ITERATOR, ENUM_AS_BOOLEAN, STRAY_SEMICOLON, IDENTICAL_BRANCHES | C/C++, Java |
| 400 | Uncontrolled Resource Consumption (‘Resource Exhaustion’) | STACK_USE | Java |
| 401 | Improper Release of Memory Before Removing Last Reference (‘Memory Leak’) | COM.BSTR.ALLOC, SYMBIAN.CLEANUP_STACK, NO_EFFECT, CTOR_DTOR_LEAK | Java |
| 403 | Exposure of File Descriptor to Unintended Control Sphere (‘File Descriptor Leak’) | RESOURCE_LEAK | Java |
| 404 | Improper Resource Shutdown or Release | RESOURCE_LEAK | C/C++, Java |
| 415 | Double Free | SYMBIAN.CLEANUP_STACK, USE_AFTER_FREE | Java |
| 416 | Use After Free | COM.BAD_FREE, USE_AFTER_FREE, COM.BSTR.ALLOC | Java |
| 425 | Direct Request (‘Forced Browsing’) | CONFIG | Java |
| 427 | Uncontrolled Search Path Element | UNSAFE_JNI | Java |
| 456 | Missing Initialization of a Variable | NO_EFFECT | Java |
| 457 | Use of Uninitialized Variable | PARSE_WARNINGS, UNINIT_CTOR, UNINIT | Java |
| 459 | Incomplete Cleanup | DELETE_ARRAY, SYMBIAN.CLEANUP_STACK | Java |
| 465 | Pointer Issues | NO_EFFECT | Java |
| 467 | Use of sizeof() on a Pointer Type | BAD_SIZEOF, SIZEOF_MISMATCH | Java |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) | UNSAFE_REFLECTION | Java |
| 476 | NULL Pointer Dereference | FORWARD_NULL, REVERSE_INULL, NULL_RETURNS | C/C++, Java |
| 480 | Use of Incorrect Operator | CONSTANT_EXPRESSION_RESULT, NO_EFFECT | C/C++, Java |
| 481 | Assigning instead of Comparing | PARSE_WARNINGS | C/C++ |
| 482 | Comparing instead of Assigning | NO_EFFECT | Java |
| 483 | Incorrect Block Delimitation | NESTING_INDENT_MISMATCH | C/C++, Java |
| 484 | Omitted Break Statement in Switch | MISSING_BREAK | C/C++, Java |
| 502 | Deserialization of Untrusted Data | UNSAFE_DESERIALIZATION | Java |
| 532 | Information Exposure Through Log Files | SENSITIVE_DATA_LEAK | Java |
| 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | BAD_LOCK_OBJECT, SINGLETON_RACE, LOCK_EVASION | Java |
| 561 | Dead Code | DEADCODE, UNREACHABLE | C/C++, Java |
| 562 | Return of Stack Variable Address | PARSE_WARNINGS, RETURN_LOCAL | Java |
| 563 | Assignment to Variable without Use (‘Unused Variable’) | UNUSED_VALUE | C/C++, Java |
| 567 | Unsynchronized Access to Shared Data in a Multithreaded Context | SERVLET_ATOMICITY | Java |
| 568 | finalize() Method Without super.finalize() | CALL_SUPER | Java |
| 569 | Expression Issues | CONSTANT_EXPRESSION_RESULT, SIZEOF_MISMATCH | C/C++, Java |
| 570 | Expression is Always False | NO_EFFECT, PARSE_WARNINGS | C/C++ |
| 573 | Improper Following of Specification by Caller | CALL_SUPER, VARARGS, OPEN_ARGS, MISSING_RESTORE, INVALIDATE_ITERATOR | C/C++, Java |
| 580 | clone() Method Without super.clone() | CALL_SUPER | Java |
| 584 | Return Inside Finally Block | PARSE_WARNINGS | Java |
| 590 | Free of Memory not on the Heap | BAD_FREE | Java |
| 596 | Incorrect Semantic Object Comparison | HIBERNATE_BAD_HASHCODE | Java |
| 597 | Use of Wrong Operator in String Comparison | BAD_COMPARE | C/C++ |
| 606 | Unchecked Input for Loop Condition | NEGATIVE_RETURNS, TAINTED_SCALAR | Java |
| 610 | Externally Controlled Reference to a Resource in Another Sphere | HEADER_INJECTION | Java |
| 615 | Information Exposure Through Comments | CONFIG | Java |
| 617 | Reachable Assertion | LOCK | Java |
| 628 | Function Call with Incorrectly Specified Arguments | BAD_COMPARE, PARSE_WARNINGS | Java |
| 633 | Weaknesses that Affect Memory | COM.BSTR.ALLOC | Java |
| 650 | Trusting HTTP Permission Methods on the Server Side | CONFIG | Java |
| 662 | Improper Synchronization | ATOMICITY | C/C++, Java |
| 665 | Improper Initialization | NO_EFFECT | Java |
| 667 | Improper Locking | LOCK, SLEEP | Java |
| 670 | Always-Incorrect Control Flow Implementation | STRAY_SEMICOLON | Java |
| 672 | Operation on a Resource after Expiration or Release | USE_AFTER_FREE | C/C++, Java |
| 676 | Use of Potentially Dangerous Function | DC.DANGEROUS, SECURE_CODING, DC.WEAK_CRYPTO, DC.STRING_BUFFER, DC.STREAM_BUFFER | C/C++, Java |
| 681 | Incorrect Conversion between Numeric Types | MISRA_CAST | Java |
| 683 | Function Call With Incorrect Order of Arguments | SWAPPED_ARGUMENTS | C/C++, Java |
| 685 | Function Call With Incorrect Number of Arguments | PARSE_WARNINGS | Java |
| 686 | Function Call With Incorrect Argument Type | PARSE_WARNINGS | Java |
| 687 | Function Call With Incorrectly Specified Argument Value | NEGATIVE_RETURNS | Java |
| 704 | Incorrect Type Conversion or Cast | INCOMPATIBLE_CAST, PARSE_WARNINGS | Java |
| 710 | Coding Standards Violation | ASSIGN_NOT_RETURNING_STAR_THIS, SELF_ASSIGN, MISSING_RETURN, MISSING_COPY_OR_ASSIGN, HFA, BAD_OVERRIDE | Java |
| 731 | OWASP Top Ten 2004 Category A10 – Insecure Configuration Management | CONFIG | Java |
| 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | DELETE_VOID, EVALUATION_ORDER | Java |
| 759 | Use of a One-Way Hash without a Salt | WEAK_PASSWORD_HASH | Java |
| 760 | Use of a One-Way Hash with a Predictable Salt | WEAK_PASSWORD_HASH | Java |
| 762 | Mismatched Memory Management Routines | ALLOC_FREE_MISMATCH | Java |
| 764 | Multiple Locks of a Critical Resource | LOCK | Java |
| 772 | Missing Release of Resource after Effective Lifetime | VIRTUAL_DTOR | Java |
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | RESOURCE_LEAK | Java |
| 783 | Operator Precedence Logic Error | CONSTANT_EXPRESSION_RESULT, SIZEOF_MISMATCH, BAD_COMPARE | C/C++, Java |
| 798 | Use of Hard-coded Credentials | CONFIG, HARDCODED_CREDENTIALS | Java |
| 833 | Deadlock | DC.DEADLOCK, ORDER_REVERSAL, DEADLOCK, LOCK_INVERSION | C/C++, Java |
| 835 | Loop with Unreachable Exit Condition (‘Infinite Loop’) | INFINITE_LOOP | C/C++, Java |
| 862 | Missing Authorization | CONFIG | Java |
| 863 | Incorrect Authorization | CONFIG | Java |
| 916 | Use of Password Hash With Insufficient Computational Effort | WEAK_PASSWORD_HASH | Java |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) | EL_INJECTION | Java |

OWASP

Coverity Coverage For OWASP Top 10:

| OWASP Short Name | OWASP Top 10 Category | CWE | CWE Name | Coverity Static Analysis Checker |
|------------------|-----------------------|-----|----------|----------------------------------|
| A1 | Injection | 77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | OS_CMD_INJECTION |
| A1 | Injection | 78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | OS_CMD_INJECTION |
| A1 | Injection | 88 | Argument Injection or Modification | OS_CMD_INJECTION |
| A1 | Injection | 89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | JSP_SQL_INJECTION, SQLI |
| A1 | Injection | 90 | Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | LDAP_INJECTION |
| A1 | Injection | 564 | SQL Injection: Hibernate | SQLI |
| A1 | Injection | 917 | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) | EL_INJECTION |
| A2 | Broken Authentication | 259 | Use of Hard-coded Password | HARDCODED_CREDENTIALS |
| A2 | Broken Authentication | 290 | Authentication Bypass by Spoofing | WEAK_GUARD |
| A2 | Broken Authentication | 291 | Reliance on IP Address for Authentication | WEAK_GUARD |
| A2 | Broken Authentication | 293 | Using Referer Field for Authentication | WEAK_GUARD |
| A2 | Broken Authentication | 321 | Use of Hard-coded Cryptographic Key | HARDCODED_CREDENTIALS |
| A2 | Broken Authentication | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | WEAK_GUARD |
| A2 | Broken Authentication | 384 | Session Fixation | CONFIG, SESSION_FIXATION |
| A2 | Broken Authentication | 425 | Direct Request (‘Forced Browsing’) | CONFIG |
| A2 | Broken Authentication | 798 | Use of Hard-coded Credentials | CONFIG, HARDCODED_CREDENTIALS |
| A3 | Cross-site Scripting | 79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | XSS |
| A3 | Cross-site Scripting | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | XSS |
| A3 | Cross-site Scripting | 82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | XSS |
| A3 | Cross-site Scripting | 83 | Improper Neutralization of Script in Attributes in a Web Page | XSS |
| A3 | Cross-site Scripting | 85 | Doubled Character XSS Manipulations | XSS |
| A3 | Cross-site Scripting | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | XSS |
| A3 | Cross-site Scripting | 87 | Improper Neutralization of Alternate XSS Syntax | XSS |
| A4 | Direct Object Ref | 22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | JSP_DYNAMIC_INCLUDE, PATH_MANIPULATION |
| A4 | Direct Object Ref | 23 | Relative Path Traversal | PATH_MANIPULATION |
| A4 | Direct Object Ref | 36 | Absolute Path Traversal | PATH_MANIPULATION |
| A5 | Security Misconfig | 4 | J2EE Environment Issues | CONFIG |
| A5 | Security Misconfig | 7 | J2EE Misconfiguration: Missing Custom Error Page | CONFIG |
| A5 | Security Misconfig | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | XSS |
| A5 | Security Misconfig | 188 | Reliance on Data/Memory Layout | INCOMPATIBLE_CAST |
| A5 | Security Misconfig | 532 | Information Exposure Through Log Files | SENSITIVE_DATA_LEAK |
| A5 | Security Misconfig | 615 | Information Exposure Through Comments | CONFIG |
| A5 | Security Misconfig | 650 | Trusting HTTP Permission Methods on the Server Side | CONFIG |
| A6 | Sensitive Data Exp | 311 | Missing Encryption of Sensitive Data | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA |
| A6 | Sensitive Data Exp | 312 | Cleartext Storage of Sensitive Information | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA |
| A6 | Sensitive Data Exp | 313 | Cleartext Storage in a File or on Disk | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA |
| A6 | Sensitive Data Exp | 315 | Cleartext Storage of Sensitive Information in a Cookie | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA |
| A6 | Sensitive Data Exp | 317 | Cleartext Storage of Sensitive Information in GUI | SENSITIVE_DATA_LEAK |
| A6 | Sensitive Data Exp | 319 | Cleartext Transmission of Sensitive Information | SENSITIVE_DATA_LEAK, UNENCRYPTED_SENSITIVE_DATA |
| A6 | Sensitive Data Exp | 321 | Use of Hard-coded Cryptographic Key | HARDCODED_CREDENTIALS |
| A6 | Sensitive Data Exp | 327 | Use of a Broken or Risky Cryptographic Algorithm | RISKY_CRYPTO |
| A6 | Sensitive Data Exp | 328 | Reversible One-Way Hash | RISKY_CRYPTO |
| A6 | Sensitive Data Exp | 759 | Use of a One-Way Hash without a Salt | WEAK_PASSWORD_HASH |
| A6 | Sensitive Data Exp | 760 | Use of a One-Way Hash with a Predictable Salt | WEAK_PASSWORD_HASH |
| A6 | Sensitive Data Exp | 916 | Use of Password Hash With Insufficient Computational Effort | WEAK_PASSWORD_HASH |
| A7 | Missing Authorization | 425 | Direct Request (‘Forced Browsing’) | CONFIG |
| A7 | Missing Authorization | 862 | Missing Authorization | CONFIG |
| A7 | Missing Authorization | 863 | Incorrect Authorization | CONFIG |
| A8 | Cross-site Request Forgery | 352 | Cross-Site Request Forgery (CSRF) | CSRF |
| A10 | Unvalidated Redirects | 938 | Unvalidated Redirects and Forwards | UNRESTRICTED_DISPATCH |