
- Ensure that code defects will not lead to a costly product delay or recall
- Identify security flaws early so audit teams don’t force time-wasting rework
- Deliver high quality software to speed testing and delivery time

Coverity™ Static Analysis is Coverity’s flagship software analysis capability. It is currently in use at over 600 customer sites by over 100,000 developers. Companies rely on Coverity Static Analysis because it delivers the most mature feature set with documented, unbeatable accuracy of results, with customers realizing false positive rates below 5%. Available for C/C++, Java and C#, Coverity Static Analysis automates the time-consuming task of identifying memory corruption, run-time exceptions, security vulnerabilities, concurrency defects, performance degradation, and much more. This enables you and your development team to focus on correcting must-fix defects early in development when they’re easiest to eliminate.
The sophisticated analysis engines of Coverity Static Analysis intelligently avoid false positives by carefully considering the semantics and idioms specific to each language and error type. In partnership with the U.S. Department of Homeland Security, Coverity Static Analysis is in use by over 250 open source packages at Coverity’s Scan site. With more than 55 million lines of code analyzed on a recurring basis, open source developers with no Coverity Static Analysis training reported an average false positive rate under 14%, and this was with no configuration of Coverity Static Analysis. Commercial customers consistently report false positive rates under 10%, with some teams reporting rates as low as 5%. No other static analysis product on the market matches the proven, documented accuracy of Coverity Static Analysis.
Coverity Static Analysis combines statistical and inter-procedural analysis with Boolean Satisfiability (SAT) to find the critical, crash-causing defects that matter most to developers. Coverity Static Analysis uses statistical analysis to infer correct behavior based on the behavioral patterns it tracks throughout your code, then performs deep inter-procedural (whole-program) analysis across function, file, and module boundaries to achieve 100% path coverage. Coverity’s patent-pending use of Boolean Satisfiability allows the product to deliver 100% value coverage when analyzing your source code. Coverity’s groundbreaking SAT engine translates code into questions based on Boolean values, and then applies SAT solvers to determine if paths are feasible at runtime or result in quality, security or performance defects. Only Coverity Static Analysis offers the added precision of this breakthrough technique.
Coverity Static Analysis requires no significant changes to existing build environments or source code, ensuring smooth integration with established development processes and tool chains. Tools that disrupt existing processes are often not used by developers because they exist outside established workplace behavior. To successfully integrate with existing development environments, Coverity Static Analysis supports multiple platforms and compilers (such as gcc and Microsoft Visual C++, as well as the many compilers available for embedded development). It also supports the Eclipse and Visual Studio IDEs. The more tightly information from static analysis tools can be integrated with your existing processes, the more likely it will help you yield the results your team and your business expect.
The changing landscape of hardware demands new sophistication in static tools. To take advantage of multi-core hardware, software developers are now required to create multi-threaded applications that result in an exponential increase in the number of possible run time scenarios due to the concurrent execution of multiple operations. Concurrent execution creates new complexities in the software development process that Coverity Static Analysis excels at identifying, including hard-to-find, crash-causing software defects like deadlocks, thread blocks, atomicity, and race conditions.
By the nature of static analysis, the time required by any tool increases with the amount of code being analyzed. Developers run Coverity Static Analysis on large code bases (millions of lines) and very large code bases (tens of millions of lines or larger) on a nightly basis in central build environments. At Coverity’s largest customers, Coverity Static Analysis analyzes in excess of 50 million lines of code on a nightly basis. In addition to scalability in the central build environment, Coverity Static Analysis also delivers local/desktop analysis for developers to ensure their code is ‘clean before check-in’. Developers using the Eclipse and Visual Studio IDEs have the ability to analyze, triage and repair their code prior to nightly builds on the central server.
Coverity Integrity Manager is a comprehensive workflow platform that makes it easy to view, triage, and resolve defects collaboratively via a customized workflow that mirrors your existing development process. The web-based interface allows developers to remediate quality, security and performance defects anywhere, at any time. Coverity Integrity Manager offers an array of capabilities to streamline the assignment and ownership of defects including:
To account for natural differences in code bases and varying development environments (caused by different compilers or processor types), Coverity Static Analysis offers customization and tuning capabilities that allow developers to modify product settings such as search depth, processor type and various preprocessor directives required by the application being analyzed. In addition, Coverity Static Analysis provides the ability to fine-tune analyses by modifying either the number of checkers deployed or the settings specific to an individual checker, such as the threshold for null pointer dereferences. The ability to configure Coverity Static Analysis for a particular code block or application allows developers to select the level of performance most appropriate for their application and leads to more accurate and reliable results. Coverity Static Analysis also provides out-of-the-box reporting to deliver instant visibility into code quality and up-to-date information about current and historical defects, giving managers all the information necessary to assess progress towards meeting quality goals.
A static analysis tool should allow developers to create new checks designed for their code base, or to modify existing checkers to make them more effective at defect identification. Custom defect detection is an important feature when looking for domain-specific versions of common defects. Coverity offers Coverity Extend™ Static Analysis to help organizations create custom checks that are capable of identifying variants of known defect types. These checks can also help enforce compliance standards as well as corporate or industry coding standards.