Synopsys Static Analysis Tool (Coverity)

Synopsys Static Analysis (Coverity®) is an accurate and comprehensive static analysis and Static Application Security Testing (SAST) platform that finds critical defects and security weaknesses in code as it’s written before they become vulnerabilities, crashes, or maintenance headaches.

Coverity GUI

Address Security at the Source

  • Arm your developers with the information they need to troubleshoot and fix critical defects quickly and efficiently
  • Build quality and security into development to reduce the cost of rework and delayed time to market resulting from defects found late in the cycle
  • Reduce the risk of costly and brand-damaging software failures and security breaches in the field or in production

Product Overview

Synopsys Static Analysis helps reduce risk and lower overall project cost by identifying critical quality defects and potential security vulnerabilities during development, with accurate and actionable remediation guidance, based on patented techniques and a decade of research and development and analysis of over 10 billion lines of proprietary and open source code.

Coverity‘s Policy Manager enables users to easily monitor and report on status, risks, and trends.

Key Features

Depth and Accuracy of Analysis

  • Synopsys Static Analysis integrates seamlessly with any build system and generates a high fidelity representation of the source code to ensure a deep understanding of its behavior.
  • Synopsys Static Analysis provides full path coverage, ensuring that every line of code and every potential execution path are tested. It utilizes multiple patented techniques to ensure deep, accurate analysis. 
  • Through a deep understanding of the source code and the underlying frameworks, Synopsys Static Analysis provides highly accurate analysis results so developers do not waste time managing large volume of false positive results. This enables them to effectively build security into the development lifecycle.

Speed and Scale of Analysis

Synopsys Static Analysis was built from the ground up to fit into your existing workflow with the following capabilities:

  • Parallel analysis allows Synopsys Static Analysis to run on up to sixteen cores simultaneously and delivers up to a 10X performance improvement over serial analysis.
  • Fast Desktop Analysis enables analysis acceleration by only re-analyzing the code which has changed or been impacted by a change, instead of the entire codebase each time. 
  • Synopsys Static Analysis scales to accommodate thousands of developers in geographically distributed environments and can analyze projects in excess of 100 million lines of code with ease.

Efficient Issue Management and Remediation

  • With Coverity Connect, the platform’s collaborative issue management interface, developers gain access to actionable information and precise remediation guidance, showing them the right way to fix the defect and the best place in the code to fix it without requiring deep security domain expertise.
  • Coverity Connect provides source code navigation to identify the exact path to the defect and automatically identify every occurrence of the defect across shared code.
  • Defects can be automatically assigned to the appropriate developer for resolution, and users can quickly view all outstanding security issues, OWASP Top 10 issues, CWE, and PCI related issues.

Software Development Lifecycle (SDLC) Integration

  • Synopsys Static Analysis allows rapid integration of critical tools and systems used to support the development process such as source control management, build and continuous integration, bug tracking, integrated development environments (IDE) and application lifecycle management (ALM) solutions.
  • Synopsys Static Analysis is an open platform that allows developers to import third party analysis results into the workflow to view and manage all types of defects in the same way with a single view of software defects and risks.

Drive Adoption and Mitigate Risk

Coverity Policy Manager enables organizations to define and enforce a consistent standard for code security as well as quality and testing across development teams. It provides visibility into which teams, projects or components are compliant with these standards and can create measurable stage gates based on predefined criteria regarding defects and testing. The customizable views in Coverity Policy Manager allows the selection of development metrics and thresholds that align to specific objectives for embedded, enterprise, and mobile applications.

Extend Vulnerability Detection

Coverity Extend is an easy-to-use Software Development Kit (SDK) that allows developers to detect unique defect types. The SDK is a framework for writing program analyzers, or checkers, which allows them to identify custom or domain specific defects. Customized checkers also help enable compliance with corporate security requirements and industry standards or guidelines.

Supported Languages and Frameworks

  • C/C++
  • JavaScript
  • ASP .NET
  • Node.js
  • Swift

  • C#
  • PHP
  • Objective-C
  • Ruby
  • Fortran

  • Java
  • Python
  • JSP
  • Android

Supported Platforms

  • Windows
  • AIX
  • Linux

  • HP-UX
  • Mac OS X
  • NetBSD

  • Solaris
  • FreeBSD

Some Supported Compilers

  • VisualDSP++
  • ARM C/C++
  • Borland C++
  • Clang
  • Cosmic C
  • Freescale Codewarrior
  • GNU GCC/G++
  • Green Hills C/C++/EC++
  • HI-TECH PICC
  • HP aCC
  • IAR C/C++

  • IBM XLC
  • Intel C++
  • Keil Compilers
  • Marvell MSA
  • QNX C/C++
  • Renesas C/C++
  • SNC C/C++
  • SNC GNU C/C++
  • Sony ORBIS SDK
  • Sony PS4
  • STMicroelectronics GNU C/C++
  • STMicroelectronics ST Micro C/C++

  • S SUN (Oracle) CC
  • Synopsys Metaware C and C++ 
  • TI Code  Composer
  • Visual Studio
  • Wind River C/++
  • JDK for Mac OS X
  • OpenJDK
  • Sun/Oracle JDK
  • CEVA XC4500

SDLC Integration

SCM

  • Accurev
  • Clearcase
  • CVS
  • Git
  • Hg (Mercurial)
  • Perforce
  • SVN
  • TFS SCM

IDE/CI

  • Android Studio
  • Eclipse
  • IBM RTC
  • IntelliJ
  • QNX Momentics
  • MS Visual Studio
  • Wind River Workbench
  • Jenkins
  • TFS

Issue Tracking

  • JIRA
  • Bugzilla

Critical Checks

  • API usage errors
  • Best practice coding errors
  • Build system issues
  • Buffer overflows
  • Class hierarchy inconsistencies
  • Code maintainability issues
  • Concurrent data access violations
  • Control flow issues
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

  • Deadlocks
  • Error handling issues
  • Hard-coded credentials
  • Incorrect expression
  • Insecure data handling
  • Integer handling issues
  • Integer overflows
  • Memory – corruptions
  • Memory – illegal accesses
  • Null pointer dereferences

  • Path manipulation
  • Performance inefficiencies
  • Program hangs
  • Race conditions
  • Resource leaks
  • Rule violations
  • Security best practices violations
  • Security misconfigurations
  • SQL Injection
  • Uninitialized members

Coverity is also proud to serve the open source community with more than 4000 projects currently using our free Coverity Scan, including Linux, Python, PostgreSQL, Firefox, OpenSSL, Perl, Apache Hadoop, and many more.