Earlier this year, Coverity announced the fifth release of its defect investigation software tool, now called Coverity 5. Coverity 5 is basically a rehashing of its existing code analysis engine, process tools and debuggers, but with some added features and improved interfaces.
Recently, I spoke with Behrooz Zahiri, Coverity’s self-proclaimed perfect storm of code engineer and market analyst. Zahiri summarized where Coverity 5 came from in three words: “our market research.” Coverity has been running audits of software development organizations to find out where common defects are found, which tools are used to discover these defects and how these issues are resolved. From this research, Coverity built a database of common defect areas and solutions, which it integrated into its latest software.
This new research-derived database serves two purposes: first, it works as a resource for developers so they can write code with fewer errors; second, once Coverity’s analysis engine is engaged, the information in the database is used to find issues more quickly and to recommend common solutions to the problems found.
“When we decided to revamp Coverity 4, we had two goals that we wanted to reach. One was to make certain that our product was scalable and could deliver quick results for teams regardless of the team’s size. But we also wanted to elevate the adoption of our tool by increasing the effectiveness of defect repair,” said Zahiri.
Coverity’s new defect manager is built on a Java platform with direct access to popular open source tools that have been approved and entered into its database, so these pre-approved tools can be plugged in without further integration work. The interfaces have also been updated, and Coverity believes them to be more business-focused than those of prior versions.
Also new is a feature Coverity calls Defect Impact. This feature evaluates the results of Coverity’s analysis of source code for defects. If defects are found, it prioritizes how they should be resolved by grouping them under three levels of severity (high, medium and low).
“High-risk defects negatively affect multiple parts of an application,” said Zahiri. “Many of these cause unexpected behavior throughout the application and alter the application’s memory management. Medium-level concerns are often performance dampeners. These defects allow the application to run, but at less-than-optimal speeds. And lastly, there are the low priorities — these are usually warning tags or artifacts in the code. Sometimes low-priority defects can be left alone, as the cost to resolve them doesn’t reflect a true positive return on the investment and they normally don’t hurt the application enough to matter.”
Defect Impact is broken into two features: a static analysis tool that supports applications built with C++, C# and Java, and a dynamic analysis tool, which currently only supports Java.
Static analysis uses map checkers, which seek out common areas where defects occur and search for problems; this is the primary way that risks are assessed in the final report generated by the tool. Dynamic analysis, which, again, is only for Java at press time, looks for concurrency issues and lockups in the user interface.
According to Zahiri, Coverity’s closest competitor is Klocwork, which he says is a similar offering that is priced and marketed very differently. Zahiri also admits that Coverity has crossed paths with Polyspace and Parasoft from time to time.
For more information on Coverity check out these articles:
Coverity introduces build analysis tool, new Integrity Center (Apr. 14, 2009)
Coverity this week announced a new software build analysis product along with the bundling of all its software analysis products into one offering called the Coverity Integrity Center.
Coverity releases open source application architecture diagrams (Feb. 17, 2009)
Coverity’s new Scan library of open source software project “blueprints” can help software pros shave time off development and testing.
Coverity creates program to enforce code adherence (Nov. 25, 2008)
Coverity introduced Coverity Architecture Analyzer, which validates software architecture and detects potential security vulnerabilities.
Inside information from Coverity points to a large-scale announcement in early July, so stay tuned.