Coverity

Last updated
Coverity, Inc. - A Synopsys Company
Company type Public
Industry Security testing, static program analysis, software development
FoundedNovember 2002 (2002-11)
FateAcquired by Synopsys in 2014
Headquartersformerly San Francisco, California
Key people
Jason Schmitt (current GM)
ProductsCoverity Code Advisor, Coverity Code Advisor on Demand, Coverity Scan, Coverity Test Advisor, Seeker
Number of employees
250+
Parent Synopsys, Inc.
Website synopsys.com/software-integrity.html

Coverity is a proprietary static code analysis tool from Synopsys. This product enables engineers and security teams to find and fix software defects.

Contents

Coverity started as an independent software company in 2002 at the Computer Systems Laboratory at Stanford University in Palo Alto, California. It was founded by Benjamin Chelf, Andy Chou, David Park, and Seth Hallem with Stanford professor Dawson Engler as a technical adviser. The headquarters was moved to San Francisco. In June 2008, Coverity acquired Solidware Technologies. [1] In February 2014, Coverity announced an agreement to be acquired by Synopsys, an electronic design automation company, for $375M in cash. [2]

Products

Coverity is a static code analysis tool for C, C++, C#, Java, JavaScript, PHP, Python, .NET, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, and TypeScript. It also supports more than 70 different frameworks for Java, JavaScript, C# and other languages. [3]

Coverity Scan is a free static-analysis cloud-based service for the open source community.

Applications

Under a United States Department of Homeland Security contract in 2006, the tool was used to examine over 150 open source applications for bugs; 6000 bugs found by the scan were fixed across 53 projects. [4]

National Highway Traffic Safety Administration used the tool in its 2010-2011 investigation into reports of sudden unintended acceleration in Toyota vehicles. [5] [6] The tool was used by CERN on the software employed in the Large Hadron Collider [7] [8] and in the NASA Jet Propulsion Laboratory during the flight software development of the Mars rover Curiosity. [9]

Related Research Articles

Lint is the computer science term for a static code analysis tool used to flag programming errors, bugs, stylistic errors and suspicious constructs. The term originates from a Unix utility that examined C language source code. A program which performs this function is also known as a "linter".

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

A programming tool or software development tool is a computer program that software developers use to create, debug, maintain, or otherwise support other programs and applications. The term usually refers to relatively simple programs, that can be combined to accomplish a task, much as one might use multiple hands to fix a physical object. The most basic tools are a source code editor and a compiler or interpreter, which are used ubiquitously and continuously. Other tools are used more or less depending on the language, development methodology, and individual engineer, often used for a discrete task, like a debugger or profiler. Tools may be discrete programs, executed separately – often from the command line – or may be parts of a single large program, called an integrated development environment (IDE). In many cases, particularly for simpler use, simple ad hoc techniques are used instead of a tool, such as print debugging instead of using a debugger, manual timing instead of a profiler, or tracking bugs in a text file or spreadsheet instead of a bug tracking system.

<span class="mw-page-title-main">Synopsys</span> American software company

Synopsys, Inc. is an American electronic design automation (EDA) company headquartered in Sunnyvale, California, that focuses on silicon design and verification, silicon intellectual property and software security and quality. Synopsys supplies tools and services to the semiconductor design and manufacturing industry. Products include tools for logic synthesis and physical design of integrated circuits, simulators for development, and debugging environments that assist in the design of the logic for chips and computer systems. As of 2023, the company is a component of both the Nasdaq-100 and S&P 500 indices.

<span class="mw-page-title-main">ROOT</span> Data analysis software

ROOT is an object-oriented computer program and library developed by CERN. It was originally designed for particle physics data analysis and contains several features specific to the field, but it is also used in other applications such as astronomy and data mining. The latest minor release is 6.32, as of 2024-05-26.

In the context of software engineering, software quality refers to two related but distinct notions:

Dynamic program analysis is the act of analyzing software that involves executing a program – as opposed to static program analysis, which does not execute it.

Klocwork is a static code analysis tool owned by Minneapolis, Minnesota-based software developer Perforce. Klocwork software analyzes source code in real time, simplifies peer code reviews, and extends the life of complex software.

Coding conventions are a set of guidelines for a specific programming language that recommend programming style, practices, and methods for each aspect of a program written in that language. These conventions usually cover file organization, indentation, comments, declarations, statements, white space, naming conventions, programming practices, programming principles, programming rules of thumb, architectural best practices, etc. These are guidelines for software structural quality. Software programmers are highly recommended to follow these guidelines to help improve the readability of their source code and make software maintenance easier. Coding conventions are only applicable to the human maintainers and peer reviewers of a software project. Conventions may be formalized in a documented set of rules that an entire team or company follows, or may be as informal as the habitual coding practices of an individual. Coding conventions are not enforced by compilers.

<span class="mw-page-title-main">Yasca</span>

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS to scan specific file types, and also contains many custom scanners developed for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite, and other formats. It is listed as an inactive project at the well-known OWASP security project, and also in a government software security tools review at the U.S Department of Homeland Security web site.

<span class="mw-page-title-main">Red Lizard Software</span>

Red Lizard Software was a privately held software vendor for static analysis tools. The company was founded in 2009 as a spinout from the Australia research centre NICTA. It was headquartered in Sydney, Australia. In December 2015, the company was acquired by Synopsys and merged into the Coverity product line.

<span class="mw-page-title-main">SonarQube</span> Open-source platform for continuous inspection of code quality

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on 29 programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security recommendations.

Polyspace is a static code analysis tool for large-scale analysis by abstract interpretation to detect, or prove the absence of, certain run-time errors in source code for the C, C++, and Ada programming languages. The tool also checks source code for adherence to appropriate code standards.

Cppcheck is a static code analysis tool for the C and C++ programming languages. It is a versatile tool that can check non-standard code. The creator and lead developer is Daniel Marjamäki.

The Power of 10 Rules were created in 2006 by Gerard J. Holzmann of the NASA/JPL Laboratory for Reliable Software. The rules are intended to eliminate certain C coding practices which make code difficult to review or statically analyze. These rules are a complement to the MISRA C guidelines and have been incorporated into the greater set of JPL coding standards.

RIPS is a static code analysis software, designed for automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written by Johannes Dahse and released during the Month of PHP Security in May 2010 as open-source software. The open-source version is released under the GNU Lesser General Public License and was maintained until 2013.

CodeSonar is a static code analysis tool from CodeSecure, Inc. CodeSonar is used to find and fix bugs and security vulnerabilities in source and binary code. It performs whole-program, inter-procedural analysis with abstract interpretation on C, C++, C#, Java, as well as x86 and ARM binary executables and libraries. CodeSonar is typically used by teams developing or assessing software to track their quality or security weaknesses. CodeSonar supports Linux, BSD, FreeBSD, NetBSD, MacOS and Windows hosts and embedded operating systems and compilers.

Static application security testing (SAST) is used to secure software by reviewing the source code of the software to identify sources of vulnerabilities. Although the process of statically analyzing the source code has existed as long as computers have existed, the technique spread to security in the late 90s and the first public discussion of SQL injection in 1998 when Web applications integrated new technologies like JavaScript and Flash.

References

  1. Krill, Paul (2008-06-30). "Coverity buys Solidware to boost code analysis". Infoworld.com. Archived from the original on 2008-10-10. Retrieved 2011-01-29.
  2. "Synopsys Enters Software Quality and Security Market with Coverity Acquisition". PR Newswire. 2014-02-19. Retrieved 2014-02-20.
  3. "Coverity Static Analysis Data Sheet" (PDF). Synopsys.com. Retrieved 2019-07-15.
  4. [ "LAMP lights the way in open-source security : News : Security - ZDNet Asia". Archived from the original on June 14, 2009. Retrieved May 4, 2006."LAMP lights the way in open-source security"] – ZDNet
  5. "U.S. Used Key Tools to Examine Toyota Acceleration-Related Software" Archived 2013-05-26 at the Wayback Machine
  6. "Technical Support to the National Highway Traffic Safety Administration on the Reported Toyota Motor Corporation Unintended Acceleration Investigation" Archived 2011-02-13 at the Wayback Machine
  7. "CERN Chooses Coverity to Ensure Accuracy of Large Hadron Collider Software"
  8. "Improving Scientific Research: CERN and Coverity Static Analysis"
  9. "Coverity: Mars Rover Curiosity's 'Space Doctors' On Bug Hunting In Space"