Hubbry Logo
CoverityCoverityMain
Open search
Coverity
Community hub
Coverity
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Coverity
Coverity
Coverity
View on Wikipedia
from Wikipedia

Coverity is a proprietary static code analysis tool from Black Duck, Inc.[1] This product enables engineers and security teams to find and fix software defects.

Key Information

Coverity started as an independent software company in 2002 at the Computer Systems Laboratory at Stanford University in Palo Alto, California. It was founded by Benjamin Chelf, Andy Chou, David Park, and Seth Hallem with Stanford professor Dawson Engler as a technical adviser. The headquarters was moved to San Francisco. In June 2008, Coverity acquired Solidware Technologies.[2] In February 2014, Coverity announced an agreement to be acquired by Synopsys, an electronic design automation company, for $375M in cash.[3]

Products

[edit]

Coverity is a static code analysis tool for C, C++, C#, Java, JavaScript, PHP, Python, .NET, ASP.NET, Objective-C, Go, JSP, Ruby, Swift, Fortran, Scala, VB.NET, and TypeScript. It also supports more than 70 different frameworks for Java, JavaScript, C# and other languages.[4]

Coverity Scan is a free static-analysis cloud-based service for the open source community.

Applications

[edit]

Under a United States Department of Homeland Security contract in 2006, the tool was used to examine over 150 open source applications for bugs; 6000 bugs found by the scan were fixed across 53 projects.[5]

National Highway Traffic Safety Administration used the tool in its 2010-2011 investigation into reports of sudden unintended acceleration in Toyota vehicles.[6][7] The tool was used by CERN on the software employed in the Large Hadron Collider[8][9] and in the NASA Jet Propulsion Laboratory during the flight software development of the Mars rover Curiosity.[10]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Coverity

View on Grokipedia
from Grokipedia
Coverity is a static analysis tool that performs scalable (SAST) to detect software defects, vulnerabilities, and quality issues in across enterprise-scale codebases. It supports analysis in 22 programming languages, over 200 frameworks, and infrastructure-as-code platforms, enabling developers and teams to identify complex issues early in the development lifecycle while ensuring compliance with industry standards such as CWE and MISRA. Coverity originated from academic research on static bug-finding techniques at Stanford University and was commercialized in 2002 by a startup focused on analyzing large software systems for generic errors like memory corruption and data races. The tool gained widespread adoption through Coverity Scan, a free service for open-source projects launched in partnership with the U.S. Department of Homeland Security, which by 2009 had analyzed approximately 60 million lines of code from over 280 open source projects. In 2014, Coverity was acquired by Synopsys Inc. for approximately $375 million, integrating it into Synopsys' software integrity portfolio to enhance code quality and security testing for semiconductor and systems design. As of October 2024, Coverity became part of Black Duck Software following the $2.1 billion acquisition of ' Software Integrity Group by Group and , rebranding the business as an independent entity dedicated to solutions. Key features include high-accuracy, flow-sensitive analysis that minimizes false positives, automation via integrations with IDEs, SCM systems, and pipelines, and the ability to handle massive codebases without requiring build modifications. Widely used in industries like , automotive, and , Coverity has analyzed billions of lines of code, reducing project risks and accelerating secure software delivery.

History

Founding and Early Development

Coverity was founded on November 8, 2002, in by researchers Benjamin Chelf, Andy Chou, David Park, and Seth Hallem, with technical guidance from professor Dawson Engler. The company's origins trace back to DARPA-funded research at Stanford's Computer Systems Laboratory between 1999 and 2002, which developed advanced static analysis methods to detect bugs and rule violations in C and C++ code. From its inception, Coverity focused on scalable static analysis for large, complex codebases, enabling the detection of defects such as memory leaks and null pointer dereferences without requiring extensive manual configuration. This approach was particularly suited to mission-critical software, with early adoption by NASA to analyze flight software for the Curiosity rover as part of the Mars Science Laboratory mission, where it helped identify issues in millions of lines of code. Operating initially as Coverity Inc. with bootstrapped funding, the company prioritized commercializing these academic innovations for enterprise-scale applications, analyzing billions of lines of code across industries by the late 2000s. A pivotal early formed in 2006 with the U.S. Department of , launching a public-private initiative to scan over 150 open-source projects—totaling more than 40 million lines of code—and identify around 6,000 defects, many of which were subsequently fixed to bolster security.

Acquisitions and Ownership Changes

In March 2014, , Inc. acquired Coverity for approximately $375 million, or $350 million net of cash acquired, marking the company's entry into the and market and integrating Coverity's static tools into ' broader software integrity portfolio. This acquisition enabled enhanced collaboration between Coverity's engineering team and ' resources, leading to improvements in the Coverity platform's static application testing capabilities, such as better defect detection and vulnerability identification for mission-critical software. The move positioned Coverity to leverage ' expertise in and , expanding its reach in complex software environments. In December 2017, further strengthened its software integrity offerings by acquiring Black Duck Software for approximately $547 million net of cash acquired, which specialized in open source security and management solutions. This transaction complemented Coverity's static analysis engine by incorporating Black Duck's tools for scanning and managing open source components, thereby broadening Coverity's applicability to software supply chains that increasingly rely on third-party code. The integration facilitated a more comprehensive product roadmap, allowing Coverity users to address both proprietary and open source risks within a unified platform. In May 2024, announced an agreement to sell its entire Software Integrity Group—which included Coverity and Black Duck—to firms Group and in a transaction valued at up to $2.1 billion, subject to performance-based earn-outs. Following the completion of the deal on October 1, 2024, the group was rebranded as Black Duck Software, Inc., operating as an independent entity focused on solutions. This ownership change allowed Black Duck Software to pursue an accelerated roadmap tailored to evolving needs, with Coverity continuing as a core static analysis offering under the new structure.

Technology

Core Static Analysis Engine

The Core Static Analysis Engine of Coverity is a proprietary system that employs and to examine without executing it, enabling the detection of defects across multiple programming languages including C/C++, , C#, , Python, and . models program states through an abstract store that maps variables to abstract values, while tracks state transitions along execution paths, incorporating flow-sensitive properties, path pruning for infeasible routes, and state merging to handle loops. This architecture processes code by parsing, type-checking, and constructing abstract syntax trees, followed by interprocedural analysis that links translation units and instantiates templates for comprehensive coverage. Designed for enterprise-scale deployments, the engine scales to analyze millions or even billions of lines of code in large codebases, as demonstrated by its application to over a billion lines across hundreds of customers and scans of open-source projects exceeding 450 million lines. It achieves low false positive rates—typically below 20%—through context-sensitive techniques that consider calling contexts, variable scopes, and execution paths to refine defect predictions and reduce noise. The engine integrates build capture mechanisms, such as the cov-build tool, to intercept and record compilation commands and intermediate representations during the build process, ensuring accurate modeling of dependencies and configurations without altering the original build environment. Modeling techniques simulate code behavior using abstract domains tailored to specific properties, such as tracking resource states (e.g., file handles) or pointer values, to identify defects including memory leaks, null pointer dereferences, and resource mismanagement. Originating from DARPA-funded research at in the late 1990s, where a analyzed the and uncovered thousands of defects, the engine has evolved into a hybrid approach combining with path-sensitive traversals and elements for enhanced precision in modern software ecosystems.

Detection Methods and Algorithms

Coverity utilizes path-sensitive analysis to precisely track the states of variables and data flows across multiple execution paths in a program, enabling the detection of defects that may only manifest under specific conditions. This approach involves constructing an exploded graph, where each node represents a symbolic program state, allowing the tool to explore feasible paths while pruning infeasible ones to mitigate the path explosion problem inherent in exhaustive analysis. By modeling program behavior symbolically, Coverity simulates execution without concrete inputs, computing constraints on variables to identify anomalies such as dereferences or buffer overflows along relevant paths. The tool's detection capabilities are organized around a taxonomy of over 20 checker categories, each targeting distinct classes of software defects and mapping to (CWE) identifiers for standardized vulnerability classification. Key categories include memory corruption (e.g., use-after-free, CWE-416), resource leaks (e.g., unclosed files or sockets, CWE-404), concurrency issues (e.g., race conditions and deadlocks, CWE-362), and security vulnerabilities (e.g., or , CWE-89 and CWE-79). Additional categories cover misuse, overflows, null dereferences, and build-related errors, with hundreds of individual checkers operating cooperatively to build the exploded graph and enforce category-specific rules. This structured taxonomy ensures comprehensive coverage of critical defect types while facilitating targeted remediation efforts. To minimize false positives, Coverity incorporates triage rules that leverage developer annotations and contextual heuristics during , achieving rates below 20% for mature checkers through techniques like false path elimination and on coding patterns. This evolution enhances precision by focusing on high-confidence defects, such as interprocedural interactions where function calls propagate tainted data across modules. Interprocedural further refines detection by generating context-sensitive summaries of function behaviors, enabling accurate modeling of complex dependencies without full re-analysis of callers.

Products and Services

Coverity Analysis

Coverity Analysis is the flagship commercial (SAST) tool developed by Coverity, now part of Duck Software, designed for enterprises to detect defects and vulnerabilities in proprietary codebases. It enables organizations to perform deep, accurate analysis on complex software projects, supporting scalable deployment for secure lifecycle (SDLC) integration. The tool offers flexible deployment options, including on-premises installations for and cloud-based Scan Service for elastic scaling, allowing seamless incorporation into pipelines for automated analysis of closed-source code. Integration typically involves configuring jobs to run during build and test phases, with options for incremental analysis to avoid blocking pipelines or comprehensive scans for thorough checks. Setup and usage follow a structured : developers or CI systems first capture the build using the cov-build command, which intercepts invocations to record code structure and data flow without altering the original build process, followed by execution of cov-analyze to apply and generate defect reports. This process supports over 20 programming languages, including C/C++, , Python, and , along with more than 200 frameworks and infrastructure-as-code platforms, ensuring broad applicability across enterprise environments. Licensing for Coverity Analysis operates on a lines-of-code (LOC) model, where usage is restricted by the aggregate number of lines in the analyzed , providing for large projects while including enterprise-grade features such as policy enforcement to mandate coding standards and compliance tracking across development teams. Following its acquisition by Clearlake Capital Group and Francisco Partners in late 2024 and subsequent rebranding as Black Duck Software, Coverity Analysis has seen updates enhancing DevSecOps capabilities, including default activation of security checkers in the CLI for faster pipeline integration and improved support via the Black Duck Bridge CLI for embedding full analysis into automated workflows. This contrasts with the free Coverity Scan service, which targets open-source projects without enterprise policy controls.

Coverity Scan

Coverity Scan is a free static code analysis service designed specifically for projects, enabling developers to identify and fix defects in their public repositories without cost. Launched on March 6, 2006, as part of a public-private partnership involving Coverity, , and the U.S. Department of (DHS), the service aimed to improve the security and quality of open-source code by providing automated scans that detect vulnerabilities and bugs early in the development process. This initiative stemmed from DHS's broader efforts to assess and enhance the reliability of open-source applications used in government and . The service performs analysis on code from public repositories, focusing on a limited set of programming languages including , C/C++, C#, , , and Python, to ensure compatibility with common open-source ecosystems. Developers submit their builds via a web interface, and the resulting defect reports are accessible through an online that highlights issues such as memory leaks, dereferences, and security flaws, complete with code snippets and remediation guidance. This approach allows for quick integration into pipelines, though the free tier imposes restrictions like scan frequency limits and no support for custom configurations available in paid versions. In contrast to the commercial Coverity product, which provides enterprise-scale scalability and advanced integrations, Coverity Scan prioritizes accessibility for the open-source community. Over its history, Coverity Scan has analyzed code from more than 9,500 open-source projects, encompassing billions of lines of code and benefiting over 53,000 developers worldwide. Notable participants include the Linux kernel, where regular scans have helped identify and resolve high-impact defects, and various Apache Software Foundation projects such as Hadoop and HTTP Server, contributing to measurable improvements in code quality metrics like defect density. These analyses have produced annual reports demonstrating trends in open-source software reliability, such as declining defect rates over time. Following Synopsys's divestiture of its Software Integrity Group, Coverity Scan transitioned to management under Black Duck Software in October 2024, ensuring continued free access for open-source users while aligning with Black Duck's focus on software security and composition analysis. As of 2025, the service remains operational with periodic tool upgrades to enhance defect detection capabilities, fostering ongoing community impact by democratizing access to professional-grade static analysis.

Features and Capabilities

Security and Quality Checks

Coverity's static analysis engine performs comprehensive security checks by detecting vulnerabilities aligned with the Top 10 and CWE categories, focusing on common web application risks. For instance, it identifies injection flaws such as SQL, , OS command, and LDAP injections originating from untrusted data sources across languages including C/C++, , Python, and . Buffer overflows are detected through memory corruption analysis, preventing potential crashes or exploits from overrun conditions in arrays or buffers. misuse is addressed via specialized checkers that flag incorrect usage of libraries and configurations, such as improper handling of cryptographic APIs or vulnerable settings in code. In addition to security vulnerabilities, Coverity conducts quality checks to enhance code reliability and maintainability. These include detection of —unreachable or unused code segments that can complicate maintenance—and unused variables, which represent redundant assignments that may indicate logical errors. Other reliability issues targeted encompass resource leaks, dereferences, and anomalies, all of which contribute to robust software behavior. While not exhaustive for dynamic performance profiling, these checks can reveal static indicators of bottlenecks, such as inefficient expressions or self-assignments that degrade efficiency. Defects are classified by severity levels—Very High, High, Medium, Low, and Very Low—based on potential impact, likelihood, and technical consequences like data modification or . Each issue includes an impact score and remediation guidance, such as suggested code fixes or best practices, to prioritize fixes effectively; for example, High-severity buffer overflows receive detailed traces linking the flaw to exploitable paths. Informational issues, which are non-critical, are also flagged for completeness. Coverity supports compliance with industry standards through dedicated checkers and reports. It evaluates adherence to MISRA guidelines for automotive and embedded systems, CERT secure coding standards to mitigate C/C++ vulnerabilities, and PCI-DSS requirements for protecting cardholder data by scanning for related security misconfigurations. These features enable organizations to generate compliance reports that map detected issues to specific rules, facilitating audits and regulatory alignment.

Integration and Reporting Tools

Coverity provides seamless integration with popular integrated development environments (IDEs) through dedicated plugins, enabling developers to perform static analysis directly within their workflows. For instance, the Coverity Desktop plugin supports , allowing users to configure and run analyses from the IDE's toolbar while viewing results in integrated views. Similarly, plugins for and facilitate on-the-fly scanning of compiled and scripted languages, with setup options for project-specific configurations. Additional support extends to and , where the plugin enables issue triaging and configuration editing without leaving the editor. To embed Coverity into continuous integration/continuous deployment (CI/CD) pipelines, official plugins and extensions are available for key tools. The Black Duck Security Scan Plugin for Jenkins automates Coverity static analysis within Jenkins builds, supporting scans and integration with Coverity Connect servers. For GitHub Actions, integrations leverage both GitHub-hosted and self-hosted runners to trigger scans, with workflows that download tools, perform builds, and commit defects programmatically. In Azure DevOps, the Coverity on Polaris extension automates scans in pipelines, allowing users to view results, manage projects, and configure build failures based on policy thresholds. These integrations ensure that defect detection occurs early in the development cycle, with options to break builds or generate alerts. Coverity's reporting capabilities center on interactive dashboards and customizable visualizations within the Coverity Connect platform, providing teams with actionable insights into code quality. Dashboards display Quality and Security charts that aggregate metrics such as defect counts, severity distributions, and compliance status, updated in real-time as analyses complete. Trend analysis tools track changes over time, including defect density and resolution rates, through configurable Trend views that plot data by commit history or custom hierarchies like ownership. Users can create and share trend reports via the Policy Manager, focusing on key performance indicators to monitor progress and identify persistent issues across releases. For automation and advanced workflows, Coverity exposes a REST that supports programmatic access to and management functions. The enables querying defects, updating statuses, and applying suppressions or waivers to individual issues or streams, facilitating bulk operations in environments. workflows allow assigning owners, adding comments, and linking external references, with history tracked for audit purposes; suppression mechanisms prevent false positives from recurring in future scans. Post-scan reporting outputs results in multiple formats to suit diverse needs, including detailed root-cause traces that map defects back to paths. HTML reports, generated via the cov-format-errors command, produce static pages for web-based review of issues with hyperlinks to snippets. PDF formats, such as the Coverity Integrity Report and Security Report, offer executive summaries with charts on defect trends and compliance, ideal for stakeholder presentations. XML exports from views enable integration with external tools, providing structured for custom parsing or automated processing.

Adoption and Applications

Industry Use Cases

Coverity plays a pivotal role in the automotive industry, where it is employed to analyze safety-critical codebases and ensure compliance with functional safety standards like ISO 26262. This standard governs the development of electrical and electronic systems in road vehicles, requiring rigorous verification to mitigate risks in software that controls braking, engine management, and advanced driver-assistance systems. Coverity's qualification kit enables organizations to qualify their static analysis processes as part of the overall software development lifecycle, supporting the certification of tools for ASIL (Automotive Safety Integrity Level) classifications from A to D. For instance, Synopsys has obtained ISO 26262 certification for Coverity and its companion tool Test Advisor, allowing their use in developing safety-critical automotive software that meets international safety requirements. By enforcing coding standards such as MISRA and detecting defects early, Coverity helps automotive developers reduce the likelihood of software faults that could lead to hazardous failures, thereby enhancing vehicle reliability and accelerating time-to-market for compliant systems. In the financial sector, Coverity supports the development of secure transaction systems by integrating into compliance frameworks like PCI DSS, which mandates protections for cardholder data and secure network architectures. Financial institutions use Coverity to perform static analysis on code handling payments, , and data encryption, identifying vulnerabilities such as injection flaws or buffer overflows that could expose sensitive information. This proactive approach aligns with PCI DSS requirements for programs and strong access controls, enabling developers to remediate issues before they propagate to production environments. Coverity's low false-positive rate ensures efficient workflows, allowing finance teams to maintain high code quality while meeting regulatory demands for secure, resilient . Aerospace applications of Coverity emphasize mission software reliability, with notable historical and ongoing use by NASA and its contractors. Since its early adoption, NASA has leveraged Coverity for static analysis of flight software, as demonstrated in the verification of control code for the Mars Science Laboratory's Curiosity rover, where it helped detect and resolve potential defects to ensure operational dependability in harsh extraterrestrial conditions. This usage extends to broader mission-critical systems, where Coverity's precision analysis minimizes risks in embedded software for spacecraft navigation, telemetry, and autonomy. NASA contractors continue to incorporate Coverity as a standard deliverable to verify code quality and security, integrating it into development pipelines to uphold rigorous standards for reliability in high-stakes environments. Coverity enables shift-left security practices within workflows, embedding static analysis early in the lifecycle to detect and address vulnerabilities before they reach deployment stages. By integrating with pipelines via tools like Coverity Analysis, teams can automate scans during code commits or builds, fostering a "" culture that reduces remediation costs and accelerates release cycles. Case studies illustrate how this approach significantly lowers the volume of defects and issues in production, with organizations reporting substantial improvements in overall through timely interventions.

Notable Users and Implementations

has utilized Coverity Static Analysis to enhance the security of its processes, particularly for and C/C++ codebases within its product ecosystem. Since integrating the tool around 2014-2015, SAP has made (SAST) mandatory across all products, embedding Coverity into its secure development lifecycle (SDL) to detect defects early and reduce vulnerabilities. This integration has allowed development teams to perform regular code scans, contributing to improved code quality and risk mitigation in large-scale environments where constitutes about 30% of the codebase. Google has leveraged Coverity for security scans on the Android operating system codebase, with notable implementations through the Coverity Scan service analyzing open-source components. In a 2010 analysis of the Android kernel, Coverity identified 359 defects, including 88 high-risk issues that could lead to security vulnerabilities, demonstrating the tool's role in uncovering potential flaws in mobile software. Ongoing scans via Coverity Scan continue to support defect detection in Android-related projects, aiding in annual improvements to code integrity. Microsoft supports Coverity integration within its Azure DevOps pipelines, enabling teams to incorporate static analysis for components in Windows and Azure environments to identify and remediate defects before deployment. Adoption of such tools has been studied by Microsoft researchers, revealing that developers typically address Coverity alerts with simple fixes averaging 4 lines of code, which helps reduce defect escape rates in production software. This approach aligns with broader efforts to enhance and quality in and OS development. In open-source projects, Coverity Scan has driven significant contributions, particularly in the , where regular analyses report defects that developers prioritize for fixes. For instance, the tool's scans have led to hundreds of patches addressing issues like memory leaks and dereferences, improving kernel stability and security; contributors often start with Coverity-reported defects as an accessible entry point to kernel development. This has resulted in thousands of defects identified and resolved over the years across the ecosystem.

References

  1. https://www.blackduck.com/static-analysis-tools-sast/coverity.html
  2. https://cacm.acm.org/research/a-few-billion-lines-of-code-later/
  3. https://www.theregister.com/2009/09/25/open_source_code_audit/
  4. https://www.prnewswire.com/news-releases/synopsys-completes-coverity-acquisition-252230471.html
  5. https://www.prnewswire.com/news-releases/clearlake-and-francisco-partners-complete-acquisition-of-black-duck-software-formerly-known-as-synopsys-software-integrity-group-302264926.html
  6. https://www.bloomberg.com/profile/company/2832205Z:US
  7. https://www.sramanamitra.com/2009/05/20/deal-radar-2009-coverity/
  8. https://dl.acm.org/doi/10.1145/1646353.1646374
  9. https://www.scientific-computing.com/news/coverity-tests-curiosity-rovers-control-software
  10. https://www.prnewswire.com/news-releases/coverity-scan-open-source-report-shows-commercial-code-is-more-compliant-to-security-standards-than-open-source-code-300120322.html
  11. https://www.securityweek.com/synopsys-acquire-coverity-375-million/
  12. https://www.eweek.com/security/synopsys-improves-coverity-static-application-security-testing/
  13. https://www.sec.gov/Archives/edgar/data/883241/000119312514059008/d677869dex991.htm
  14. https://news.blackduck.com/2017-12-11-Synopsys-Completes-Acquisition-of-Black-Duck-Software
  15. https://investor.synopsys.com/news/news-details/2017/News-Release-Synopsys-Synopsys-to-Enhance-Software-Integrity-Platform-with-Acquisition-of-Black-Duck-Software-11-02-2017/default.aspx
  16. https://www.eweek.com/security/synopsys-to-acquire-black-duck-for-565m-to-boost-software-integrity/
  17. https://investor.synopsys.com/news/news-details/2024/Synopsys-Enters-Definitive-Agreement-to-Sell-its-Software-Integrity-Business-to-Clearlake-Capital-and-Francisco-Partners/default.aspx
  18. https://news.blackduck.com/2024-10-01-Introducing-Black-Duck-Software-The-Leader-in-Application-Security-Has-a-New-Name
  19. https://scan.coverity.com/
  20. https://documentation.blackduck.com/bundle/coverity-docs-2025.9/page/extend-sdk/topics/introduction_extend_sdk.html
  21. https://documentation.blackduck.com/bundle/coverity-docs-2023.6/page/extend-sdk/topics/abstract_interpretation.html
  22. https://web.stanford.edu/~engler/BLOC-coverity.pdf
  23. https://www.helpnetsecurity.com/2013/05/07/analyzing-450-million-lines-of-software-code/
  24. https://www.cs.cmu.edu/~aldrich/courses/654/tools/cure-coverity-06.pdf
  25. https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-analysis/topics/build_capture_for_compiled_languages.html
  26. https://www.eetimes.com/software-debugging-drives-darpa-winner/
  27. https://www.sramanamitra.com/2011/12/01/bootstrapping-to-25m-then-raising-23m-series-a-coverity-cofounder-andy-chou-part-1/
  28. https://documentation.blackduck.com/bundle/coverity-on-polaris/page/topics/c_understanding-coverity.html
  29. https://www.synopsys.com/software-integrity/static-analysis-tools-sast/owasp-mobile-top10.html
  30. https://sig-synopsys.my.site.com/community/s/article/Issue-Categorization-Types-Corresponding-CWE-IDs
  31. https://www.cs.columbia.edu/~junfeng/18sp-e6121/papers/coverity.pdf
  32. https://www.synopsys.com/software-integrity/static-analysis-tools-sast/coverity.html
  33. https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-analysis/topics/running_analysis_as_part_of_a_cicd_pipeline.html
  34. https://documentation.blackduck.com/bundle/coverity-docs-2025.9/page/cnc/topics/requirements-coverity-license.html
  35. https://documentation.blackduck.com/bundle/coverity-docs/page/commands/topics/cov-analyze.html
  36. https://documentation.blackduck.com/bundle/coverity-docs/page/deploy-install-guide/topics/supported_languages%2C_compilers%2C_and_frameworks_for_coverity_analysis.html
  37. https://www.blackduck.com/company/legal/license-types.html
  38. https://documentation.blackduck.com/bundle/coverity-docs-2025.6/page/deploy-install-guide/topics/coverity_analysis_license_options.html
  39. https://news.blackduck.com/2024-05-06-Synopsys-Enters-Definitive-Agreement-to-Sell-its-Software-Integrity-Business-to-Clearlake-Capital-and-Francisco-Partners
  40. https://www.prnewswire.com/news-releases/introducing-black-duck-software-the-leader-in-application-security-has-a-new-name-302263912.html
  41. https://sig-synopsys.my.site.com/community/s/question/0D5Uh00000IDnzyKAD/announcement-coverity-202490-release-is-now-available
  42. https://documentation.blackduck.com/bundle/coverity-docs/page/upgrade-guide/topics/upgrade_considerations_for_2024_12.html
  43. https://scan.coverity.com/faq
  44. https://www.prnewswire.com/news-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-software-quality-better-than-industry-average-for-second-consecutive-year-206406281.html
  45. https://www.washingtontechnology.com/2006/01/dhs-procures-testing-service-for-open-source-apps/352001/
  46. https://scan.coverity.com/projects/linux
  47. https://news.blackduck.com/2014-04-15-Coverity-Scan-Report-Finds-Open-Source-Software-Quality-Outpaces-Proprietary-Code-for-the-First-Time
  48. https://www.franciscopartners.com/media/clearlake-and-francisco-partners-complete-acquisition-of-black-duck-software-formerly-known-as-synopsys-software-integrity-group
  49. https://www.blackduck.com/static-analysis-tools-sast/owasp-top10.html
  50. https://scan.coverity.com/o/oss_success_stories
  51. https://phasepacific.com/wp-content/uploads/2021/10/SAST-Coverity-datasheet.pdf
  52. https://indico.cern.ch/event/250021/contributions/1574118/attachments/432964/600879/Coverity_Valgrind.pdf
  53. https://popl.mpi-sws.org/2014/andy.pdf
  54. https://documentation.blackduck.com/bundle/coverity-docs/page/reports/security/coverity_security_report.html
  55. https://www.it-cisq.org/wp-content/uploads/sites/6/2022/09/Coverity-Static-Analysis.pdf
  56. https://documentation.blackduck.com/bundle/coverity-docs/page/reports/misra/misra_report.html
  57. https://documentation.blackduck.com/bundle/coverity-docs/page/reports/cert/coverity_cert_report_guide.html
  58. https://documentation.blackduck.com/bundle/coverity-docs/page/reports/pci-dss/coverity_pci_dss.html
  59. https://www.blackduck.com/content/dam/black-duck/en-us/datasheets/coverity-pci-dss-ds.pdf
  60. https://sig-product-docs.synopsys.com/bundle/coverity-docs-2023.6/page/deploy-install-guide/topics/installing_coverity_desktop_for_eclipse%2C_wind_river_workbench%2C_qnx_momentics%2C_and_ibm_rtc.html
  61. https://sig-product-docs.synopsys.com/bundle/codesight_latest-2023.9.0/page/topics/installation_guides/vscode/r_code_sight_vscode_enable_scans.html
  62. https://sig-product-docs.synopsys.com/bundle/coverity-docs/page/webhelp-files/vs_start-vs.html
  63. https://sig-product-docs.synopsys.com/bundle/coverity-docs-2023.3/page/upgrade-guide/topics/upgrading_coverity_desktop_for_visual_studio.html
  64. https://documentation.blackduck.com/bundle/bridge/page/documentation/c_using-jenkins-plugin.html
  65. https://community.blackduck.com/s/article/Coverity-Integrations-GitHub-with-GitHub-Hosted-Runners
  66. https://marketplace.visualstudio.com/items?itemName=blackduck.blackduck-coverity-on-polaris
  67. https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-platform/topics/dashboards.html
  68. https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-platform/topics/view_trends.html
  69. https://documentation.blackduck.com/bundle/coverity-docs-2024.9/page/coverity-platform/topics/setting_up_coverity_policy_manager_trend_reports.html
  70. https://documentation.blackduck.com/bundle/coverity-docs-2025.6/page/cim-api-docs/openapi/cim-openapi.html
  71. https://sig-synopsys.my.site.com/community/s/article/Is-there-any-API-that-could-modify-the-triage-value-of-a-CID-in-a-specified-triage-store
  72. https://sig-synopsys.my.site.com/community/s/article/Ways-to-view-Coverity-Defects
  73. https://documentation.blackduck.com/bundle/coverity-docs/page/coverity-platform/topics/export_xml.html
  74. https://www.prnewswire.com/news-releases/synopsys-expands-software-integrity-strategy-to-enable-development-of-safer-and-more-secure-automotive-software-300272701.html
  75. https://www.blackduck.com/content/dam/black-duck/en-us/datasheets/ds-coverity-qualification-kit.pdf
  76. https://phasepacific.com/coverity-sast/
  77. https://sig-product-docs.synopsys.com/ja-JP/bundle/coverity-docs-2023.3/page/help-center/topics/using_coverity_to_differentiate_your_product_in_the_marketplace.html
  78. https://news.blackduck.com/2021-07-27-Synopsys-Advances-Application-Security-Testing-for-Developers-with-Rapid-Scan
  79. https://logicalhacking.com/publications/talk-brucker.ea-sast-expierences-2014/talk-brucker.ea-sast-expierences-2014.pdf
  80. https://www.youtube.com/watch?v=CFD6hxF8BmM
  81. https://www.prnewswire.com/news-releases/coverity-scan-2010-open-source-integrity-report-reveals-high-risk-software-flaws-in-android-106513923.html
  82. https://www.microsoft.com/en-us/research/publication/how-do-developers-act-on-static-analysis-alerts-an-empirical-study-of-coverity-usage/
  83. https://marketplace.visualstudio.com/items?itemName=synopsys-coverity.synopsys-coverity-azure-devops
  84. https://embeddedor.com/blog/2024/09/28/one-simple-and-rewarding-way-to-contribute-to-the-linux-kernel-fix-coverity-issues/
Add your contribution
Related Hubs
User Avatar
No comments yet.