Analyze Source Code For Defects, Security Vulnerabilities
Coverity's flagship product offering is Coverity Prevent, a source code analysis platform targeted to development shops and enterprise IT development departments. Coverity Prevent analyzes source code at compile time, identifying potential code defects, security vulnerabilities, and concurrency issues in the code and providing tools that enable developers to rectify the code issues discovered. The application provides an interface within which the full path to each discovered defect is displayed, source code is displayed (cross-referenced and linked by uses and definitions), and critical attributes of the defect are inlined within the source code.
Flavors of Coverity Prevent are available for use in C/C++, Java, and now C# environments. Platforms supported for C/C++ developers include Windows, Linux, Mac OS X, Solaris, HP-UX and more; with supported compilers including g++, gcc, MS Visual Studio, and Sun C/C++, to name just a few. The vendor states that support for other ANSI C compatible compilers is available on request. Supported Java environments include Windows, Solaris, Mac OS X, and Linux with JDK 1.4+; while the new Coverity Prevent for C# supports Windows XP/2003 machines with Visual Studio 2003/2005/2008.
In brief, Coverity Prevent's methodology is to first generate a "Software DNA" mapping of the application and then apply a series of individual analysis engines against the DNA mapping towards the goal of thoroughly understanding the application's functionality. Analysis engines--including the Path Simulation Engine, the Statistical Engine, and the Boolean Satisfiability (SAT) engine, then utilize the DNA map as a basis for their examinations.
On top of these analysis engines the vendor offers a series of modules dedicated to the identification of defects in three main categories: "Software Quality" (memory errors, logic errors, pointer errors, etc.), "Security Vulnerabilities," and "Concurrency Defects." Additionally, "solvers" designed for use specifically with the SAT engine include the False Path Pruning Solver, which determines if the path to an identified defect is indeed feasible and therefore enables the product to reject those defects which are unfeasible (in an attempt to reduce false-positive reports). Note that not all analysis engines and modules may be available for the C/C++, C# and Java flavors of the product; contact the vendor for further details.
Finally, the Defect Manager is a workflow-enabled tool that assists in the resolution of found defects.
New features in the latest Coverity Prevent release include Vistual Studio Support, C# concurrency defect detection, and support for Win32 concurrency.
Other products from the vendor include Coverity Extend, which is a complementary module to Coverity Prevent C/C++ that provides the ability to define/create custom checks to look for organization-specific code violations; the Coverity Thread Analyzer for Java, a standalone product for Windows (XP/Server 2003), Linux, Solaris, or Mac OS X w/JDK 1.5 that observes Java code as it is executed towards the specific goal of identifying race conditions or deadlocks (Coverity Thread Analyzer for Java can be used in combination with Coverity Prevent); the Coverity Architecture Analyzer, which leverages the DNA mapping technology to create application visualizations, including an architecture map, call graph visualization, and a dependency structure matrix (C/C++ and Java); and the Coverity Software Readiness Manager, a manager's tool that provides detail info such as code complexity, best practice violations, test coverage and more (Java only).
Contact Coverity for further information.
