We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"Coverity gives advisory and deviation features, which are some of the parts I liked."
"This solution is easy to use."
"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The most valuable feature of Coverity is the wrapper. We use the wrapper to build the C++ component, then we use the other code analysis to analyze the code to the build object, and then send back the result to the SonarQube server. Additionally, it is a powerful capabilities solution."
"It has the lowest false positives."
"Provides software security, and helps to find potential security bugs or defects."
"The most valuable feature is that there were not a whole lot of false positives, at least on the codebases that I looked at."
"The ability to scan code gives us details of existing and potential vulnerabilities. What really matters for us is to ensure that we are able to catch vulnerabilities ahead of time."
"SonarQube has a lot of value, it reviews the basic coding standards and security vulnerabilities of code that help to reduce issues."
"My focus is mainly on the DevOps pipeline side of things, and from my perspective, the ease of use and configuration is valuable. It is pretty straightforward to take a deployment pipeline or CI/CD pipeline and integrate SonarQube into it."
"The depth features I have found most valuable. You receive a quick comprehensive comparison overview regarding the current release and the last release and what type of depths dependency or duplication should be used. This is going to help you to make a more readable code and have more flexibility for the engineers to understand how things should work when they do not know."
"The product itself has a friendly UI."
"The fact that the solution does security scanning is valuable."
"I like that it has a better dashboard compared to Clockwork. It's also stable."
"We've configured it to run on each commit, providing feedback on our software quality. ]"
"It's enabled us to improve software quality and help us to disseminate best practices."
"We use GitHub and Gitflow, and Coverity does not fit with Gitflow. I have to create a screen for our branches, and it's a pain for developers. It has been difficult to integrate Coverity with our system."
"We'd like it to be faster."
"I would like to see integration with popular IDEs, such as Eclipse."
"Sometimes it's a bit hard to figure out how to use the product’s UI."
"The product should include more customization options. The analytics is not as deep as compared to SonarQube."
"Coverity is far from perfection, and I'm not 100 percent sure it's helping me find what I need to find in my role. We need exactly what we are looking for, i.e. security errors and vulnerabilities. It doesn't seem to be reporting while we are changing our code."
"Its price can be improved. Price is always an issue with Synopsys."
"The solution's user interface and quality gate could be improved."
"The product must improve security analysis."
"There is need for support for the additional languages and ease of use in adding new rules for detecting issues."
"You may need to purchase add-ons to get the useability you desire."
"I have found this solution creates more noise than competitors."
"In the next release, I would like to have notifications because now, it is a bit difficult. I think that's a feature which we could add there and it would benefit the users as well. For every full request, they should be able to see their bugs or vulnerability directly on the surface."
"It requires advanced heuristics to recognize more complex constructs that could be disregarded as issues."
"The software testing tool capability could improve. It does not always integrate well. You have to use a specific plugin and the plugin does not always go in Apple's applications."
"The time it took for me to do the whole process was approximately two hours because I had to download, read the documentation, and do the configurations."
Coverity is ranked 4th in Application Security Testing (AST) with 33 reviews while SonarQube is ranked 1st in Application Security Testing (AST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Application Security Testing (AST) vendors.
We monitor all Application Security Testing (AST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.