We performed a comparison between Coverity and Mend.io based on real PeerSpot user reviews.
Find out in this report how the two Static Application Security Testing (SAST) solutions compare in terms of features, pricing, service and support, ease of deployment, and ROI.
"The feature I find most valuable is that our entire company can publish the analysis results into our central space."
"The app analysis is the most valuable feature as I know other solutions don't have that."
"The most valuable feature is the integration with Jenkins."
"The reporting feature is up to the mark."
"Coverity is quite stable and we haven’t had any issues or any downtime."
"I encountered a bug with Coverity, and I opened a ticket. Support provided me with a workaround. So it's working at the moment, or at least it seems to be."
"The solution effectively identifies bugs in code."
"It is a scalable solution."
"The best feature is that the Mend R&D team does their due diligence for all the vulnerabilities. In case they observe any important or critical vulnerabilities, such as the Log4j-related vulnerability, we usually get a dedicated email from our R&D team saying that this particular vulnerability has been exploited in the world, and we should definitely check our project for this and take corrective actions."
"The dashboard view and the management view are most valuable."
"Its ease of use and good results are the most valuable."
"The license management of WhiteSource was at a good level. As compared to other tools that I have used, its functionality for the licenses for the code libraries was quite good. Its UI was also fine."
"We use a lot of open sources with a variety of containers, and the different open sources come with different licenses. Some come with dual licenses, some are risky and some are not. All our three use cases are equally important to us and we found WhiteSource handles them decently."
"The most valuable feature is the unified JAR to scan for all langs (wss-scanner jar)."
"The inventory management as well as the ability to identify security vulnerabilities has been the most valuable for our business."
"There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it."
"Its price can be improved. Price is always an issue with Synopsys."
"SCM integration is very poor in Coverity."
"We'd like it to be faster."
"The solution's user interface and quality gate could be improved."
"They could improve the usability. For example, how you set things up, even though it's straightforward, it could be still be easier."
"We actually specified several checkers, but we found some checkers had a higher false positive rate. I think this is a problem. Because we have to waste some time is really the issue, because the issue is not an issue. I mean, the tool pauses on an issue, but the same issue is the filter now. Some checkers cannot find some issues, but sometimes they find issues that are not relevant, right, that are not really issues. Some customisation mechanism can be added in the next release so that we can define our own checker. The modelling feature provided by Coverity helps in finding more information for potential issues, but it is not mature enough; it should be mature. A fast testing feature for a security testing campaign can be added as well. So if you correctly integrate it with the training team, maybe you can help us to find more potential issues."
"The tool needs to improve its reporting."
"When I put my code into Coverity for scanning, the code information of the product is in the system. The solution could be improved by providing a SBOM, a software bill of material."
"It would be good if it can do dynamic code analysis. It is not necessarily in that space, but it can do more because we have too many tools. Their partner relationship support is a little bit confusing. They haven't really streamlined the support process when we buy through a reseller. They should improve their process."
"We specifically use this solution within our CI/CD pipelines in Azure DevOps, and we would like to have a gate so that if the score falls below a certain value then we can block the pipeline from running."
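The gate this reviewer asks for can be enforced outside the scanner today, as a pipeline step that reads the scan's findings and fails the job when they breach a policy. The example below is added here for illustration and is not code from Mend.io, Azure DevOps or PeerSpot; the report schema (a `findings` list with `severity` and `cvss` fields), the `Policy` thresholds and the sample report are all assumptions constructed for the example, and a real integration would map the vendor's actual export format onto `load_findings`.

```python
"""Pipeline gate: block the build when scan findings exceed a policy.

Added example, not vendor code. The report schema and thresholds are assumed.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample scanner output. The schema is an assumption for the
# example, not the format any particular SCA/SAST tool emits.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "high", "cvss": 8.1, "component": "lib-a"},
        {"id": "F-2", "severity": "medium", "cvss": 5.3, "component": "lib-b"},
        {"id": "F-3", "severity": "medium", "cvss": 4.0, "component": "lib-c"},
        {"id": "F-4", "severity": "low", "cvss": 3.1, "component": "lib-d"},
    ]
})

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Policy:
    """Thresholds the build must stay within (hypothetical defaults)."""
    max_cvss: float = 7.0  # any single finding with CVSS >= this fails the build
    max_by_severity: dict = field(
        default_factory=lambda: {"critical": 0, "high": 0, "medium": 5}
    )


def load_findings(report_json):
    """Parse the report and normalise each finding; reject malformed input."""
    data = json.loads(report_json)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' list")
    out = []
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITIES:
            raise ValueError(f"finding {f.get('id')} has unknown severity {sev!r}")
        out.append({
            "id": f.get("id", "?"),
            "severity": sev,
            "cvss": float(f.get("cvss", 0.0)),
            "component": f.get("component", "?"),
        })
    return out


def evaluate(report_json, policy):
    """Return the list of policy violations; an empty list means the gate passes."""
    findings = load_findings(report_json)
    violations = []
    # Rule 1: no single finding may reach the CVSS ceiling.
    for f in findings:
        if f["cvss"] >= policy.max_cvss:
            violations.append(
                f"{f['id']} ({f['component']}): CVSS {f['cvss']} >= {policy.max_cvss}"
            )
    # Rule 2: per-severity counts must stay within their limits.
    counts = Counter(f["severity"] for f in findings)
    for sev, limit in policy.max_by_severity.items():
        if counts[sev] > limit:
            violations.append(f"{counts[sev]} {sev} findings exceed limit of {limit}")
    return violations


def gate(report_json, policy=Policy()):
    """True when the build may proceed."""
    return not evaluate(report_json, policy)


def main(argv):
    # Fail closed: an unreadable or malformed report blocks the pipeline too,
    # so a broken scanner step cannot silently pass as "no findings".
    try:
        report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
        violations = evaluate(report, Policy())
    except (OSError, ValueError) as exc:
        print(f"gate error: {exc}")
        return 2
    for v in violations:
        print(f"BLOCK: {v}")
    print("gate passed" if not violations else "gate failed")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step after the scan with the report path as its argument; a non-zero exit fails the job, which is the blocking behaviour the reviewer wants. The gate deliberately fails closed on a missing or malformed report, since a scanner that crashed should never count as a clean result.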
"Some detected libraries do not specify a location of where in the source they were matched from, which is something that should be enhanced to enable quicker troubleshooting."
"It should support multiple SBOM formats to be able to integrate with old industry standards."
"If anything, I would spend more time making this more user-friendly, better documenting the CLI, and adding more examples to help expand the current documentation."
"I rated the solution an eight out of ten because WhiteSource hasn't built in a couple of features that we would have loved to use and they say they're on their roadmap. I'm hoping that they'll be able to build and deliver in 2022."
"They're working on a UI refresh. That's probably been one of the pain points for us as it feels like a really old application."
"The turnaround time for upgrading databases for this tool as well as the accuracy could be improved."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 34 reviews while Mend.io is ranked 4th in Software Composition Analysis (SCA) with 29 reviews. Coverity is rated 7.8, while Mend.io is rated 8.4. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of Mend.io writes "Easy to use, great for finding vulnerabilities, and simple to set up". Coverity is most compared with SonarQube, Klocwork, Fortify on Demand and Checkmarx One, whereas Mend.io is most compared with SonarQube, Black Duck, Veracode, Snyk and GitLab. See our Coverity vs. Mend.io report.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.