We performed a comparison between Coverity and SonarQube based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Result: Based on the parameters we compared, SonarQube comes out ahead of Coverity. Although both products have valuable features and can be estimated as high-end solutions, our reviewers found that Coverity is an expensive solution with an unfriendly licensing mechanism and a difficult exit process, which may make it less accessible for smaller teams or companies with budgetary constraints.
"The security analysis features are the most valuable features of this solution."
"The solution effectively identifies bugs in code."
"It's very stable."
"It has the lowest false positives."
"Coverity is quite stable and we haven’t had any issues or any downtime."
"The product is easy to use."
"This solution is easy to use."
"Coverity gives advisory and deviation features, which are some of the parts I liked."
"SonarQube is one of the more popular solutions because it supports 29 languages."
"The product itself has a friendly UI."
"The fact that the solution does security scanning is valuable."
"The software quality gate streamlines the product's quality."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
"I follow Quality Gate's graduation model within organization, and it is extremely helpful for me to benchmark products."
"The static code analysis is very good."
"The solution's user interface is very user-friendly."
"Coverity is not stable."
"Coverity takes a lot of time to dereference null pointers."
"Ideally, it would have a user-based license that does not have a restriction in the number of lines of code."
"I would like to see integration with popular IDEs, such as Eclipse."
"The product could be enhanced by providing video troubleshooting guides, making issue resolution more accessible. Troubleshooting without visual guides can be time-consuming."
"SCM integration is very poor in Coverity."
"Its price can be improved. Price is always an issue with Synopsys."
"Right now, the Coverity executable is around 1.2GB to download. If they can reduce it to approximately 600 or 700MB, that would be great. If they decrease the executable, it will be much easier to work in an environment like Docker."
"There are times that we have the database crash. However, this might be an issue with how we have configured it and not a software issue. Apart from this, I do not see any issues with the solution."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"We had some issues scanning the master branch but when we upgraded to version 7.9 we noticed it does scan the master branch but we had to do a workaround for it to happen. This process could be improved in a future release."
"The implementation of the solution is straightforward. However, we did have some initial initialization issues at the of the projects. I don't think it was SonarQube's fault. It was the way it was implemented in our organization because it's mainly integrated with many software, such as Jira, Confluence, and Butler."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"A better design of the interface and add some new rules."
"An improvement is with false positives. Sometimes the tool can say there is an issue in your code but, really, you have to do things in a certain way due to external dependencies, and I think it's very hard to indicate this is the case."
"A little bit more emphasis on security and a bit more security scanning features would be nice."
Coverity is ranked 4th in Static Application Security Testing (SAST) with 33 reviews while SonarQube is ranked 1st in Static Application Security Testing (SAST) with 110 reviews. Coverity is rated 7.8, while SonarQube is rated 8.0. The top reviewer of Coverity writes "Best SAST tool to check software quality issues". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Coverity is most compared with Klocwork, Fortify on Demand, Checkmarx One, Veracode and Polyspace Code Prover, whereas SonarQube is most compared with Checkmarx One, SonarCloud, Veracode, Snyk and GitHub Advanced Security. See our Coverity vs. SonarQube report.
See our list of best Static Application Security Testing (SAST) vendors.
We monitor all Static Application Security Testing (SAST) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.