Coverity Product Overview
Coverity® Development Testing Platform Smart companies understand that to reduce risk and accelerate time to market they need to find and fix quality and security issues in their code, starting in development. The challenge is how to get started. Many organizations struggle with the basics of how to deal with time to market pressures in the face of increasingly complex software, shrinking development cycles and fixed development resources. In the quest for speed, organizations make themselves vulnerable to risk. A small mistake in development could cause an organization to become next week’s headline news. Change just amplifies the problem. With every change, more risk is entered into the environment if not managed properly.
The Coverity® Development Testing Platform empowers development to build quality and security testing into the development process at the earliest stage for fast, resilient and predictable software delivery. With Coverity, development organizations can transform software testing from reactive to proactive, and into a competitive advantage. • Analyze: intelligently test code with a deep understanding of its behavior, criticality and change impact to focus testing on high risk areas and accurately detect defects often difficult to find through traditional testing. • Remediate: surface quality and security issues in the developer workflow with actionable guidance to quickly and efficiently manage issues to resolution. • Govern: enforce a consistent standard and process for quality, security and testing across the organization, with visibility into risk to make better decisions and release with confidence.
Technology with proven developer adoption. Embedded into the development process at over 1,100 companies.
Coverity Development Testing Platform
Analysis SDLC Packs Policy Manager Integrations Third Party Dynamic Metrics Analysis Coverity Connect IDE
Code Coverage Architecture Analysis Test Quality Security Test Execution Advisor Advisor Advisor Build/ Continuous FindBugs™ Integration Analysis Defect Tracking
SCM Analysis ™ Integration Coverity SAVE HP Toolkit Static Analysis Verification Engine ALM
Proprietary Code OpenSource Code
1 Coverity Product Overview The Coverity Development Testing Platform
Coverity® Static Analysis Verification Engine™ (Coverity SAVE™) Coverity SAVE, the award-winning analysis engine for the Coverity Development Testing Platform, applies multiple patented techniques for accurate issue detection, based on a decade of research and development and analysis of over 5 billion lines of proprietary and open source code. Coverity SAVE intelligently tests code changes with a deep understanding of behavior, criticality and change impact to focus testing on high risk areas of code and accurately identify traditionally untestable issues.
Coverity SAVE integrates seamlessly with any build system and generates a high fidelity representation of the source code to ensure a deep understanding of its behavior, supporting the market leading compilers for C/C++, Java and C#. Coverity SAVE also provides full path coverage, ensuring that every line of code and every potential execution path are tested. Coverity SAVE utilizes multiple patented techniques to ensure deep, accurate analysis. Including: • Interprocedural Dataflow Analysis: identify complex issues that cross function, file and class boundaries versus simple style violations or superficial issues. • Boolean Satisfiability Solvers: dramatically improve accuracy by performing a bit-accurate analysis. • False Path Pruning: understand the data dependencies in your code and eliminates infeasible paths from the analysis. • Statistical Profiling: automatically detects coding patterns and learns the programmer’s intent to reduce “noise” in the results. In other words, we understand what you meant to say, not what you said. • Design Pattern Intelligence: understand patterns and programming idioms in C/C++, Java and C# which are integrated into the analysis. • Enterprise Framework Analyzer: augment source code analysis by providing a deep understanding of modern web applications including dependency injection, entry points and the MVC paradigm. • White Box Fuzzer: automatically validate that data sanitization routines perform sufficient sanitization of untrusted data and are used in the right context. • Change Impact Analysis – Patent Pending: automatically map code and function dependencies to analyze all impacted code related to change—the changed code itself and the code impacted by a change. Only by understanding the full impact of a change can you ensure complete testing coverage over your high risk code.
Coverity SAVE fits into your existing workflow including parallel analysis to run on up to sixteen cores simultaneously and delivers up to a 10x performance improvement over serial analysis, and incremental analysis which only re-analyzing the code which has changed or been impacted by a change, instead of the entire code base each time. Coverity SAVE scales to accommodate thousands of developers in geographically distributed environments and can analyze projects in excess of 100 million lines of code with ease.
Coverity® Quality Advisor Coverity® Quality Advisor surfaces quality defects in the developer workflow, with accuracy and actionable remediation guidance. Your developers are armed with the information they need to troubleshoot and fix the quality defects that matter, quickly and efficiently, before the code even makes its way to QA. Teams can build quality into development to reduce re-work costs and delayed time to market resulting from defects found late in the cycle and reduce the risk of costly and brand-damaging quality issues and software failures in the field or in production. As a foundation for Quality Advisor, Coverity SAVE intelligently tests code changes with a deep understanding of behavior and criticality to accurately identify hard to spot yet potentially crash causing quality defects in C/C++, Java and C# codebases, including concurrency defects, improper use of memory and null pointer dereference issues. Defects are then surfaced in Quality Advisor for fast and easy remediation.
2 Coverity Product Overview The Coverity Development Testing Platform
In addition to quality defects identified by Coverity SAVE, you can seamlessly integrate results from additional analysis engines to manage multiple types of quality defects to resolution within a unified development testing workflow. Coverity offers the following analysis packs to Quality Advisor: • Coverity® Dynamic Analysis for Quality Advisor: Identify concurrency issues such as race conditions, deadlocks and resource leaks by analyzing Java programs as they run. View and manage both static and dynamically identified quality defects in a single workflow. • Coverity® Architecture Analysis for Quality Advisor: Visualize the code structure to identify dependency conflicts and interface violations, detect architectural flaws that could create exposure, manage code complexity and enforce architectural design rules. • FindBugs™ Analysis for Quality Advisor: FindBugs™, the leading open source static analysis engine for Java, ships out of the box with Quality Advisor, providing your developers with a single location to surface and remediate both Coverity and FindBugs identified quality defects.
Analysis engines commonly look for different types of quality issues and therefore many organizations find it valuable to implement multiple tools, but managing them in silos is not scalable or cost effective. With the Coverity® Analysis Integration Toolkit you can integrate third-party analysis results to manage Quality Advisor defects alongside third-party quality defects within a unified workflow. Improving the manageability of multiple tools enhances developer productivity and provides a consistent process for issue resolution, regardless of how the issue was identified.
Coverity® Connect Coverity® Connect is the collaborative issue management console to efficiently manage all issues surfaced by Quality Advisor, Security Advisor and Test Advisor to resolution within a unified workflow. • Connect issues: Manage quality defects, security defects, and untested code violations together in a single interface. • Connect developers: Share information and collaborate across geographically distributed teams with an enterprise platform. • Connect to your workflow: Manage issues efficiently to resolution within your SLDC process, from assignment of work items to tracking issues to closure.
For every issue discovered, Coverity Connect provides a clear explanation of the issue, its severity based on business impact, its precise location in the code and all additional occurrences of the defect across code branches. Developers now have actionable information to make better fix/no fix decisions based upon business impact. By categorizing and prioritizing issues together within a unified workflow, developers know what needs to be resolved first. With this visibility, time spent troubleshooting and fixing issues is dramatically reduced.
With Coverity Connect your organization can manage issues to resolution and promote collaboration across geographically distributed teams within a standard workflow. Issues can be automatically assigned to the appropriate owner and tracked to resolution within set SLA timeframes to ensure developer accountability. In addition, you can set alerts so developers are notified automatically when new issues impact their project, regardless of who introduced the issue, and maintain an audit trail of issue activity for future reference.
Coverity® Security Advisor Coverity® Security Advisor surfaces security defects in the developer workflow, with accuracy and actionable remediation guidance. Your developers are armed with the information they need to troubleshoot and fix the security defects that matter, quickly and efficiently, before the code even makes its way to security audit, without requiring developers to become security experts. Security Advisor provides you with technology purpose-built for development, not a security auditor, and enables you to reduce the risk of costly and brand-damaging security vulnerabilities in the field or in production.
Security Advisor surfaces security defects identified by Coverity SAVE for fast and easy remediation. Coverity SAVE intelligently tests code changes with a deep understanding of behavior and criticality to accurately identify security defects in both C/C++ embedded applications and Java web applications, including buffer overflows, integer overflows, format string errors, SQL injection and cross-site scripting (XSS). 3 Coverity Product Overview The Coverity Development Testing Platform
One of the primary reasons that legacy security tools have failed in development is due to high false positives, or inaccurate results. We designed and built our engine from the ground up to address the complexity of today’s modern applications. Coverity SAVE analysis innovations for Java web application security include an enterprise framework analyzer which augments source code analysis by providing a deep understanding of modern web applications including dependency injection, entry points and the MVC paradigm, as well as a white box fuzzer which automatically validate that data sanitization routines perform sufficient sanitization of untrusted data and are used in the right context.
Another key reason legacy security tools have failed in development is because they require security expertise and lack actionable remediation guidance. Through a deep understanding of the code and application, the Security Advisor patent pending remediation engine provides precise guidance with specific information about the right way to fix a defect and the best place to fix it in the code. This ensures your developers remediate defects faster, and ‘get it right the first time.’
Coverity® Test Advisor Coverity® Test Advisor improves the efficiency of unit testing by focusing time and resources on most critical parts of the code. With Test Advisor you can define what code needs to be tested based on your high risk criteria, analyze high risk code using patented techniques to understand code behavior and change impact analysis, remediate untested code violations alongside quality and security defects for efficient management to closure and govern test completeness in development.
With Test Advisor, you can define a meaningful unit testing policy based on your high risk code criteria and automatically analyze your code with every change. This allows you to accurately identify untested code violations as unit tests are executed. By establishing and enforcing consistent unit testing rules across projects and teams, you can ensure high risk and changed code is tested sufficiently as part of a standardized process. Testing rules also guide developers on what tests they need—and don’t need—to write.
As a foundation for Test Advisor, Coverity SAVE intelligently tests code changes with a deep understanding of behavior, criticality and change impact to analyze unit test effectiveness based on your defined testing rules including patent pending change impact analysis, which automatically map code and function dependencies to analyze all impacted code related to a change—both code that has been directly modified and unmodified code that is impacted by the code change. Risk and code change go hand-in-hand, so the only way to ensure complete testing coverage over high risk code is to understand the full scope and impact of a change. In addition, patent pending test data correlation automatically correlates discrete data from multiple sources, including Coverity SAVE, test coverage and source control management, turning data into actionable testing intelligence so you can easily identify untested code violations based on your defined rules.
With Test Advisor you can automate test violation management to provide information and guidance to help developers efficiently manage untested code violations to closure. This includes prioritizing violations to guide developers to focus on the most critical test issues and automatically assigning violations to the developer responsible for the change.
Test Advisor also drives developer accountability by establishing a standard testing process within your development organization and ensures test completeness. You can easily verify that developers have created and executed the necessary unit tests in lock step with code development and create a testing stage gate within Coverity® Policy Manager to validate code has been completely tested before it’s promoted to QA.
By guiding your developers to focus testing on the most critical parts of the code, you gain confidence that development testing time is spent wisely—on the risk areas of the code. Test Advisor makes it easier for you to ensure 100% coverage over the code that matters, and helps you find more defects in development, before it even gets to QA. This helps shorten the QA cycle and re-work time for faster time to market and reduces the risk of costly and brand damaging quality issues and software failures downstream. Test Advisor not only helps you reduce risk, but also enables you to enforce a process and create a culture of accountability over testing within your development organization.
4 Coverity Product Overview The Coverity Development Testing Platform
Coverity® Policy Manager Coverity® Policy Manager enforces development testing across your organization with consistent quality, security and testing standards. With Policy Manager you can define consistent standards across internal and offshore teams, open source and third party suppliers—with metrics that matter, pinpointing areas of risk so you know where to focus your efforts, and monitoring your project, teams, and suppliers against these standards over time. Policy Manager gives you the visibility, traceability and predictability you need to make better decisions and release with confidence.
Policy Manager allows you to monitor the adoption of development testing throughout your organization and ensure that critical defects are being addressed in a timely manner. Policies can be established for the number of active users, projects, lines of code being tested and types of defects fixed. Through the ability to track development testing adoption and the impact on quality, security and testing trends over time, you can quickly assess your return on investment from development testing efforts and address potential areas of risk or skills gaps within your teams.
Policy Manager also provides visibility into any outstanding issues that could impact time to market. It enables you to identify areas of risk where there are critical issues either newly identified or still outstanding. By honing in on areas of risk you can allocate resources appropriately to avoid costly schedule delays.
Policy Manager can help you set acceptance criteria and validate the quality and security of the code received from your supply chain partners by establishing and enforcing clear and specific code acceptance criteria. You can set quality and security policies upfront, such as the number of high risk defects, the types of defects allowed/not allowed, the amount of untested code violations or the amount of complexity to track technical debt. You can audit your supplier’s code upon receipt and notify them of policy violations which must be addressed before acceptance, or have your suppliers build development testing into their process to self-certify their code based on your established acceptance criteria.
Coverity® Software Development Lifecycle (SDLC) Integrations The Coverity® Development Testing Platform has bi-directional integration with existing lifecycle tools to make development testing a natural part of the SDLC process. Coverity supports integrations with the critical tools and systems used to support the development process, including IDEs, source control management, test coverage, bug tracking, build and continuous integration, and application lifecycle management solutions. In addition, you can import data from third-party tools for more robust analysis and governance utilizing the metrics you care about when assessing code quality, code security, test effectiveness and overall development risk.
Services Our team of development testing experts, utilizing their knowledge gained by implementing solutions for our customers worldwide, can help you identify how Coverity best fits into your organization’s development lifecycle with minimal disruption to the daily operations of your development and QA teams. Using a deployment maturity model that takes into consideration each customer’s level of maturity in integrating development testing into the development lifecycle, Coverity Professional Services can help your organization craft a roadmap towards software assurance and towards a state where all their applications are “Coverity Clean.” Beginning with a comprehensive understanding of your business goals, use cases and technical environment, we will create a deployment plan based on a level-by-level assessment that aligns with your organizational objectives.
To learn more about the Coverity Development Testing Platform, please contact your sales representative or visit us at www.coverity.com.
For More Information: Coverity Inc. Headquarters U.S. Sales: (800) 873-8193 www.coverity.com 185 Berry Street, Suite 6500 International Sales: +1 (415) 321-5237 Email: [email protected] San Francisco, CA 94107 USA Email: [email protected]
© 2012 Coverity, Inc. All rights reserved. Coverity and the Coverity logo are trademarks or registered trademarks of Coverity, Inc. in the U.S. and other countries. All other company and product names are the property of their respective owners.