scan.coverity.comCoverity Scan - Static Analysis

Toggle navigation Scan Home FAQ OSS Success Stories Projects Using Scan About Community Sign up Sign in Coverity Scan Static Analysis Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free Test every line of code and potential execution path. The root cause of each defect is clearly explained, making it easy to fix bugs Integrated with Sign Up For Free Coverity Scan Open Source Report 2023. Read moreApache Hbase fixed 75% of Resource leak defects found by Coverity Scan. Read moreLinux reduced time to fix new defects, found by Coverity Scan, from 120 days to 5 days. Coverity Scan finds Remote Code Execution in Apache Roller via OGNL Injection. Read moreCoverity static analysis successfully uncovers goto fail” SSL/TLS defect in iOS. Read moreCoverity Scan identifies buffer overflow and overrun vulnerabilities in PostgreSQL. Read moreMore than 8900 open source projects and 48000 developers use Coverity Scan I started with very low expectations as most commercial tools only find things cppcheck will find, too. But coverity-scan actually found what brought down the performance of my program the most and a few handful of bugs.” wxmaximaigraph uses an error handling mechanism based on returning error codes, which are supposed to be checked and potentially passed upwards by the caller. Coverity was so far the only tool we found which could reliably detect missing checks on return codes. ”In reporting defects Coverity Scan has illuminated several blocks of code that were too hard to understand. A few minutes of reflection on each revealed simpler and faster code that was easy for me and Coverity Scan to decide was safe. Thanks for creating this wonderful tool. ” From my experience, I think that Coverity improves the software quality of the NNStreamer project.” nnstreamerI manage Coverity Scan for the Tesseract OCR project Coverity Scan had be very helpful to find various bugs in the code, but since about a year it no longer allows configuring components for Tesseract OCR. That makes reports less useful. ”Perfect for our small team of developers . With Coverity we have a good program which supports us . ” AscEmuWithin minutes we were able to narrow down and fix some significant resource leaks that we were totally unaware even existed. We use Coverity at work now we can use it at home as well! ” craneAs a large project with a lot of legacy code, Coverity has helped understanding the quality of that code (and confirming/refusing the developers’ hunches). And of course it helps keeping quality high for the better maintained parts. ” QEMUCoverity helped me find some issues that were invisible even to Valgrind. It is a valuable tool to add to any C developer’s arsenal against the bugs. ” iucode-toolCoverity Scan helps us find defects in our software - which after ten years of development - are of course still to be found. While it’s not perfect, it got us started and interested in fixing more issues and improving the overall stability of our project. ” mangos zeroCoverity allows use to execute a weekly static analysis on the whole sources and keeps spotting issues that would go unnoticed otherwise. It’s also changing the mind of developers to pay more attention about possible NULL dereference and uninitialized values. ” TrinityCoreWith Coverity Scan, newer issues when they are getting introduced, are getting jumped on faster than before ” Dave Jones, Linux Kernel developerWhen run against the CPython code base for the first time, Coverty Scan found several actual bugs and even security issues. ” Stefan BehnelCoverity Scan identified the path_in() vulnerability; code inspection led to the rest. ” PostgreSQLThe open source tools are good, and improving, but Coverity currently provides a superior experience. ” VINCENT SANDERS Coverity remains the single most useful tool I’ve used.” Ward Fisher (NetCDF contributor)Coverity is really great and its web GUI is fun to use, too. I was able to identify and fix resource leaks, NULL pointer issues, buffer overflows and missing checks all over the place. ” Christian, Python developerIf you contribute to an open source project, you should be using Coverity Scan. It will likely find bugs that can certainly have security implications in your code. ” fwknopCoverity points out that we do not free [the memory] in one case and sure enough we forgot. ” Konrad Rzeszutek Wilk, Linux ContributorWe’ve run our code through Coverity Scan, and as a result, we’ve been alerted to potential future security issues within our products. We are grateful to Coverity for this fine service ” PowerDNSVulnerability Notifications- We recommend all administrators upgrade immediately. The vulnerability was created in commit. Coverity scan discovered it. ” FreeRADIUSFor those who have either never used static analysis tools, don’t fall into the trap of thinking that gcc-pedantic-Wall or even LLVM’s scan-build should be ’good enough for anyone’ ” Upstart and WhoopsieFor more than 2100 issues reported, every issue was inspected, and now all reported issues are resolved. ” BRL-CAD project leaderThe reports from Coverity are a valuable contribution to - among others - the LibreOffice development process. ” LibreOffice Coverity’s static source code analysis has proven to be an effective step towards furthering the quality and security of Linux” Andrew Morton, Lead Kernel MaintainerCoverity is a code-analysis tool - an extremely good one, probably at this moment the best in the world. ” GPSdSeveral other Coverity issues have been resolved and their fixes have made their way into release candidate 7. I’ve no doubt that Coverity is adding value to our project. ” POV-Ray Ah, that’s cool. Pretty neat that an automated tool can catch mutex lock problems in conditional statements wrapped in macros! I’m impressed.” GeniviCoverity performs very deep analysis and its results may well surprise you...but rather that than unexpected surprises for your users. ” Upstart and Whoopsie You have a very good product and provide a great service to the open source community (certainly to the Linux kernel community).” Linux Contributor Thank you guys for making such an awesome tool accessible to the open source community!” Java Developer Announcements Coverity Upgrade to 2023.6 2023 Nov 10 Attention SCAN users! We will begin upgrading the Coverity tools in SCAN on Saturday, 18th November to make this free service even better. The SCAN team has been hard at work stabilizing the service and getting ready for this upgrade. SCAN will be unavailable during the upgrade, locking registration and triage, and halting builds. Defect data will be unavailable at that time. The upgrade is expected to take up to three hours. After the upgrade, a new version of the Coverity build package will be available for download. Be sure to download the new build package. Full details of new features are available at the Community Site . Updates Supported Versions Versions 2022.09 and older will no longer be supported after the upgrade. The current supported versions are: 2023.6.2 2022.12.2 Users are encouraged to download the latest tools in Downloads . Going forward, only the latest two releases will be supported. This means projects should be expected to update their tools approximately once a year (or more frequently if you want the latest features/support). Scan Spotlight Projects 2023 July 23 The following nominated projects have recent defect resolutions: libreoffice qemu hwloc performancecopilot-pcp stress-ng zephyr tdengine synchronet wireshark wine bro ffmpeg mesa scummvm kicad apache-traffic-server New API endpoint to upload larger builds 2023 June 15 The current api request used to automate uploading a Project build has a limit of 500MB. We have added a new API endpoint to facilitate uploading larger builds. Please check the Submit Build page for more details. Build Limits The number of weekly builds per project are as follows: Up to 28 builds per...