I'd like to get comments from people who have used or evaluated Coverity for statically analysing Java code. I know it's popular in the C/C++ world, but is it worth spending the money for Java analysis, or am I better off with PMD, FindBugs and other open source tools?
Posted: October 6, 2008 at 10:02 AM by: auramo
I'll chip in with a somewhat relevant answer. I've used Klocwork for both Java and C code. Klocwork is a close competitor of Coverity... cost-wise they are about the same (look carefully, Klocwork looks cheaper until you actually buy what you need), and feature-wise they fight back and forth.
For C/C++, it's great. For Java... well, it helped find a lot of resource leaks (#$@^#ing Java developers seem to forget that resources like file handles aren't garbage collected), but it doesn't seem to find many "critical" bugs. It's probably because the language itself does help protect against some of the more basic but hard-to-find errors (array overflows, pointer corruption, etc.).
Get Coverity in to run a demo, they are more than happy to. See what sort of things they find.
On October 7, 2008 at 3:41 AM by: Chris Arguin
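As an added illustration (not code from anyone in this thread), here is the kind of file-handle leak Chris describes, next to the two fixes a checker would stop flagging: the handle is closed only on the success path in the leaky version, so any exception inside the loop leaves the descriptor open until the finalizer runs, if ever. The class and method names are made up for the demo.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration, not code from the thread. Names are placeholders.
public class HandleLeakDemo {
    // Leaky form: close() is reached only if every readLine() succeeds. An
    // IOException inside the loop skips it and the file descriptor stays open
    // until the finalizer happens to run; this is what leak checkers report.
    static int countLinesLeaky(String path) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(path));
        int lines = 0;
        while (in.readLine() != null) lines++;
        in.close(); // not executed on the exception path
        return lines;
    }
    // Java 5/6-era fix: close in finally, so every exit path releases the handle.
    static int countLinesFinally(String path) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(path));
        try {
            int lines = 0;
            while (in.readLine() != null) lines++;
            return lines;
        } finally {
            in.close();
        }
    }
    // Java 7+ fix: try-with-resources closes the Reader on every exit path and
    // keeps the original exception if close() itself also throws.
    static int countLinesSafe(String path) throws IOException {
        try (BufferedReader in = new BufferedReader(new FileReader(path))) {
            int lines = 0;
            while (in.readLine() != null) lines++;
            return lines;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input so the demo runs offline.
        Path tmp = Files.createTempFile("leakdemo", ".txt");
        Files.write(tmp, java.util.Arrays.asList("one", "two", "three"));
        System.out.println("leaky:   " + countLinesLeaky(tmp.toString()));
        System.out.println("finally: " + countLinesFinally(tmp.toString()));
        System.out.println("safe:    " + countLinesSafe(tmp.toString()));
        Files.delete(tmp);
    }
}
```

All three methods return 3 on the sample file; the difference only shows when readLine() throws, which is the path an analyzer reasons about and a unit test on the happy path does not.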
I'll add a limited me-too to the preceding answers, somewhat restricted by the Coverity NDA I'm bound by. Coverity Prevent has an impressive public track record for finding bugs in open source C/C++ code, but their Java product is a lot newer. (Coverity has a press release on my former employer, so I can say that it did help find and fix lots of bugs in our C/C++ code, more than I'd found in all my previous career in bug hunting.) FindBugs does an impressive job on Java code, and you can't beat the price. But the big point has already been made: try out both of them on your real code before you buy. There's no substitute for reality, and the conventional wisdom in static analysis is that there's surprisingly little overlap in what the tools discover.
On March 30, 2009 at 6:12 PM by: Flash Sheridan