WHITE PAPER

Managing Quality on the Developer Desktop

with the Coverity Software Testing Platform
For me, fast desktop analysis makes Coverity personal. As a developer, I have
time and again worked on a feature, then gone to test it, spent a few hours, and
then discovered the root cause was a stupid bug that I end up kicking myself
over. Often these mistakes are things that could have been spotted by Coverity.
I could have saved myself hours of frustration by using a tool like this regularly.
James Croall,
Java Developer and Coverity employee
Creating high-quality software is difficult and developers are under increased pressure to get highly
sophisticated applications and updates to market quickly. As a result of this pressure and complexity,
mistakes can happen even by those with the best coding skills.
One need only look to the news to see how a routine check-in by an experienced development team can
cause considerable damage. In February 2014 we saw Apples goto fail defect; the following April came
OpenSSLs so-called Heartbleed disclosure. The economic impact of Heartbleed was immediate, as
companies that had integrated and embedded the OpenSSL libraries were forced to patch remote systems
before they were exploited. Development teams need to do everything they can to catch mistakes before they
become expensive debacles.

MANAGING QUALITY ON THE DEVELOPER DESKTOP WITH THE

COVERITY SOFTWARE TESTING PLATFORM

Addressing Quality Early

The most practical way to avoid embarrassing and costly mistakes
is by testing software early in the development cycle. Problems
that reach the field could cost from 10 to 1000 times the cost of
fixing the problem during development. Testing comes in many
shapes and sizes, with most approaches requiring discipline and
effort from members of the development team.
In addition to labor intensive testing practices like code review
and unit testing, static code analysis provides valuable validation
of the code. When the right tools are deployed properly, this
validation comes without creating an extra burden for developers.
It scans the entirety of the source code, automatically identifying
coding errors such as those that impact correctness, robustness
and security in all functions, along all code paths. Unlike
traditional testing, developers do not need to fuss with a testing
framework, create test cases or even run the code.

WHITE PAPER

The centralized workflow described above works well for many

teams, enabling them to effectively identify, resolve and track
quality problems within days of the code being written. As the
process becomes ingrained and the organization matures, they
can take it a step further by identifying and resolving problems
on their desktop, before checking code changes into the source
control management system. Developers can fix problems as early
as possiblestreamlining the overall process while helping ensure
that only clean code makes it into the repository.

Static analysis is often applied during a central automated build,

enabling teams to easily ensure consistent validation of the
code. It is also possible to run static analysis tools on developer
desktops and in their IDE, but such an approach should be
carefully considered to ensure it doesnt slow developers down.

Incorporating Static Analysis into the Centralized

Build
When static analysis is integrated with the central build,
developers work at their desktops writing code and checking it
into source control as usual. The next time the central build runs,
the analysis will be run and developers will be notified of any new
issues.
With each build, Coverity static analysis technology analyzes
the source code; identifies quality, security and testing problems;
stores the results on the Coverity server; assigns issues to owners
based on source control management history or defined areas
of responsibility and may send out email notifications for new
or outstanding issues. By enabling team members to fix these
problems early and often, fewer problems find their way into later
phases. In addition to higher quality releases, teams such as QA
and Security become more efficient by focusing on identifying
larger-scale functionality and security problems since many
problems and inconsistencies were addressed during development.

Making it Easy for Developers

Previous generations of static analysis solutions for the desktop
have been cumbersome to use and difficult to adopt. To be
useful, the desktop analysis needs to find real problems with
minimal noise and cant disrupt developers. To be effective,
the desktop analysis must find the same problems found by
the central analysis. The Coverity Software Testing Platforms
desktop analysis capability solves exactly these problems, enabling
development teams to keep their code clean even before it is
checked into the repository. Developers typically modify only five
to ten files per day, so the analysis can save a significant amount
of time by analyzing only the files that changed. But testing those
files in isolation would produce incomplete and inaccurate results
because the analysis would not understand what happens in the
unmodified files upon which the modified code depends. The
Coverity platform solves this problem by analyzing only the files
that changed while incorporating intelligence about the behavior
of the unchanged code from the central analysis. As a result,

MANAGING QUALITY ON THE DEVELOPER DESKTOP WITH THE

COVERITY SOFTWARE TESTING PLATFORM

the Coverity solution realizes huge performance improvements

without sacrificing accuracy or consistency.

Incorporating Static Analysis at the Desktop

When static analysis is used on the developer desktop, developers
work at their desktops using their preferred development
environmentperhaps an IDE or from the command line. As
they edit the code, and prior to committing changes to their
source code control system, they analyze their changes as often as
they like. After addressing any problems, they check the changes
into source control, confident that they will not break the build.
The next time the central build runs, the integration build will
gain an understanding of the changed code but will not generally
identify any problems since the problems were addressed before
check-in.

WHITE PAPER

Find bugs before others do. The Coverity platform is capable

of analyzing most source files in 10 seconds or less on typical
hardware configurations. Developers wont waste time waiting
for a lengthy analysis to complete.
Consistent accuracy. The Coverity platforms unique approach
allows the desktop analysis to use the same configuration as
the server analysis. There is no need to worry about a scaledback desktop analysis missing important problems that will be
identified through the centralized build and analysis.
Unintrusive. Tools that analyze code as you type tend to
interrupt developer flow by raising spurious alerts exactly
when distractions are most disruptive. Incomplete code is not a
defect; the developer has simply not finished typing or making
changes. The Coverity platform lets developers quickly check
their code when it is appropriate to do so.
F lexible, convenient, accessible. The Coverity platform offers
plugins for common IDEs, but works equally well from the
command line or via scripts. In other words, developers have
easy access to fast, accurate, consistent analysis from their
personal development environment of choice.

Easy to install and configure

The benefits of the Coverity platforms desktop analysis include:

Identifying problems as early as possible. There is no waiting
for a nightly or weekly build to come back with a report of
problems. Developers can find and fix and issues while the
code is fresh in their minds.
Maintaining codebase and build integrity. For organizations
with dont break the build policies, developers can commit
code confident that the Coverity platforms desktop analysis
has identified any problems that would be identified by the
central analysis.

The Coverity platform provides central configuration, enabling

the Coverity Administrator to manage user permissions, projects
and downloads through Coverity Connect dashboardincluding
desktop analysis and per-project analysis configurations.
Developers simply download and install from the central Coverity
server, using their typical Coverity credentials. The plugins can
even detect when updates are available on the server, ensuring
everybody automatically stays up to date and in sync.

Convenient to use
The Coverity platform is already part of the centralized,
automated development process. Desktop analysis extends that
process, becoming an unobtrusive part of the developers desktop
workflow. It ties into the existing build process or IDE such
as Eclipse or Visual Studio, generally making desktop analyses
available with a single command or click of a button. Developers
immediately see any problems in their code, so they can fix them
while the code is fresh in mind.

MANAGING QUALITY ON THE DEVELOPER DESKTOP WITH THE

COVERITY SOFTWARE TESTING PLATFORM

IDE users see analysis results in their IDE editor pane, meaning
they dont even need to leave the development environment.

WHITE PAPER

efficiency. To be most effective, static analysis should be used early

and often in the development process. Many teams may consider
beginning their use of static analysis by running it regularly
against the centralized build to establish some initial experience
and success. Once a level of initial success has been achieved and
developers see the value it can provide, the use of the Coverity
platform can be expanded to be used on the individual developers
desktops so they can improve their overall code quality and
eliminate bugs before anyone sees their code.

About Coverity
Coverity, a Synopsys company, is a leading provider of software
quality and security testing solutions. Our award-winning
software testing platform helps developers create and deliver
better software, faster, by automatically testing source code for
software defects that could lead to product crashes, unexpected
behavior, security breaches or catastrophic system failure.

Optimized desktop analysis can even be performed from a

standard command line, for developers who prefer bare-bones
environments.

Summary
By providing fast, accurate, consistent results on the desktop
and maintaining a low false positive rate, the Coverity platform
provides a software testing solution that developers trust and
helps teams improve their overall code quality and development

Founded in the Computer Science Laboratory at Stanford

University, we invented a fundamentally different way to test
complex source code to find hard to spot, yet critical software
defects. Our approach: arm developers with static analysis
solutions that help them quickly and efficiently test their code
and address critical quality and security issues as the code is
written. Since our inception in 2003, we have cemented our
leadership position in the industry with a full suite of software
testing solutions.
Today, the worlds largest brands rely on us to help ensure the
quality, safety and security of their products and services.

For More Information

Coverity Inc. Headquarters

U.S. Sales: (800) 873-8193

www.coverity.com

185 Berry Street, Suite 6500

International Sales: +1 (415) 321-5237

Email: info@coverity.com

San Francisco, CA 94107 USA

Email: sales@coverity.com

2014 Coverity, Inc. All rights reserved. Coverity, the Coverity logo and Coverity SAVE are registered trademarks of Coverity, Inc. in the U.S.
and other countries. All other company and product names are the property of their respective owners.

201409-01