We are using Klocwork as a static analysis tool.
Klocwork is a commercial tool and has many advantages but also has limitations like false-positives.
I wonder who has ever compared Klocwork with other open source tools such as Findbugs.
Generally, commerical tools is known to be more reliable than open source tools.
But I think that Klocwork has also a few reliable issues in specific business domain such as android.
Can you say that Klocwork is superior to other open source tools, especially Findbugs in aspects of false positives and false negatives?
Klocwork is a static code analysis tool owned by Minneapolis, Minnesota-based software developer Perforce. Klocwork software analyzes source code in real time, simplifies peer code reviews, and extends the life of complex software.
Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards.
#1) PVS-Studio. Best for not only for finding typos, dead code, but also potential vulnerabilities. A SAST solution that supports integration into popular IDEs CI/CD and other platforms. PVS-Studio is a static code analyzer that detects errors in C, C++, C#, and Java code.
Klocwork is a static code analysis and SAST tool for C, C++, C#, and Java that identifies software security, quality, and reliability issues helping to enforce compliance with standards.
What Is Static Code Analysis? Static analysis is a method of debugging that is done by automatically examining the source code without having to execute the program. This provides developers with an understanding of their code base and helps ensure that it is compliant, safe, and secure.
I have done a comparison between commercial and opensource static code analysis tools (SCAT) a few years back. Klocwork was one of them. To make a long story short, the result was that in the java environment the commercial tools didn't provide the (additional) value necessary to justify their price. In the number of bugs found, findbugs was much better than any of those tools. Only coverity found some bugs which none of the other tools found and had the lowest FPR. On the other side coverity didn't detect many bugs findbugs did find - so for us all the tools didn't justify the money involved. And if configured right, findbugs also provides a very low FPR. In a more recent version coverity included the possibility to integrate findbugs into their solution. Mhhmmm so why did they do that? :-)
There are however scenarios e.g. when using other programming languages or inter-programming language scans (e.g. your codebase includes other programming languages (like C, C++, C# ...)) or you need some of the additional functionalities provided by those tools - then it could be worth looking into commercial tools. But you can make up your own mind because every solution can be tested. Go to their webpage and download/request a trial and try for yourself (maybe in the meantime things changed?).
I checked out the following tools:
Commercial:
OpenSource:
So in the end what did we do? We installed the free sonar server which combines many tools like findbugs, pmd, checkstyle, cobertura and the like. With that we got a free solution which is in many aspects better than the commercial tools available. And if I would need to go the commercial route I would probably take a close look at coverity (and never look at CAST again).
[Update] Regarding your question about the performance - findbugs is able to scan huge codebases without a problem (if you experience problems then post it on the findbugs mailing list and they will help you). I remember back then findbugs was also one of the quickest tools. Coverity for instance needed nearly 2h to finish whereas findbugs was done in less then 10minutes. The other tools where in between those numbers.
Regarding the scanning of C and C++ code you may look at Splint and cppcheck. There are also some other helpful threads discussing that topic. But as mentioned since findbugs is only for java and you want to detect inter-programming language problems commercial tools may have an advantage. So in the end since findbugs is for free - just run it on your codebase and see what happens for yourself - your project can only benefit from it! Then fix the bugs found and afterwards do a trial with some of the commercial tools - and depending on the amount of bugs they find and the price you will pay, draw your own conclusion. To give you an example: One of the tools costs 'Lines of code' /divided by 10 (in $). But it may be that in your case you get a discount ;-)
[UPDATE II] Found an interesting master thesis discussing this topic. The main part is about findbugs but it also mentions klockwork and coverity.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With