The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Coverity

1. Application

Reference:LLD – Software Factory as a Product - Coverity
Type & Classification:Product
Step:Continuous Delivery
Bid/Project/Product Name & ID:Software Factory as a Product (SWaaP)
Solution Level:Digital product
Solution Name:Software Factory as a Product
Solution description:As deployed, create and update a Software Factory
Key Products/Solution:

2. Introduction

2.1 Document purpose

This document is a low level design - LLD which aims to describe how the architecture evoked in high level design - HLD will be implemented. This document will describe the protocols used in the target architecture, how to implement them and any modifications made to their default behavior. Once validated by Thales, this document will then serve as a basis for the implementation of configurations on equipment.

2.2 Document scope

This document is not a manual and is not intended to replace the reference literature describing with great precision all network protocols.

The protocols used will be briefly described as well as the modifications made to their default behavior.

2.3 Referenced documentation

Document referenceDocument Name
TASDTechnical Architecture and Security Document of SWaaP
SCOM-CoveritySoftware Center Operation Manual of Coverity

3. Component general description

This component is part of Software Factory as a Product (SWaaP), and it is visible in the TASD .

Coverity is a static analysis solution that makes it possible to address software issues early in the development life cycle by analysing source code to identify the following kinds of problems:

  • Software quality and security issues
  • Violations of common coding standards

A basic Coverity deployment consists of the following two components:

  • Coverity Connect – Manages code defects; it uses a database to store analysis results
  • Coverity Analysis - the tool for analyzing the code; this is only made available to be downloaded from Coverity Connect GUI by users

It can be managed using:

4. Functional & Business Requirements

No formal list of requirements has been expressed by clients. It is designed and developed based on business use cases.

4.1 Feature summary

Coverity addresses several specific needs related to software quality and security, primarily focusing on static code analysis. Here are the key needs that Coverity meets:

  1. Early Detection of Software Defects
    • Problem: Defects in code, such as bugs and logic errors, can lead to software crashes, unexpected behavior, and poor performance. Identifying these issues late in the development cycle can be costly and time-consuming to fix.
    • Solution: Coverity Analysis performs static code analysis to identify defects early in the development lifecycle. By analyzing the source code without executing it, Coverity can detect a wide range of issues, including null pointer dereferences, resource leaks, and buffer overflows, among others.
  2. Improvement of Code Quality
    • Problem: Maintaining high code quality is essential for reliable and maintainable software. Poor code quality can lead to technical debt, making the software harder to maintain and extend over time.
    • Solution: Code Quality Metrics and Standards: Coverity provides metrics and enforces coding standards, helping developers adhere to best practices and improve the overall quality of the codebase. It highlights areas that need refactoring and provides insights into code complexity and maintainability.
  3. Security Vulnerability Detection
    • Problem: Security vulnerabilities in software can be exploited by attackers, leading to data breaches, system compromises, and other security incidents. Identifying these vulnerabilities manually is challenging and often insufficient.
    • Solution: Security Analysis: Coverity includes features for identifying security vulnerabilities in the code. It can detect common security issues like SQL injection, cross-site scripting (XSS), and buffer overflows. This helps organizations ensure their software is secure against potential attacks.
  4. Continuous Integration and Continuous Deployment (CI/CD) Integration
    • Problem: Modern software development practices rely on CI/CD pipelines to automate the build, test, and deployment processes. Integrating static analysis into these pipelines is crucial for maintaining code quality without slowing down development.
    • Solution: Automation and Integration: Coverity can be integrated into CI/CD pipelines through its CLI and APIs, allowing automated analysis during the build process. This ensures that code quality checks are performed consistently and efficiently as part of the development workflow.
  5. Collaboration and Defect Management
    • Problem: Effective collaboration among development teams is essential for efficiently resolving defects and improving code quality. Without proper tools, managing defects and tracking their resolution can be challenging.
    • Solution: Coverity Connect: Provides a web-based interface for viewing and managing analysis results. It facilitates collaboration by allowing team members to triage defects, assign ownership, and track the status of issues. The platform supports integrations with other defect tracking and project management tools.
  6. Scalability and Performance
    • Problem: Large codebases and complex projects require scalable tools that can handle extensive analysis without significant performance degradation.
    • Solution: Scalable Analysis: Coverity is designed to scale with large codebases and complex projects. It offers efficient analysis algorithms and can be configured to run incrementally, analyzing only the changed parts of the codebase to save time.

4.1.2 Target Population

The target population for Coverity includes a wide range of professionals and organizations involved in software development and maintenance. Here are the key segments of the target population:

4.1.2.1 Software Development Teams

Roles:

  1. Developers: Primary users who write code and need tools to identify and fix defects early in the development process.
  2. Quality Assurance (QA) Engineers: Professionals who ensure the quality of the software by integrating static analysis into their testing workflows.
  3. Software Architects: Responsible for maintaining the overall structure and quality of the codebase, benefiting from tools that enforce coding standards and detect architectural issues.

4.1.2.2 Security Teams

Roles:

  1. Security Engineers: Professionals focused on identifying and mitigating security vulnerabilities within the codebase.
  2. DevSecOps Teams: Teams integrating security practices into the DevOps process, ensuring that security checks are part of the CI/CD pipeline.

4.1.2.3 Project and Product Managers

Roles:

  1. Project Managers: Oversee software projects and need tools to monitor code quality metrics, defect trends, and ensure compliance with project requirements.
  2. Product Managers: Ensure that the product meets quality and security standards, benefiting from insights into the codebase’s health and risk factors.

4.1.2.4 Compliance and Regulatory Teams

Roles:

  1. Compliance Officers: Ensure that the software development process adheres to industry standards and regulatory requirements.
  2. Regulatory Affairs Specialists: Focus on meeting specific industry standards, such as MISRA, CERT, and ISO, and rely on tools that provide automated compliance checks.

4.2 Prerequisites

Every prerequisites of the product are applicable to this component. In detail:

  • Kubernetes and Flux. See the TASD §4.1.2 Prerequisites for supported version.
  • Supports PostgreSQL versions 12–15, including all minor versions - check official documentation .

4.3 Variability

SWaaP is managing no variability on Coverity.

5. Architecture decision record

Here is a list of decisions:

Ref.Date/StatusDescription
ADR-COV-0012025/01Add Coverity as a component of the Software Factory as a Product (SWaaP). See ARD001 in TASD .

Table 3 - List of architecture decision record.

5.1 ADR-COV-001: Add Coverity as a component of the product

5.1.1 Status: Accepted

5.1.2 Context

  • See ADR005 in TASD .

5.1.3 Decision

  • Package TDP C2 deployment of Coverity as a component of SWaaP

5.1.4 Consequences

6. Architecture description

6.1 Business architecture and allocation to services

You will find in Figure 1 business architecture for software code and CI/CD engineering allocated to services:

Figure 1

Figure 1 - Business architecture allocated to services.

Note: in dash, external items.

6.2 Application architecture

Physical architecture is described in Figure 2 :

Figure 2

Figure 2 - Physical architecture

Coverity is using these external services:

  • A Software Factory or mirror for deployment (PRE_001)
  • Kubernetes with Flux (PRE_002, PRE_003)
  • Persistent storage to store the configuration and cache (PRE_004)
  • Ingress with TLS and DNS resolution associated for one entry point and certificates, classically https://coverity.SF-DOMAIN (PRE_005, PRE_006, PRE_007)
  • IAM (PRE_009); we recommend SAML SSO. See IAM
  • Mail server (PRE_014); you can configure is using Coverity mail server notification docs
  • Database (PRE_015); we recommend Managed PostgreSQL database. Alternative can be internal to namespace provided PostgreSQL database that is provided with the product.

6.2.1 User management

This role matrix has been defined in TASD:

User roleDescription user roleComment
UC1End user / Software engineerPerson that can write in a solution/product/project tenant
UC2ReaderPerson that can read content of a solution/product/project tenant
UC3Tenant ownerPerson that can administrate a solution/product/project tenant
UC4Software Factory application adminPerson that can administrate Software Factory instance components
UC5Software Factory system adminPerson that can administrate the deployment/upgrade of the Software Factory instance
UC6Software Factory tribePerson that are delivering asset to deploy/upgrade a Software Factory instance

For Coverity, a tenant is a project.

To gain access to Coverity a user must be first created and given permissions by a user with Server Admin role at the Global level. The user accounts can be local or external. You can find everything related to managing user accounts in the documentation .

To know more about how to configure SAML users please refer to the documentation. We recommend you configure external accounts through SAML and follow this step by step guide on how to configure SAML for the Coverity instance. Coverity is also able to manage local users or LDAP users .

6.2.2 RACI

In addition of global RACI (Responsible, Accountable, Consulted, Informed) of the SWaaP defined in TASD, we propose this RACI at usage.

ActionDescriptionUC4UC3UC2UC1
Create ProjectsBe able to create projectsRR/AI
Manage ProjectsBe able to manage users on projects, create streams and view project historyR/AI
Create component mapsBe able to create component mapsR/AR
Manage component mapsBe able to manage and view component mapsR/AR
Manage streamsBe able to add new streamsR/AC
Classify and triage issuesBe able to clasify and triage issues found on projectsR/AR
Commit to streamsBe able to commit scan results (snapshots) to streamsIR/A
Onboard usersBe able to grant access to users to Coverity GUIR/AC
Create groups for each projectBe able to create the user groups for each project onboarded initiallyR/AI
Application related settingsConfigure Coverity instanceR/A

In order to give the right permissions for the users you have to understand the permissions hierarchy . The user or user group can be given global permissions at the Coverity instance level or at a lower level - project/stream/component/component map/triage store level.

We recommend that you use user groups so that all the users in the same project share the same user groups. We recommend creating 3 user groups for a project, one for each of the two roles that exist in Software Factory (Tenant owner, End user / Software engineer) and another one for the Service account role.

Coverity has several built-in roles and it comes also with some pre-defined roles. Consult the documentaion to find out more. We advise you to usee some of these roles as in the table below, and there will also be a need to create additional roles with the permissions specified below, that will be then applied Globally or at the level mentioned in the table, on the object specified there. For example we see the Project creator role which is applied at the global level and has the Create projects permission but there are also roles defined at lower levels for example the Triage Issues User role that is applied on the Default Triage Store and has the permissions to View issues, Triage issues and Clasify issues.

There is a Users default group that all Coverity users are added to by default. We advise you give the permissions from this table to this group and for each project created the Users group must have No Access by default

We advise that you give the following permissions for the following roles.

Role LevelWhoWhatWhyProject RoleComponent RoleTriage RoleGlobal RoleCustom Role PermissionsObservations
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can create a projectProject Creator
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can view and manage users in my projectProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can view project’s historyProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can view and manage my team’s streamsProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can commit to streamProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can preview commitsProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can view and classify issues in stream and triage stroresProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can view issues in sourceProject Owner
Project RolesAs a Tenant OwnerI would like to be able to access Coverity instance so thatI can create and manage component mapsComponent Map Creator (custom role)Create Component Maps
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can view my team’s projectDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can view project’s historyDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can preview commitsDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can view and classify issuesDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can view issues in sourceDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can view issues in stream and triage storesDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can classify issues in stream and triage storesDeveloper
Project RolesAs an End user / Software engineerI would like to be able to access Coverity instance so thatI can commit to streamCommiter
Project RolesAs a Tenant owner / Software engineerI would like to have a Service account with access to Coverity so thatI can create a streamStream Map User (custom role)Create Streams
Project RolesAs a Tenant owner / Software engineerI would like to have a Service account with access to Coverity so thatI can add a stream to a projectStream Map User (custom role)Manage Projects
Project RolesAs a Tenant owner / Software engineerI would like to have a Service account with access to Coverity so thatI can commit to streamCommiter
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can create and manage users and user groupsSystem Admin
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can create and manage projects and assign users/user groups to themSystem Admin
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can create and manage custom rolesSystem Admin
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can create and manage triage stores (and attributes)System Admin
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can view and manage policy managerSystem Admin
Global RolesAs a Software Factory application adminI would like to be able to access Coverity instance so thatI can manage server parametersSystem Admin
Global RolesAs a UserI would like to be able toAccess Coverity GUIVisitor
Global RolesAs a UserI would like to be able toHave no access on any projects enforcedNo Access
Global RolesAs a UserI would like to be able toHave access on “Other” component from default component mapDeveloper (on Default)This permission has no consequence without permission on projects
Global RolesAs a UserI would like to be able toHave access on default Triage storeDeveloper (on Default)This permission has no consequence without permission on projects

6.3 Delivery

Component is part of the Software Factory as a Product (SWaaP) delivery. See TASD for more details.

6.3.1 Latest Version

6.3.2 Version Chart 2025.9.3 / Coverity 2025.9.3

6.4 Infrastructure architecture

6.4.1 Software Factory API

Here is a list of services that can be integrated with Coverity.

Ref.NameRequiredDescription
SFE01Flux → Git in Software Factory for deploymentMandatoryCode in a Git server for deployment of the product
SFE02Flux → Registry in Software Factory for deploymentMandatoryRegistries with helm charts and containers for deployment of the product
SFE04IAM - SAML SSOHighly recommendedUsers should be authenticated using SAML SSO
SFE05End user notification (SMTP)Highly recommendedNotification should be sent via mail using SMTP
SFE06Managed Databases (PostgreSQL)Mandatory for productionComponents store data in a PostgreSQL data base - Alternative is to use deploy embedded data base with the product
SFB06CLI or Runner → CoverityMandatoryCLI or GitLab Runner should connect to Coverity using Coverity public API - NextGen-CICD can manage this API
SFE12User / applicative admin → CoverityMandatoryUser and applicative admin should use Coverity UI or public API to access to Coverity

7. Operational and maintenance

In this chapter you will find strategy and policy. Detail implementation will be described in the SCOM .

7.1 Life cycle policy

This chapter will be completed issue link .

7.2 License

Official vendor documentation on licensing

7.3 Deployment

The component is deployed as a standard component using Flux and SWaaP packaging. See TASD for more details.

7.4 IAM

We support and recommend integration with IAM using SAML SSO. This configuration can be done in Coverity admin UI .

Documentation on Azure SAML specific configuration

7.5 Scaling

Coverity Connect pod sizing and scaling are different but related considerations. Sizing ensures that the pod resources meet the analysis environment storage and processing workload requirements. Scaling defines pod resource requirements to support growth of the analysis environment over time. The following sections describe how to estimate Coverity Connect pod CPU and memory resources using the following methods:

  • Scaling CPU and memory using commits (IDIRs)
  • Scaling CPU and memory using view loading times

Scaling CPU and memory using commits (IDIRs)

Medium IDIRs (2.6 GB) defines, for medium projects with 2.6 GB IDIRs, response times for commit pool thread counts in environments with various CPU and memory resource combinations. For various commit pool threads, determine the number of CPU cores and memory needed to obtain an estimated throughput.

Table 1 and Table 2 present resources and performance for medium commit (IDIR) size (2.6 GB)

Commit pool threadsCPU cores (minimum)Memory (GB) with default queue sizeMemory (GB) with maximum queue sizeThroughput (commits/hr)
583239110
10103845145
15158088175
2020100116239
2525120128290
3030144150350

Table 1 - Commit throughput for medium IDIRs.

commitWorkQueueCapacityMemory (GB)
(Default) 802
1504
2005
2506.5

Table 2 - Maximum queue memory usage for medium IDIRs.

Scaling CPU and memory using view loading times

Medium project (10K issues) defines, for a medium size project of 10K issues, response times for concurrent queries submitted in environments with various CPU and memory resource combinations. For various levels of concurrency and 64 GB of memory, determine the number of CPU cores needed to obtain an estimated performance.

Table 3 Presents Query Response Time (s) by concurrency, core count (8|16|24|32) and 64 GB memory for medium size views with around 10k issues.

Concurrency8162432Memory (GB)
11.31.21.11.164
505.33.532.664
1009.16.35.54.764
15012.98.67.76.664
20016.110.99.58.164
25017.611.610.38.864
30013.311.29.664
35014.912.610.864
40016.31411.964
4501512.864
5001613.764
5501815.464

Table 3 - View loading throughput-Medium project.

7.6 Backup / restore

We recommend to manage point in time restore at platform level. Like that it is possible to restore synchronously:

  • volumes,
  • database

Synopsys does not provide a B&R procedure for Cloud Deployment with an external database. Backup and restore should be done according to PostgresSQL recommendations and internal procedures. Chapter 26. Backup and Restore

7.7 Monitoring

7.8 Logging

We recommend to apply the platform logging & SOC management strategy.

Last modified 20.03.2026: Update Coverity to 2025.9.3 (7932720)