Ship it!

Today is a few days short of my first anniversary of starting work at Coverity. It has been an extremely fun, educational and challenging year. I wanted a change, and I got one in a lot of ways. Working at a rapidly-growing, ten-year-old, 300-person company is very different than working at an industry behemoth like Microsoft. Working in a downtown Seattle skyscraper is a pleasant change from crossing the bridge to Redmond every day. I’ve spent the last six months doing a lot more strategy and planning than writing code, which I hope to rebalance back towards the coding side for the next six months.

But in a lot of ways things have been the same. I’m still working on analysis of C#. I’m still meeting with my old friends on the C# compiler team from time to time. (Hi guys!) I’m still shipping software to paying customers who are people like me: software developers who want tools that make their code better. Both DevDiv and Coverity have the property that their R&D employees are their target market, and that’s a really pleasant property to have.

And I’m still working with a great team of smart people, from whom I still have much to learn. When I arrived a year ago I had only the vaguest idea of how far along the c# analyzer was. I was relieved to learn that the whole thing was already working end to end when I arrived. There were many challenges in tuning the checkers, monitoring performance, and so on, that the whole team came together to solve.

I am therefore excited that today we announce the general availability of version 7.0 of Coverity’s analysis product. The C# analysis portion has been completely redesigned and rebuilt to use the same underlying analysis engine as the C, C++ and Java analyzers, and carefully tuned to avoid the false positive patterns that crop up in C#. A number of the checkers are specific to C#; all of them find real bugs in real programs. As I point out in this little video[1. I’m also excited that apparently the video production department has promoted me from Perfectly Ordinary Architect to Senior Architect! Not sure how that happened.] about Coverity vs FXCOP analysis: we hope they find those bugs that you’re glad you found before you shipped!

Today we’re also launching a redesigned web site, and we are moving the Coverity Development Testing Blog[1. Which is now using WordPress, same as] to If you want to subscribe, the RSS feed is

Over the next few weeks I’ll post some blogs describing in more technical detail the sorts of bugs the C# checkers find, how they do it, and how you can avoid these bad patterns in your own code.

12 thoughts on “Ship it!

  1. I’m excited to see how this turns out! It seems like it would be awesome to have both this and FxCop do analysis, especially during a CI build.

  2. Eric,

    Why does Coverity employ the ‘high touch sales’ approach? Considering that this is an engineering product, why can’t I download the software, try it and then buy it if it works for me?


  3. Eric,

    Thanks, I am a Joel fan as well and have read the article. I completely understand the strategy behind enterprise sales.

    I don’t think I expressed myself clearly in my previous comment. When I first learned about FxCop (back in 2007?), I was super excited. I really loved the idea of static analysis and the power it can bring to eliminate defects. At that time, I wondered if there are any commercial products and learned about Coverity. Because I could not try it easily, I ignored it. I have been consulting professionally in financial industry (mainly hedge funds and investment banks) in NYC for last 6 years, there are very few colleagues who know about the product and none of them has any experience about how effective it is.

    My interest in Coverity has peaked ONLY because you joined them. I have learned a lot about language design and how to write better software from you and if you decided to join a company which produces static analysis software, I would definitely want to evaluate it. I have requested the free trial and I am waiting for the response. However, I can’t help but wonder how much better Coverity would do if it was easier to know more about the product and its capabilities. The current sales approach requires that management knows about the tool and asks everyone in the team to use it v/s engineers asking for the tool because it helps them produce better software. For a product targeting software developers, I feel that the bottom up approach is a better idea. To give you an example, every single investment bank in NYC has bought ReSharper licenses because developers demand it. JetBrains has been able to increase the price by 100% because every developer demands it and companies don’t mind paying 250$ for a product which improves productivity.

    While typing this comment I was browsing Coverity website and ran in to Coverity Scan. [ ] It was disappointing that I could not scan a C# project but I was excited to look at the kind of defects Coverity can find in Java code. I decided to see report for a Java Project [ ] . Again, I am forced to sign up to see the existing scan reports. Luckily, the website supported Github and I was able to sign in. I thought, this is it, I can finally see the analysis. Guess what, the website wanted me to request access as one of the ‘observer’, ‘contributor’, ”maintainer’, ‘other’ before I can see the report. I have requested the access and I am still waiting to see a sample Coverity analysis.

    I think Coverity makes it way too hard for me to evaluate the technical merit of the product. I can’t help but feel that the product is not that great and that’s why Coverity need to adopt enterprise sales approach where you sell your product to managers instead of engineers. I am not suggesting that this is the truth, but this is how the current setup makes me feel.

    Apologies for the long winded comment, I hope I did not offend you.

    I genuniely want to learn and use the product that you are working on.


    • Thanks Yogi, I appreciate your candour.

      I have gotten your feedback a lot since I joined Coverity, and I have shared it with the sales, marketing and management teams — and I will certainly pass your comments along as well.

      I’m not at liberty at this time to describe precisely the actions that we’re considering taking on the basis of this feedback, but suffice for now to say that we hear it loud and clear. I hope to be able to announce some improvements to some of the points you touch on at some point in the future.

    • I’ve shared your comments with marketing management and they also appreciate your taking the time to share your thoughts.

      I wanted to comment specifically on one thing you said:

      “the website wanted me to request access as one of the ‘observer’, ‘contributor’, ”maintainer’, ‘other’ before I can see the report.”

      There is a good reason for that. We want to make sure that the people who are the first to see the defects in a software package are the people who can fix them, not the people who might use them as attack vectors! Restricting access by default is of course not a perfect mechanism for keeping away the bad guys, but every bit helps.

      • “not the people who might use them as attack vectors” That seems very counterproductive. Everyone should want *more* attacks to happen so that people pay *more* attention to static checker tools. The way you go about it, you shoot everyone in the foot. The people who are after exploitable bugs can get to your reports *anyway*. The people who should be learning your tools and using them to write better software are *actively discouraged*.

  4. Congratulations on your anniversary, then. At least, it is now the 14th in *my* time zone.

    I’m nearly at one year in my current job myself, which for me also marks one year as a mostly-C# developer.

  5. This product gives me a funny feeling: it sounds exciting but as a usual developer I will never be able to realistically try it (unlike e.g. CodeRush or ReSharper or RedGate SQL Toolbelt or any other software that is intended to be used by real world developers outside of fancy projects with a huge budget). I guess it sucks for your blogging about something your average old-time reader will probably never try. It would be nice if any future post will not mention Coverity at all and just focus on C# – as in good old times…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s