Black Duck Coverity
Black Duck Coverity is an application security tool that scans your organization's code projects for defects. You can bring project and defect data from Coverity into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Coverity and how to obtain that information from Coverity. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Black Duck Coverity from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Black Duck Coverity with Brinqa:
- Server URL: Your organization's Black Duck Coverity server URL. The default URL format is https://<server_name>.
- Username and Password: The username and password associated with the Black Duck Coverity account, which must have permissions to log in to the API server and return data. For additional information, see Create a Coverity user account.
Create a Black Duck Coverity user account
For the Black Duck Coverity connector to use the Coverity API, Brinqa recommends creating a dedicated user account in Black Duck Coverity with the appropriate role to retrieve data. To create the user account, follow these steps:
- Log in to your organization's Black Duck Coverity server as an administrator.
- Navigate to Configuration > Users & Groups.
- Click Add and create a new user account.
  Complete the Username, First name, Last name, Email, and Password fields. Leave the remaining fields as-is.
- Click Create.
The new user account is now created but does not yet have any assigned roles or permissions. To assign a role to the user, follow these steps:
- In the Users & Groups section, locate the newly created user account in the list.
- Select the account, click the Roles tab, then click Edit under the Global scope.
  Roles assigned under the Global scope apply across all projects. If your organization enforces project-specific permissions, ensure that the user account has access to all relevant data scopes. For additional information on roles and access management, see the Coverity documentation on roles and role-based access control.
- Select the Observer role from the list of available roles.
  The Observer role is considered the minimum role required to access the Coverity API and retrieve data.
- Click OK, then click Done to ensure that you save your changes.
If you do not have permissions to create a new account or assign roles, contact your Black Duck Coverity administrator. For additional information, see the Black Duck Coverity documentation on configuring users and roles.
(Optional) Create a Black Duck Coverity service account
In addition to creating a new user account with the Observer role, you can also create and assign a service account to your project(s) in Black Duck Coverity. A service account is a dedicated account that is used for automated processes and integrations, such as the Black Duck Coverity connector. For additional information, see Black Duck Coverity documentation on how to create a service account and assign it to a project.
Additional settings
The Black Duck Coverity connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Include detailed code analysis: Select this option to retrieve in-depth analysis details for each defect, including associated events, traces, and execution paths.
- Include code snippet: Select this option to include a snippet of source code for each defect. This can provide you with contextual information into the code that triggered the defect.
- Code snippet lines: Specify the number of lines of source code to include in each snippet for a defect. Increasing this value can add more context surrounding the defect. The default value is 3.
- Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Black Duck Coverity connector can retrieve the following types of data from the Coverity API:
Table 1: Data retrieved from Black Duck Coverity
Connector Object | Required | Maps to Data Model |
---|---|---|
Defect | Yes | Static Code Finding |
Defect Type | Yes | Static Code Finding Definition |
Project | Yes | Code Project |
For detailed steps on how to view the data retrieved from Black Duck Coverity in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Defect
Table 2: Defect attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CATEGORIES | categories |
COMPONENT | Local variable |
EVENTS | Local variable |
FILE_NAME | fileName |
FIRST_DETECTED_BY | Local variable |
FIRST_FOUND | firstFound |
FIRST_SNAPSHOT_DESC | Local variable |
FIRST_SNAPSHOT_ID | Local variable |
FIRST_SNAPSHOT_STREAM | Local variable |
FIRST_SNAPSHOT_TARGET | Local variable |
FIRST_SNAPSHOT_VERSION | Local variable |
FUNCTION_NAME | Local variable |
LAST_FIXED | lastFixed |
LAST_FOUND | lastFound |
LAST_SNAPSHOT_DESC | Local variable |
LAST_SNAPSHOT_ID | Local variable |
LAST_SNAPSHOT_STREAM | Local variable |
LAST_SNAPSHOT_TARGET | Local variable |
LAST_SNAPSHOT_VERSION | Local variable |
LAST_TRIAGED | Local variable |
MERGE_KEY | Local variable |
NAME | name |
OCCURRENCES | Local variable |
PROJECT_ID | Local variable |
PROJECT_NAME | Local variable |
PROVIDER_STATUS | providerStatus |
SOURCE_STATUS | sourceStatus |
STATUS | status |
STATUS_CATEGORY | statusCategory |
TARGETS | targets |
TYPE | type |
UID | uid |
Defect Type
Table 3: Defect Type attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CHECKER | Local variable |
CATEGORIES | categories |
CWE_IDS | cweIds |
DESCRIPTION | description |
IMPACT | Local variable |
LANGUAGES | languages |
NAME | name |
UID | uid |
WEAKNESSES | weaknesses |
Project
Table 4: Project attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CATEGORIES | categories |
DESCRIPTION | description |
LAST_COMMIT | Local variable |
LAST_TARGET | Local variable |
LAST_VERSION | Local variable |
NAME | name |
SOURCE_CREATED_DATE | sourceCreatedDate |
SOURCE_LAST_MODIFIED | sourceLastModified |
STATUS | status |
UID | uid |
Operation options
The Black Duck Coverity connector supports the following operation options. See connector operation options for information about how to apply them.
Table 5: Black Duck Coverity connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Defect | checkerList | Any Coverity checker name | A comma-separated list of Coverity checker names. Limit retrieved Defect objects by the specified checkers. For additional information, see Coverity documentation. | Key: checkerList Value: COPY_PASTE_ERROR,CSRF,DC.WEAK_CRYPTO. This key and value combination only retrieves Defect objects associated with the specified checker names. |
Defect | descriptionPattern | Any glob pattern to match Defect descriptions. Please refer to the Coverity documentation for additional information. | Limit retrieved Defect objects by matching descriptions. Supports wildcards using * or exact string matching. | Key: descriptionPattern Value: *null pointer*. This key and value combination only retrieves Defect objects with descriptions containing "null pointer". |
Defect | namePattern | Any glob pattern to match Defect names. Please refer to the Coverity documentation for additional information. | Limit retrieved Defect objects by matching names. Supports wildcards using * or exact string matching. | Key: namePattern Value: NullPointer*. This key and value combination only retrieves Defect objects with names that start with "NullPointer". |
Defect Type | descriptionPattern | Any glob pattern to match Defect Type descriptions. Please refer to the Coverity documentation for additional information. | Limit retrieved Defect Type objects by matching descriptions. Supports wildcards using * or exact string matching. | Key: descriptionPattern Value: *overflow*. This key and value combination only retrieves Defect Types with descriptions containing "overflow". |
Defect Type | namePattern | Any glob pattern to match Defect Type names. Please refer to the Coverity documentation for additional information. | Limit retrieved Defect Type objects by matching names. Supports wildcards using * or exact string matching. | Key: namePattern Value: BufferOverflow*. This key and value combination only retrieves Defect Types with names that start with "BufferOverflow". |
Project | descriptionPattern | Any glob pattern to match Project descriptions. Please refer to the Coverity documentation for additional information. | Limit retrieved Project objects by matching descriptions. Supports wildcards using * or exact string matching. | Key: descriptionPattern Value: *authentication*. This key and value combination only retrieves Project objects with descriptions containing "authentication". |
Project | namePattern | Any glob pattern to match Project names. Please refer to the Coverity documentation for additional information. | Limit retrieved Project objects by matching names. Supports wildcards using * or exact string matching. | Key: namePattern Value: CoreLib*. This key and value combination only retrieves Project objects with names that start with "CoreLib". |
The namePattern and descriptionPattern options apply to all Black Duck Coverity connector objects (Defect, Defect Type, and Project) because they are used to filter Projects, which serve as the entry point for retrieving associated Defects and Defect Types.
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Black Duck Coverity connector uses the Coverity Platform SOAP Web Services API. Specifically, it uses the following endpoints:
Table 6: Black Duck Coverity API Endpoints
Connector Object | API Endpoints |
---|---|
Defect | Defect Service: getMergedDefectsForProjectScope |
Defect Type | Defect Service: getMergedDefectsForProjectScope |
Project | Configuration Service: getProjects |
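Before saving the integration, you can confirm that the dedicated account can call the Configuration Service getProjects operation over a verified TLS connection, rather than enabling Skip certificate verification. The following is an added example, not Brinqa or Black Duck code; the /ws/v9/configurationservice path, the http://ws.coverity.com/v9 namespace, the filterSpec/namePattern layout, and the function names are assumptions to confirm against your server's WSDL.

```python
"""Pre-flight check for the connector account (added example, not vendor code)."""
import ssl
import urllib.request
from xml.sax.saxutils import escape

# Assumptions: service path, v9 namespace and filterSpec layout. Confirm in the WSDL.
SERVICE_PATH = "/ws/v9/configurationservice"
COV_NS = "http://ws.coverity.com/v9"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE_NS = WSS + "wssecurity-secext-1.0.xsd"
PW_TEXT = WSS + "username-token-profile-1.0#PasswordText"


def build_get_projects(username, password, name_pattern="*"):
    """Return a SOAP 1.1 getProjects request carrying a WS-Security UsernameToken."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" '
        f'xmlns:cov="{COV_NS}" xmlns:wsse="{WSSE_NS}">'
        "<soapenv:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PW_TEXT}">{escape(password)}</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        "<soapenv:Body><cov:getProjects><filterSpec>"
        f"<namePattern>{escape(name_pattern)}</namePattern>"
        "</filterSpec></cov:getProjects></soapenv:Body></soapenv:Envelope>"
    )


def check_account(server_url, username, password, ca_file=None):
    """POST getProjects over verified TLS and return the HTTP status code."""
    if not server_url.lower().startswith("https://"):
        raise ValueError("refusing to send a plaintext password over a non-HTTPS URL")
    # The default context validates the certificate chain and the hostname.
    # For a server certificate issued by a private CA, pass that CA's PEM bundle
    # as ca_file instead of turning verification off.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        server_url.rstrip("/") + SERVICE_PATH,
        data=build_get_projects(username, password).encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'},
    )
    # urlopen raises URLError on a certificate failure and HTTPError when the
    # server answers with an error status, for example a SOAP fault.
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status
```

The UsernameToken carries the password as text, so certificate validation is what keeps it from being sent to an unauthenticated endpoint.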
Changelog
The Black Duck Coverity connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 7: Black Duck Coverity connector changelog
Version | Description | Date Published |
---|---|---|
3.1.2 | The Coverity connector has been renamed to "Black Duck Coverity" and the connector icon has been updated. This change only affects the connector label and does not impact functionality. You can update without making any changes to your existing configurations. | August 5th, 2025 |
3.1.1 | Fixed an issue where the Defect object sync was failing. | August 5th, 2025 |
3.1.0 | Initial Integration+ release. | May 21st, 2025 |