List of tools for static code analysis

From Wikipedia, the free encyclopedia

This is a list of software tools that perform various kinds of static code analysis, grouped by programming language and in alphabetical order:

Contents 1 Ada 2 Borland_Delphi 3 C and/or C++ 4 C# 5 Fortran 6 HTML 7 Java 8 JavaScript 9 JOVIAL 10 Perl 11 PHP 12 Python 13 Verilog & VHDL 14 Visual Basic 15 Not language-specific 16 Unknown language 17 External links

[edit] Ada

• Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
• LDRA Testbed
• PolySpace Verifier
• SofCheck Inspector for Ada Static Error Detection of Ada 83 & 95 with 100% path and control flow coverage
• SPARK programming language
• RapiTime WCET Analyzer
• Understand for AdaIDE with reverse engineering, automatic documentation, code navigation and understanding, metrics, maintenance and cross reference.

[edit] Borland_Delphi

• Understand for Delphi reverse engineering, code navigation, and metrics tool

[edit] C and/or C++

• Axivion Bauhaus Suite
• AQtime
• BLAST
• Cantata
• CCured (BSD, partly dynamic)
• Cleanscape lints for C++ and for C
• CMT++
• CodeSonar based on work by Reps et al at the University of Wisconsin.
• CodeWizard
• Coverity See the MC Checker for background.
• Cqual
• CScout Source code analyzer and refactoring browser for collections of C programs; handles the preprocessor constructs.
• C++test
• Flawfinder (GPL) Contains a good list of other security-based static checking tools.
• Fortify Software See Fortify Source Code Analysis
• GCC Introspector (GPL) C, but is expanding to include perl, bison, m4, bash, c#, java, c++, fortran, objective-c, lisp and scheme.
• Gimpel Software FlexeLint and PC-Lint
• HP Code Advisor Identifies potential coding errors, porting issues, and security vulnerabilities.
• ITS4 Scans source code for potentially dangerous function calls.
• LDRA Testbed
• Klocwork
• Lattix LDM - Architecture Management using Dependency Analysis
• MOPS (BSD style license)
• OpenC++
• OSPC
• PMD's Copy/Paste Detector
• PolySpace
• PREfast Part of DDK, for driver development, see VS2005 for user-land.
• QAC, QAC-MISRA, QAC++ Coding style, metrics, dataflow, good enforcing of MISRA standards.
• Resource Standard Metrics
• Rough Auditing Tool for Security
• Smatch C source checker, used mainly for Linux kernel code.
• Sotograph
• Sparse (GPL)
• Stacktool
• Splint (GPL)
• Surveyor C/C++, Java, COBOL, VB/VB.NET, Tcl, ASP, others.
• Visual Studio 2005 Team Edition only.
• RapiTime WCET Analyzer
• Understand for C/C++ ANSI C, C++ and K&R C reverse source engineering, code navigation, and metrics tool.

[edit] C#

• AQtime
• .TEST
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• Fortify Software See Fortify Source Code Analysis
• FxCop
• Lattix LDM - Architecture Management using Dependency Analysis
• LDRA Testbed
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
• DevMetrics and DevAdvantage (Now open source)
• Compuware DevPartner Studio

[edit] Fortran

• Cleanscape FortranLint
• FTNCHEK
• Understand for FORTRAN FORTRAN 77, 90, 95 reverse source engineering, metrics and cross reference tool

[edit] HTML

• W3C Markup Validation Service

[edit] Java

• Agitator Dashboard
• AntiC
• Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
• Checkstyle
• CMTJava - Complexity Measures Tool for Java
• ESC/Java - Extended Static Checking for Java
• ESC/Java2
• FindBugs-Find Bugs in Java Programs
• Fortify Software See Fortify Source Code Analysis
• Hammurapi
• JDepend
• Oracle JDeveloper - Code auditing framework and code metrics
• Jlint
• Jtest
• Kaveri (Indus) - Program Comprehension/Slicing Tool (Library) for Java
• Klocwork
• Lattix LDM - Architecture Management using Dependency Analysis
• Lint4j Static source code analysis with plugins for Maven, Ant and Eclipse
• PMD
• QAJ
• Refactorit
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• SofCheck Inspector for Java Static Error Detection of Java byte code with 100% path coverage
• SonarJ Light weight management of architecture and technical quality for Java projects
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Spoon - Spoon is a Java program processor that fully supports Java 5
• Structure101 - Structural dependency analysis. Rate & analyze the quality of your software architecture.
• Surveyor - Java and many other languages
• TorqueWrench
• Understand for Java reverse source engineering, code navigation, and metrics
• WALA T. J. Watson Libraries for Analysis

[edit] JavaScript

• JSLint - An online tool which you can also download and run from command line
• Javascript Lint - A lint like tool for javascript written in C/C++ and based on JavaScript engine for the Firefox browser.
• Universal Validator - An online tool to check the code of most web technologies, including Javascript.
• JavaScript Reporter - A static JavaScript analyzer/verifier.

[edit] JOVIAL

• Understand for JOVIAL reverse engineering, metrics, and cross referencing tool

[edit] Perl

• fluff
• Perl::Critic

[edit] PHP

• PHP executes a built-in basic Lint check when invoked with the -l switch. Example usage: for i in `find . -name \*.php`; do php -l $i | grep -v "No syntax errors"; done
• PMD's Copy/Paste Detector
• Zend Studio IDE includes static code analysis for PHP, called the "Code Analyzer".
• ocProducts code quality checker
• Armorize CodeSecure - The first security appliance for PHP source code scanning with traceback support and Web 2.0 interface.

[edit] Python

• PyChecker
• Pyflakes
• PyLint

[edit] Verilog & VHDL

• Spyglass by Atrenta
• Indigo RTL Analysis by Blue Pearl Software
• Hal by Cadence
• Leda by Synopsys

[edit] Visual Basic

• Aivosto Project Analyzer finds dead code and programming problems. It will also tell you which modules call which, and provide Cyclomatic complexity metrics.
• AQtime
• Axivion Bauhaus Suite - Clone Detection
• Compuware DevPartner Studio
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• Fortify Software See Fortify Source Code Analysis
• FxCop
• Lattix LDM - Architecture Management using Dependency Analysis
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
• DevMetrics and DevAdvantage (Now open source)
• Compuware DevPartner Studio

[edit] Not language-specific

• PAG and PAG/WWW - The Program Analyzer Generator, not for a specific language, but for building analyzers.
• StackAnalyzer - Stack Usage Analysis.
• CodeHawk™

[edit] Unknown language

• Broadway
• SLAM
• BOON
• Kaylo

[edit] External links

• Introspector Wikibook lists more software programs of this type.