List of tools for static code analysis

From Wikipedia, the free encyclopedia

This list may require cleanup to meet Wikipedia's quality standards.
Please help improve this list. It may be poorly defined, unverified or indiscriminate. (January 2008)

This is a list of significant tools for static code analysis.

Software Testing Portal

1 Historical products
2 Open-source or Noncommercial products
3 Commercial products
4 Formal methods tools
5 External links
6 See also
7 References

[edit] Historical products

Lint — the original static code analyzer of C code.

[edit] Open-source or Noncommercial products

[edit] .NET (C#, VB.NET and all .NET compatible languages)

Reflector.CodeMetrics — (an add-in for the essential Reflector)
CCMetrics
CRPlugin (plugin for DxCore)
FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
StyleCop - Free source code analysis for C#, integrated into Microsoft Visual Studio.
Source Monitor
vil

[edit] Java

Bandera — analyzer for Java
Checkstyle — analyze Java and apply coding standard
Classycle — analyze Java class cycles and class and package dependencies (Layers)
FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
Jlint — for Java
PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
Soot — A Java program analysis and compiler optimization framework

[edit] C

CQual — A tool for adding type qualifiers in C.
SNav — Red Hat Source Navigator.
Sparse — a tool designed to find faults in the Linux kernel.
Splint — an open source evolved version of Lint (C language).
Frama-C — Frama-C is a suite of tools dedicated to the analysis of the source code of software written in C.

[edit] C++

Flawfinder — open source programming tool that examines C or C++ source code for security weaknesses.
Oink — collaboration of C++ static analysis tools, based on the research of CQual [1]

Dehydra - A scriptable static analysis tool based on GCC. Developed by Mozilla.

[edit] Fortran

ftnchek — static analyzer for Fortran 77 programs
g95-xml — code parser toolkit for Fortran 95

[edit] Scripting

JsLint - online analyzer for JavaScript
Perl::Critic - a static code analysis tool for Perl
Pixy — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities.
PyChecker - The original static code analyser for Python.
pylint - A static code analyser for Python. Works as a plugin to PyDev for the Eclipse IDE.
RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.

[edit] Visual Basic

MZTools - MZTools 3.0 - Free Static Code Analysis & productivity enhancement tool for VB6, & VBA.

[edit] Templating

smarty-lint - a lint implementation for the popular templating engine, Smarty.

[edit] Commercial products

Aivosto Oy's - Project Analyzer - Static code analysis tool for VBA, and VB6/VB.net
Armorize Technologies CodeSecure - source code scanning (PHP, J2EE, ASP, etc.)
Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
CAST — provides a tool with 25+ language / product analyzers, defect detection as well as architectural and build-over-build trend analysis.
checKing - monitors the quality of software development process, including violations of coding rules for Java, JSP, Javascript, XML and HTML.
Checkmarx CxSuite - a suite of software which helps developers and auditors identify software security vulnerabilities.
ClockSharp - checks C# code against the Philips C# coding standard.
CMT++ code metrics tool for C/C++ (also for Java).
CodePro Analytix - Static code analysis for Java, integrated with Eclipse.
Complexity Analyzer - for .NET
DevMetrics — commercial
Compuware DevPartner - static code analyzer for .NET (C#, ASP.NET) with Visual Studio 2005 integration
Coverity Prevent — analyzes C, C++ and Java code.
DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
ForCheck — analyzes of FORTRAN 66, FORTRAN 77, FORTRAN 90, HPF, FORTRAN 95
Enerjy Software - Metrics expert system and extendable static code analyzer Eclipse plugin for Java - compares code quality against Open Source projects
Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
GrammaTech - GrammaTech offers products for analyzing code written in C/C++ (CodeSurfer and CodeSonar) and Ada (Ada-ASSURED and Ada-Utilities)
Green Hills Software DoubleCheck - static analysis for C and C++ code.
Gimpel Software FlexeLint - static analysis for C and C++ code
HP Code Advisor - A static analysis tool for C and C++ programs
HP DevInspect - simplifies security during development by automatically finding and fixing application vulnerabilities in ASP.NET and Java based web applications.
IntelliJ IDEA — IDE for Java that also provides static code analysis.
Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java
Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
M Squared Technologies Resource Standard Metrics - source code analysis and metrics (C, Ansi C, C++, Ansi C++, C#, Java, Javascript, etc.)
Microsoft Visual Studio - Visual Studio Team System includes a static code analyzer.
MZTools - MZTools 6.0 - Static Code Analysis & productivity enhancement tool for VB.net, VB6, & VBA.
NDepend — A comprehensive analysis and reporting tool.
NStatic - deep static analysis of C# code.
Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
Parasoft - static code analysis and security testing tools for Java, C, C++, C#, .Net (C#, VB.NET, Managed C++), HTML, CSS, JavaScript, VBscript.
PC-Lint - A multiplatform static code analysis tool by Gimpel Software for C and C++. Also available for the GNU/Linux and Unix operating systems in the form of FlexeLint.
PolySpace^TM code verifiers by The MathWorks - Software verification for C, C++ and Ada
PREfast – A Microsoft tool which identifies defects in C/C++ source code.
QA-C - deep static analysis of C for quality assurance and guideline enforcement.
Reasoning, Inc. offers a defect-finding service using an internal tool, which found defects in Apache Tomcat missed by an earlier version of FindBugs. ^[1]
ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
Sandcat for PHP - Static source code analysis and hardening tool for PHP
SemmleCode — object oriented code queries for static program analysis.
SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
Sparrow - C/C++ memory-bug detecting static analyzer.
STAN — Structure Analysis for Java. Eclipse integrated visual dependency analysis, quality metrics and reporting.
Structure101 - For understanding, analyzing, measuring and controlling the quality of your Software Architecture as it evolves over time.
Structure101g - A generic version of Structure101 - build your own flavor to support any programming language or dependency data.
Swat4j — a model based, goal oriented source code auditing tool for Java. Comes as an Eclipse plug-in.
Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling) for C, C++, Ada, Java.
TorqueWrench - A static Java bytecode analysis tool by StackFrame, LLC.
Understand — analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.
Viva64 — analyzes C, C++ code for detect 64-bit portability issues.
Veracode SecurityReview — an on-demand application security testing and remediation, C, C++, Java, .Net and other languages.

[edit] Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using program assertions):

ESC/Java and ESC/Java2 — based on Java Modeling Language, an enriched version of Java.
SofCheck Inspector - statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
SPARK Toolset including the SPARK Examiner — based on the SPARK programming language, a subset of Ada.
Forge - bounded verification of Java programs against specification in the Java Modeling Language.

[edit] External links

List of static source code analysis tools for C
SAMATE-Wiki tool survey
SAMATE-Source Code Security Analyzers
List of Java static code analysis plugins for Eclipse
Common Weakness Enumeration — a community-developed dictionary of common software weaknesses (that are potentially identifiable by static code analysis tools)
“A Comparison of Bug Finding Tools for Java”, by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
“Mini-review of Java Bug Finders”, by Rick Jelliffe, O'Reilly Media.

[edit] See also

[edit] References

^ “Finding More Null Pointer Bugs, But Not Too Many,” David Hovemeyer & William Pugh, http://findbugs.cs.umd.edu/papers/MoreNullPointerBugs07.pdf

Categories: Static code analysis

Hidden categories: Cleanup from January 2008 | Wikipedia list cleanup