List of tools for static code analysis

From Wikipedia, the free encyclopedia

This is a list of significant tools for static code analysis.

Historical products

  • Lint — the original static code analyzer of C code.

Open-source or noncommercial products

.NET (C#, VB.NET and all .NET compatible languages)

Java

  • Bandera — analyzer for Java.
  • Checkstyle — analyzes Java source and checks it against a coding standard.
  • Classycle — analyzes Java class cycles and class and package dependencies (layers).
  • FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
  • Jlint — for Java.
  • PMD — a static, ruleset-based Java source code analyzer that identifies potential problems.
  • Soot — a Java program analysis and compiler optimization framework.

C

  • CQual — a tool for adding type qualifiers in C.
  • SNav — Red Hat Source Navigator.
  • Sparse — a tool designed to find faults in the Linux kernel.
  • Splint — an open source evolved version of Lint (C language).
  • Frama-C — a suite of tools dedicated to the analysis of the source code of software written in C.

C++

  • Flawfinder — open source programming tool that examines C or C++ source code for security weaknesses.
  • Oink — collaboration of C++ static analysis tools, based on the research of CQual.[1]
  • Dehydra — a scriptable static analysis tool based on GCC, developed by Mozilla.

Fortran

  • ftnchek — static analyzer for Fortran 77 programs.
  • g95-xml — code parser toolkit for Fortran 95.

Scripting

  • JsLint — online analyzer for JavaScript.
  • Perl::Critic — a static code analysis tool for Perl.
  • Pixy — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities.
  • PyChecker — the original static code analyser for Python.
  • pylint — a static code analyser for Python; works as a plugin to PyDev for the Eclipse IDE.
  • RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.

Visual Basic

  • MZTools 3.0 — free static code analysis and productivity enhancement tool for VB6 and VBA.

Templating

  • smarty-lint — a lint implementation for the popular templating engine Smarty.

Commercial products

  • Aivosto Oy Project Analyzer — static code analysis tool for VBA, VB6 and VB.NET.
  • Armorize Technologies CodeSecure — source code scanning (PHP, J2EE, ASP, etc.).
  • Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses and clone detection.
  • CAST — provides a tool with 25+ language/product analyzers, defect detection, and architectural and build-over-build trend analysis.
  • checKing — monitors the quality of the software development process, including violations of coding rules for Java, JSP, JavaScript, XML and HTML.
  • Checkmarx CxSuite — a suite of software that helps developers and auditors identify software security vulnerabilities.
  • ClockSharp — checks C# code against the Philips C# coding standard.
  • CMT++ — code metrics tool for C/C++ (also for Java).
  • CodePro Analytix — static code analysis for Java, integrated with Eclipse.
  • Complexity Analyzer — for .NET.
  • DevMetrics — commercial.
  • Compuware DevPartner — static code analyzer for .NET (C#, ASP.NET) with Visual Studio 2005 integration.
  • Coverity Prevent — analyzes C, C++ and Java code.
  • DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL and many other languages.
  • ForCheck — analyzes FORTRAN 66, FORTRAN 77, FORTRAN 90, HPF and FORTRAN 95.
  • Enerjy Software — metrics expert system and extensible static code analyzer Eclipse plugin for Java; compares code quality against open source projects.
  • Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL, as well as configuration files.
  • GrammaTech — offers products for analyzing code written in C/C++ (CodeSurfer and CodeSonar) and Ada (Ada-ASSURED and Ada-Utilities).
  • Green Hills Software DoubleCheck — static analysis for C and C++ code.
  • Gimpel Software FlexeLint — static analysis for C and C++ code.
  • HP Code Advisor — a static analysis tool for C and C++ programs.
  • HP DevInspect — simplifies security during development by automatically finding and fixing application vulnerabilities in ASP.NET and Java-based web applications.
  • IntelliJ IDEA — IDE for Java that also provides static code analysis.
  • Klocwork Insight and Klocwork Developer for Java — security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java.
  • Lattix, Inc. LDM — architecture and dependency analysis tool for Ada, C/C++, Java and .NET software systems.
  • LDRA Testbed — a software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • M Squared Technologies Resource Standard Metrics — source code analysis and metrics (C, ANSI C, C++, ANSI C++, C#, Java, JavaScript, etc.).
  • Microsoft Visual Studio — Visual Studio Team System includes a static code analyzer.
  • MZTools 6.0 — static code analysis and productivity enhancement tool for VB.NET, VB6 and VBA.
  • NDepend — a comprehensive analysis and reporting tool.
  • NStatic — deep static analysis of C# code.
  • Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET and VB.NET.
  • Parasoft — static code analysis and security testing tools for Java, C, C++, C#, .NET (C#, VB.NET, Managed C++), HTML, CSS, JavaScript and VBScript.
  • PC-Lint — a multiplatform static code analysis tool by Gimpel Software for C and C++; also available for GNU/Linux and Unix operating systems as FlexeLint.
  • PolySpace code verifiers by The MathWorks — software verification for C, C++ and Ada.
  • PREfast — a Microsoft tool that identifies defects in C/C++ source code.
  • QA-C — deep static analysis of C for quality assurance and guideline enforcement.
  • Reasoning, Inc. — offers a defect-finding service using an internal tool, which found defects in Apache Tomcat missed by an earlier version of FindBugs.[1]
  • ReSharper — add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
  • Sandcat for PHP — static source code analysis and hardening tool for PHP.
  • SemmleCode — object-oriented code queries for static program analysis.
  • SofCheck Inspector — provides static detection of logic errors, race conditions and redundant code for Java and Ada.
  • Sotoarc/Sotograph — architecture and quality in-depth analysis and monitoring for Java, C#, C and C++.
  • Sparrow — C/C++ memory-bug-detecting static analyzer.
  • STAN — Structure Analysis for Java: Eclipse-integrated visual dependency analysis, quality metrics and reporting.
  • Structure101 — for understanding, analyzing, measuring and controlling the quality of a software architecture as it evolves over time.
  • Structure101g — a generic version of Structure101; build your own flavor to support any programming language or dependency data.
  • Swat4j — a model-based, goal-oriented source code auditing tool for Java; comes as an Eclipse plug-in.
  • Telelogic Logiscope — RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling) for C, C++, Ada and Java.
  • TorqueWrench — a static Java bytecode analysis tool by StackFrame, LLC.
  • Understand — analyzes C, C++, Java, Ada, Fortran, Jovial and Delphi; reverse engineering of source, code navigation and metrics tool.
  • Viva64 — analyzes C and C++ code to detect 64-bit portability issues.
  • Veracode SecurityReview — on-demand application security testing and remediation for C, C++, Java, .NET and other languages.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using program assertions):

References

  1. David Hovemeyer and William Pugh, "Finding More Null Pointer Bugs, But Not Too Many", http://findbugs.cs.umd.edu/papers/MoreNullPointerBugs07.pdf