List of tools for static code analysis

By Wikipedia

This is a list of tools for static code analysis.

By language

Multi-language

  • Axivion Bauhaus Suite – A tool for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite – Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
  • CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. Supports 30+ languages, including C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
  • Cigital SecureAssist – A lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding. Supports Java, .NET, and PHP.
  • ConQAT – Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
  • Coverity SAVE – A static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker, which used abstract interpretation to identify defects in source code.
  • DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • HP Fortify Static Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and configuration files.
  • GrammaTech CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, and Java source code.
  • IBM Rational AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL.
  • Imagix 4D – Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
  • Klocwork Insight – Provides security vulnerability, defect detection and build-over-build trend analysis for C, C++, C# and Java.
  • LDRA Testbed – A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • MALPAS – A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.
  • Misspell Fixer – Small tool to fix common typos in your source code. It uses a fixed dictionary with the most typical programming related misspelled words.
  • Moose – Started as a software analysis platform with many tools to manipulate, assess or visualize software, and is evolving into a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk and .NET; more may be added.
  • Parasoft – Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability.
  • Copy/Paste Detector (CPD) – PMD's duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[1] code.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada.
  • Pretty Diff – A code comparison tool that, in addition to language-specific minification and beautification, reports language-specific analysis results.
  • .NET Compiler Platform (Codename "Roslyn") – Open-source compiler framework for C# and Visual Basic .NET developed by Microsoft. Provides an API for analyzing and manipulating syntax.
  • Semmle – Supports Java, C, C++ and C#.
  • SofCheck Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
  • SonarQube – A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, C++, Objective-C, COBOL, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
  • Sotoarc/Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java, ABAP.
  • SQuORE – A multi-purpose and multi-language monitoring tool[2] for software projects.
  • Veracode – Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.
  • Visual Studio Team System – Analyzes C++ and C# source code. Only available in the Team Suite and Development editions.
  • Yasca – Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.

.NET

  • CodeIt.Right – Combines static code analysis and automatic refactoring to best practices which allows automatic correction of code errors and violations; supports C# and VB.NET.
  • CodeRush – A plugin for Visual Studio which alerts users to violations of best practices.
  • FxCop – Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
  • NDepend – Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
  • StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project.

Ada

C/C++

  • Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
  • BLAST – (Berkeley Lazy Abstraction Software verification Tool) – An open-source software model checker for C programs based on lazy abstraction.
  • Cppcheck – Open-source tool that checks for several types of errors, including misuse of the STL.
  • cpplint – An open-source tool that checks for compliance with Google's style guide for C++ coding.
  • Clang – An open-source compiler that includes a static analyzer.
  • Coccinelle – An open-source tool for source code pattern matching and transformation.
  • ECLAIR – A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
  • Eclipse – An open-source IDE that includes a static code analyzer (CODAN).
  • Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
  • Frama-C – An open-source static analysis framework for C.
  • Goanna – A software analysis tool for C/C++.
  • GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, ...), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
  • Klocwork Insight – A static analysis tool for C/C++.
  • Lint – The original static code analyzer for C.
  • LDRA Testbed – A software analysis and testing tool suite for C/C++.
  • Parasoft C/C++test – A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
  • PC-Lint – A software analysis tool for C/C++.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
  • PVS-Studio – A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
  • PRQA QA·C and QA·C++ – Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement.
  • SLAM project – a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
  • Sparse – An open-source tool designed to find faults in the Linux kernel.
  • Splint – An open-source evolved version of Lint, for C.

Eiffel

Java

  • AgileJ StructureViews – Reverse engineered Java class diagrams with an emphasis on filtering.
  • ObjectWeb ASM – allows decomposing, modifying, and recomposing binary Java classes (i.e. bytecode).
  • Checkstyle – Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs – An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, ...), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
  • IntelliJ IDEA – Cross-platform Java IDE with its own set of several hundred code inspections, available for on-the-fly analysis in the editor and for bulk analysis of the whole project.
  • Jtest – Testing and static code analysis product by Parasoft.
  • LDRA Testbed – A software analysis and testing tool suite for Java.
  • PMD – A static ruleset based Java source code analyzer that identifies potential problems.
  • SemmleCode – Object oriented code queries for static program analysis.
  • SonarJ – Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Soot – A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale – A platform to manage software quality (also available for other languages, using commercial analysis tools though).
  • SonarQube – An open-source platform for continuous inspection of code quality.
  • ThreadSafe – A static analysis tool for Java focused on finding concurrency bugs.

JavaScript

  • Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
  • JSLint – JavaScript syntax checker and validator.
  • JSHint – A community driven fork of JSLint.

Objective-C

  • Clang – The free Clang project includes a static analyzer. Since Xcode 3.2, this analyzer ships with Xcode.[3]
  • OCLint – A tool based on Clang that enables automated analysis.

Opa

  • Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.

Packaging

  • Lintian – Checks Debian software packages for common inconsistencies and errors.
  • Rpmlint – Checks for common problems in rpm packages.

Perl

Python

  • Pylint – Static code analyzer.
  • pyflakes – A simple program which checks Python source files for errors.
  • pep8 – A tool to check your Python code against some of the style conventions in PEP 8.
  • pep257 – Python docstring style checker according to PEP 257.
  • flake8 – Wraps pep8, pyflakes, and a McCabe cyclomatic complexity checker.
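None of the Python tools above is shown in action on this page. As an added example, not code from pyflakes, flake8 or any listed product, the following script implements a small subset of what they do as a single AST walk: unused-import detection (as pyflakes reports), McCabe cyclomatic complexity per function (as flake8's complexity checker reports), and a pattern rule for dangerous calls such as eval() and subprocess with shell=True, the kind of finding the security-oriented analyzers in the multi-language list produce. The rule codes, the complexity threshold and the sample module are assumptions made for illustration.

```python
"""Added example: a toy AST-based static checker in the spirit of the Python
tools listed above.  Not code from pyflakes, flake8 or any listed product;
the rule codes, threshold and sample module are assumptions for illustration.
"""
import ast

# Constructed sample module: one unused import, one over-complex function
# and two calls a security-focused analyzer would flag.
SAMPLE = '''
import os
import sys
import subprocess

def route(cmd, n):
    if n > 10:
        x = 1
    elif n > 5:
        x = 2
    else:
        x = 3
    for i in range(n):
        if i % 2 and i > 2:
            x += i
    while x > 100:
        x -= 1
    subprocess.call(cmd, shell=True)
    return eval(sys.argv[1])
'''

# Decision points counted for McCabe cyclomatic complexity (elif is a nested If).
DECISION_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)


class Checker(ast.NodeVisitor):
    """Single pass over the AST collecting three kinds of findings."""

    def __init__(self, max_complexity):
        self.max_complexity = max_complexity
        self.imported = {}       # bound name -> line of the import statement
        self.used = set()        # names read (Load context) anywhere in the module
        self.complexity = {}     # function name -> cyclomatic complexity
        self.findings = []       # (line, code, message)

    # pyflakes-style: record bindings created by imports and names that are read.
    def visit_Import(self, node):
        for alias in node.names:
            bound = alias.asname or alias.name.split(".")[0]
            self.imported[bound] = node.lineno

    def visit_ImportFrom(self, node):
        for alias in node.names:
            if alias.name != "*":
                self.imported[alias.asname or alias.name] = node.lineno

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load):
            self.used.add(node.id)

    # mccabe-style: complexity = 1 + decision points inside the function body.
    def visit_FunctionDef(self, node):
        score = 1
        for sub in ast.walk(node):
            if isinstance(sub, DECISION_NODES):
                score += 1
            elif isinstance(sub, ast.BoolOp):      # each extra and/or operand
                score += len(sub.values) - 1
            elif isinstance(sub, ast.comprehension):
                score += 1 + len(sub.ifs)
        self.complexity[node.name] = score
        if score > self.max_complexity:
            self.findings.append((node.lineno, "C901",
                                  f"'{node.name}' is too complex ({score})"))
        self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef

    # Pattern rule: dangerous calls that a security-oriented analyzer reports.
    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            self.findings.append((node.lineno, "S307",
                                  f"{func.id}() on possibly untrusted input"))
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append((node.lineno, "S602",
                                          "subprocess call with shell=True"))
        self.generic_visit(node)   # still walk arguments so name uses are seen


def check(source, max_complexity=5):
    """Return (findings sorted by line, {function: complexity}) for a module."""
    checker = Checker(max_complexity)
    checker.visit(ast.parse(source))
    for name, line in checker.imported.items():
        if name not in checker.used:
            checker.findings.append((line, "F401", f"'{name}' imported but unused"))
    return sorted(checker.findings), checker.complexity


if __name__ == "__main__":
    for line, code, message in check(SAMPLE)[0]:
        print(f"sample.py:{line}: {code} {message}")
```

Running the script reports the unused `os` import, the complexity of `route` (7: two `if`s, the `elif`, the `for`, the `and`, and the `while` on top of the base score of 1), the `shell=True` call and the `eval()`. The pattern rule is deliberately purely syntactic: like the simplest rules in the commercial tools, it cannot tell whether `cmd` is attacker-controlled, which is why those products layer flow-based analysis on top of pattern matching.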

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

References

  1. "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved 2012-12-09.
  2. Baldassari, Boris (2012). "SQuORE: a new approach to software project assessment". International Conference on Software and Systems Engineering and their Applications, November 2012, Paris, France.
  3. "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
  4. Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.
