By language
Multi-language
- Axivion Bauhaus Suite – A tool for Ada, C, C++, C#, and Java code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
- Black Duck Suite – Analyze the composition of software source code and binary files, search for reusable code, manage open source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.
- BugScout – Detects security flaws in Java, PHP, ASP and C# web applications.
- CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, C/C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
- ChecKing – Integrated software quality portal that allows managing the quality of all phases of software development. It includes static code analyzers for Java, JSP, JavaScript, HTML, XML, .NET (C#, ASP.NET, VB.NET, etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C/C++, Cobol, JCL, PowerBuilder.
- Checkmarx – Allows security professionals and software developers to detect software security vulnerabilities and business logic flaws in Java, C#/.NET, ASP.NET, PHP, C/C++, ASP, Android Java, Objective C (iOS), Visual Basic 6, JavaScript, Ruby, Python, Perl, PL/SQL, APEX, and HTML5.
- Coverity SAVE – Coverity® Static Analysis Verification Engine (Coverity SAVE™) is a static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker, which used abstract interpretation to identify defects in source code.
- DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
- HP Fortify Source Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, ColdFusion, classic ASP, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python and COBOL and configuration files.
- GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, ...), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
- IBM Rational AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL.
- Imagix 4D – Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
- Klocwork Insight – Provides security vulnerability, defect detection and build-over-build trend analysis for C, C++, C# and Java.
- LDRA Testbed – A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
- MALPAS – A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.
- Moose – Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve into a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk and .NET; more may be added.
- Parasoft – Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability.
- Copy/Paste Detector (CPD) – PMD's duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[1] code.
- Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada.
- Protecode – Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect security vulnerabilities.
- ResourceMiner – Multipurpose analysis and metrics, from architecture down to details; develop your own rules for mass change and generator development. Supports 30+ legacy and modern languages and all major databases.
- Semmle – Supports Java, C, C++, C#.
- SofCheck Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
- Sonar – A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, Cobol, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
- Sotoarc/Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java.
- SQuORE – A multi-purpose and multi-language monitoring tool[2] for software projects.
- Understand – Analyzes Ada, C, C++, C#, COBOL, CSS, Delphi, Fortran, HTML, Java, JavaScript, Jovial, Pascal, PHP, PL/M, Python, VHDL, and XML – reverse engineering of source, code navigation, and metrics tool.
- Veracode – Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.
- Visual Studio Team System – Analyzes C++ and C# source code; only available in the Team Suite and Development editions.
- Yasca – Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.
.NET
- CodeIt.Right – Combines static code analysis and automatic refactoring to best practices, which allows automatically correcting code errors and violations; supports C# and VB.NET.
- CodeRush – A plugin for Visual Studio that addresses a multitude of shortcomings with the popular IDE, including alerting users to violations of best practices by using static code analysis.
- FxCop – Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
- Kalistick – Mixing from the Cloud: static code analysis with best practice tips and collaborative tools for Agile teams.
- NDepend – Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
- Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
- StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.
ActionScript
- Apparat – A language manipulation and optimization framework consisting of intermediate representations for ActionScript.
Ada
- AdaControl – A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety related rules, and support for various manual inspections.
- Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
- LDRA Testbed – A software analysis and testing tool suite for Ada83/95.
- Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
- SofCheck Inspector – (Bought by AdaCore) Static detection of logic errors, race conditions, and redundant code for Ada; automatically extracts pre/postconditions from code.
C/C++
- Astrée – Exhaustive search for runtime errors and assertion violations by abstract interpretation; tailored towards critical code (avionics).
- BLAST – (Berkeley Lazy Abstraction Software verification Tool) – A software model checker for C programs based on lazy abstraction.
- Cppcheck – Open-source tool that checks for several types of errors, including use of STL.
- cpplint – An open-source tool that checks for compliance with Google's style guide for C++ coding.
- Clang – A compiler that includes a static analyzer.
- Coccinelle – Source code pattern matching and transformation.
- ECLAIR – A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
- Eclipse (software) – An IDE that includes a static code analyzer (CODAN).
- Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
- Frama-C – A static analysis framework for C.
- Goanna – A software analysis tool for C/C++.
- GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, ...), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
- Lint – The original static code analyzer for C.
- LDRA Testbed – A software analysis and testing tool suite for C/C++.
- makedepend – A Unix tool to generate dependencies of C source files.
- Parasoft C/C++test – A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
- PC-Lint – A software analysis tool for C/C++.
- Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
- PVS-Studio – A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
- PRQA QA·C and QA·C++ – Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement.
- SLAM project – A project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
- Sparse – A tool designed to find faults in the Linux kernel.
- Splint – An open source evolved version of Lint, for C.
Java
- AgileJ StructureViews – Reverse engineered Java class diagrams with an emphasis on filtering.
- ObjectWeb ASM – Allows decomposing, modifying, and recomposing binary Java classes (i.e. bytecode).
- Checkstyle – Besides some static code analysis, it can be used to show violations of a configured coding standard.
- FindBugs – An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
- GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, ...), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
- Hammurapi – Versatile code review program; free for non-commercial use.
- Jtest – Testing and static code analysis product by Parasoft.
- Kalistick – A Cloud-based platform to manage and optimize code quality for Agile teams with DevOps spirit.
- LDRA Testbed – A software analysis and testing tool suite for Java.
- PMD – A static ruleset based Java source code analyzer that identifies potential problems.
- SemmleCode – Object oriented code queries for static program analysis.
- SonarJ – Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
- Soot – A language manipulation and optimization framework consisting of intermediate languages for Java.
- Squale – A platform to manage software quality (also available for other languages, using commercial analysis tools though).
JavaScript
- Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
- JSLint – JavaScript syntax checker and validator.
- JSHint – A community driven fork of JSLint.
Objective-C
- Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[3]
Opa
- Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.
Packaging
- Lintian – Checks Debian software packages for common inconsistencies and errors.
- Rpmlint – Checks for common problems in rpm packages.
Perl
- Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway's Perl Best Practices book.
- PerlTidy – Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
- Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors.
Python
Formal methods tools
Tools that use a formal methods approach to static analysis (e.g., using static program assertions):
- ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code.
- ESC/Java and ESC/Java2 – Based on Java Modeling Language, an enriched version of Java.
- MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
- Polyspace – Uses abstract interpretation, a formal methods based technique,[4] to detect and prove the absence of certain run time errors in source code for C/C++ and Ada.
- SofCheck Inspector – Statically determines and documents pre- and post-conditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
- SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada.
See also
- Automated code review
- Best Coding Practices
- Dynamic code analysis
- Software metrics
- Integrated development environment (IDE) and Comparison of integrated development environments. IDEs usually come with built-in support for static code analysis, or with an option to integrate such support. Eclipse offers such an integration mechanism for many different types of extensions (plug-ins).
References
- "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved 2012-12-09.
- Baldassari, Boris (2012). "SQuORE: a new approach to software project assessment". International Conference on Software and Systems Engineering and their Applications, Nov. 2012, Paris, France.
- "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
- Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.
External links
- The Web Application Security Consortium's Static Code Analysis Tool List
- Java Static Checkers at the Open Directory Project
- List of Java static code analysis plugins for Eclipse
- List of static source code analysis tools for C
- List of static source code analysis tools at CERT
- SAMATE-Source Code Security Analyzers
- SATE – Static Analysis Tool Exposition
- "A Comparison of Bug Finding Tools for Java", by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
- "Mini-review of Java Bug Finders", by Rick Jelliffe, O'Reilly Media.
- Parallel Lint, by Andrey Karpov
- Integrate static analysis into a software development process – Explains how one goes about integrating static analysis into a software development process.