List of tools for static code analysis

List of tools for static code analysis

This is a list of significant tools for static code analysis.

Historical products

* Lint — the original static code analyzer of C code.

Open-source or Noncommercial products

.NET (C#, VB.NET and all .NET compatible languages)

* [http://www.codeplex.com/reflectoraddins/Wiki/View.aspx?title=CodeMetrics&referringTitle=Home Reflector.CodeMetrics] — (an add-in for the essential .NET_Reflector)
* [http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx CCMetrics]
* [https://sourceforge.net/projects/crplugin/ CRPlugin] (plugin for [http://www.devexpress.com/Downloads/NET/DXCore/ DxCore] )
* FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
* [http://www.campwoodsw.com/sm20.html Source Monitor]
* [http://www.1bot.com/ vil]
* [http://www.mono-project.com/Gendarme Gendarme] - A Free static analysis tool from the Mono project

Java

* [http://bandera.projects.cis.ksu.edu/ Bandera] — analyzer for Java
* [http://checkstyle.sourceforge.net/ Checkstyle] — analyze Java and apply coding standard
* [http://sourceforge.net/projects/classycle/ Classycle] — analyze Java class cycles and class and package dependencies (Layers)
* FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
* [http://jlint.sourceforge.net/ Jlint] — for Java
* PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
* [http://people.clarkson.edu/~dhou/projects/SCL/ SCL] — A Java program analysis tool that is programmable with SCL (Structural Constraint Language).
* [http://www.sable.mcgill.ca/soot/ Soot] — A Java program analysis and compiler optimization framework
* [http://sourceforge.net/projects/hammurapi/ Hammurapi] — Customizable static code analysis tool for java (based on coding standards) that can also generate metrics report
* [http://www.ucdetector.org/ UCDetector] — Unnecessary Code Detector: Eclipse PlugIn to find unnecessary (dead) public java code
* [http://www.alphaworks.ibm.com/tech/sa4j sa4j] - structural dependencies analyzes, measures stability, detects structural "anti-patterns", impact analysis on dependencies, and more.

C

* [http://www.cs.umd.edu/~jfoster/cqual/ CQual] — A tool for adding type qualifiers in C.
* [http://sourcenav.sourceforge.net/ SNav] — Red Hat Source Navigator.
* Sparse — a tool designed to find faults in the Linux kernel.
* Splint — an open source evolved version of Lint (C language).
* [http://frama-c.cea.fr Frama-C] — Frama-C is a suite of tools dedicated to the analysis of the source code of software written in C.
* [http://www.astree.ens.fr Astrée] - A tool for proving the absence of runtime errors (overflows, failed assertions, etc.), taylored to critical embedded control code (was applied to Airbus A340 and A380 avionics code)
* [http://deputy.cs.berkeley.edu/ Deputy] - Deputy is a C compiler that is capable of preventing common C programming errors, including out-of-bounds memory accesses as well as many other common type-safety errors.
* [http://manju.cs.berkeley.edu/ccured/ CCured] - CCured is a source-to-source translator for C. It analyzes the C program to determine the smallest number of run-time checks that must be inserted in the program to prevent all memory safety violations.
* [http://www.fortify.com/security-resources/rats.jsp RATS] - RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
* [http://clang.llvm.org/StaticAnalysis.html LLVM/Clang Static Analyzer] - standalone tool that find bugs in C and Objective-C programs.
* [http://www.cs.berkeley.edu/~daw/mops/ MOPS] - MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming.
* [http://www.cs.berkeley.edu/~daw/boon/ BOON] - BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code.
* [http://mtc.epfl.ch/software-tools/blast/ BLAST] - BLAST is a software model checker for C programs.

C++

* [http://www.dwheeler.com/flawfinder/ Flawfinder] — open source programming tool that examines C or C++ source code for security weaknesses.
* [http://www.cubewano.org/oink Oink] — collaboration of C++ static analysis tools, based on the research of CQual [http://www.cubewano.org/oink/wiki/WikiStart#Historyandpreviouswork]
* [http://wiki.mozilla.org/Dehydra_GCC Dehydra] - A scriptable static analysis tool based on GCC. Developed by Mozilla.
* [http://edoc.sourceforge.net/index.html EDoc++] - Examines C++ code to identify problems with C++ exception propagation and usage.
* [http://sourceforge.net/projects/cppcheck/ c++check] - Checks C/C++ code for simple mistakes.

Fortran

* [http://www.dsm.fordham.edu/~ftnchek/ ftnchek] — static analyzer for Fortran 77 programs
* [http://g95-xml.sourceforge.net/ g95-xml] — code parser toolkit for Fortran 95

JavaScript

* [http://www.jslint.com/ JsLint] - online analyzer for JavaScript

Perl

* [http://search.cpan.org/dist/Perl-Critic Perl::Critic] - a static code analysis tool for Perl
* [http://www.fortify.com/security-resources/rats.jsp RATS] - RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
* [http://search.cpan.org/dist/Perl-Metrics-Simple/bin/countperl countperl] command from Perl::Metrics::Simple module - code metrics include Cyclomatic complexity
* [http://search.cpan.org/~rgarcia/perl-5.10.0/ext/B/B/Xref.pm B::Xref] module is used to generate a cross reference listing of all definitions and uses of variables, subroutines and formats in a Perl program.
* [http://search.cpan.org/~kstar/B-Fathom-0.07/Fathom.pm B::Fathom] - a module to evaluate the readability of Perl code
* [http://perltidy.sourceforge.net/ perltidy] - script which indents and reformats Perl scripts to make them easier to read

PHP

* [http://pixybox.seclab.tuwien.ac.at/pixy/ Pixy] — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities.
* [http://code.google.com/p/smarty-lint/ smarty-lint] - a lint implementation for the popular templating engine, Smarty.

Python

* [http://pychecker.sourceforge.net/ PyChecker] - The original static code analyser for Python.
* [http://www.logilab.org/project/pylint pylint] - A static code analyser for Python. Works as a plugin to PyDev for the Eclipse IDE.
* [http://divmod.org/trac/wiki/DivmodPyflakes Pyflakes] - A lint-like tool for Python, whose primary advantage is being faster than PyChecker

Visual Basic

* [http://www.mztools.com/index.aspx/ MZTools] - MZTools 3.0 - Free Static Code Analysis & productivity enhancement tool for VB6, & VBA.

Multiple languages

* RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
* Yasca - Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C, C++, Java, and JavaScript. Integrates FindBugs, [http://artho.com/jlint/ Jlint] , and PMD.

Commercial products

.NET

Products covering multiple .NET languages.
* [http://www.checkmarx.com CHECKMARX] [http://www.checkmarx.com/cx-suite.aspx CxSuite] - a Source Code Analysis suite of products allowing developers and auditors identify software security vulnerabilities.
* Compuware DevPartner - static code analyzer for .NET (C#, ASP.NET) with Visual Studio 2005 integration
* [http://www.knowdotnet.com/articles/complexityanalyzer.html Complexity Analyzer] - for .NET
* ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
* [http://submain.com/codeit.right CodeIt.Right] - combines Static Code Analysis and automatic Refactoring to best practices in one product. CodeIt.Right will automatically correct code errors and violations. C# and VB.NET

C#

* [http://www.clocksharp.com ClockSharp] - checks C# code against the [http://www.tiobe.com/standards/gemrcsharpcs.pdf Philips C# coding standard] .
* [http://blogs.msdn.com/sourceanalysis/ StyleCop] - Free source code style and consistency tool for C#, integrated into Microsoft Visual Studio.
* NStatic - deep static analysis of C# code.

C/C++

* [http://www.checkmarx.com CHECKMARX] [http://www.checkmarx.com/cx-suite.aspx CxSuite] - a Source Code Analysis suite of products allowing developers and auditors identify software security vulnerabilities.
* [http://www.spa-arrow.com/english/main.asp Static Analysis tool SPARROW] A state-of-the-art Static Analysis tool (2008)
* [http://www.testwell.fi/cmtdesc.html CMT++] code metrics tool for C/C++ (also for [http://www.testwell.fi/cmtjdesc.html Java] ).
* Gimpel Software [http://www.gimpel.com/html/lintinfo.htm FlexeLint and PC-Lint] - Multi-platform static code analysis tools for C and C++ code.
* Green Hills Software DoubleCheck - static analysis for C and C++ code.
* HP Code Advisor - A static analysis tool for C and C++ programs
* LDRA Testbed - A software analysis and testing tool suite for C & C++.
* Microsoft Visual Studio - Visual Studio Team System includes a static code analyzer.
* [http://www.microsoft.com/whdc/DevTools/tools/PREfast_steps.mspx PREfast] – A Microsoft tool which identifies defects in C/C++ source code.
* QA-C - deep static analysis of C for quality assurance and guideline enforcement.
* QA-C++ - deep static analysis of C++ for quality assurance and guideline enforcement.
* Viva64 — analyzes C, C++ code for detect 64-bit portability issues.
* [http://www.abxsoft.com/codchk.htm ABRAXAS Software codeCheck] — programmable C/C++ Standards Checking Tool .

Java

* [http://www.checkmarx.com CHECKMARX] [http://www.checkmarx.com/cx-suite.aspx CxSuite] - a Source Code Analysis suite of products allowing developers and auditors identify software security vulnerabilities.
* checKing - monitors the quality of software development process, including violations of coding rules for Java, JSP, Javascript, XML and HTML.
* [http://www.instantiations.com/codepro/analytix/about.html CodePro Analytix] - Static code analysis for Java, integrated with Eclipse.
* [http://www.enerjy.com Enerjy Software] - Metrics expert system and extendable static code analyzer Eclipse plugin for Java - compares code quality against Open Source projects
* [http://www.hello2morrow.com/en/sonarj/sonarj.php SonarJ] - Architecture management solution for Java, comes with Eclipse-Plugin
* IntelliJ IDEA — IDE for Java that also provides static code analysis.
* [http://www.qavalidator.com/qavalidator/ QAValidator] - Checking Java code against a defined software architecture
* [http://stan4j.com STAN] — Structure Analysis for Java. Eclipse integrated visual dependency analysis, quality metrics and reporting.
* Swat4j — a model based, goal oriented source code auditing tool for Java. Comes as an Eclipse plug-in.
* [http://www.stackframe.com/TorqueWrench/ TorqueWrench] - A static Java bytecode analysis tool by [http://www.stackframe.com/ StackFrame, LLC] .
* [http://www.coverity.com/html/coverity-readiness-manager-java.html Coverity Software Readiness Manager for Java ] - tool of Coverity checks code quality, risk, code coverage, complexity, architectural integrity, and more

Visual Basic 6

* [http://www.aivosto.com/project/project.html Aivosto Oy's] - Project Analyzer - Static code analysis tool for VBA, and VB6/VB.net
* [http://www.mztools.com/index.aspx/ MZTools] - MZTools 6.0 - Static Code Analysis & productivity enhancement tool for VB.net, VB6, & VBA.

Fortran

* [http://www.codework.com/forcheck/product.html ForCheck] — analyzes of FORTRAN 66, FORTRAN 77, FORTRAN 90, HPF, FORTRAN 95

QL

* [http://www.ubitsoft.com/products/sqlenlight/sqlenlight.php SQL Enlight] - Provides static code analysis for Transact-SQL and is impelmented as an add-on for Visual Studio 2005/2008 and SQL Server Management Studio 2005/2008.

cripting languages

* Parasoft [http://www.parasoft.com/jsp/solutions/soa_solution.jsp?itemId=319 SOA Quality Solutions] Static analysis for SOA and RIA (WSDL, WS-*, XML, JavaScript, HTML, Accessibility/Section 508, etc.).
* [http://www.syhunt.com/sandcat4php Sandcat for PHP] - Static source code analysis and hardening tool for PHP

Multi-language

* [http://www.checkmarx.com CHECKMARX] - [http://www.checkmarx.com/cx-suite.aspx CxSuite] - a suite of software which helps developers and auditors identify software security vulnerabilities.
* [http://www.armorize.com Armorize Technologies] CodeSecure - source code scanning (PHP, J2EE, ASP, etc.)
* Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
* [http://www.castsoftware.com/Product/AIP.aspx CAST] — provides a tool with 25+ language / product analyzers, defect detection as well as architectural and build-over-build trend analysis.
* [http://www.compuware.com/products/xpediter/1997_ENG_HTML.htm Xpediter/DevEnterprise from Compuware] — COBOL and PL/I analysis at system and program level. Uses the source code as input and provides graphical representations and tabulated output. Delivers impact analysis capabilities based on specific program variables.
* Coverity Prevent — analyzes C, C++ and Java code.
* DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
* Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
* [http://www.grammatech.com/products/ GrammaTech] - GrammaTech offers products for analyzing code written in C/C++ (CodeSurfer and CodeSonar) and Ada (Ada-ASSURED and Ada-Utilities)
* Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java
* Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
* LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
* [http://msquaredtechnologies.com M Squared Technologies] Resource Standard Metrics - source code analysis and metrics (C, Ansi C, C++, Ansi C++, C#, Java, Javascript, etc.)
* [http://www.metrixware.com Metrixware] Code & Architecture quality analysis & dashboards (Java, Cobol, JSP, Javascript, Pacbase, C#, SAP/Abap, etc.)
* [http://www.optimyth.com Optimyth Software] Own analyzers for Policy Enforcement, Dependency Mappings and Metrics Calculation for multiple languajes, such us Cobol, SAP ABAP IV, Java, HTML, JSP, XML, PL/SQL, C#, among others. Repository and Web Dashboards based on ISO 9126 with connectors to the main tools (open and commercial) used to develop and test applications.
* Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
* Parasoft [http://www.parasoft.com/jsp/solutions/application_security_solution.jsp?itemId=322 Application Security Solutions] - Static analysis for detection and remeditation of security vulnerabilities in Java, C/C++, and .NET. OWASP and PCI DSS 6 support, as well as policy enforcement. Integrated with Eclipse and Visual Studio.
* Parasoft [http://www.parasoft.com/jsp/solutions/application_security_solution.jsp?itemId=322 Application Development Quality Solutions- Java, C/C++, .NET] - Static analysis for Java (including JSP, XML configuration files and property files), C/C++ (including JSF and MISRA), and .Net (IL, C#, VB.NET). Integrated with Eclipse and Visual Studio.
* PolySpace code verifiers by [http://www.mathworks.com/products/polyspace/index.html?s_cid=HP_FP_PS_PolySpace The MathWorks] - Software verification for C, C++ and Ada
* [http://www.metrixware.com Metrixware System Code] - Static code analyzer and quality dashboard for C, C++, C#, Java, JSP, PHP and JavaScript.
* SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
* Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
* [http://www.telelogic.com/ Telelogic Logiscope] RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling) for C, C++, Ada, Java.
* Understand — analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.
* [http://www.veracode.com Veracode SecurityReview] — an on-demand application security testing and remediation, C, C++, Java, .Net and other languages.

Uncategorized

* [http://www.anticipatingminds.com/Content/products/devMetrics/devMetrics.aspx DevMetrics] — commercial
* [https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9564_4000_100__ HP DevInspect] - simplifies security during development by automatically finding and fixing application vulnerabilities in ASP.NET and Java based web applications.
* [http://smacchia.chez.tiscali.fr/NDepend.html NDepend] — A comprehensive analysis and reporting tool.
* [http://www.automationsquare.com/plc-checker.html PLC Checker] — A coding rules verification tools for PLC programs.
* [http://www.reasoning.com Reasoning, Inc.] offers a defect-finding service using an internal tool, which found defects in Apache Tomcat missed by an earlier version of FindBugs. [“Finding More Null Pointer Bugs, But Not Too Many,” David Hovemeyer & William Pugh, http://findbugs.cs.umd.edu/papers/MoreNullPointerBugs07.pdf]
* SemmleCode — object oriented code queries for static program analysis.
* Structure101 - For understanding, analyzing, measuring and controlling the quality of your Software Architecture as it evolves over time.
* [http://www.headwaysoftware.com/products/structure101/g/index.php Structure101g] - A generic version of Structure101 - build your own flavor to support any programming language or dependency data.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using program assertions):

* ESC/Java and ESC/Java2 — based on Java Modeling Language, an enriched version of Java.
* SofCheck Inspector - statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
* SPARK Toolset including the SPARK Examiner — based on the SPARK programming language, a subset of Ada.
* [http://sdg.csail.mit.edu/forge Forge] - bounded verification of Java programs against specification in the Java Modeling Language.

External links

* [http://www.spinroot.com/static/ List of static source code analysis tools for C]
* [http://samate.nist.gov/index.php/Tools SAMATE-Wiki tool survey]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers SAMATE-Source Code Security Analyzers]
* [http://www.eclipseplugincentral.com/Web_Links-index-req-viewcatlink-cid-14-orderby-rating.html List of Java static code analysis plugins for Eclipse]
* [http://cwe.mitre.org/ Common Weakness Enumeration] — a community-developed dictionary of common software weaknesses (that are potentially identifiable by static code analysis tools)
* [http://www.cs.umd.edu/~jfoster/papers/issre04.pdf “A Comparison of Bug Finding Tools for Java”] , by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
* [http://www.oreillynet.com/digitalmedia/blog/2004/03/minireview_of_java_bug_finders.html “Mini-review of Java Bug Finders”] , by Rick Jelliffe, O'Reilly Media.

ee also

* [http://en.wikipedia.org/wiki/User:Nickj/List_of_tools_for_static_code_analysis Older, more-complete version of this page]
*List of code quality management dashboards

References


Wikimedia Foundation. 2010.

Нужно решить контрольную?

Look at other dictionaries:

  • Static code analysis — is the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version… …   Wikipedia

  • Static program analysis — This article is about certain software quality assessment methods. For the statistical method, see Static analysis. Static program analysis (also Static code analysis or SCA) is the analysis of computer software that is performed without actually …   Wikipedia

  • Code audit — A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming… …   Wikipedia

  • List of code quality management dashboards — This is a list of significant tools for helping managers and developers to measure, control and improve applications health. As a rule, those tools are composed of four layers : * Static or dynamic code analysis engines to provide metrics such as …   Wikipedia

  • Code smell — In computer programming, code smell is any symptom in the source code of a program that possibly indicates a deeper problem. Often the deeper problem hinted by a code smell can be uncovered when the code is subjected to a short feedback cycle… …   Wikipedia

  • Automated code review — software checks source code for compliance with a predefined set of rules or best practices. The use of analytical methods to inspect and review source code to detect bugs has been a standard development practice. This process can be accomplished …   Wikipedia

  • Duplicate code — is a computer programming term for a sequence of source code that occurs more than once, either within a program or across different programs owned or maintained by the same entity. Duplicate code is generally considered undesirable for a number… …   Wikipedia

  • List of Eclipse-based software — * Adobe Flex Builder, Adobe IDE based on Eclipse for building Flex applications for the Flash Platform * Aptana, Web IDE based on Eclipse (commercial and community version) * Avaya Dialog Designer, a commercial IDE to build scripts for voice self …   Wikipedia

  • List of file formats — This is an incomplete list, which may never be able to satisfy particular standards for completeness. You can help by expanding it with reliably sourced entries. See also: List of file formats (alphabetical) This is a list of file formats… …   Wikipedia

  • List of Google products — This page is a summary of services and tools provided by Google Inc. For other uses, see Google (disambiguation). This list of Google products includes all major desktop, mobile and online products released or acquired by Google Inc.. They are… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”