List of tools for static code analysis

From Wikipedia, the free encyclopedia
Jump to: navigation, search

This is a list of tools for static code analysis.

By language[edit]


  • Axivion Bauhaus Suite – A tool for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite – Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
  • CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
  • Cigital SecureAssist - A lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding. Supports Java, .NET, and PHP.
  • ConQAT – Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
  • Coverity SAVE – A static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker. Scans using Coverity are available free of charge for open-source projects.[1]
  • DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, Visual Basic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • HP Fortify Static Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and configuration files.
  • GrammaTech CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, and Java source code.
  • IBM Rational AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL
  • Imagix 4D – Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
  • Kiuwan – supports Objective-C, Java, JSP, Javascript, PHP, C, C++, ABAP, COBOL, JCL, C#, PL/SQL, Transact-SQL, SQL, Visual Basic, VB.NET, Android, and Hibernate code.
  • LDRA Testbed – A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • MALPAS – A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.
  • Moose – Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk, .NET, more may be added.
  • Parasoft – Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability.
  • Copy/Paste Detector (CPD) – PMDs duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[2] code.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada
  • Pretty Diff - A language-specific code comparison tool that features language-specific analysis reporting in addition to language-specific minification and beautification algorithms.
  • Protecode – Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect security vulnerabilities.
  • Klocwork – Provides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis for C, C++, C# and Java.
  • Rogue Wave Software OpenLogic – Scans source code and binaries to identify open source code and licenses, manages open source policies and approvals, reports security vulnerabilities, and provides open source technical support.
  • Rough Auditing Tool for Security – A tool for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
  • Semmle – Supports C, C++, C#, Java, JavaScript, Objective-C, Python and Scala.
  • SofCheck Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
  • SonarQube – A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, C++, CSS, Objective-C, COBOL, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
  • Sotoarc/Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java, ABAP.
  • SQuORE is a multi-purpose and multi-language monitoring tool[3] for software projects.
  • Veracode – Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, JavaScript (including Node.js), Objective-C, Classic ASP, Visual Basic 6, and COBOL, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms and written in JavaScript cross platform frameworks.[4]
  • Yasca – Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.


  • .NET Compiler Platform (Codename "Roslyn") - Open-source compiler framework for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and manipulating syntax.
  • CodeIt.Right – Combines static code analysis and automatic refactoring to best practices which allows automatic correction of code errors and violations; supports C# and VB.NET.
  • CodeRush – A plugin for Visual Studio which alerts users to violations of best practices.
  • FxCop – Free static analysis for Microsoft .NET programs that compiles to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
  • NDepend – Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
  • StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project.



  • Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
  • BLAST – (Berkeley Lazy Abstraction Software verification Tool) – An open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker.[5]).
  • Cppcheck – Open-source tool that checks for several types of errors, including use of STL.
  • cpplint – An open-source tool that checks for compliance with Google's style guide for C++ coding.
  • Clang – An open-source compiler that includes a static analyzer (Clang Static Analyzer).
  • Coccinelle – An open-source source code pattern matching and transformation.
  • Cppdepend – Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code.
  • ECLAIR – A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
  • Eclipse (software) – An open-source IDE that includes a static code analyzer (CODAN).
  • Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
  • Frama-C – An open-source static analysis framework for C.
  • Goanna – A software analysis tool for C/C++.
  • Klocwork Insight – A static analysis tool for C/C++.
  • Lint – The original static code analyzer for C.
  • LDRA Testbed – A software analysis and testing tool suite for C/C++.
  • Parasoft C/C++test – A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
  • PC-Lint – A software analysis tool for C/C++.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of run time errors, Dead Code in source code as well as used to check all MISRA (2004, 2012) rules (directives, non directives).
  • PVS-Studio – A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
  • PRQA QA·C and QA·C++ – Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support.
  • SLAM project – a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
  • Sparse – An open-source tool designed to find faults in the Linux kernel.
  • Splint – An open-source evolved version of Lint, for C.


  • Checkstyle – Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs – An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • IntelliJ IDEA – Cross-platform Java IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
  • JArchitect – Simplifies managing a complex Java code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
  • Jtest – Testing and static code analysis product by Parasoft.
  • LDRA Testbed – A software analysis and testing tool suite for Java.
  • PMD – A static ruleset based Java source code analyzer that identifies potential problems.
  • SemmleCode – Object oriented code queries for static program analysis.
  • Sonargraph (formerly SonarJ) – Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Soot – A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale – A platform to manage software quality (also available for other languages, using commercial analysis tools though).
  • SonarQube – is an open source platform for Continuous Inspection of code quality.
  • ThreadSafe – A static analysis tool for Java focused on finding concurrency bugs.
  • Windup – A pluggable rule-based automated migration tool by JBoss, targeting mainly Java applications.



  • Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[6]


  • Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.


  • Lintian – Checks Debian software packages for common inconsistencies and errors.
  • Rpmlint – Checks for common problems in rpm packages.



  • RIPS – A static code analyzer and audit framework for vulnerabilities in PHP applications.


  • TOAD - A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues.


  • Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well.
  • PyCharm – Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.

Formal methods tools[edit]

Tools that use sound, i.e. no false negatives, formal methods approach to static analysis (e.g., using static program assertions):

See also[edit]


  1. ^ "Coverity Scan - Static Analysis". Retrieved 2015-06-17. 
  2. ^ "PMD - Browse /pmd/5.0.0 at". Retrieved Dec 9, 2012. 
  3. ^ Baldassari, Boris (2012). "SQuORE: a new approach to software project assessment", International Conference on Software and Systems Engineering and their Applications, Nov. 2012, Paris, France.
  4. ^ "White Box Testing/Binary Static Analysis (SAST)". Retrieved 2015-04-01. 
  5. ^ "CPAchecker". 2015-02-08. 
  6. ^ "Static Analysis in Xcode". Apple. Retrieved 2009-09-03. 
  7. ^ Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods" (PDF). IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08. 

External links[edit]