List of tools for static code analysis

From Wikipedia, the free encyclopedia

This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (January 2009)

This is a list of significant tools for static code analysis.

Contents 1 Historical products 2 Open-source or Noncommercial products 2.1 Multi-language 2.2 .NET (C#, VB.NET and all .NET compatible languages) 2.3 Java 2.4 C 2.5 C/C++ 2.6 Objective-C + 2.7 Perl 3 Commercial products 3.1 Multi-language 3.2 .NET 3.3 C/C++ 3.4 Java 3.5 Visual Basic 3.6 Uncategorized 4 Formal methods tools 5 External links 6 See also 7 References

[edit] Historical products

• Lint — the original static code analyzer of C code.

[edit] Open-source or Noncommercial products

[edit] Multi-language

• RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
• Yasca - Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.
• CPD - The Copy/Paste Detector (CPD) is an add-on to PMD that finds duplicated code. CPD works with Java, JSP, C, C++, Fortran and PHP code.

[edit] .NET (C#, VB.NET and all .NET compatible languages)

• FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
• StyleCop - Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

[edit] Java

• Checkstyle — besides some static code analysis, it can be used to show violations of a configured coding standard
• FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
• PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
• Hammurapi - a versatile code review solution.
• Sonar - a platform to manage source code quality

[edit] C

• Sparse — A tool designed to find faults in the Linux kernel.
• Splint — An open source evolved version of Lint (C language).
• Uno — A tool designed to find most common type of programming errors without generating too much output.
• BLAST (Berkeley Lazy Abstraction Software verification Tool) - a software model checker for C programs based on lazy abstraction.
• Frama-C — A static analysis framework for C.

[edit] C/C++

• Cppcheck — can find memory leaks, buffer overruns and many other common errors.

[edit] Objective-C +

[edit] Perl

• Perl::Critic — module and program to help find deviations from commonly accepted best practices

[edit] Commercial products

[edit] Multi-language

• Axivion Bauhaus Suite — a tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
• CodeSecure - Appliance with Web interface and built-in language parsers for analyzing ASP.NET, VB.NET, C#, Java/J2EE, JSP, EJB, PHP, Classic ASP and VBScript.
• CAST Application Intelligence Platform -- Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, .NET, Java, C/C++, Struts, and all major databases.
• Coverity Prevent — identifies security vulnerabilities and code defects in C, C++, C# and Java code.
• DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
• Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
• GrammaTech CodeSonar - Analyzes C,C++. Ada-Assured -Analyzes Ada
• Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java
• Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
• LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
• Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
• Parasoft - Security, reliability, performance, and maintainability analysis of Java, JSP, C, C++, .NET (C#, ASP.NET, VB.Net, etc.), WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files.
• SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
• Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
• Structure101 - For understanding, analyzing, measuring and controlling the quality of your Software Architecture as it evolves over time. Available for Java and Ada, with support for C/C++ via Coverity and Programming Research.
• Understand — analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.
• Visual Studio Team System - analyzes C++,C# source codes. only available in team suite and development edition.

[edit] .NET

Products covering multiple .NET languages.

• ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
• CodeIt.Right - combines Static Code Analysis and automatic Refactoring to best practices which allows automatically correct code errors and violations. Supports both C# and VB.NET.

[edit] C/C++

• Abraxas Software CodeCheck — programmable static analysis and style checker for C and C++ code.
• Astrée — Run-time error analyzer for C
• Green Hills Software DoubleCheck — static analysis for C and C++ code.
• HP Code Advisor — A static analysis tool for C and C++ programs
• LDRA Testbed — A software analysis and testing tool suite for C & C++.
• PAG — The Program Analyzer Generator.
• PC-Lint — A software analysis tool for C & C++.
• QA-C (and QA-C++) — deep static analysis of C for quality assurance and guideline enforcement.
• Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.
• Viva64 — analyzes C, C++ code to detect 64-bit portability issues.

[edit] Java

• checKing - monitors the quality of software development process, including violations of coding rules for Java, JSP, Javascript, XML and HTML.
• IntelliJ IDEA — IDE for Java that also provides static code analysis.
• Swat4j — a model based, goal oriented source code auditing tool for Java.

[edit] Visual Basic

• Project Analyzer — static analysis tool for Visual Basic, Visual Basic .NET and Visual Basic for Applications.

[edit] Uncategorized

• SemmleCode — object oriented code queries for static program analysis.

[edit] Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

• ESC/Java and ESC/Java2 — based on Java Modeling Language, an enriched version of Java.
• SofCheck Inspector - statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
• SPARK Toolset including the SPARK Examiner — based on the SPARK programming language, a subset of Ada.

[edit] External links

• List of static source code analysis tools for C
• SAMATE-Source Code Security Analyzers
• List of Java static code analysis plugins for Eclipse
• “A Comparison of Bug Finding Tools for Java”, by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
• “Mini-review of Java Bug Finders”, by Rick Jelliffe, O'Reilly Media.
• Parallel Lint, by Andrey Karpov

[edit] See also

• Dynamic code analysis

[edit] References