
List of tools for static code analysis

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dekisugi (talk | contribs) at 08:57, 13 January 2009 (Reverted 2 edits by 211.241.182.250.).

This is a list of significant tools for static code analysis.

Historical products

  • Lint — the original static code analyzer of C code.

Open-source or Noncommercial products

Multi-language

  • RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
  • Yasca — Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, and PMD.

.NET (C#, VB.NET and all .NET compatible languages)

  • FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.

Java

  • FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
  • PMD — a static, ruleset-based Java source code analyzer that identifies potential problems.
  • Hammurapi — a versatile code review solution.

C

  • Sparse — a tool designed to find faults in the Linux kernel.
  • Splint — an open source evolved version of Lint (C language).

C/C++

  • Cppcheck — a tool that can find memory leaks, buffer overruns and many other common errors.

Commercial products

Multi-language

  • Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Coverity Prevent — analyzes C, C++, C# and Java code.
  • DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
  • Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
  • Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
  • Lattix, Inc. LDM — architecture and dependency analysis tool for Ada, C/C++, Java and .NET software systems.
  • LDRA Testbed — a software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
  • SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
  • Sotoarc/Sotograph — architecture and quality in-depth analysis and monitoring for Java, C#, C and C++.
  • Understand — analyzes C, C++, Java, Ada, Fortran, Jovial and Delphi; a reverse engineering, code navigation and metrics tool.

.NET

Products covering multiple .NET languages.

  • ReSharper — add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.

C/C++

  • Green Hills Software DoubleCheck — static analysis for C and C++ code.
  • HP Code Advisor — a static analysis tool for C and C++ programs.
  • LDRA Testbed — A software analysis and testing tool suite for C & C++.
  • Microsoft Visual Studio — Visual Studio Team System includes a static code analyzer.
  • QA-C (and QA-C++) — deep static analysis of C for quality assurance and guideline enforcement.
  • Viva64 — analyzes C and C++ code to detect 64-bit portability issues.

Java

  • checKing — monitors the quality of the software development process, including violations of coding rules for Java, JSP, JavaScript, XML and HTML.
  • IntelliJ IDEA — IDE for Java that also provides static code analysis.
  • Swat4j — a model based, goal oriented source code auditing tool for Java.

Visual Basic

  • Project Analyzer — static analysis tool for Visual Basic, Visual Basic .NET and Visual Basic for Applications.

Uncategorized

  • SemmleCode — object oriented code queries for static program analysis.
  • Structure101 — for understanding, analyzing, measuring and controlling the quality of your software architecture as it evolves over time.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):
