List of tools for static code analysis

This is a list of software tools that perform various kinds of static code analysis, grouped by programming language and in alphabetical order:

Ada

• SPARK programming language

C and/or C++

• AntiC (also does Java)
• BLAST
• CCured
• Cleanscape lints for C++ and for C
• CMT++
• CodeSurfer (based on work by Reps et al at the University of Wisconsin). CodeSonar (builds on CodeSurfer)
• Coverity (see also the MC Checker for background).
• Cqual
• Flawfinder, (GPL) contains a good list of other static checking tools towards the bottom
• GCC Introspector - C, but is expanding to include perl, bison, m4, bash, c#, java.c++, fortran, objective-c, lisp and scheme.
• Gimpel Software PC-Lint
• HP Code Advisor - identifies potential coding errors, porting issues, and security vulnerabilities.
• CodeWizard
• Klocwork
• Lattix LDM
• MOPS - (BSD style license)
• OpenC++
• OSPC
• PMD's Copy/Paste Detector
• PolySpace
• PREfast Part of DDK, for driver development, see VS2005 for user-land
• QAC, QAC-MISRA, QAC++ -coding style,metrics,dataflow - good enforcing of MISRA standards
• Smatch - C source checker, used mainly for Linux kernel code
• Sotograph
• Sparse
• Stacktool
• Splint
• Surveyor - C/C++, Java, COBOL, VB/VB.NET, Tcl, ASP, others
• Visual_Studio VS2005, Team Edition only, has a code analysis option available (via the options Code Analysis -> General -> Enable Code Analysis for C/C++ project).

C#

Tool	License	Version	Details
FxCop	commercial	1.35
Lattix LDM	commercial	2.7	Architecture Management using dependency analysis
Visual_Studio	commercial	2005	Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.

Fortran

• Cleanscape FortranLint

HTML

• W3C Markup Validation Service

Java

• Agitator Dashboard
• AntiC (also does C and/or C++)
• Checkstyle
• CMTJava - Complexity Measures Tool for Java
• ESC/Java - Extended Static Checking for Java
• ESC/Java2
• FindBugs
• Hammurapi
• JDepend
• Jlint
• Jtest
• Kaveri (Indus) - Program Comprehension/Slicing Tool (Library) for Java
• Lattix LDM
• PMD
• Purify
• QAJ
• Sotograph
• Spoon - Spoon is a Java program processor that fully supports Java 5
• Structure101 - Structural dependency analysis.
• Surveyor - Java and many other languages

JavaScript

• JSLint - An online tool which you can also download and run from command line
• Javascript Lint - A lint like tool for javascript written in C/C++ and based on JavaScript engine for the Firefox browser.

PHP

• PHP executes a built-in basic Lint check when invoked with the -l switch. Example usage: for i in `find . -name \*.php`; do php -l $i | grep -v "No syntax errors"; done
• PMD's Copy/Paste Detector
• Zend Studio IDE includes static code analysis for PHP, called the "Code Analyzer".

Python

• PyChecker
• Pyflakes
• PyLint

Verilog & VHDL

• Spyglass by Atrenta
• Hal by Cadence
• Leda by Synopsys

Not language-specific

• PAG and PAG/WWW - The Program Analyzer Generator, not for a specific language, but for building analyzers.
• StackAnalyzer - Stack Usage Analysis.

Unknown language

• Broadway
• SLAM
• BOON
• Kaylo

See also

• The Introspector page lists more software programs of this type.