List of tools for static code analysis

From Wikipedia, the free encyclopedia
Jump to: navigation, search

This is a list of tools for static code analysis.

By language[edit]


  • Axivion Bauhaus Suite – A tool for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite – Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
  • CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
  • Cigital SecureAssist - A lightweight IDE plugin that points out common security vulnerabilities in real time as the developer is coding. Supports Java, .NET, and PHP.
  • ConQAT – Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
  • Coverity SAVE – A static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker. Scans using Coverity are available free of charge for open-source projects.[1]
  • DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, Visual Basic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • HP Fortify Static Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and configuration files.
  • GrammaTech CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, and Java source code.
  • IBM Rational AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL
  • Imagix 4D – Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
  • Kiuwan – supports Objective-C, Java, JSP, Javascript, PHP, C, C++, ABAP, COBOL, JCL, C#, PL/SQL, Transact-SQL, SQL, Visual Basic, VB.NET, Android, and Hibernate code.
  • LDRA Testbed – A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • MALPAS – A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.
  • Moose – Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk, .NET, more may be added.
  • Parasoft – Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability.
  • Copy/Paste Detector (CPD) – PMDs duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[2] code.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada
  • Pretty Diff - A language-specific code comparison tool that features language-specific analysis reporting in addition to language-specific minification and beautification algorithms.
  • Protecode – Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect security vulnerabilities.
  • Klocwork – Provides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis for C, C++, C# and Java.
  • Rogue Wave Software OpenLogic – Scans source code and binaries to identify open source code and licenses, manages open source policies and approvals, reports security vulnerabilities, and provides open source technical support.
  • Semmle – Supports C, C++, C#, Java, JavaScript, Objective-C, Python and Scala.
  • SofCheck Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
  • SonarQube – A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, C++, Objective-C, COBOL, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
  • Sotoarc/Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java, ABAP.
  • SQuORE is a multi-purpose and multi-language monitoring tool[3] for software projects.
  • Veracode – Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, Objective-C, Classic ASP, Visual Basic 6, and COBOL, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms and written in JavaScript cross platform frameworks.[4]
  • Yasca – Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.


  • .NET Compiler Platform (Codename "Roslyn") - Open-source compiler framework for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and manipulating syntax.
  • CodeIt.Right – Combines static code analysis and automatic refactoring to best practices which allows automatic correction of code errors and violations; supports C# and VB.NET.
  • CodeRush – A plugin for Visual Studio which alerts users to violations of best practices.
  • FxCop – Free static analysis for Microsoft .NET programs that compiles to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
  • NDepend – Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
  • StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project.



  • Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
  • BLAST – (Berkeley Lazy Abstraction Software verification Tool) – An open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker.[5]).
  • Cppcheck – Open-source tool that checks for several types of errors, including use of STL.
  • cpplint – An open-source tool that checks for compliance with Google's style guide for C++ coding.
  • Clang – An open-source compiler that includes a static analyzer (Clang Static Analyzer).
  • Coccinelle – An open-source source code pattern matching and transformation.
  • Cppdepend – Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code.
  • ECLAIR – A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
  • Eclipse (software) – An open-source IDE that includes a static code analyzer (CODAN).
  • Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
  • Frama-C – An open-source static analysis framework for C.
  • Goanna – A software analysis tool for C/C++.
  • Klocwork Insight – A static analysis tool for C/C++.
  • Lint – The original static code analyzer for C.
  • LDRA Testbed – A software analysis and testing tool suite for C/C++.
  • Parasoft C/C++test – A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
  • PC-Lint – A software analysis tool for C/C++.
  • Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
  • PVS-Studio – A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
  • PRQA QA·C and QA·C++ – Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support.
  • SLAM project – a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
  • Sparse – An open-source tool designed to find faults in the Linux kernel.
  • Splint – An open-source evolved version of Lint, for C.


  • Checkstyle – Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs – An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • IntelliJ IDEA – Cross-platform Java IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
  • JArchitect – Simplifies managing a complex Java code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
  • Jtest – Testing and static code analysis product by Parasoft.
  • LDRA Testbed – A software analysis and testing tool suite for Java.
  • PMD – A static ruleset based Java source code analyzer that identifies potential problems.
  • SemmleCode – Object oriented code queries for static program analysis.
  • SonarJ – Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Soot – A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale – A platform to manage software quality (also available for other languages, using commercial analysis tools though).
  • SonarQube – is an open source platform for Continuous Inspection of code quality.
  • ThreadSafe – A static analysis tool for Java focused on finding concurrency bugs.
  • Windup – A pluggable rule-based automated migration tool by JBoss, targetting mainly Java applications.



  • Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[6]


  • Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.


  • Lintian – Checks Debian software packages for common inconsistencies and errors.
  • Rpmlint – Checks for common problems in rpm packages.



  • RIPS – A static code analyzer and audit framework for vulnerabilities in PHP applications.


  • Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well.
  • PyCharm – Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.

Formal methods tools[edit]

Tools that use sound, i.e. no false negatives, formal methods approach to static analysis (e.g., using static program assertions):

See also[edit]


  1. ^ "Coverity Scan - Static Analysis". Retrieved 2015-06-17. 
  2. ^ "PMD - Browse /pmd/5.0.0 at". Retrieved Dec 9, 2012. 
  3. ^ Baldassari, Boris (2012). "SQuORE: a new approach to software project assessment", International Conference on Software and Systems Engineering and their Applications, Nov. 2012, Paris, France.
  4. ^ "White Box Testing/Binary Static Analysis (SAST)". Retrieved 2015-04-01. 
  5. ^ "CPAchecker". 2015-02-08. 
  6. ^ "Static Analysis in Xcode". Apple. Retrieved 2009-09-03. 
  7. ^ Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods" (PDF). IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08. 

External links[edit]