Source: 百度文库 Editor: 神马文学网 Time: 2024/04/28 13:15:19

List of tools for static code analysis

From Wikipedia, the free encyclopedia

This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. (January 2009)

This is a list of significant tools for static code analysis.



Contents

  • 1 Historical products
  • 2 Open-source or Noncommercial products
    • 2.1 Multi-language
    • 2.2 .NET (C#, VB.NET and all .NET compatible languages)
    • 2.3 Java
    • 2.4 C
    • 2.5 C/C++
  • 3 Commercial products
    • 3.1 Multi-language
    • 3.2 .NET
    • 3.3 C/C++
    • 3.4 Java
    • 3.5 Visual Basic
    • 3.6 Uncategorized
  • 4 Formal methods tools
  • 5 External links
  • 6 See also
  • 7 References

Historical products

  • Lint — the original static code analyzer of C code.

Open-source or Noncommercial products

Multi-language

  • RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
  • Yasca - Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.

.NET (C#, VB.NET and all .NET compatible languages)

  • FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
  • StyleCop - Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

Java

  • FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
  • PMD (software) — a static, ruleset-based Java source code analyzer that identifies potential problems.
  • Hammurapi - a versatile code review solution.

C

  • Sparse — a tool designed to find faults in the Linux kernel.
  • Splint — an open source evolved version of Lint (C language).

C/C++

  • Cppcheck — a tool that can find memory leaks, buffer overruns and many other common errors.

Commercial products

Multi-language

  • Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Coverity Prevent — analyzes C, C++, C# and Java code.
  • DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
  • Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
  • GrammaTech CodeSonar - analyzes C and C++. Ada-Assured - analyzes Ada.
  • Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java
  • Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
  • LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.NET.
  • SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
  • Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
  • Understand — analyzes C, C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.

.NET

Products covering multiple .NET languages.

  • ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.

C/C++

  • Green Hills Software DoubleCheck — static analysis for C and C++ code.
  • HP Code Advisor — A static analysis tool for C and C++ programs
  • LDRA Testbed — A software analysis and testing tool suite for C & C++.
  • QA-C (and QA-C++) — deep static analysis of C for quality assurance and guideline enforcement.
  • Viva64 — analyzes C and C++ code to detect 64-bit portability issues.

Java

  • checKing - monitors the quality of the software development process, including violations of coding rules for Java, JSP, JavaScript, XML and HTML.
  • IntelliJ IDEA — IDE for Java that also provides static code analysis.
  • Swat4j — a model-based, goal-oriented source code auditing tool for Java.
  • FindBugs — an open-source static Java analysis tool from the University of Maryland.

Visual Basic

  • Project Analyzer — static analysis tool for Visual Basic, Visual Basic .NET and Visual Basic for Applications.

Uncategorized

  • SemmleCode — object-oriented code queries for static program analysis.
  • Structure101 - for understanding, analyzing, measuring and controlling the quality of your software architecture as it evolves over time.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

  • ESC/Java and ESC/Java2 — based on Java Modeling Language, an enriched version of Java.
  • SofCheck Inspector - statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
  • SPARK Toolset including the SPARK Examiner — based on the SPARK programming language, a subset of Ada.

External links

  • List of static source code analysis tools for C
  • SAMATE-Source Code Security Analyzers
  • List of Java static code analysis plugins for Eclipse
  • “A Comparison of Bug Finding Tools for Java”, by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
  • “Mini-review of Java Bug Finders”, by Rick Jelliffe, O'Reilly Media.

See also

  • List of code quality management dashboards
  • Dynamic code analysis