http://en.wikipedia.org/wiki/List%5Fof%5Ftools%5Ffor%5Fstatic%5Fcode%5Fanalysis#C
List of tools for static code analysis
From Wikipedia, the free encyclopedia
This is a list of significant tools for static code analysis.
Historical products
- Lint — the original static code analyzer of C code.
Open-source or Noncommercial products
Multi-language
- RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.
- Yasca — Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.
- CPD — The Copy/Paste Detector (CPD) is an add-on to PMD that finds duplicated code. CPD works with Java, JSP, C, C++, Fortran and PHP code.
.NET (C#, VB.NET and all .NET compatible languages)
- FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
- StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.
- Checkstyle — besides some static code analysis, it can be used to show violations of a configured coding standard.
- FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
- PMD — a static, ruleset-based Java source code analyzer that identifies potential problems.
- Hammurapi — a versatile code review solution.
- Sonar — a platform to manage source code quality.
- Soot — a language manipulation and optimization framework consisting of intermediate languages for Java.
- Sparse — A tool designed to find faults in the Linux kernel.
- Splint — An open source evolved version of Lint (C language).
- Uno — A tool designed to find the most common types of programming errors without generating too much output.
- BLAST (Berkeley Lazy Abstraction Software verification Tool) — a software model checker for C programs based on lazy abstraction.
- Frama-C — A static analysis framework for C.
- Cppcheck — can find memory leaks, buffer overruns and many other common errors.
Objective-C
- Perl::Critic — module and program to help find deviations from commonly accepted best practices.
Commercial products
Multi-language
- Axivion Bauhaus Suite — a tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
- CodeSecure — Appliance with Web interface and built-in language parsers for analyzing ASP.NET, VB.NET, C#, Java/J2EE, JSP, EJB, PHP, Classic ASP and VBScript.
- CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, .NET, Java, C/C++, Struts, and all major databases.
- Coverity Prevent — identifies security vulnerabilities and code defects in C, C++, C# and Java code.
- DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
- Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
- GrammaTech CodeSonar — Analyzes C, C++. Ada-Assured — Analyzes Ada.
- Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
- Lattix, Inc. LDM — Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
- LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
- Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
- Parasoft — Security, reliability, performance, and maintainability analysis of Java, JSP, C, C++, .NET (C#, ASP.NET, VB.Net, etc.), WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files.
- SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
- Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++.
- Structure101 — For understanding, analyzing, measuring and controlling the quality of your software architecture as it evolves over time. Available for Java and Ada, with support for C/C++ via Coverity and Programming Research.
- Understand — analyzes C, C++, Java, Ada, Fortran, Jovial, Delphi; reverse engineering of source, code navigation, and metrics tool.
- Visual Studio Team System — analyzes C++ and C# source code. Only available in the Team Suite and Development editions.
Products covering multiple .NET languages.
- ReSharper — Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
- NDepend — Simplifies managing a complex .NET code base by analyzing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code (all .NET languages supported).
- CodeIt.Right — combines static code analysis and automatic refactoring to best practices, which allows automatically correcting code errors and violations. Supports both C# and VB.NET.
- Abraxas Software CodeCheck — programmable static analysis and style checker for C and C++ code.
- Astrée — Run-time error analyzer for C.
- Green Hills Software DoubleCheck — static analysis for C and C++ code.
- HP Code Advisor — A static analysis tool for C and C++ programs.
- LDRA Testbed — A software analysis and testing tool suite for C & C++.
- Microsoft PREfast — The "Analyze Tool" included with Microsoft Visual Studio Team Editions.
- Microsoft PREfast for Drivers (PFD) — An extension to PREfast to allow better analysis of Windows device drivers.
- Microsoft Static Driver Verifier (SDV) — Performs detailed code path analysis for Windows device drivers.
- PAG — The Program Analyzer Generator.
- PC-Lint — A software analysis tool for C & C++.
- QA-C (and QA-C++) — deep static analysis of C for quality assurance and guideline enforcement.
- Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.
- Viva64 — analyzes C, C++ code to detect 64-bit portability issues.
- checKing — monitors the quality of the software development process, including violations of coding rules for Java, JSP, JavaScript, XML and HTML.
- IntelliJ IDEA — IDE for Java that also provides static code analysis.
- Swat4j — a model based, goal oriented source code auditing tool for Java.
Visual Basic
- Project Analyzer — static analysis tool for Visual Basic, Visual Basic .NET and Visual Basic for Applications.
Uncategorized
- SemmleCode — object oriented code queries for static program analysis.
Formal methods tools
Tools that use a formal methods approach to static analysis (e.g., using static program assertions):
External links
- List of static source code analysis tools for C
- SAMATE — Source Code Security Analyzers
- List of Java static code analysis plugins for Eclipse
- "A Comparison of Bug Finding Tools for Java", by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
- "Mini-review of Java Bug Finders", by Rick Jelliffe, O'Reilly Media.
- Parallel Lint, by Andrey Karpov