Re: [SC-L] LinuxWorld | Secure coding attracts interest, investment

2004-06-03 Thread Mars IMAP
BugScan probably competes with the @Stake tool, and works on object code:
http://www.hbgary.com/index.asp?G1=2G2=1
Coverity's tool is absolutely *outstanding* on C code. They plan to have 
C++ support soon.
http://coverity.com/main.html

The Fortify tools (http://fortifysoftware.com) look good, from what I've 
seen in a demo.

And there's a new release of Flawfinder that just came out. It has 
documentation on how to integrate with vim and emacs, and has features 
to suppress more false positives. http://www.dwheeler.com/flawfinder/

- Jared
Kenneth R. van Wyk wrote:
Greetings all,
FYI, it looks like we're at the beginning of a new wave of software security 
tools.  There are a few commercial products beginning to hit the market that 
take static src code scanning to a new level.  See the link below for a 
LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer 
tool in addition to Fortify's Source Code Analysis suite.  These appear to 
pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave 
off.

Anyone here willing/able to share some _user_ level experiences with any of 
these tools?  It'll be interesting to hear how they hold up in real software 
development environments.

http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1
Cheers,
Ken van Wyk
[SC-L] LinuxWorld | Secure coding attracts interest, investment

2004-05-26 Thread Kenneth R. van Wyk
Greetings all,

FYI, it looks like we're at the beginning of a new wave of software security 
tools.  There are a few commercial products beginning to hit the market that 
take static src code scanning to a new level.  See the link below for a 
LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer 
tool in addition to Fortify's Source Code Analysis suite.  These appear to 
pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave 
off.

Anyone here willing/able to share some _user_ level experiences with any of 
these tools?  It'll be interesting to hear how they hold up in real software 
development environments.

http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com