
List of tools for static code analysis

This is a list of tools for static code analysis.

By language

Multi-language

  • Axivion Bauhaus Suite — A tool for Ada, C, C++, C#, and Java code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite — Analyze the composition of software source code and binary files, search for reusable code, manage open source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.
  • BugScout — Detects security flaws in Java, PHP, ASP and C# web applications.
  • CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. Supports 30+ languages, including C/C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
  • ChecKing — Integrated software quality portal for managing quality across all phases of software development. It includes static code analyzers for Java, JSP, JavaScript, HTML, XML, .NET (C#, ASP.NET, VB.NET, etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C/C++, Cobol, JCL, PowerBuilder.
  • Coverity Static Analysis (formerly Coverity Prevent) — Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
  • DevPartner Code Review — Offered by Micro Focus. Static metrics and bug pattern detection for C#, VB.NET, and ASP.NET. Plugin to Visual Studio. Customized parsers provide extension through regular expressions and tailored rulesets.
  • DMS Software Reengineering Toolkit — Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • Compuware DevEnterprise — Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
  • GrammaTech CodeSonar — Analyzes C, C++.
  • HP Fortify Source Code Analyzer — Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, ColdFusion, classic ASP, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python and COBOL and configuration files.
  • IBM Rational AppScan Source Edition — Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL.
  • Imagix 4D — Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
  • Intel Parallel Studio XE — Contains a Static Security Analysis (SSA) feature that supports C/C++ and Fortran.
  • JustCode — Visual Studio code analysis and refactoring productivity tool by Telerik for C#, VB.NET, XAML, ASP.NET, JavaScript, HTML, XML, CSS, Razor, WinRT and Metro apps
  • Klocwork Insight — Provides security vulnerability, defect detection, architectural and build-over-build trend analysis for C, C++, C#, Java.
  • LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • MALPAS — A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety-critical applications in the nuclear and aerospace industries.
  • Micro Focus (formerly Relativity Technologies) Modernization Workbench — Parsers included for C/C++, COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), Java, PL/I, Natural (inc. ADABAS), Visual Basic, RPG, and other legacy languages; extensible SDK to support 3rd party parsers. Supports automated metrics (including function points), business rule mining, componentisation and SOA analysis. Rich ad hoc diagramming, AST search and reporting.
  • Moose — Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk, .NET, more may be added.
  • Parasoft — Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security,[1] compliance,[2] and defect prevention.
  • Copy/Paste Detector (CPD) — PMD's duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion and PHP code.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada
  • ProjectCodeMeter[3] — Warns on code quality issues such as insufficient commenting or complex code structure. Counts code metrics, gives cost & time estimations. Analyzes C, C++, C#, J#, Java, PHP, Objective-C, JavaScript, UnrealEngine script, ActionScript, DigitalMars D.
  • Protecode — Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect security vulnerabilities.
  • Rational Software Analyzer — Supports Java, C, C++; others available via extensions.
  • ResourceMiner — Multipurpose analysis and metrics from architecture down to detail; lets users develop their own rules for mass change and generator development. Supports 30+ legacy and modern languages and all major databases.
  • Semmle — Supports Java, C, C++, C#.
  • SofCheck Inspector — Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
  • Sonar — A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, Cobol, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
  • Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java
  • SPARROW — A static analysis tool that understands the semantics of C/C++ and Java code, based on static analysis theory, and automatically detects fatal errors such as memory leaks and buffer overruns.
  • Syhunt Sandcat — Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
  • Understand — Analyzes Ada, C, C++, C#, COBOL, CSS, Delphi, Fortran, HTML, Java, JavaScript, Jovial, Pascal, PHP, PL/M, Python, VHDL, and XML — reverse engineering of source, code navigation, and metrics tool.
  • Veracode — Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.
  • Visual Studio Team System — Analyzes C++ and C# source code. Only available in Team Suite and Development Edition.
  • Yasca — Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.

.NET

  • CodeIt.Right — Combines static code analysis and automatic refactoring to best practices, which allows automatic correction of code errors and violations; supports C# and VB.NET.
  • CodeRush — A plugin for Visual Studio that addresses a multitude of shortcomings in the IDE, including alerting users to violations of best practices through static code analysis.
  • FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
  • Gendarme — Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, especially those containing code in ECMA CIL format.
  • JustCode — Add-on for Visual Studio 2005/2008/2010 by Telerik for real-time, system-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML, Razor, CSS and multi-language systems.
  • Kalistick — Cloud-based static code analysis with best-practice tips and collaborative tools for Agile teams.
  • NDepend — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • Parasoft dotTEST — A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
  • ReSharper — Plug-in to Visual Studio 2003/2005/2008/2010/2012 from the creators of IntelliJ IDEA, which executes over 1300 real-time static code inspections of C#, VB.NET, ASP.NET, ASP.NET MVC, JavaScript, XAML, XML, CSS, and HTML code.
  • StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

ActionScript

  • Apparat — A language manipulation and optimization framework consisting of intermediate representations for ActionScript.

Ada

  • AdaControl — A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety related rules, and support for various manual inspections.
  • AdaCore CodePeer — Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
  • LDRA Testbed — A software analysis and testing tool suite for Ada83/95.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run time errors in source code
  • SofCheck Inspector — Static detection of logic errors, race conditions, and redundant code for Ada; automatically extracts pre/postconditions from code.

C/C++

  • Airac — An exhaustive static analyzer for automatic verification of array index ranges in C programs
  • Astrée — Exhaustive search for runtime errors and assertion violations by abstract interpretation; tailored towards critical code (avionics).
  • BLAST — (Berkeley Lazy Abstraction Software verification Tool) — A software model checker for C programs based on lazy abstraction.
  • Cppcheck — Open-source tool that checks for several types of errors, including use of STL.
  • cpplint — An open-source tool that checks for compliance with Google's style guide for C++ coding.
  • Clang — A compiler that includes a static analyzer.
  • Coccinelle — Source code pattern matching and transformation
  • Eclipse (software) — An IDE that includes a static code analyzer (CODAN).
  • Flawfinder — Simple static analysis tool for C/C++ programs to find potential security vulnerabilities.
  • Frama-C — A static analysis framework for C.
  • FlexeLint — A multiplatform version of PC-Lint.
  • Green Hills Software DoubleCheck — A software analysis tool for C/C++.
  • Intel Parallel Studio XE — Has a Static Security Analysis (SSA) feature.
  • Lint — The original static code analyzer for C.
  • LDRA Testbed — A software analysis and testing tool suite for C/C++.
  • Monoidics INFER — A sound tool for C/C++ based on Separation Logic.
  • Parasoft C/C++test — A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
  • PC-Lint — A software analysis tool for C/C++.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run time errors in source code
  • PVS-Studio — A software analysis tool for C/C++.
  • QA-C (and QA-C++) — Deep static analysis of C/C++ for quality assurance and guideline enforcement.
  • Red Lizard's Goanna — Static analysis of C/C++ for command line, Eclipse and Visual Studio.
  • SLAM project — a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
  • Sparse — A tool designed to find faults in the Linux kernel.
  • Splint — An open source evolved version of Lint, for C.

Java

  • AgileJ StructureViews — Reverse engineered Java class diagrams with an emphasis on filtering.
  • Checkstyle — Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs — An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • Hammurapi — Versatile code review program; free for non-commercial use.
  • PMD — A static ruleset based Java source code analyzer that identifies potential problems.
  • Soot — A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale — A platform to manage software quality (also available for other languages, using commercial analysis tools though).
  • Jtest — Testing and static code analysis product by Parasoft.
  • LDRA Testbed — A software analysis and testing tool suite for Java.
  • SemmleCode — Object oriented code queries for static program analysis.
  • SonarJ — Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Kalistick — A Cloud-based platform to manage and optimize code quality for Agile teams with DevOps spirit

JavaScript

  • Closure Compiler — JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
  • JSLint — JavaScript syntax checker and validator.
  • JSHint — A community driven fork of JSLint.

Objective-C

  • Clang — The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[4]

Perl

  • Perl::Critic — A tool to help enforce common best practices for programming in Perl. Most best practices are based on Damian Conway's Perl Best Practices book.
  • PerlTidy — Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
  • Padre — An IDE for Perl that also provides static code analysis to check for common beginner errors.

Python

  • Pychecker — A source code checking tool.
  • Pylint — Static code analyzer.
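Pylint and similar Python checkers work on the parsed syntax tree rather than on text, which is what lets them see through import aliases and look at call arguments. The following is an added example in that style, not code from the original list or from Pylint or Pychecker; the rule table, the "dangerous call" names and the sample program are constructed for this example. It flags os.system even when bound as run_cmd, and reports subprocess calls only when shell=True is actually passed.

```python
# Added example: an AST-based checker in the style of Pylint. Not from the
# original list or from any tool named there; the rule table and the sample
# program are constructed for this example.
import ast

# Constructed rule table: fully qualified callee -> why it matters.
DANGEROUS = {
    "eval": "evaluates arbitrary expressions",
    "exec": "executes arbitrary code",
    "os.system": "runs a shell command; injection if input is attacker-controlled",
    "pickle.loads": "deserialising untrusted bytes executes attacker code",
    "yaml.load": "unsafe loader may instantiate arbitrary objects",
}
# Risky only when called with shell=True.
SHELL_FAMILY = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                "subprocess.check_call", "subprocess.check_output"}


def _dotted_parts(node):
    """Turn a.b.c (an Attribute chain ending in a Name) into ['a', 'b', 'c']."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None          # getattr(x, 'y')(), obj[0]() etc. are not resolvable here
    parts.append(node.id)
    return parts[::-1]


class DangerousCallFinder(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}    # local binding -> fully qualified name
        self.findings = []   # (lineno, qualified callee, message)

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:                      # import subprocess as sp
                self.aliases[a.asname] = a.name
            else:                             # import os.path binds the name 'os'
                top = a.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node):
        if node.module:                       # relative imports are skipped
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def _qualify(self, func):
        parts = _dotted_parts(func)
        if not parts:
            return None
        head = self.aliases.get(parts[0], parts[0])
        return ".".join([head] + parts[1:])

    def visit_Call(self, node):
        q = self._qualify(node.func)
        if q in SHELL_FAMILY:
            shell_true = any(
                k.arg == "shell" and isinstance(k.value, ast.Constant)
                and k.value.value is True
                for k in node.keywords
            )
            if shell_true:
                self.findings.append(
                    (node.lineno, q, "shell=True lets metacharacters in the argument reach a shell"))
        elif q in DANGEROUS:
            self.findings.append((node.lineno, q, DANGEROUS[q]))
        self.generic_visit(node)              # keep walking into the arguments


def find_dangerous_calls(source):
    """Parse source and return findings as (line, callee, message) in source order."""
    finder = DangerousCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample program.
SAMPLE = """\
import subprocess as sp
from os import system as run_cmd
import pickle, json

def handler(payload, cmd):
    data = json.loads(payload)            # not in the table: ignored
    obj = pickle.loads(payload)           # line 7: reported
    run_cmd("ls " + cmd)                  # line 8: os.system through an alias
    sp.run(["ls", cmd])                   # line 9: argv list, no shell: ignored
    sp.run("ls " + cmd, shell=True)       # line 10: reported
    return eval(data["expr"])             # line 11: reported
"""

if __name__ == "__main__":
    for lineno, callee, message in find_dangerous_calls(SAMPLE):
        print(f"line {lineno}: {callee}: {message}")
```

The alias map is the part a text search cannot reproduce: run_cmd on line 8 is reported as os.system, and the two sp.run calls on lines 9 and 10 are told apart by inspecting the keyword arguments. Like any checker that only looks at one file, it does not follow names rebound at runtime or calls built with getattr, which is why _dotted_parts returns None for those rather than guessing.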

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

References

  1. Parasoft Application Security Solution
  2. Parasoft Compliance Solution
  3. Project Code Meter site
  4. “Static Analysis in Xcode”. Apple. Retrieved 2009-09-03.
  5. Cousot, Patrick (2007). “The Role of Abstract Interpretation in Formal Methods”. IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.