Introduction to Software Engineering/Tools/Static Code Analysis

This is a list of tools for static code analysis.

Historical products

edit
  • Lint — The original static code analyzer of C code.

Open-source or Non-commercial products

edit

Multi-language

edit
  • PMD Copy/Paste Detector (CPD) — PMDs duplicate code detection for (e.g.) Java, JSP, C, C++ and PHP code.
  • Sonar — A continuous inspection engine to manage the technical debt (unit tests, complexity, duplication, design, comments, coding standards and potential problems). Supported languages are Java, Flex, PHP, PL/SQL, Cobol and Visual Basic 6.
  • Yasca — Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.

.NET (C#, VB.NET and all .NET compatible languages)

edit
  • FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
  • Gendarme — Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, particularly those that contain code in ECMA CIL format.
  • StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

ActionScript

edit
  • Apparat — A language manipulation and optimization framework consisting of intermediate representations for ActionScript.
  • BLAST (Berkeley Lazy Abstraction Software verification Tool) — A software model checker for C programs based on lazy abstraction.
  • Clang — A compiler that includes a static analyzer.
  • Frama-C — A static analysis framework for C.
  • Lint — The original static code analyzer for C.
  • Sparse — A tool designed to find faults in the Linux kernel.
  • Splint — An open source evolved version of Lint (for C).
  • cppcheck — Open-source tool that checks for several types of errors, including the use of STL.

Java

edit
  • Checkstyle — Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs — An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • Hammurapi — (Free for non-commercial use only) versatile code review solution.
  • PMD — A static ruleset based Java source code analyzer that identifies potential problems.
  • Soot — A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale — A platform to manage software quality (also available for other languages, using commercial analysis tools though).

JavaScript

edit
  • Closure Compiler — JavaScript optimizer that rewrites JavaScript code to make it faster and more compact. It also checks your usage of native javascript functions.
  • JSLint — JavaScript syntax checker and validator.

Objective-C

edit
  • Clang — The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[1]
  • Oclint — OCLint is a static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code [2]
  • Faux Pas — Faux Pas inspects your iOS or Mac app’s Xcode project and warns about possible bugs, as well as about maintainability and style issues. [3]
  • Facebook Infer — Open Source Tool by Facebook to detect bugs in Android and iOS apps [4]
  • Sonar for Objective C — Open Source Sonar plugin for xcode. [5]
  • Sonar for Objective C (Commercial version ) — Paid Sonar plugin for xcode .[6]

Commercial products

edit

Multi-language

edit
  • Axivion Bauhaus Suite — A tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite — Analyze the composition of software source code and binary files, search for reusable code, manage open source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.
  • CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, Siebel, .NET, Java, C/C++, Struts, Spring, Hibernate and all major databases.
  • Checkmarx CxSuite — Source code analysis tool which identifies application security vulnerabilities in the following languages: Java, C# / .NET, PHP, C, C++, Visual Basic 6.0, VB.NET, APEX, Ruby, Javascript, ASP, Perl, Android, Objective C, PL/SQL, HTML5, Python and Groovy.
  • Coverity Static Analysis (formerly Coverity Prevent) — Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
  • DMS Software Reengineering Toolkit — Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • Compuware DevEnterprise — Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
  • Fortify — Helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL, python and COBOL as well as configuration files.
  • GrammaTech CodeSonar — Analyzes C,C++.
  • Imagix 4D — Identifies problems in variable usage, task interaction and concurrency, particularly in embedded applications, as part of an overall solution for understanding, improving and documenting C, C++ and Java software.
  • Intel - Intel Parallel Studio XE: Contains Static Security Analysis (SSA) feature supports C/C++ and Fortran
  • JustCode — Code analysis and refactoring productivity tool for JavaScript, C#, Visual Basic.NET, and ASP.NET
  • Klocwork Insight — Provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
  • Kiuwan – Software Analytics end-to-end platform for static code analysis, defect detection, application security & IT Risk Management, with enhanced life cycle and application governance features. It supports over 25 languages, including Objective-C, Java, JSP, JavaScript, PHP, C, C++, ABAP, COBOL, JCL, C#, PL/SQL, Transact-SQL, SQL, Visual Basic, Visual Basic .NET, Android (operating system).
  • Lattix, Inc. LDM — Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
  • LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • Micro Focus (formerly Relativity Technologies) Modernization Workbench — Parsers included for COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), PL/I, Natural (inc. ADABAS), Java, Visual Basic, RPG, C & C++ and other legacy languages; Extensible SDK to support 3rd party parsers. Supports automated Metrics (including Function Points), Business Rule Mining, Componentisation and SOA Analysis. Rich ad hoc diagramming, AST search & reporting)
  • Ounce Labs (from 2010 IBM Rational Appscan Source) — Automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET and VB.Net.
  • Parasoft — Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security[7], compliance[8], and defect prevention.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
  • Rational Asset Analyzer (IBM); Supports COBOL(multiple variants), PL/I, Java
  • Rational Software Analyzer — Supports Java, C/C++ (and others available through extensions)
  • Security Reviewer 1500+ Rules with up to 12 variants each, specialized per language with thousands of API and Frameworks covered. Supports languages: ABAP, Android Mobile, ASP, ASPX, C, C++, CSS, Objective-C, COBOL, C#, Forms, HTML5, Java-JSP-JSF, JavaScript, PHP, Ruby, Python, 11 SQL dialects including PL/SQL and T-SQL and TeradataSQL, VB.net, Visual Basic 6, Windows Mobile, XML, XPath. NIST and CVE checking. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
  • SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Java and Ada. Provides automated extraction of pre/postconditions from code itself.
  • SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python[9].
  • Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
  • Syhunt Sandcat — Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
  • Understand — Analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi, VHDL, HTML, CSS, PHP, and JavaScript — reverse engineering of source, code navigation, and metrics tool.
  • Veracode — Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, and PHP.
  • Visual Studio Team System — Analyzes C++,C# source codes. only available in team suite and development edition.

.NET

edit

Products covering multiple .NET languages.

  • CodeIt.Right — Combines Static Code Analysis and automatic Refactoring to best practices which allows automatically correct code errors and violations. Supports both C# and VB.NET.
  • CodeRush — A plugin for Visual Studio, it addresses a multitude of short comings with the popular IDE. Including alerting users to violations of best practices by using static code analysis.
  • JustCode — Add-on for Visual Studio 2005/2008/2010 for real-time, solution-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML and multi-language solutions.
  • NDepend — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • ReSharper — Add-on for Visual Studio 2003/2005/2008/2010 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
  • Kalistick — Mixing from the Cloud: static code analysis with best practice tips and collaborative tools for Agile teams
  • Ada-ASSURED — A tool that offers coding style checks, standards enforcement and pretty printing features.
  • AdaCore CodePeer — Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
  • LDRA Testbed — A software analysis and testing tool suite for Ada83/95.
  • SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Ada. Provides automated extraction of pre/postconditions from code itself.

C / C++

edit
  • CppDepend — Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • FlexeLint — A multiplatform version of PC-Lint.
  • Green Hills Software DoubleCheck — A software analysis tool for C/C++.
  • Intel - Intel Parallel Studio XE: Contains Static Security Analysis (SSA) feature
  • LDRA Testbed — A software analysis and testing tool suite for C/C++.
  • Monoidics INFER — A sound tool for C/C++ based on Separation Logic.
  • PC-Lint — A software analysis tool for C/C++.
  • PVS-Studio — A software analysis tool for C,C++,C++11,C++/CX.
  • QA-C (and QA-C++) — Deep static analysis of C/C++ for quality assurance and guideline enforcement.
  • Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.
  • SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Java

edit
  • JArchitect — Simplifies managing a complex Java code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
  • Jtest — Testing and static code analysis product by Parasoft.
  • LDRA Testbed — A software analysis and testing tool suite for Java.
  • Oversecured — A static SaaS-based vulnerability scanner for Android apps. Contains 90+ vulnerability categories.
  • SemmleCode — Object oriented code queries for static program analysis.
  • SonarJ — Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Kalistick — A Cloud-based platform to manage and optimize code quality for Agile teams with DevOps spirit
  • SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Formal methods tools

edit

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

  • ESC/Java and ESC/Java2 — Based on Java Modeling Language, an enriched version of Java.
  • Polyspace — Uses abstract interpretation (a formal methods based technique[10]) to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
  • SofCheck Inspector — Statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
  • SPARK Toolset including the SPARK Examiner — Based on the SPARK programming language, a subset of Ada.

References

edit
  1. "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
  2. "Static Analysis". Oclint. Retrieved 2015-09-06.
  3. "Static Analysis". Faux Pas. Retrieved 2015-09-06.
  4. "Static Analysis". Facebook. Retrieved 2015-09-06.
  5. "Static Analysis in Sonar". Boto. Retrieved 2015-09-06.
  6. "Static Analysis". Boto. Retrieved 2015-09-06.
  7. Parasoft Application Security Solution
  8. Parasoft Compliance Solution
  9. SourceMeter
  10. Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.
edit