Introduction to Software Engineering/Tools/Static Code Analysis

This is a list of tools for static code analysis.

Historical products

  • Lint The original static code analyzer of C code.

Open-source or Non-commercial products

Multi-language

  • PMD Copy/Paste Detector (CPD) PMDs duplicate code detection for (e.g.) Java, JSP, C, C++ and PHP code.
  • Sonar A continuous inspection engine to manage the technical debt (unit tests, complexity, duplication, design, comments, coding standards and potential problems). Supported languages are Java, Flex, PHP, PL/SQL, Cobol and Visual Basic 6.
  • Yasca Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.

.NET (C#, VB.NET and all .NET compatible languages)

  • FxCop Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
  • Gendarme Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, particularly those that contain code in ECMA CIL format.
  • StyleCop Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

ActionScript

  • Apparat A language manipulation and optimization framework consisting of intermediate representations for ActionScript.

C

  • BLAST (Berkeley Lazy Abstraction Software verification Tool) A software model checker for C programs based on lazy abstraction.
  • Clang A compiler that includes a static analyzer.
  • Frama-C A static analysis framework for C.
  • Lint The original static code analyzer for C.
  • Sparse A tool designed to find faults in the Linux kernel.
  • Splint An open source evolved version of Lint (for C).

C++

  • cppcheck Open-source tool that checks for several types of errors, including the use of STL.

Java

  • Checkstyle Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • Hammurapi (Free for non-commercial use only) versatile code review solution.
  • PMD A static ruleset based Java source code analyzer that identifies potential problems.
  • Soot A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale A platform to manage software quality (also available for other languages, using commercial analysis tools though).

JavaScript

  • Closure Compiler JavaScript optimizer that rewrites JavaScript code to make it faster and more compact. It also checks your usage of native javascript functions.
  • JSLint JavaScript syntax checker and validator.

Objective-C

  • Clang The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[1]
  • Oclint OCLint is a static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code [2]
  • Faux Pas Faux Pas inspects your iOS or Mac app’s Xcode project and warns about possible bugs, as well as about maintainability and style issues. [3]
  • Facebook Infer Open Source Tool by Facebook to detect bugs in Android and iOS apps [4]
  • Sonar for Objective C Open Source Sonar plugin for xcode. [5]
  • Sonar for Objective C (Commercial version ) Paid Sonar plugin for xcode .[6]

Commercial products

Multi-language

  • Axivion Bauhaus Suite A tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite Analyze the composition of software source code and binary files, search for reusable code, manage open source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.
  • CAST Application Intelligence Platform Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, Siebel, .NET, Java, C/C++, Struts, Spring, Hibernate and all major databases.
  • Checkmarx CxSuite Source code analysis tool which identifies application security vulnerabilities in the following languages: Java, C# / .NET, PHP, C, C++, Visual Basic 6.0, VB.NET, APEX, Ruby, Javascript, ASP, Perl, Android, Objective C, PL/SQL, HTML5, Python and Groovy.
  • Coverity Static Analysis (formerly Coverity Prevent) Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
  • DMS Software Reengineering Toolkit Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • Compuware DevEnterprise Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
  • Fortify Helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL, python and COBOL as well as configuration files.
  • GrammaTech CodeSonar Analyzes C,C++.
  • Imagix 4D Identifies problems in variable usage, task interaction and concurrency, particularly in embedded applications, as part of an overall solution for understanding, improving and documenting C, C++ and Java software.
  • Intel - Intel Parallel Studio XE: Contains Static Security Analysis (SSA) feature supports C/C++ and Fortran
  • JustCode Code analysis and refactoring productivity tool for JavaScript, C#, Visual Basic.NET, and ASP.NET
  • Klocwork Insight Provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
  • Kiuwan – Software Analytics end-to-end platform for static code analysis, defect detection, application security & IT Risk Management, with enhanced life cycle and application governance features. It supports over 25 languages, including Objective-C, Java, JSP, JavaScript, PHP, C, C++, ABAP, COBOL, JCL, C#, PL/SQL, Transact-SQL, SQL, Visual Basic, Visual Basic .NET, Android (operating system).
  • Lattix, Inc. LDM Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
  • LDRA Testbed A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • Micro Focus (formerly Relativity Technologies) Modernization Workbench Parsers included for COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), PL/I, Natural (inc. ADABAS), Java, Visual Basic, RPG, C & C++ and other legacy languages; Extensible SDK to support 3rd party parsers. Supports automated Metrics (including Function Points), Business Rule Mining, Componentisation and SOA Analysis. Rich ad hoc diagramming, AST search & reporting)
  • Ounce Labs (from 2010 IBM Rational Appscan Source) Automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET and VB.Net.
  • Parasoft Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security[7], compliance[8], and defect prevention.
  • Polyspace Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
  • Rational Asset Analyzer (IBM); Supports COBOL(multiple variants), PL/I, Java
  • Rational Software Analyzer Supports Java, C/C++ (and others available through extensions)
  • Security Reviewer 1500+ Rules with up to 12 variants each, specialized per language with thousands of API and Frameworks covered. Supports languages: ABAP, Android Mobile, ASP, ASPX, C, C++, CSS, Objective-C, COBOL, C#, Forms, HTML5, Java-JSP-JSF, JavaScript, PHP, Ruby, Python, 11 SQL dialects including PL/SQL and T-SQL and TeradataSQL, VB.net, Visual Basic 6, Windows Mobile, XML, XPath. NIST and CVE checking. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
  • SofCheck Inspector Provides static detection of logic errors, race conditions, and redundant code for Java and Ada. Provides automated extraction of pre/postconditions from code itself.
  • SourceMeter A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python[9].
  • Sotoarc/Sotograph Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
  • Syhunt Sandcat Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
  • Understand Analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi, VHDL, HTML, CSS, PHP, and JavaScript — reverse engineering of source, code navigation, and metrics tool.
  • Veracode Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, and PHP.
  • Visual Studio Team System Analyzes C++,C# source codes. only available in team suite and development edition.

.NET

Products covering multiple .NET languages.

  • CodeIt.Right Combines Static Code Analysis and automatic Refactoring to best practices which allows automatically correct code errors and violations. Supports both C# and VB.NET.
  • CodeRush A plugin for Visual Studio, it addresses a multitude of short comings with the popular IDE. Including alerting users to violations of best practices by using static code analysis.
  • JustCode Add-on for Visual Studio 2005/2008/2010 for real-time, solution-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML and multi-language solutions.
  • NDepend Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • ReSharper Add-on for Visual Studio 2003/2005/2008/2010 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
  • Kalistick Mixing from the Cloud: static code analysis with best practice tips and collaborative tools for Agile teams

Ada

  • Ada-ASSURED A tool that offers coding style checks, standards enforcement and pretty printing features.
  • AdaCore CodePeer Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
  • LDRA Testbed A software analysis and testing tool suite for Ada83/95.
  • SofCheck Inspector Provides static detection of logic errors, race conditions, and redundant code for Ada. Provides automated extraction of pre/postconditions from code itself.

C / C++

  • CppDepend Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • FlexeLint A multiplatform version of PC-Lint.
  • Green Hills Software DoubleCheck A software analysis tool for C/C++.
  • Intel - Intel Parallel Studio XE: Contains Static Security Analysis (SSA) feature
  • LDRA Testbed A software analysis and testing tool suite for C/C++.
  • Monoidics INFER A sound tool for C/C++ based on Separation Logic.
  • PC-Lint A software analysis tool for C/C++.
  • PVS-Studio A software analysis tool for C,C++,C++11,C++/CX.
  • QA-C (and QA-C++) Deep static analysis of C/C++ for quality assurance and guideline enforcement.
  • Red Lizard's Goanna Static analysis for C/C++ in Eclipse and Visual Studio.
  • SourceMeter A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Java

  • JArchitect Simplifies managing a complex Java code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
  • Jtest Testing and static code analysis product by Parasoft.
  • LDRA Testbed A software analysis and testing tool suite for Java.
  • Oversecured A static SaaS-based vulnerability scanner for Android apps. Contains 90+ vulnerability categories.
  • SemmleCode Object oriented code queries for static program analysis.
  • SonarJ Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
  • Kalistick A Cloud-based platform to manage and optimize code quality for Agile teams with DevOps spirit
  • SourceMeter A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

  • ESC/Java and ESC/Java2 Based on Java Modeling Language, an enriched version of Java.
  • Polyspace Uses abstract interpretation (a formal methods based technique[10]) to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
  • SofCheck Inspector Statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
  • SPARK Toolset including the SPARK Examiner Based on the SPARK programming language, a subset of Ada.

References

  1. "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
  2. "Static Analysis". Oclint. Retrieved 2015-09-06.
  3. "Static Analysis". Faux Pas. Retrieved 2015-09-06.
  4. "Static Analysis". Facebook. Retrieved 2015-09-06.
  5. "Static Analysis in Sonar". Boto. Retrieved 2015-09-06.
  6. "Static Analysis". Boto. Retrieved 2015-09-06.
  7. Parasoft Application Security Solution
  8. Parasoft Compliance Solution
  9. SourceMeter
  10. Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.
Category:Book:Introduction to Software Engineering