User:Nickj/List of tools for static code analysis
Anyone is welcome to constructively update this user-page with new information; however, if you wish to delete it please email me first, and I will move it off-site.
This is a list of software tools that perform various kinds of static code analysis, grouped by programming language and in alphabetical order:
- Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
- CloneDR for Ada83/95 Detects exact and near-miss duplicate code across large code bases.
- LDRA Testbed
- PolySpace Verifier
- SofCheck Inspector for Ada Static Error Detection of Ada 83 & 95 with 100% path and control flow coverage
- SPARK programming language
- RapiTime WCET Analyzer
- Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
- Understand for Ada IDE with reverse engineering, automatic documentation, code navigation and understanding, metrics, maintenance and cross reference.
- [1] reverse engineering, code navigation, and metrics tool
- Astrée (AbsInt and ENS)
- Axivion Bauhaus Suite
- AQtime
- BLAST
- Cantata
- CCured (BSD, partly dynamic)
- Cleanscape lints for C++ and for C
- CloneDR for C/C++ Detects exact and near-miss duplicate code across large code bases.
- CMT++
- CodeSonar Based on work by Reps et al. at the University of Wisconsin.
- CodeWizard
- Coverity See the MC Checker for background.
- cppcheck
- Cqual
- CScout Source code analyzer and refactoring browser for collections of C programs; handles the preprocessor constructs.
- C++test
- Flawfinder (GPL) Contains a good list of other security-based static checking tools.
- Ounce, which is a security-focused source code analysis tool.
- Fortify Software See Fortify Source Code Analysis
- GCC Introspector (GPL) C, but is expanding to include Perl, Bison, m4, bash, C#, Java, C++, Fortran, Objective-C, Lisp, Scheme.
- Gimpel Software FlexeLint and PC-Lint
- HP Code Advisor Identifies potential coding errors, porting issues, and security vulnerabilities.
- ITS4 Scans source code for potentially dangerous function calls.
- LDRA Testbed
- Klocwork
- Lattix LDM - Architecture Management using Dependency Analysis
- MOPS (BSD style license)
- OpenC++
- OSPC
- PMD's Copy/Paste Detector
- PolySpace
- Predator – a tool for automated formal verification of sequential C programs operating with pointers and linked lists
- PREfast Part of DDK, for driver development, see VS2005 for user-land.
- QAC, QAC-MISRA, QAC++ Coding style, metrics, dataflow, good enforcing of MISRA standards.
- Resource Standard Metrics
- Rough Auditing Tool for Security
- Security Reviewer 100+ Rules Specialized for C and C++ with up to 12 variants each and thousands of API covered. OWASP, CWE and MISRA standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Smatch C source checker, used mainly for Linux kernel code.
- Sotograph
- Sparse (GPL)
- Stacktool
- Splint (GPL)
- Surveyor C/C++, Java, COBOL, VB/VB.NET, Tcl, ASP, others.
- Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
- Visual Studio 2005 Team Edition only.
- RapiTime WCET Analyzer
- Understand for C/C++ ANSI C, C++ and K&R C reverse source engineering, code navigation, and metrics tool.
- AQtime
- CloneDR for C#2.0/3.0/4.0 Detects exact and near-miss duplicate code across large code bases.
- .TEST
- Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
- Fortify Software See Fortify Source Code Analysis
- FxCop
- Lattix LDM - Architecture Management using Dependency Analysis
- LDRA Testbed
- NDepend - Architecture Management (Dependencies, Metrics, Build comparison)
- ReSharper
- Security Reviewer 500+ Rules Specialized for C# and thousands of API covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Source Monitor - Simple analytical tool displaying metrics such as complexity, depth, lines/method, methods/class among others. Nice use of Kiviat graph. (C#, VB, C++, among others)
- Sotograph - Architecture and quality in-depth analysis and monitoring
- Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
- DevMetrics and DevAdvantage (Now open source)
- Compuware DevPartner Studio
- CloneDR for COBOL Detects exact and near-miss duplicate code across large code bases.
- Security Reviewer 120+ Security Rules, 100+ Quality Metrics and SQALE for COBOL
- CloneDR for Fortran 77/90/95 Detects exact and near-miss duplicate code across large code bases.
- FortranLint
- FTNCHEK
- Understand for FORTRAN FORTRAN 77, 90, 95 reverse source engineering, metrics and cross reference tool
- Agitator Dashboard
- AntiC
- Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
- Checkstyle
- CloneDR for Java Detects exact and near-miss duplicate code across large code bases.
- CMTJava - Complexity Measures Tool for Java
- ESC/Java - Extended Static Checking for Java
- ESC/Java2
- FindBugs - Find Bugs in Java Programs
- Fortify Software See Fortify Source Code Analysis
- Hammurapi
- JDepend
- Oracle JDeveloper - Code auditing framework and code metrics
- Jlint
- Jtest
- Kaveri (Indus) - Program Comprehension/Slicing Tool (Library) for Java
- Klocwork
- Lattix LDM - Architecture Management using Dependency Analysis
- Lint4j Static source code analysis with plugins for Maven, Ant and Eclipse
- PMD
- QAJ
- Refactorit
- Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
- Security Reviewer 500+ Rules Specialized for JAVA and thousands of API and Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- SofCheck Inspector for Java Static Error Detection of Java byte code with 100% path coverage
- SonarJ Light weight management of architecture and technical quality for Java projects
- Sotograph - Architecture and quality in-depth analysis and monitoring
- Spoon - Spoon is a Java program processor that fully supports Java 5
- STAN - Eclipse integrated structure analysis for Java. Visualize design, understand code, measure quality, generate reports.
- Structure101 - Structural dependency analysis. Rate & analyze the quality of your software architecture.
- Surveyor - Java and many other languages
- Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
- TorqueWrench
- UCDetector - Unnecessary Code Detector, an Eclipse plug-in to find unnecessary (dead) public Java code
- Understand for Java reverse source engineering, code navigation, and metrics
- WALA T. J. Watson Libraries for Analysis
- JSLint - An online tool which you can also download and run from the command line
- Javascript Lint - A lint-like tool for JavaScript, written in C/C++ and based on the JavaScript engine of the Firefox browser.
- JavaScript Reporter - A static JavaScript analyzer/verifier.
- CloneDR for JavaScript Detects exact and near-miss duplicate code across large code bases.
- Fortify [2] - See Fortify Source Code Analysis.
- http://code.google.com/intl/de-DE/closure/compiler/
- jsmeter - JavaScript code metrics through static analysis. Includes Cyclomatic Complexity, Halstead Metrics, Maintainability Index, etc.
- Security Reviewer 100+ Rules Specialized for JavaScript and 100+ of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Understand for JOVIAL reverse engineering, metrics, and cross referencing tool
- PHP executes a built-in basic Lint check when invoked with the -l switch. Example usage:
    find . -name '*.php' -print0 | xargs -0 -n1 php -l | grep -v "No syntax errors"
- Copy/Paste Detector
- CloneDR for PHP4/PHP5 Detects exact and near-miss duplicate code across large code bases.
- Zend Studio IDE includes static code analysis for PHP, called the "Code Analyzer".
- ocProducts code quality checker
- Armorize CodeSecure - The first security appliance for PHP source code scanning with traceback support and Web 2.0 interface.
- PHPUnit
- PHP_CodeSniffer - Checks for coding standard violations.
- PHPLint - A validator and documentator for PHP 4 and PHP 5 programs
- PHP-SAT - Checks for bug patterns.
- Security Reviewer 500+ Rules Specialized for PHP and thousands of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Fortify Software See Fortify Source Code Analysis.
- CloneDR for Python 2.6 Detects exact and near-miss duplicate code across large code bases.
- PyChecker
- Pyflakes
- PyLint
- Security Reviewer 200+ Rules Specialized for Python and tens of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Tcl Cruncher
- Spyglass by Atrenta
- RTL Analysis by Blue Pearl Software
- Hal by Cadence
- Leda by Synopsys
- Aivosto Project Analyzer finds dead code and programming problems. It will also tell you which modules call which, and provide cyclomatic complexity metrics.
- AQtime
- Axivion Bauhaus Suite - Clone Detection
- CloneDR for VisualBasic (VBScript, VB6, VB.net) Detects exact and near-miss duplicate code across large code bases.
- Compuware DevPartner Studio
- Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
- Fortify Software See Fortify Source Code Analysis
- FxCop
- Lattix LDM - Architecture Management using Dependency Analysis
- Security Reviewer 500+ Rules Specialized for legacy VB and all fashions of VB.net with thousands of API covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
- Sotograph - Architecture and quality in-depth analysis and monitoring
- Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
- DevMetrics and DevAdvantage (Now open source)
- Compuware DevPartner Studio
Not language-specific
- PAG and PAG/WWW - The Program Analyzer Generator, not for a specific language, but for building analyzers.
- StackAnalyzer - Stack Usage Analysis.
- CodeHawk™
- DMS Software Reengineering Toolkit System for implementing custom static analysis tools, with many industrial-strength parsers and flow analysis capabilities. Front ends for many languages/dialects.
Unknown language
- Broadway
- SLAM
- BOON
- Kaylo
External links
- software Introspector Wikibook lists more software programs of this type.