Summary of static code analysis tools

Source: Internet
Author: User
Tags: coding standards, static, class, checkstyle


Static code scanning (referred to here as static checking) is described in one online text as follows: "Static testing includes code inspection, static structure analysis and code quality metrics. It can be carried out manually, which makes full use of people's strengths in logical reasoning, or it can be automated with software tools. Code inspection includes code walkthroughs, desk checking and code review. It mainly checks consistency between code and design, compliance with coding standards, readability, correctness of the logic expressed in the code and soundness of the code structure. It can find violations of coding standards, unsafe, ambiguous or vague parts of the program, non-portable parts of the program and violations of programming style. It covers variable checking, naming and type review, program logic review, program syntax checking and program structure checking."

Having looked at a series of static code scanning (static code analysis) tools, my overall view of them is this: a static code scanner is very similar to a compiler in some respects, since it also needs lexical analysis, syntax analysis, semantic analysis and so on. Unlike a compiler, however, it lets you define a wide range of complex rules against which the code is analysed.

The static code scanning tools listed below vary greatly in capability, depending on their implementation, the algorithms they use and the depth of their analysis. Some can check for SQL injection and some cannot (I have not yet had time to study this in detail, but checking for complex code security vulnerabilities requires more advanced analysis algorithms, so not everything can be checked simply by setting up a rule library; on the security side, though, a certain amount can be covered by rules).
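To make the rule-library idea above concrete, here is an added example (not code from the page or from any of the tools listed) of the simplest kind of rule-driven check, in the spirit of Flawfinder-style scanners: a lexical pass blanks out comments and string literals so that they cannot trigger rules, then a rule table flags risky C library calls by name. The rule table and the sample C source are constructed for illustration; a real scanner's database and the tools' actual risk levels differ.

```python
import re

# Constructed rule library (not Flawfinder's real database): risky call -> (risk 1-5, advice)
RULES = {
    "gets": (5, "unbounded read into a buffer; use fgets with a size"),
    "strcpy": (4, "unbounded copy; use snprintf or strlcpy with the destination size"),
    "sprintf": (4, "unbounded formatting into a buffer; use snprintf"),
    "system": (4, "runs a shell command; never pass it untrusted data"),
}
# Lexical step: comments and string literals are "noise" that must not trigger rules
NOISE_RE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
# A call site: identifier immediately followed by '(' (\b keeps my_strcpy from matching)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def strip_noise(src):
    """Blank out comments and strings, keeping newlines so line numbers stay correct."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src):
    """Return (line, function, risk, advice) for every rule hit, highest risk first."""
    hits = []
    for lineno, line in enumerate(strip_noise(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            if m.group(1) in RULES:
                risk, advice = RULES[m.group(1)]
                hits.append((lineno, m.group(1), risk, advice))
    return sorted(hits, key=lambda h: (-h[2], h[0]))

# Constructed sample input: three real hits, two mentions that must not fire
SAMPLE_C = """\
#include <string.h>
/* strcpy(dst, src) in a comment is not a call */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);              // line 4: unbounded copy
    puts("gets() is unsafe");      // line 5: only inside a string literal
    char cmd[64];
    sprintf(cmd, "ls %s", src);    // line 7
    system(cmd);                   // line 8
}
"""

if __name__ == "__main__":
    for line, fn, risk, advice in scan(SAMPLE_C):
        print(f"line {line}: [{risk}] {fn}() - {advice}")
```

This name-based matching is exactly the level at which such checks stop: it has no data-flow information, which is why a rule library alone cannot decide whether a value reaching a SQL query is attacker-controlled.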

Below are the analysis tools I collected online; I picked out some of them and list only part here. Others can be found via the reference link:

| Tool name | Languages scanned | Open source / Pay | Vendor | Description |
|---|---|---|---|---|
| Ounce 5.0 | C, C++, C#, Java | Pay | Ounce Labs | |
| Coverity Prevent | C/C++, C#, Java | Pay | Coverity | Companion tools: Coverity Thread Analyzer for Java; Coverity Software Readiness Manager for Java; Coverity Architecture Analyzer. |
| @stake SmartRisk Analyzer | C/C++, Java | Pay | Symantec | Harnesses the power of static analysis of binary executables (C, C++ and Java) to identify, categorize and prioritize security… Note: this product could not be found on Symantec's site. |
| Rational Purify | C/C++, Java | Pay | IBM | Provides memory leak and memory corruption detection. |
| PREfix | | | Microsoft | The static analysis tool used internally by Microsoft; no download could be found at the time of writing, though a release now seems to be under consideration. |
| Jtest | Java | Pay | Parasoft | Parasoft also has other static analysis products, such as C++test; see their website for details. |
| Flawfinder | C, C++ | Open source | | Security audit tool for C/C++ programs, written in Python; checks for potential security risks. |
| Fortify Static Code Analyzer | C/C++, C#, Java | Pay | Fortify | |
| Klocwork Insight | C++, Java | Pay | Klocwork | |
| (not named) | C++, Ada | Pay | MathWorks | |
| RATS | C++, Python, PHP | Open source | | Tool for security audits of source code. |
| LAPSE | Java | Open source | | LAPSE stands for Lightweight Analysis for Program Security in Eclipse. It is designed to help with auditing Java EE applications for common types of security vulnerabilities found in web applications. Developed by Benjamin Livshits as part of the Griffin Software Security Project. |
| Fluid | Java | Open source | | Properties explored include: race conditions and locking policies; unique references and other programmer-significant aliasing properties; effects; appropriate typing; real-time threading policies; single-threading policies. |
| Splint | C | Open source | University of …, Department of … | Static detection of security problems and vulnerabilities in C programs. |
| Cqual | C++ | Open source | University of Maryland | Lightweight static checker that runs on Linux-like systems. |
| MOPS | C | Open source | UC Berkeley | MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming. |
| BOON | C | Open source | UC Berkeley | BOON automatically finds buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and the authors hope BOON will help software developers and code auditors improve the quality of security-critical programs. |
| BLAST | C | Open source | The BLAST 2.0 Team | BLAST is a software model checker for C programs. Its goal is to check that software satisfies behavioural properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model that is model-checked for safety properties; the abstraction is constructed on the fly and only to the required precision. |
| Spikewamp | PHP | Open source | | For analysing PHP programs. |
| Pixy | PHP | Open source | | Finds XSS and SQL injection vulnerabilities. |
| Milk | Java | Open source | | Java source code security scanner built on top of Orizon; associated with OWASP. |
| Smatch | C | Open source | | |
| Oink | C++ | Open source | | C++ static analysis tools. |
| Frama-C | C | Open source | | Static analysers for the C language. |
| RTL-Check | | Open source | | RTL-Check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and security perspective. |
| PMD | Java | Open source | | PMD scans Java source code for potential problems such as: possible bugs (empty try/catch/finally/switch statements); dead code (unused local variables, parameters and private methods); suboptimal code (wasteful String/StringBuffer usage); overcomplicated expressions (unnecessary if statements, for loops that could be while loops); duplicate code (copied/pasted code means copied/pasted bugs). |
| FindBugs | Java | Open source | University of Maryland | Uses static analysis to look for bugs in Java code. Note: Eclipse plug-ins are available. |
| ITS4 | C/C++ | Open source | | Cigital developed ITS4 to help automate source code review for security. |
| QJ-Pro | Java | Open source | | QJ-Pro is a comprehensive software inspection tool targeted at the software developer. It checks conformance to coding standards, misuse of the Java language, best-practice conformance, code structure and potential bugs at the earliest stages of development. Note: various IDE plug-ins are available. |
| Jlint | Java | Open source | | Jlint checks Java code and finds bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph. |
| Hammurapi | Java | Open source | | Code review system that captures coding best practices and delivers them to developers' fingertips. It also generates consolidated reports for lead developers, architects and managers to monitor codebase quality and evolution. |
| DoctorJ | Java | Open source | | Among what it detects: misspelled words; parameter and exception names that are missing, misordered or misspelled; Javadoc tags that are invalid or misordered, or that have missing expected arguments, invalid arguments or missing descriptions; undocumented classes, methods and fields. |
| Dependency Finder | Java | Open source | | Dependency Finder is a suite of tools for analysing compiled Java code. At its core is a powerful dependency analysis application that extracts dependency graphs and mines them for information. It comes in many forms for ease of use, including command-line tools, a Swing-based application, a web application ready to be deployed in an application server, and a set of Ant tasks. |
| Checkstyle | Java | Open source | | Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task, which makes it ideal for projects that want to enforce a coding standard. Note: a variety of IDE plug-ins are available. |
| Classycle | Java | Open source | | Classycle's analyser analyses the static class and package dependencies in Java applications or libraries. |
| JDepend | Java | Open source | | JDepend traverses Java class file directories and generates design quality metrics for each Java package. It lets you automatically measure the quality of a design in terms of its extensibility, reusability and maintainability, to manage package dependencies effectively. |
| JCSC | Java | Open source | | JCSC is a powerful tool to check source code against a highly definable coding standard and for potential bad code. |
