Static code scanning. To borrow a passage from an online text (what is called static checking here): "Static testing includes code inspection, static structure analysis and code quality metrics. It can be carried out manually, making full use of people's strengths in logical reasoning, or it can be automated with software tools. Code inspection includes code walkthroughs, desk checking and code review. It mainly checks the consistency of the code with the design, compliance with coding standards, readability, the correctness of the logic the code expresses and the soundness of the code structure. It can uncover violations of coding standards, unsafe, ambiguous or vague parts of a program, non-portable code and violations of programming style. It covers variable checking, review of naming and types, program logic review, syntax checking and program structure checking."

Having looked at a series of static code scanning (static code analysis) tools, my summary view is this: a static code scanner is very similar to the front end of a compiler. It also needs lexical analysis, syntax analysis, semantic analysis and so on. Unlike a compiler, however, it lets you define a variety of complex rules of your own and analyzes the code against them.

The static code scanning tools listed below vary greatly in capability because of differences in implementation, algorithms and depth of analysis. Some can check for SQL injection and some cannot (I have not had time to study this in detail, but finding complex security vulnerabilities needs a more advanced analysis algorithm, so not everything can be caught simply by adding rules to a rule library; still, a good part of security checking can be done by setting up rules). The difference matters in practice: a rule that matches on names alone flags every call to a dangerous function or query sink, whether or not attacker-controlled data ever reaches it, whereas finding an injection needs data-flow (taint) analysis from input sources to sinks.

Below are the analysis tools I collected online; I sorted them and picked out a selection. Only some are listed here; the others can be seen at the reference links:
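As an added illustration (not code from the original post or from any of the tools listed on this page), here is a toy scanner in Python that reuses the compiler front end (Python's own `ast` parser does the lexing and parsing) and then runs two kinds of pluggable rules over the syntax tree: a name-matching rule of the sort Flawfinder or RATS keep in their rule tables, and a simple source-to-sink taint rule for SQL injection. The source names (`input`, `request.args.get`), sink names (`cursor.execute`, `db.execute`) and the sample program it scans are constructed for this example.

```python
"""Toy static analyzer: the front end is borrowed from the compiler (Python's
own parser via the ast module); the analysis is a set of pluggable rules.
Added example, not code from any tool on this page."""
import ast

# Rule table of the kind a lexical/syntactic scanner such as Flawfinder or
# RATS keeps: dotted callee name -> message. (Constructed for this example.)
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code",
    "exec": "exec() executes arbitrary code",
    "os.system": "os.system() runs a command through the shell",
    "pickle.loads": "pickle.loads() deserialises untrusted data",
}

# Sources of attacker-controlled data and SQL sinks for the taint rule
# (constructed names; a real tool ships a much longer list).
TAINT_SOURCES = {"input", "request.args.get", "sys.stdin.readline"}
SQL_SINKS = {"cursor.execute", "db.execute"}


def call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'os.system' or 'input'; '' if dynamic."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


class Analyzer(ast.NodeVisitor):
    """Walks the syntax tree once, applying a pattern rule and a taint rule."""

    def __init__(self):
        self.findings = []    # (rule, line, message)
        self.tainted = set()  # variable names currently holding tainted data

    def is_tainted(self, expr) -> bool:
        # Over-approximate: any sub-expression that reads a source or a
        # tainted variable taints the whole expression (so len(user) counts
        # as tainted too; a real tool would model sanitisers and callees).
        for n in ast.walk(expr):
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return True
            if isinstance(n, ast.Call) and call_name(n) in TAINT_SOURCES:
                return True
        return False

    # Taint propagation through assignments, visited in program order.
    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_AugAssign(self, node):  # e.g. query += user
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node)
        # Rule 1: pure pattern match on the callee name, no data flow needed.
        if name in DANGEROUS_CALLS:
            self.findings.append(("pattern", node.lineno, DANGEROUS_CALLS[name]))
        # Rule 2: SQL injection only if tainted data reaches the query string
        # (first argument); values bound as later arguments are fine.
        if name in SQL_SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append(("taint", node.lineno,
                                  f"SQL injection: tainted query string passed to {name}()"))
        self.generic_visit(node)


def analyze(source: str):
    """Lex + parse with the compiler front end, then run the rules."""
    a = Analyzer()
    a.visit(ast.parse(source))
    return sorted(a.findings, key=lambda f: f[1])


def sink_calls(source: str):
    """What a name-only rule sees: every call to a SQL sink, injectable or not."""
    return sorted(n.lineno for n in ast.walk(ast.parse(source))
                  if isinstance(n, ast.Call) and call_name(n) in SQL_SINKS)


# Constructed sample program (not real application code); line 1 is blank.
SAMPLE = '''
import os
user = input("name? ")
safe = "admin"
q1 = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(q1)                                                  # line 6: injectable
cursor.execute("SELECT * FROM users WHERE name = ?", (user,))       # line 7: parameterised
cursor.execute("SELECT * FROM users WHERE name = '" + safe + "'")   # line 8: constant data
os.system("ls -l")                                                  # line 9: shell call
'''

if __name__ == "__main__":
    print("name-only sink rule flags lines:", sink_calls(SAMPLE))
    for rule, line, msg in analyze(SAMPLE):
        print(f"{rule:8} line {line}: {msg}")
```

The name-only rule reports all three `cursor.execute` calls (lines 6, 7 and 8), two of which are false positives, while the taint rule reports only line 6, because only there does data from `input()` flow into the query string itself. Real tools differ mostly in how far they push the second kind of analysis (across functions, through containers, past sanitisers), which is why their ability to find SQL injection varies as the text says.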
|Tool name|Languages scanned|Open source / Paid|Vendor|Introduction|Home page URL|
|---|---|---|---|---|---|
|Ounce 5.0|VB.NET, C, C++, C#, Java|\|\|\|\|
|Coverity Prevent|C/C++, C#, Java|Paid|Coverity|Companion tools: Coverity Thread Analyzer for Java; Coverity Software Readiness Manager for Java; Coverity Architecture Analyzer.|\|
|@stake SmartRisk Analyzer|C, C++, Java (binary executables)|\|@stake|Uses static analysis of binary executables to identify, categorize and prioritize security vulnerabilities. Note: this product could not be found at Symantec.|\|
|Rational Purify|C/C++, Java|Paid|IBM|Memory leak and memory corruption detection. Note: Purify instruments the program and checks it while it runs, so it is a dynamic rather than a static analysis tool.|\|
|PREfix|\|\|Microsoft|The static analysis tool used internally by Microsoft; no download was found at the time of writing, though a release now appears to be under consideration.|\|
|Jtest|Java|Paid|Parasoft|Parasoft also sells other static analysis products, e.g. C++test; see the website for details.|\|
|Flawfinder|C/C++|Open source|\|Security audit tool for C/C++ programs, written in Python; checks for potential security risks.|\|
|Klocwork Insight|C/C++, Java|Paid|Klocwork|\|http://www.klocwork.com/products/insight.asp|
|\|C/C++, Ada|Paid|MathWorks|\|http://www.mathworks.cn/|
|RATS|C/C++, Python, PHP|Open source|\|Security audit tool for C/C++, Python and PHP code.|\|
|LAPSE|Java|Open source|\|LAPSE stands for Lightweight Analysis for Program Security in Eclipse. It is designed to help audit Java EE applications for the common types of security vulnerabilities found in web applications. Developed by Benjamin Livshits as part of the Griffin Software Security Project.|\|
|Fluid|Java|Open source|\|Properties explored include: race conditions and locking policies; unique references and other programmer-significant ...; appropriate typing; real-time threading policies; single-threading policies.|\|
|Splint|C|Open source|University of Virginia|Static checking of C programs for security vulnerabilities and coding mistakes.|http://www.splint.org/|
|Cqual|C|Open source|University of Maryland|Lightweight static scanner that runs on Linux-like systems.|http://www.cs.umd.edu/~jfoster/cqual/|
|MOPS|C|Open source|UC Berkeley|MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming.|\|
|BOON|C|Open source|UC Berkeley|BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and the authors hope BOON will let developers and code auditors improve the quality of security-critical programs.|\|
|BLAST|C|Open source|BLAST team|BLAST is a software model checker for C programs. Its goal is to check that software satisfies behavioral properties of the interfaces it uses. It uses counterexample-driven automatic abstraction refinement to construct an abstract model, which is model checked for safety properties; the abstraction is constructed on the fly and only to the required precision.|\|
|SpikeWAMP|PHP|Open source|\|For analyzing PHP programs.|http://developer.spikesource.com/wiki/index.php/SpikeWAMP|
|Pixy|PHP|Open source|\|Finds XSS and SQL injection vulnerabilities.|http://pixybox.seclab.tuwien.ac.at/pixy/|
|Mike|Java|Open source|\|Java source code security scanner built on top of Orizon; both are associated with OWASP.|\|
|Oink|C++|Open source|\|C++ static analysis tools.|http://www.cubewano.org/oink|
|Frama-C|C|Open source|\|Static analyzers for the C language.|http://frama-c.cea.fr/|
|RTL-Check|\|Open source|\|RTL-Check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and ...|\|
|PMD|Java|Open source|\|PMD scans Java source code and looks for potential problems such as: possible bugs (empty try/catch/finally/switch statements); dead code (unused local variables, parameters and private methods); suboptimal code (wasteful String/StringBuffer usage); overcomplicated expressions (unnecessary if statements, for loops that could be while loops); duplicate code (copied/pasted code means copied/pasted bugs).|\|
|FindBugs|Java|Open source|University of Maryland|Uses static analysis to look for bugs in Java code. Note: an Eclipse plug-in is available.|\|
|ITS4|C/C++|Open source|Cigital|Cigital developed ITS4 to help automate source code review for security.|\|
|QJ-Pro|Java|Open source|\|QJ-Pro is a comprehensive software inspection tool targeted at the software developer. It checks: conformance to coding standards; misuse of the Java language; best-practice conformance; code structure; potential bugs at the earliest stages of development. Note: various IDE plug-ins are available.|\|
|Jlint|Java|Open source|\|Jlint checks Java code and finds bugs, inconsistencies and synchronization problems by doing data-flow analysis and building the lock graph.|\|
|Hammurapi|Java|Open source|\|Code review system that captures coding best practices and delivers them to developers' fingertips. It also generates consolidated reports for lead developers, architects and managers to monitor codebase quality and evolution.|\|
|DoctorJ|Java|Open source|\|Among what it detects: misspelled words; parameter and exception names; Javadoc tags (missing expected arguments, invalid arguments, missing descriptions); undocumented classes, methods and fields.|\|
|Dependency Finder|Java|Open source|\|Dependency Finder is a suite of tools for analyzing compiled Java code. At its core is a powerful dependency analysis application that extracts dependency graphs and mines them for useful information. It comes in many forms for ease of use, including command-line tools, a Swing-based application, a web application ready to be deployed in an application server, and a set of Ant tasks.|\|
|Checkstyle|Java|Open source|\|Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans this boring (but important) task, which makes it ideal for projects that want to enforce a coding standard. Note: a variety of IDE plug-ins are available.|\|
|Classycle|Java|Open source|\|Classycle's analyser analyses the static class and package dependencies in Java applications or libraries.|\|
|JDepend|Java|Open source|\|JDepend traverses Java class file directories and generates design quality metrics for each Java package. It lets you automatically measure the quality of a design in terms of its extensibility, reusability and maintainability, to manage package dependencies effectively.|\|
|JCSC|Java|Open source|\|JCSC is a powerful tool to check source code against a highly definable coding standard and for potential bad code.|\|