List of tools for static code analysis

from Wikipedia, the free encyclopedia

This list of tools for static code analysis contains tools that can be used to perform static code analysis.

Such tools can usually not only run on their own but also be integrated into the development environment or the build server. They are not limited to coding rules such as the MISRA-C rules, but also recognize functional and technical errors, potential bugs and qualitative weaknesses in the code (so-called code smells), such as duplicated code (also called software clones). Some tools can also check the code for safety-related programming errors such as buffer overflows or race conditions. Furthermore, there are tools that also check architecture metrics and the conformity of the code with the architecture specification.

This list is divided by programming language, beginning with tools that support several programming languages or are independent of the programming language. These tools are not listed again under the individual languages they support.


Language-independent or cross-language tools

App-Ray
Tool to find security vulnerabilities and data leaks in Android and iOS apps. Supports bytecode (Java, Kotlin) and binary code (Swift, Objective-C).
Axivion Bauhaus Suite
Tool for code, design and architecture analysis. Available for the programming languages Ada, C, C++, C# and Java.
Black Duck Suite
Tool for analyzing source code and binaries for reused code, required licenses and potential security issues.
BugScout
Tool for detecting potential security problems in Java, PHP, ASP and C# web applications.
CAST Application Intelligence Platform
Dashboard for measuring code quality and productivity. Supports more than 30 programming languages as well as various databases.
ChecKing
Software quality portal for displaying the quality of all phases of software development. Supports static code analysis of Java, JSP, JavaScript, HTML, XML, .NET (C#, ASP.NET, VB.NET etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C/C++, Cobol, JCL and PowerBuilder.
Cigital SecureAssist
Extension for integrated development environments that points out security problems during development. Supports Java, .NET and PHP.
Clang
A compiler front end for the programming languages C, C++, Objective-C and Objective-C++. Compared to other compiler front ends, it offers more extensive and more precise static and dynamic analysis methods that make troubleshooting easier.
ConQAT
(Continuous Quality Assessment Toolkit) Enables various quality analyses such as architecture conformance, duplicate code detection and quality metrics, and can display these on a dashboard. Supports, among others, Java, C#, C++, JavaScript, ABAP and Ada.
Coverity SAVE
Commercial tool for finding errors, based on the Stanford Checker. Supports the languages C, C++, C# and Java.
DMS Software Reengineering Toolkit
Tool to detect duplicate code, dead code and inappropriate programming style. Supports the analysis of source code in C, C++, C#, Java, COBOL, PHP, Visual Basic and other programming languages.
Feram
A commercial GitHub-based service built on other open source tools. Supports the languages JavaScript, HTML, CSS, Python, Ruby, PHP, JSON, C, C++, C#, Objective-C, D, Java, Pawn and Vala.
Fluctuat
Abstract interpreter for the validation of numerical properties of Ada and C/C++ programs.
HP Fortify Source Code Analyzer
Tool for uncovering security problems in C/C++, Java, JSP, .NET, ASP.NET, ColdFusion, ASP, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python and COBOL programs as well as configuration files.
GrammaTech CodeSonar
Detects potential errors (buffer overflows, memory leaks, ...), checks concurrency and security, visualizes the architecture and calculates various software metrics for C, C++ and Java code.
gamma
An intelligent software analysis platform that identifies problems from multiple perspectives: design problems, code problems, duplication and metrics. Available for Java, C/C++ and C#.
IBM Rational AppScan
Analyzes source code for security vulnerabilities. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL and COBOL.
Imagix 4D
Detects problems with the use of variables, task interactions and multiple runs, especially in embedded applications. Also assists in understanding and documenting C, C++ and Java code.
Kalistick
A cloud-based platform for static code analysis with practical tips. Tool for collaboration in agile teams.
Kiuwan
Software quality portal for displaying the quality of all phases of software development. Supports static code analysis of Java, JSP, JavaScript, HTML, XML, .NET (C#, ASP.NET, VB.NET etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C/C++, Cobol, JCL and PowerBuilder.
Klocwork Insight
Detects security vulnerabilities and other technical problems, including the trend of these metrics over time. Supports C, C++, C# and Java.
LDRA Testbed
A software analysis and test tool for the languages C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
MALPAS Software Static Analysis Toolset
A set of tools for static code analysis of languages such as Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Mainly used for safety-critical applications in aviation and nuclear power.
Moose
Software analysis platform with tools to visualize, manipulate and analyze software. Can be extended into a generic data analysis platform. Supports C, C++, Java, Smalltalk and .NET.
Parasoft
Static code analysis (pattern-based and flow-based, inline and metrics) for C, C++, Java, .NET (C#, VB.NET etc.), JSP, JavaScript, XML and other programming languages. Through a Development Testing Platform, static code analysis is integrated with unit testing, peer code review, runtime error detection and traceability. Plugins for Visual Studio and Eclipse.
Copy/Paste Detector (CPD)
PMD's duplicate code detection for, e.g., Java, JSP, C, C++, ColdFusion, PHP and JavaScript.
Polyspace
Uses abstract interpretation, a technique based on formal methods, to find certain runtime errors in the source code or to prove that they do not exist. Supports C, C++ and Ada code.
Pretty Diff
Tool for language-specific code comparison with analysis, code reduction (minification) and source text formatting.
Protecode
Analyzes the relationships between individual modules in source code and binary files. Looks for open source and third-party code and their licenses. Can also reveal security holes.
PVS-Studio
A software analysis tool for C, C++, C++11, C++/CX (Component Extensions) and C#.
ResourceMiner
Analysis and metrics from the architecture down to code details; supports the development of custom rules for global code changes and code generation. Supports more than 30 programming languages as well as all major databases.
Simian - Similarity Analyser
Analyzes code (and also HTML and XML) for duplicate code. Can distinguish (depending on the language) between code and comments. Supports Java, C#, C++, C, Objective-C, JavaScript (ECMAScript), COBOL, ABAP, Ruby, Lisp, SQL, Visual Basic, Groovy, JSP, ASP, HTML and XML.
SofCheck Inspector
Static analysis of code with regard to logical errors, race conditions and redundant code. Can read pre- and post-conditions from the code. Supports Ada and Java.
SonarQube
A quality cockpit for managing technical debt. Supports, via various plugins, programming languages such as ABAP, C, Cobol, C#, Flex, Forms, Groovy, Java, JavaScript, PHP, PL/SQL, Visual Basic, XML and Python.
Sotoarc
Architecture and quality analysis and monitoring for C, C++, C#, Java and ABAP. Enables what-if scenarios to play through the effects of design changes.
SQuORE
Monitoring tool for various programming languages.
Teamscale
Commit-based incremental analyses for a variety of languages (Java, C#, JavaScript, ABAP, C/C++, Python etc.), including analysis of architecture conformity, redundant code, commenting, code structure and naming conventions.
Veracode
Finds security holes in binary files and bytecode without needing the source code. Supports C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails and Objective-C. Can also test mobile applications for the Windows Mobile, BlackBerry, Android and iOS platforms.
Visual Studio Team System
Analyzes C++ and C# code.
Yasca
Yet Another Source Code Analyzer, a plugin-based framework to scan files of different types. Comes with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL and other file types. Integrates with other static code analysis tools such as FindBugs, PMD and Pixy.

.NET

.NET Compiler Platform
(Code name "Roslyn") Compiler framework for C# and VB.NET with an API for analysis and manipulation of code.
CodeIt.Right
Tool for static code analysis and automated refactoring towards best practices. Enables automatic correction of errors and violations. Supports C# and VB.NET.
CodeRush
A plugin for Visual Studio. Extends Visual Studio, among other things, with warnings about violations of best practices based on static code analysis.
FxCop
Static code analysis for .NET programs that compile to the Common Intermediate Language. Runs standalone and integrated into some Microsoft Visual Studio editions.
NDepend
Sister project of JDepend. Analyzes and visualizes dependencies and cycles in the code. Allows you to define and check design rules, create impact analyses and compare different versions of the code with one another. Integrated into Visual Studio.
StyleCop
Analyzes C# source code and checks code style rules and consistency rules. Runs integrated into Microsoft Visual Studio or in an MSBuild project.

ABAP

ABAP Test Cockpit (ATC)
A central quality inspection tool for ABAP applications in SAP landscapes; successor to the SAP-internal tool CheckMan, the SAP Code Inspector (SCI) and the extended program check (SLIN).
SAST Code Security Advisor
An SAP add-on belonging to the SAST Suite that checks ABAP code for security weaknesses and other quality defects, taking the specific context into account. The SAST CSA checks for all critical weak points in accordance with common recommendations such as those of the OWASP. Because it checks directly in the SAP system, the tool can include the context of a reference in its assessment and thus delivers high-quality results with a low false positive rate.
Virtual Forge CodeProfiler
A tool integrated into the SAP development environment that checks applications written in ABAP for security gaps, compliance and quality weaknesses. Contains more than 240 test cases that users can extend themselves. The Automated Correction Engine (ACE) module enables the automated correction of programming errors. There is also a function for finding and cleaning up "legacy" code (ABAP code that is no longer required).

ActionScript

Apparat
A language manipulation and optimization framework. Based on an intermediate representation of ActionScript.

Ada

AdaControl
Tool to find entities and programming patterns in Ada source code. Used to check coding rules, enforce safety-relevant rules and support manual code inspections.
CodePeer
A tool for static code analysis that detects potential runtime errors in Ada programs.

C/C++

Astrée
Uses abstract interpretation to find runtime errors, data races and assertion violations, or to prove their absence. Includes a checker for MISRA C.
BLAST model checker
BLAST stands for Berkeley Lazy Abstraction Software Verification Tool, a model checker for C programs based on lazy abstraction.
Cppcheck
Open source tool for checking various types of errors, for example correct use of the Standard Template Library.
cpplint
Checks code against the Google Style Guide for C++.
Coccinelle
Software for pattern matching and transformation of source code.
ECLAIR
A platform for the automated analysis, verification, testing and transformation of C and C++ programs.
Frama-C
Static code analysis framework for C.
Goanna
Software analysis tool for C/C++.
Lint
Static code analysis tool for C/C++.
makedepend
A Unix tool to show dependencies between C sources.
QA-C
Static code analysis tool for C/C++ for quality assurance and enforcing coding standards.
SLAM project
A Microsoft Research project to check whether software complies with critical behavioral rules of the interfaces it uses.
Sparse
A tool to find bugs in the Linux kernel.
Splint
A successor to Lint.
Testwell CTC++
Static code analysis, also for cross-platform and small projects.

Fortran

Ftnchek
A tool for static code analysis of Fortran code.

Eiffel

Inspector Eiffel
Rule-based analysis based on the AST and control flow graph of Eiffel code.

IEC 61131-3

CODESYS Static Analysis
Rule-based analysis of application code for machines and systems, as an add-on for CODESYS.

Java

AgileJ StructureViews
Reverse engineering tool for displaying class diagrams from Java code, with a focus on filtering.
ObjectWeb ASM
Tool for splitting, modifying and assembling Java bytecode classes.
Checkstyle
Free tool for static code analysis, especially with regard to compliance with coding standards.
FindBugs
A free tool for analyzing the bytecode of Java programs for possible errors (based on the Jakarta Byte Code Engineering Library (BCEL)). Developed at the University of Maryland.
Hammurapi
Versatile software for code reviews. Free for non-commercial use.
JDepend
Analyzes and visualizes dependencies and cycles in the code. Allows you to define and check design rules, create impact analyses and compare different versions of the code with one another.
Jtest
Static code analysis and testing tool from Parasoft.
PMD
Static code analysis for the identification of potential quality problems.
RIPS
Language-specific static code analysis to identify exploitable security vulnerabilities, code quality defects and incorrect configurations during development.
SonarGraph
Checks whether the defined architecture has actually been implemented and shows deviations from the defined architecture as well as cycles. Can also calculate various software metrics.
Soot
Framework for manipulation and optimization of Java code.
Squale
Platform for software quality (can be extended to languages other than Java with commercial analysis tools).
ThreadSafe
Static analysis tool for Java with a focus on concurrency errors.
Xanitizer
Tool for uncovering security problems in Java and JSP programs (especially web applications).

JavaScript

JSLint
A JavaScript validator that checks JavaScript syntax.
JSHint
A fork of JSLint that allows less strict checking.
eslint
A modular tool for checking JavaScript, available as free software; can use the Espree or babel-eslint parsers.
jsonlint
Specifically tailored to JavaScript Object Notation (JSON).
jscs
Specifically for checking source code style rules.

Perl

Perl::Critic
A tool to enforce Perl best practices. Most of these best practices are based on Damian Conway's book Perl Best Practices.
PerlTidy
Syntax check, as well as checking and enforcing coding guidelines in Perl.
Padre
Integrated development environment for Perl that also includes static code analysis for detecting typical beginner errors.

PHP

RIPS
Automatic detection of complex security vulnerabilities.
Mondrian
Collection of command line tools for the analysis and refactoring of object-oriented PHP code.

Python

Pychecker
Tool for checking Python source code.
Pylint
Static code analysis for Python.
Pyflakes
Program to check Python code for errors.

Tools for testing using formal methods

Tools that use formal methods (e.g. static assertions) for static code analysis:

ECLAIR
Uses code analysis techniques based on formal methods such as abstract interpretation or model checking, combined with techniques for enforcing constraints. Can detect the presence or absence of certain runtime errors in the source code.
ESC/Java and ESC/Java2
Can check code based on the Java Modeling Language, an extension of Java.
MALPAS Software Static Analysis Toolset
A tool based on formal methods that uses directed graphs and regular algebra to prove that the analyzed software correctly implements its mathematical specification.
SofCheck Inspector
Statically recognizes and documents pre- and post-conditions for Java methods; statically checks preconditions for all callers. Also supports Ada.
SPARK toolset
Based on the SPARK programming language; the SPARK Examiner checks the code.

Literature

  • Nick Rutar, Christian Almazan, Jeff Foster: A Comparison of Bug Finding Tools for Java. University of Maryland, College Park (English, umd.edu, PDF; compares Bandera, ESC/Java 2, FindBugs, JLint and PMD).
  • Walter W. Schilling Jr., Mansoor Alam: Integrate static analysis into a software development process. November 1, 2006 (English, embedded.com).
