Code Analysis Software

Multi-language[edit source | edit]Axivion Bauhaus Suite – A tool for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, and clone detection.
Black Duck Suite – Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
BugScout – Detects security flaws in Java, PHP, ASP and C# web applications.
CAST Application Intelligence Platform – Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
ChecKing – Integrated software quality portal that helps manage the quality of all phases of software development. It includes static code analyzers for Java, JSP, Javascript, HTML, XML, .NET (C#, ASP.NET, VB.NET, etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C, C++, Cobol, JCL, and PowerBuilder.
ConQAT – Continuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards. Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
Coverity SAVE – A static code analysis tool for C, C++, C# and Java source code. Coverity commercialized a research tool for finding bugs through static analysis, the Stanford Checker, which used abstract interpretation to identify defects in source code.
DMS Software Reengineering Toolkit – Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
HP Fortify Static Code Analyzer – Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and configuration files.
GrammaTech CodeSonar – Defect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics for C, C++, and Java source code.
IBM Rational AppScan Source Edition – Analyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems. Supports C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6, PL/SQL, T-SQL, and COBOL
Imagix 4D – Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
Klocwork Insight – Provides security vulnerability, defect detection and build-over-build trend analysis for C, C++, C# and Java.
LDRA Testbed – A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
MALPAS – A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in Nuclear and Aerospace industries.
Moose – Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk, .NET, more may be added.
Parasoft – Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++, Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a Development Testing Platform, static code analysis functionality is integrated with unit testing, peer code review, runtime error detection and traceability.
Copy/Paste Detector (CPD) – PMDs duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[1] code.
Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code for C, C++, and Ada
Pretty Diff – A language specific code comparison tool that features language specific analysis reporting in addition to language specific minification and beautification algorithms.
Protecode – Analyzes the composition of software source code and binary files, searches for open source and third party code and their associated licensing obligations. Can also detect secuity vulnerabilities.
ResourceMiner – Architecture down to details multipurpose analysis and metrics, develop own rules for masschange and generator development. Supports 30+ legacy and modern languages and all major databases.
Semmle – supports Java, C, C++, C#.
SofCheck Inspector – Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
SonarQube – A continuous inspection engine to manage the technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supports languages: ABAP, C, Cobol, C#, Flex, Forms, Groovy, Java, JavaScript, Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
Sotoarc/Sotograph – Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java.
SQuORE is a multi-purpose and multi-language monitoring tool[2] for software projects.
Understand – Analyzes Ada, C, C++, C#, COBOL, CSS, Delphi, Fortran, HTML, Java, JavaScript, Jovial, Pascal, PHP, PL/M, Python, VHDL, and XML – reverse engineering of source, code navigation, and metrics tool.
Veracode – Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.
Visual Studio Team System – Analyzes C++, C# source codes. only available in team suite and development edition.
Yasca – Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.
.NET[edit source | edit]CodeIt.Right – Combines static code analysis and automatic refactoring to best practices which allows automatically correct code errors and violations; supports C# and VB.NET.
CodeRush – A plugin for Visual Studio, it addresses a multitude of shortcomings with the popular IDE. Including alerting users to violations of best practices by using static code analysis.
FxCop – Free static analysis for Microsoft .NET programs that compiles to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
Kalistick – Mixing from the Cloud: static code analysis with best practice tips and collaborative tools for Agile teams.
NDepend – Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
Parasoft dotTEST – A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
StyleCop – Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.
ActionScript[edit source | edit]Apparat – A language manipulation and optimization framework consisting of intermediate representations for ActionScript.
Ada[edit source | edit]AdaControl – A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety related rules, and support for various manual inspections.
Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
LDRA Testbed – A software analysis and testing tool suite for Ada83/95.
Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
SofCheck Inspector – (Bought by AdaCore) Static detection of logic errors, race conditions, and redundant code for Ada; automatically extracts pre/postconditions from code.
C/C++[edit source | edit]Astrée – exhaustive search for runtime errors and assertion violations by abstract interpretation; tailored towards critical code (avionics).
BLAST – (Berkeley Lazy Abstraction Software verification Tool) – An open-source software model checker for C programs based on lazy abstraction.
Cppcheck – Open-source tool that checks for several types of errors, including use of STL.
cpplint – An open-source tool that checks for compliance with Google’s style guide for C++ coding.
Clang – An open-source compiler that includes a static analyzer.
Coccinelle – An open-source source code pattern matching and transformation.
ECLAIR – A platform for the automatic analysis, verification, testing and transformation of C and C++ programs.
Eclipse (software) – An open-source IDE that includes a static code analyzer (CODAN).
Fluctuat – Abstract interpreter for the validation of numerical properties of programs.
Frama-C – An open-source static analysis framework for C.
Goanna – A software analysis tool for C/C++.
GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, …), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
Lint – The original static code analyzer for C.
LDRA Testbed – A software analysis and testing tool suite for C/C++.
Parasoft C/C++test – A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
PC-Lint – A software analysis tool for C/C++.
Polyspace – Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
PVS-Studio – A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
PRQA QA·C and QA·C++ – Deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement.
SLAM project – a project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses.
Sparrow – An abstraction interpretation-based static analyzer for detecting memory errors in C source.
Sparse – An open-source tool designed to find faults in the Linux kernel.
Splint – An open-source evolved version of Lint, for C.
Java[edit source | edit]AgileJ StructureViews – Reverse engineered Java class diagrams with an emphasis on filtering.
ObjectWeb ASM – allows decomposing, modifying, and recomposing binary Java classes (i.e. bytecode).
Checkstyle – Besides some static code analysis, it can be used to show violations of a configured coding standard.
FindBugs – An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
GrammaTech CodeSonar – Defect detection (Buffer overruns, memory leaks, …), concurrency and security checks, architecture visualization and software metrics for C, C++ and Java source code.
Hammurapi – Versatile code review program; free for non-commercial use.
IntelliJ IDEA– Cross-platform Java IDE with own set of several hundreds code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
Jtest – Testing and static code analysis product by Parasoft.
Kalistick – A Cloud-based platform to manage and optimize code quality for Agile teams with DevOps spirit.
LDRA Testbed – A software analysis and testing tool suite for Java.
PMD – A static ruleset based Java source code analyzer that identifies potential problems.
SemmleCode – Object oriented code queries for static program analysis.
SonarJ – Monitors conformance of code to intended architecture, also computes a wide range of software metrics.
Soot – A language manipulation and optimization framework consisting of intermediate languages for Java.
Squale – A platform to manage software quality (also available for other languages, using commercial analysis tools though).
JavaScript[edit source | edit]Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
JSLint – JavaScript syntax checker and validator.
JSHint – A community driven fork of JSLint.
Objective-C[edit source | edit]Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[3]
Opa[edit source | edit]Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.
Packaging[edit source | edit]Lintian – Checks Debian software packages for common inconsistencies and errors.
Rpmlint – Checks for common problems in rpm packages.
Perl[edit source | edit]Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway’s Perl Best Practices book.
PerlTidy – Program that act as a syntax checker and tester/enforcer for coding practices in Perl.
Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors.
Python[edit source | edit]Pychecker – A source code checking tool.
Pylint – Static code analyzer.
Formal methods tools[edit source | edit]Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code.
ESC/Java and ESC/Java2 – Based on Java Modeling Language, an enriched version of Java.
MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
Polyspace – Uses abstract interpretation, a formal methods based technique,[4] to detect and prove the absence of certain run time errors in source code for C/C++, and Ada
SofCheck Inspector – Statically determines and documents pre- and post-conditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada.
See also[edit source | edit] Software Testing portal
Automated code review
Best Coding Practices
Dynamic code analysis
Software metrics
Integrated development environment (IDE) and Comparison of integrated development environments. IDEs will usually come with built-in support for static code analysis, or with an option to integrate such support. Eclipse offers such integration mechanism for most different types of extensions (plug-ins).
References[edit source | edit]1.Jump up ^ “PMD – Browse /pmd/5.0.0 at”. Retrieved Sun Dec 09 2012.
2.Jump up ^ Baldassari, Boris (2012). “SQuORE: a new approach to software project assessment”, International Conference on Software and Systems Engineering and their Applications, Nov. 2012, Paris, France.
3.Jump up ^ “Static Analysis in Xcode”. Apple. Retrieved 2009-09-03.
4.Jump up ^ Cousot, Patrick (2007). “The Role of Abstract Interpretation in Formal Methods”. IEEE International Conference on Software Engineering and Formal Methods. Retrieved 2010-11-08.
External links[edit source | edit]The Web Application Security Consortium’s Static Code Analysis Tool List
Java Static Checkers at the Open Directory Project
List of Java static code analysis plugins for Eclipse
List of static source code analysis tools for C
List of static source code analysis tools at CERT
SAMATE-Source Code Security Analyzers
SATE – Static Analysis Tool Exposition
“A Comparison of Bug Finding Tools for Java”, by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
“Mini-review of Java Bug Finders”, by Rick Jelliffe, O’Reilly Media.
Parallel Lint, by Andrey Karpov
Integrate static analysis into a software development process Explains how one goes about integrating static analysis into a software development process


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s