User:Nickj/List of tools for static code analysis

Anyone is welcome to constructively update this user-page with new information; However if you wish to delete it please email me first, and I will move it off-site.

This is a list of software tools that perform various kinds of static code analysis, grouped by programming language and in alphabetical order:

Ada[edit]

• Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
• CloneDR for Ada83/95 Detects exact and near-miss duplicate code across large code bases.
• LDRA Testbed
• PolySpace Verifier
• SofCheck Inspector for Ada Static Error Detection of Ada 83 & 95 with 100% path and control flow coverage
• SPARK programming language
• RapiTime WCET Analyzer
• Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
• Understand for AdaIDE with reverse engineering, automatic documentation, code navigation and understanding, metrics, maintenance and cross reference.

Borland Delphi[edit]

• [1] reverse engineering, code navigation, and metrics tool

C and/or C++[edit]

• Astrée (AbsInt and ENS)
• Axivion Bauhaus Suite
• AQtime
• BLAST
• Cantata
• CCured (BSD, partly dynamic)
• Cleanscape lints for C++ and for C
• CloneDR for C/C++ Detects exact and near-miss duplicate code across large code bases.
• CMT++
• CodeSonar based on work by Reps et al at the University of Wisconsin.
• CodeWizard
• Coverity See the MC Checker for background.
• cppcheck
• Cqual
• CScout Source code analyzer and refactoring browser for collections of C programs; handles the preprocessor constructs.
• C++test
• Flawfinder (GPL) Contains a good list of other security-based static checking tools.
• Ounce, which is a security-focused source code analysis tool.
• Fortify Software See Fortify Source Code Analysis
• GCC Introspector (GPL) C, but is expanding to include Perl, Bison, m4, bash, C#, Java, C++, Fortran, Objective-C, Lisp, Scheme.
• Gimpel Software FlexeLint and PC-Lint
• HP Code Advisor Identifies potential coding errors, porting issues, and security vulnerabilities.
• ITS4 Scans source code for potentially dangerous function calls.
• LDRA Testbed
• Klocwork
• Lattix LDM - Architecture Management using Dependency Analysis
• MOPS (BSD style license)
• OpenC++
• OSPC
• PMD's Copy/Paste Detector
• PolySpace
• Predator – a tool for automated formal verification of sequential C programs operating with pointers and linked lists
• PREfast Part of DDK, for driver development, see VS2005 for user-land.
• QAC, QAC-MISRA, QAC++ Coding style, metrics, dataflow, good enforcing of MISRA standards.
• Resource Standard Metrics
• Rough Auditing Tool for Security
• Security Reviewer 100+ Rules Specialized for C and C++ with up to 12 variants each and thousands of API covered. OWASP, CWE and MISRA standards. 200+ Quality Metrics. Besta Practices. SQALE dashboard.
• Smatch C source checker, used mainly for Linux kernel code.
• Sotograph
• Sparse (GPL)
• Stacktool
• Splint (GPL)
• Surveyor C/C++, Java, COBOL, VB/VB.NET, Tcl, ASP, others.
• Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
• Visual Studio 2005 Team Edition only.
• RapiTime WCET Analyzer
• Understand for C/C++ ANSI C, C++ and K&R C reverse source engineering, code navigation, and metrics tool.

C#[edit]

• AQtime
• CloneDR for C#2.0/3.0/4.0 Detects exact and near-miss duplicate code across large code bases.
• .TEST
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• Fortify Software See Fortify Source Code Analysis
• FxCop
• Lattix LDM - Architecture Management using Dependency Analysis
• LDRA Testbed
• NDepend - Architecture Management (Dependencies, Metrics, Build comparison)
• ReSharper
• Security Reviewer 500+ Rules Specialized for C# and thousands of API covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
• Source Monitor - Simple analytical tool displaying metrics such as complexity, depth, lines/method, methods/class among others. Nice use of Kiviat graph. (C#, VB, C++, among others)
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
• DevMetrics and DevAdvantage (Now open source)
• Compuware DevPartner Studio

COBOL[edit]

• CloneDR for COBOL Detects exact and near-miss duplicate code across large code bases.
• Security Reviewer 120+ Security Rules, 100+ Quality Mertics and SQALE for COBOL

Fortran[edit]

• CloneDR for Fortran 77/90/95 Detects exact and near-miss duplicate code across large code bases.
• FortranLint
• FTNCHEK
• Understand for FORTRAN FORTRAN 77, 90, 95 reverse source engineering, metrics and cross reference tool

HTML[edit]

• W3C Markup Validation Service

Java[edit]

• Agitator Dashboard
• AntiC
• Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
• Checkstyle
• CloneDR for Java Detects exact and near-miss duplicate code across large code bases.
• CMTJava - Complexity Measures Tool for Java
• ESC/Java - Extended Static Checking for Java
• ESC/Java2
• FindBugs-Find Bugs in Java Programs
• Fortify Software See Fortify Source Code Analysis
• Hammurapi
• JDepend
• Oracle JDeveloper - Code auditing framework and code metrics
• Jlint
• Jtest
• Kaveri (Indus) - Program Comprehension/Slicing Tool (Library) for Java
• Klocwork
• Lattix LDM - Architecture Management using Dependency Analysis
• Lint4j Static source code analysis with plugins for Maven, Ant and Eclipse
• PMD
• QAJ
• Refactorit
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• Security Reviewer 500+ Rules Specialized for JAVA and thousands of API and Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
• SofCheck Inspector for Java Static Error Detection of Java byte code with 100% path coverage
• SonarJ Light weight management of architecture and technical quality for Java projects
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Spoon - Spoon is a Java program processor that fully supports Java 5
• STAN - Eclipse integrated structure analysis for Java. Visualize design, understand code, measure quality, generate reports.
• Structure101 - Structural dependency analysis. Rate & analyze the quality of your software architecture.
• Surveyor - Java and many other languages
• Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
• TorqueWrench
• UCDetector - Unnecessary Code Detector, eclipse PlugIn to find unnecessary (dead) public java code
• Understand for Java reverse source engineering, code navigation, and metrics
• WALA T. J. Watson Libraries for Analysis

JavaScript[edit]

• JSLint - An online tool which you can also download and run from command line
• Javascript Lint - A lint like tool for javascript written in C/C++ and based on JavaScript engine for the Firefox browser.
• JavaScript Reporter - A static JavaScript analyzer/verifier.
• CloneDR for JavaScript Detects exact and near-miss duplicate code across large code bases.
• Fortify [2] - See Fortify Source Code Analysis.
• http://code.google.com/intl/de-DE/closure/compiler/
• jsmeter - Javascript code metrics through static analysis. Includes Cyclomatic Complexity, Halstead Metrics, Maintainability Index, etc...
• Security Reviewer 100+ Rules Specialized for JavaScript and 100+ of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.

JOVIAL[edit]

• Understand for JOVIAL reverse engineering, metrics, and cross referencing tool

Perl[edit]

• fluff
• Perl::Critic

PHP[edit]

• PHP executes a built-in basic Lint check when invoked with the -l switch. Example usage: for i in `find . -name \*.php`; do php -l $i | grep -v "No syntax errors"; done
• Copy/Paste Detector
• CloneDR for PHP4/PHP5 Detects exact and near-miss duplicate code across large code bases.
• Zend Studio IDE includes static code analysis for PHP, called the "Code Analyzer".
• ocProducts code quality checker
• Armorize CodeSecure - The first security appliance for PHP source code scanning with traceback support and Web 2.0 interface.
• PHPUnit
• PHP_CodeSniffer - Checks for coding standard violations.
• PHPLint - A validator and documentator for PHP 4 and PHP 5 programs
• PHP-SAT - Checks for bug patterns.
• Security Reviewer 500+ Rules Specialized for PHP and thousands of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
• Fortify Software See Fortify Source Code Analysis.

Python[edit]

• CloneDR for Python 2.6 Detects exact and near-miss duplicate code across large code bases.
• PyChecker
• Pyflakes
• PyLint
• Security Reviewer 200+ Rules Specialized for Python and tenths of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.

TCL[edit]

• Tcl Cruncher

Verilog & VHDL[edit]

• Spyglass by Atrenta
• RTL Analysis by Blue Pearl Software
• Hal by Cadence
• Leda by Synopsys

Visual Basic[edit]

• Aivosto Project Analyzer finds dead code and programming problems. It will also tell you which modules call which, and provide cyclomatic complexity metrics.
• AQtime
• Axivion Bauhaus Suite - Clone Detection
• CloneDR for VisualBasic (VBScript, VB6, VB.net) Detects exact and near-miss duplicate code across large code bases.
• Compuware DevPartner Studio
• Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
• Fortify Software See Fortify Source Code Analysis
• FxCop
• Lattix LDM - Architecture Management using Dependency Analysis
• Security Reviewer 500+ Rules Specialized for legacy VB and all fashions of VB.net with thousands of API covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
• Sotograph - Architecture and quality in-depth analysis and monitoring
• Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
• DevMetrics and DevAdvantage (Now open source)
• Compuware DevPartner Studio

Not language-specific[edit]

• PAG and PAG/WWW - The Program Analyzer Generator, not for a specific language, but for building analyzers.
• StackAnalyzer - Stack Usage Analysis.
• CodeHawk™
• DMS Software Reengineering Toolkit System for implementing custom static analysis tools, with many industrial strength parsers and flow analysis capabilities. Front ends for many langauges/dialects.

Unknown language[edit]

• Broadway
• SLAM
• BOON
• Kaylo

External links[edit]

• software Introspector Wikibook lists more software programs of this type.