https://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/

In this article, I have summarised some of the top static code analysis tools.

Can we ever imagine sitting back and manually reading each line of code to find flaws? To ease our work, several types of static analysis tools are available in the market which help to analyze the code during development and detect fatal defects early in the SDLC.

Such defects can be eliminated before the code is actually pushed for functional QA. A defect found later is always more expensive to fix.

Read this to get an idea of what can help you the most based on your needs –

This is the list of top source code analysis tools for different languages.


40 Best Static Code Analysis Tools

Here we go.


#1) Veracode

Veracode is a static analysis tool built on the SaaS model. It is mainly used to analyze code from a security point of view. It works on binary code/byte code and hence ensures 100% test coverage. This tool proves to be a good choice if you want to write secure code.

Website Link: Veracode

******

#2) RIPS Technologies

RIPS is the only code analysis solution dedicated to the PHP language. It detects the most complex security vulnerabilities deeply nested within the PHP code that no other tools are able to find.

It supports all major PHP frameworks, SDLC integration and relevant industry standards, and can be deployed as self-hosted software or used as a cloud service. With its high accuracy and very few instances of false positive noise, RIPS is the ideal choice for analyzing PHP applications.

Website link: RIPS Technologies

******

#3) PVS-Studio

PVS-Studio is a tool for detecting bugs and weaknesses in the source code of programs written in C, C++ and C#. It works in Windows and Linux environments.

It can be integrated into Visual Studio and other widespread IDEs. The results of the analysis can be imported into SonarQube.

Website Link: Visit PVS-Studio

******

#4) Kiuwan

Kiuwan is a SAST and SCA platform with the largest technology coverage and integrations in the market. With a DevSecOps approach, Kiuwan achieves outstanding benchmark scores (OWASP, NIST, CWE, etc.) and offers a wealth of features that go beyond static analysis, catering to every stakeholder in the SDLC.

Website Link: Visit Kiuwan Code Security

******

#5) Parasoft

Parasoft is, no doubt, one of the best tools for static analysis testing. It is slightly different from other static analysis tools because of its ability to support various types of static analysis techniques like pattern-based, flow-based, third-party analysis, and metrics and multivariate analysis. Another good thing about the tool is that besides identifying defects, it provides a feature which helps prevent defects.

Website Link: Parasoft

******

#6) Gamma

Gamma is an intelligent software analytics platform, developed by Acellere. It supports developers and teams in building higher quality software in less time, by speeding up code reviews.

It automatically prioritises hotspots in the code and provides clear visualizations. With its multi-vector diagnostic technology, it analyses software from multiple lenses, including software design, and enables companies to manage and improve their software quality transparently.

Visit Website: Gamma

******

#7) HP Fortify SCA

Fortify is a tool from HP which lets a developer build error-free and secure code. It can be used by development and security teams working together to find and fix security-related issues. While scanning the code, it ranks the issues found and ensures the most critical ones are fixed first.

Website Link: HP Fortify SCA

******

#8) SnappyTick

SnappyTick is easy to set up and cost-effective for application security. It scans source code quickly and delivers reliable results with a low false positive rate. It is used by development groups and security professionals to analyze the source code of an application for security vulnerabilities.

SnappyTick is a standalone, platform-independent application, so the user can run it on any operating system of their choice. It covers OWASP Top 10, SANS 25 and CWE. SnappyTick Static Analysis supports 15+ widely used languages.

Visit the website: SnappyTick

******

#9) Coverity

Coverity Scan is an open source cloud based tool. It works for projects written in C, C++, Java, C# or JavaScript. This tool provides a very detailed and clear description of the issues found, which helps in faster resolution. A good choice if you are looking for an open source tool.

Website Link: Coverity

******

#10) CAST

An automated tool which can be used to analyze more than 50 languages and works excellently regardless of the size of the project. In addition, it provides a dashboard to users which helps in measuring quality and productivity.

Website Link: CAST

******

#11) CodeSonar

A static analysis tool by GrammaTech which not only lets a user find programming errors but also helps in finding domain-related coding errors. It allows customizing checkpoints, and its built-in checks can be configured as per the requirement. Overall, a great tool to detect security vulnerabilities, and its ability to do deep static analysis makes it stand out from the rest of the static analysis tools available in the market.

Website Link: CodeSonar

******

#12) Understand

Just like its name, this tool lets the user UNDERSTAND code by analyzing, measuring, visualizing and maintaining it. It allows quick analysis of massive code bases. It is mainly used in the aerospace and automotive industries. It supports major languages like C/C++, Ada, COBOL, FORTRAN, Pascal and Python, as well as web languages.

Website Link: Understand

******

#13) Checkmarx

A security analysis tool which lets users scan uncompiled code and find vulnerabilities early, during the design phase itself. The tool supports incremental scanning: the first run does a full scan, and later runs scan only the areas which have changed. This effectively performs regression and retest automatically, and saves time by reducing the amount of scanning required in consecutive runs.

Website Link: Checkmarx

******

#13) Clang Static Analyzer

This is an open source tool which can be used to analyze C and C++ code. It is built on the Clang library, hence it forms a reusable component which can be used by multiple clients.

Website Link: Clang Static Analyzer

******

#14) CppDepend

A very easy-to-use tool when compared to other static analysis tools. As the name suggests, it is used to analyze C/C++ code. It supports different code quality metrics, provides a facility to monitor trends, has an add-in to integrate with Visual Studio, allows writing custom queries and comes with a very good diagnostic facility.

Website Link: CppDepend

#15) Klocwork

Apart from finding semantic and syntax errors, this tool also lets the user detect vulnerabilities in the code. It is well integrated with many common IDEs like Eclipse, Visual Studio and IntelliJ IDEA. It can run in parallel with code creation: it does a line-by-line check and provides a feature for addressing defects immediately.

Website Link: Klocwork

#16) Cppcheck

Another free static analysis tool for C/C++. The good thing about this tool is its integration with several other development tools like Eclipse, Jenkins, CLion, Visual Studio and many more. Its installer can be found at sourceforge.net.

Website Link: Cppcheck

#17) Programming Research (PR QA)

PR QA is an excellent static analysis testing tool for C and C++ code. The tool comes with a single installer and supports platforms like Windows 7, Linux RHEL 5 and Solaris 10. It gives very clear diagnostics which help in identifying the root cause and fixing defects quickly.

Website Link: Programming Research (PR QA)

#18) Goanna

A security static analysis tool for C/C++ which allows integration with Microsoft Visual Studio, Eclipse, Texas Instruments Code Composer and many more IDEs. It can be run like a compiler and hence allows analyzing file-level details in addition to whole projects. It also has an excellent error reporting feature.

Website Link: Goanna

#19) Polyspace

Polyspace Bug Finder helps in finding defects in C/C++ code; it is integrated with Eclipse and also supports coding rule standards like MISRA C, MISRA C++ and JSF++.

Website Link: Polyspace

#20) Sourcemeter

A tool which helps in analyzing C/C++, Java, C#, RPG and Python code. Another good thing about this tool is that it allows integration with free static checker tools like Cppcheck, PMD and FindBugs. The basic version of this tool is free but comes with fewer features. Based on your needs, you can decide whether the free version satisfies the requirement or not.

Website Link: Sourcemeter

#21) ConQAT

An excellent tool which can be used for clone detection. It supports multiple languages, allows integration with other static analysis tools, and provides a dashboard which shows details of the issues found and other quality metrics.

Website Link: ConQAT

#22) JArchitect

An excellent tool which makes analyzing Java code simpler and easier. It supports code queries over LINQ, provides a number of code metrics, allows code comparison between builds and comes with a very good customizable reporting feature.

Website Link: JArchitect

#23) OCLint

A standalone tool used for analyzing C/C++ and Objective-C programs; it supports Linux and Mac OS X platforms. It does everything a static analysis tool is expected to do, like finding bugs, unused code and redundant code, and in addition it comes with a highly customizable configuration which lets users tailor it to their needs.

Website Link: OCLint

#24) Watchtower

This tool is mainly used by security specialists who want to perform manual code reviews. It works best on the local system but can also scan remote web sites. It maintains an extensive configuration file, so different reporting options can be configured, and creating alternate config files helps in running multiple projects simultaneously.

Website Link: Watchtower

#25) OWASP Code crawler

A static analysis tool for .NET and Java/J2EE code.

Website Link: OWASP Code crawler

#26) OWASP Orizon

A tool which can be used by security specialists to perform code reviews from a security point of view. It also provides a set of APIs which can be integrated with security tools to provide code review services.

Website Link: OWASP Orizon

#27) PC-Lint and Flexe Lint

Static analysis tools which are used to test C/C++ source code. PC-Lint works on Windows, whereas Flexe Lint is designed for non-Windows operating systems and runs on any system that supports a C compiler, including UNIX.

Website Link: PC-Lint and Flexe Lint

#28) IBM Rational Software analyzer

IBM Rational provides users with different types of tools; one such tool is the Software Analyzer, which can be used for static analysis of code. It is designed on an extensible framework and integrates well with other Rational products.

Website Link: IBM Rational Software analyzer

Other Tools

#29) Eclair

This static analysis tool is very flexible and easily configurable and supports almost all platforms, like Windows, UNIX, Linux and Mac OS X. It can verify conformance against a number of coding standards, including proprietary and project-based standards.

Website Link: Eclair

#30) SonarQube

It is an open source web-based tool covering more than 20 languages, and it also supports a number of plug-ins.

Website Link: SonarQube

#31) Rosecheckers

If you are looking for a tool to ensure the developed code is compliant with CERT coding rules, you can opt for Rosecheckers. It is available for free on SourceForge. It checks C/C++ code and sometimes finds problems which other static analysis tools cannot find, but it cannot be considered a full-grown standalone tool, since it is only a prototype and cannot test everything.

Website Link: Rosecheckers

#32) Frama-c

An open source tool for the analysis of C code which comes with a very flexible framework.

Website Link: Frama-c

#33) Semmle

An open source security analysis tool for Java and C code.

Website Link: Semmle

#34) PMD

PMD is an open source code analyzer for C/C++, Java and JavaScript. It is a simple tool and can be used to find common flaws. It also detects duplicate code in Java.

Website Link: PMD

#35) FindBugs

A free tool to find bugs in Java code. It supports any version of Java but requires JRE (or JDK) 1.7.0 or later to run.

Website Link: FindBugs

#36) IBM Appscan Source

This is used to identify vulnerabilities early in the SDLC. It also supports mobile scanning.

Website Link: IBM Appscan Source

#37) Flawfinder

This is an open source tool mainly used to find security vulnerabilities in C/C++ programs. It can be downloaded, installed and run on UNIX-like systems.

Website Link: Flawfinder

#38) Splint

An open source static and security analysis tool for C programs. It comes with only basic features by default, but if additional annotations are added to the code, it can perform like any other standard tool.

Website Link: Splint

#39) Hfcca

Header-Free Cyclomatic Complexity Analyser is a tool which performs analysis without caring about C/C++ headers or Java imports. It is simple to use and doesn't require installation. It can be used for C/C++, Java and Objective-C.

Website Link: Hfcca

#40) Cloc

This utility, written in Perl, counts blank lines, comment lines and physical lines of source code, and supports multiple languages. Overall, an easy-to-use tool with good features: it provides output in multiple formats, runs on multiple systems and comes with an easy installation package.

Website Link: Cloc

#41) SLOCCount

An open source tool which lets the user count physical source lines of code in multiple languages and on multiple platforms.

Website Link: SLOCCount

#42) JSHint

This is a free tool which supports static analysis of JavaScript.

Website Link: JSHint

Conclusion

Above is a summary of some selected good static code analysis tools. Since covering all the available tools in one article isn't possible, I am now putting the ball in your court: feel free to bring up any tool you think is a good one for static analysis.
