List of tools for static code analysis

Last updated

This is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).

Contents

Static code analysis tools

ToolLatest release Free software Supported languages Notes
Ada C, C++, C#, Objective-C JVM JavaScript, TypeScript .NET, VB.NET Python Other languages
AdaControl 2021-09-21 (1.22r15)Yes; GPLv2 AdaA tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety related rules, and support for various manual inspections. Features automatic fixing of violations.
Apache Yetus 2020-12-17 (0.13.0)Yes; ASL 2 C, C++ Java Python Perl, Ruby, Shell, XML A collection of build and release tools. Included is the 'precommit' module that is used to execute full and partial/patch CI builds that provides static analysis of code via other tools as part of a configurable report. Built-in support may be extended with plug-ins.
Astrée 2021-10 (21.10)No; proprietaryCFinds all potential runtime errors and data races by abstract interpretation, can prove their absence, and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics and automotive). Includes MISRA checker.
BLAST (retired)2015-10-30 (2.7.3)Yes; ASL 2 CAn open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker. [1] ).
Clang 2024-04-12 (18.1.3)Yes; ASL 2 with LLVM ExceptionsC, C++, Objective-CAn open-source compiler that includes a static analyzer. As of version 3.2, this analyzer is included in Xcode. [2] [3]
Coccinelle 2021-09-06 (1.1.1)Yes; GPLv2 CAn open-source source code pattern matching and transformation.
Code Dx No; proprietaryC, C++, C#Java, JSP, Scala JavaScriptVB.NETPythonPHP, Rails, Ruby, XML [4] Software application vulnerability correlation and management system that uses multiple SAST and DAST tools, as well as the results of manual code reviews. Can calculate cyclomatic complexity.
CodePeer 2021-05-07 (21)No; proprietaryAdaAn advanced static analysis tool that detects potential run-time logic errors in Ada programs.
CodeScene 2023-10-13

(6.3.5)

No; proprietaryC, C++, C#, Objective-CJava, Groovy, ScalaJavaScript, TypeScriptVB.NETPythonSwift, Go, PHP, RubyBehavioral analysis of code. Helps identify, prioritize, and manage technical debt. Measures organizational aspects of developer teams. Automated pull request integrations.
CodeQL 2023-02-07 (CLI: 2.12.2)No; proprietaryC, C++, C#Java, KotlinJavaScript, TypeScript.NETPythonGo, RubyA code searching tool with an emphasis on finding software bugs. Search patterns are written in a query language which can search the AST and graphs (CFG, DFG, etc.) of supported languages. A plugin is available for Visual Studio.
ConQAT (retired)2015-02-01Yes; ASL 2 AdaC#, C++JavaJavaScriptABAPContinuous quality assessment toolkit that allows flexible configuration of quality analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards.
Coverity 2023-04-29 (2022.12) [5] No; proprietaryC, C++, C#, Objective-CJavaJavaScript, TypeScriptPythonRuby, PHPMulti-language tool for security and quality issues. Supports compliance standards (MISRA, ISO 26262 and others). Free to use for open-source projects.
ECLAIR 2021-07-15 (3.11) [6] No; proprietaryC, C++Multi-language tool for software verification. Applications range from coding rule validation, to automatic generation of testcases, to the proof of absence of run-time errors or generation of counterexamples, and to the specification of code matchers and rewriters based both syntactic and semantic conditions. Supports compliance standards (MISRA, Embedded C Coding Standard and others).
CPAchecker 2022-01-24 (2.1.1)Yes; ASL 2 CA configurable software verification tool for execution path checking of C.
Cppcheck 2023-09-10 (2.12)Yes; GPLv3 C, C++Open-source tool that checks for several types of errors, including use of STL. MISRA support is being added.
Cppdepend 2023-03-01 (2023.1) [7] No; proprietaryC, C++Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code.
Cpplint 2020-07-29Yes; CC-BY-3.0 [8] C++An open-source tool that checks for compliance with Google's style guide for C++ coding.
Fluctuat 2001No; proprietaryAda95C Abstract interpreter for the validation of numerical properties of programs.
Frama-C 2022-06-21Yes; LGPL v2.1, BSD, QPL CAn open-source extensible analysis framework for C with several analyzers and a specification language common to all of them. Includes analyses based on abstract interpretation, deductive verification and runtime monitoring.
GrammaTech CodeSonar 2020-06-01 (5.3)No; proprietaryC, C++, Objective-CJavaDefect detection (buffer overruns, memory leaks, etc.), concurrency and security checks, architecture visualization and software metrics.
GCC 2023-4-26 (13.1)Yes; GPLv3+ with GCC Runtime Library ExceptionCCompiling with -fanalyzer flag (available from GCC 10) enables the static analyzer functionality [9]
HCL Security AppScan Source2020-12-01 (10.0.3)No; proprietaryC, C++Java, JSPJavaScript.NETPythonColdFusion, ASP, PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, COBOLAnalyzes source code to identify security vulnerabilities while integrating security testing with software development processes and systems.
Helix QAC 2023-04 (2023.1)No; proprietaryC, C++Formerly PRQA QA·C and QA·C++, deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support.
Infer Static Analyzer 2021-03-26 (1.1.0)Yes; MIT C, C++, Objective-CJavaTargets null pointer problems, leaks, concurrency issues and API usage for Facebook's mobile apps. Available as open source on GitHub. Sometimes referred as Facebook Infer.
Imagix 4D 2020-10-01 (10.1.0)No; proprietaryC, C++JavaWindows and Linux versions.
Kiuwan 2020-07-22No; proprietaryC, C++, C#, Objective-CJava, JSPJavaScriptVB.NETABAP, COBOL, PHP, PL/SQL, T-SQL, SQL, Visual Basic, Android Software Analytics end-to-end platform for static code analysis and automated code review. It covers defect detection, application security & IT Risk Management, with enhanced life cycle and application governance features. Support for over 20 languages.
Klocwork 2023-04-04 (2023.1)No; proprietaryC, C++, C#JavaJavaScriptPythonKotlinProvides security vulnerability, standards compliance (MISRA, ISO 26262 and others), defect detection and build-over-build trend analysis
LDRA Testbed 2021-05-07 (v9.8.6)No; proprietaryAda83, Ada95C, C++Assembler (Intel, Freescale, Texas Instruments)A software analysis and testing tool suite, that performs static analysis, standards enforcement (eg. MISRA C/C++), dynamic analysis, unit testing and requirements traceability.
Lint 1978-07-26Yes; permissive BSD-like [10] CThe original, from 1978, static code analyzer for C.
MALPAS No; proprietaryAdaCPascal, Assembler (Intel, PowerPC and Motorola)A software static analysis toolset for a variety of languages. Used primarily for safety critical applications in Nuclear and Aerospace industries.
Moose 2021-01-21 (7.0.3)Yes; MIT C, C++Java.NETSmalltalkMoose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve to a more generic data analysis platform.
NDepend 2022-03-16 (2022.1) [11] No; proprietaryC# VB.NET .NETSimplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions. Integrates into Visual Studio.
.NET Compiler Platform (Roslyn)2020-12-08 (3.8.0)Yes; MIT C#VB.NETOpen-source compiler framework for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and manipulating syntax. FxCop rules were implemented into Roslyn.
Parasoft C/C++test 2020-11-12 (2020.2)No; proprietaryC, C++A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
PC-lint Plus 2022-08-02 (2.0 Beta 2)No; proprietaryC, C++A static analysis tool used to detect a wide range of defects, identify suspicious code, enforce various coding standards (MISRA/AUTOSAR/etc), calculate and report complex metrics, and implement user-defined checks.
PMD 2023-2-25 (6.55.0)Yes; BSD-likeC, C++Java, JSPJavaScript ColdFusion, PHP duplicate code detection (e.g.) [12] code.
Polyspace No; proprietaryAdaC, C++Uses abstract interpretation to detect and prove the absence of certain run time errors and dead code in source code as well as used to check all MISRA (2004, 2012) rules (directives, non directives).
Pretty Diff 2019-04-21 (101.0.0)Yes; CC0 JavaScript, TypeScriptMarkup, script and style languages (like XML, CSS)A language-specific code comparison tool that features language-specific analysis reporting in addition to language-specific minification and beautification algorithms.
PVS-Studio 2021-10-07 (7.15)No; proprietaryC, C++, C++/CLI, C++/CX, C#JavaA software analysis tool.
Qodana 2023-07-23 (2023.2)No; proprietaryC#Java, KotlinJavaScript, TypeScriptVB.NETPythonGo, HTML, PHP, CSS, Android, Vue.jsA code quality analysis tool that uses static code analysis.
RIPS 2020-02-17 (3.4)No; proprietaryJavaPHPA static code analysis solution with many integration options for the automated detection of complex security vulnerabilities.
SAST Online 2022-03-07 (1.1.0)No; proprietaryJava Kotlin, APK Check the Android Source code thoroughly to uncover and address potential security concerns and vulnerabilities. Static application security testing (Static Code Analysis) tool Online
Semgrep 2024-03-28 (1.67.0)Yes; LGPL v2.1 JavaJavaScript, TypeScriptPythonGo, JSON, Ruby, language-agnostic modeA static analysis tool that helps expressing code standards and surfacing bugs early. It also has experimental support for eleven other languages. A CI service and a rule library is also available.
Sider 2021-02-02No; proprietaryJavaScript, CoffeeScriptPythonRuby, PHP, GoStatic code analysis based automated code review tool working on GitHub and GitLab. Checks style, quality, dependencies, security and bugs. It integrates a number of open source static analysis tools.
SLAM project 2010-07-14No; proprietaryCA project of Microsoft Research for checking that software (drivers) satisfies critical behavioral properties of the interfaces it uses.
SofCheck Inspector, Codepeer2020-08-24 (21.x)No; proprietaryAdaJavaStatic detection of logic errors, race conditions, and redundant code. automatically extracts pre-postconditions from code.
SonarQube 2024-02-05 (10.4)Partly; framework is LGPL v3.0, but some features can be proprietaryC, C#, C++, Objective-CJava, Kotlin, ScalaJavaScript, TypeScriptVB.NETPythonABAP, Apex, CSS, COBOL, Flex, Go, HTML, PHP, PLI, PL/SQL, Ruby, Swift, TSQL, Visual Basic 6, XMLA continuous inspection engine that finds vulnerabilities, bugs and code smells. Also tracks code complexity, unit test coverage and duplication. Offers branch analysis and C/C++/Objective-C support via commercial licenses.
SourceMeter 2016-12-16 (8.2)No; proprietaryC, C++JavaPythonRPG IV (AS/400)A platform-independent, command-line static source code analyzer. Integrates with PMD and SpotBugs.
Sourcetrail (retired)2021-04 (2021.4.19)Yes; GPL C, C++JavaPythonPerlAn open-source source code explorer that provides interactive dependency graphs and supports multiple programming languages.
Sparse 2021-09-06 (0.6.4)Yes; MIT CGCC extensionsAn open-source tool designed to find faults in the Linux kernel.
Splint 2007-07-12 (3.1.2)Yes; GPLv2 CAn open-source tool statically checking C programs for security vulnerabilities and coding mistakes.
StyleCop 2016-05-02 (2016.1.0)Yes; Ms-PL C#.NETAnalyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project.
Squore 2020-11-27 (20.1)No; proprietaryAdaC, C++, C#, Objective-CJavaJavaScript, TypeScriptVB.NETPythonFortran, PHP, PL/SQL, Swift, T-SQL, XAMLA multi-purpose and multi-language monitoring tool for software projects. It integrates with other scanners.
Understand 2023-01-19 (6.3)No; proprietaryAdaC, C++, C#, Objective-CJavaJavaScriptPythonFORTRAN, Jovial, Pascal, VHDL, HTML, PHP, XMLA multi-platform tool for code analysis and comprehension of large code bases. Can recognize multiple dialects of C, C++ and C# like ANSI, K&R and Objective C++.
Visual Expert 2021-09-10No; proprietaryPowerBuilder, Oracle PL/SQL, SQL Server Transact-SQL (T-SQL)Continuous Code inspection, reports on quality and security issues, helps understand complex code (cross-references, source code documentation, code comparison, code performance analysis).
Visual Studio 2021-10-12 (16.11)No; proprietaryC, C++, C#VB.NETAn IDE that provides static code analysis for C/C++ both in the editor environment and from the compiler command line. Also includes the .NET Compiler Platform (Roslyn) which provides C# and VB.NET analysis.
Yasca (retired)2010-11-01 (2.21)Yes; multiple licensesC, C++JavaJavaScriptASP, PHP, HTML, CSS, ColdFusion, COBOL Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins. It integrates with other scanners, including FindBugs, PMD, and Pixy.
ToolReleaseFree softwareSupported languagesNotes

Languages

Ada

C, C++

C#

IEC 61131-3

Java

ToolLatest release Free software Duplicate
code 		Notes
Checkstyle 2020-01-26Yes;  LGPL NoBesides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed [13] from Checkstyle.
Eclipse 2017-06-28Yes; EPL NoCross-platform IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD.
FindBugs 2015-03-06Yes; LGPL Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community.
IntelliJ IDEA 2021-04-06Yes; ASL 2 YesA leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD.
JArchitect 2017-06-11No; proprietarySimplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code.
Jtest 2019-05-21No; proprietaryYesTesting and static code analysis product by Parasoft.
Soot 2020-10-28Yes; LGPL A language manipulation and optimization framework consisting of intermediate languages.
PMD 2021-01-30Yes; BSD License YesStatic code analyzer with support for plugins, including CPD. PMD supports checking of several languages.
Squale 2011-05-26Yes; LGPL A platform to manage software quality.
ThreadSafe 2014-03-28No; proprietaryA static analysis tool focused on finding concurrency bugs.

JavaScript

Objective-C, Objective-C++

Opa

Packaging

Perl

PL/SQL

PowerBuilder, PowerScript

Python

Transact-SQL

Tools with duplicate code detection

Formal methods tools

Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.

See also

Related Research Articles

An integrated development environment (IDE) is a software application that provides comprehensive facilities for software development. An IDE normally consists of at least a source-code editor, build automation tools, and a debugger. Some IDEs, such as IntelliJ IDEA, Eclipse and Lazarus contain the necessary compiler, interpreter or both; others, such as SharpDevelop and NetBeans, do not.

In computer science, static program analysis is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution in the integrated environment.

<span class="mw-page-title-main">Debugger</span> Computer program used to test and debug other programs

A debugger or debugging tool is a computer program used to test and debug other programs. The main use of a debugger is to run the target program under controlled conditions that permit the programmer to track its execution and monitor changes in computer resources that may indicate malfunctioning code. Typical debugging facilities include the ability to run or halt the target program at specific points, display the contents of memory, CPU registers or storage devices, and modify memory or register contents in order to enter selected test data that might be a cause of faulty program execution.

<span class="mw-page-title-main">WebObjects</span> Java web application server and framework originally developed by NeXT Software

WebObjects is a discontinued Java web application server and a server-based web application framework originally developed by NeXT Software, Inc.

A programming tool or software development tool is a computer program that software developers use to create, debug, maintain, or otherwise support other programs and applications. The term usually refers to relatively simple programs, that can be combined to accomplish a task, much as one might use multiple hands to fix a physical object. The most basic tools are a source code editor and a compiler or interpreter, which are used ubiquitously and continuously. Other tools are used more or less depending on the language, development methodology, and individual engineer, often used for a discrete task, like a debugger or profiler. Tools may be discrete programs, executed separately – often from the command line – or may be parts of a single large program, called an integrated development environment (IDE). In many cases, particularly for simpler use, simple ad hoc techniques are used instead of a tool, such as print debugging instead of using a debugger, manual timing instead of a profiler, or tracking bugs in a text file or spreadsheet instead of a bug tracking system.

<span class="mw-page-title-main">PMD (software)</span>

PMD is an open source static source code analyzer that reports on issues found within application code. PMD includes built-in rule sets and supports the ability to write custom rules. PMD does not report compilation errors, as it only can process well-formed source files. Rather, PMD is designed to detect inefficient code or bad programming habits, which can reduce the performance and maintainability of the program if they accumulate. It can analyze files written in Java, JavaScript, Apex and Visualforce, PLSQL, Apache Velocity, XML, and XSL.

This is an alphabetical list of articles pertaining specifically to software engineering.

<span class="mw-page-title-main">Call graph</span> Structure in computing

A call graph is a control-flow graph, which represents calling relationships between subroutines in a computer program. Each node represents a procedure and each edge (f, g) indicates that procedure f calls procedure g. Thus, a cycle in the graph indicates recursive procedure calls.

The Apple Developer Tools are a suite of software tools from Apple to aid in making software dynamic titles for the macOS and iOS platforms. The developer tools were formerly included on macOS install media, but are now exclusively distributed over the Internet. As of macOS 10.12, Xcode is available as a free download from the Mac App Store.

Coding conventions are a set of guidelines for a specific programming language that recommend programming style, practices, and methods for each aspect of a program written in that language. These conventions usually cover file organization, indentation, comments, declarations, statements, white space, naming conventions, programming practices, programming principles, programming rules of thumb, architectural best practices, etc. These are guidelines for software structural quality. Software programmers are highly recommended to follow these guidelines to help improve the readability of their source code and make software maintenance easier. Coding conventions are only applicable to the human maintainers and peer reviewers of a software project. Conventions may be formalized in a documented set of rules that an entire team or company follows, or may be as informal as the habitual coding practices of an individual. Coding conventions are not enforced by compilers.

<span class="mw-page-title-main">Comment (computer programming)</span> Explanatory note in the source code of a computer program

In computer programming, a comment is a programmer-readable explanation or annotation in the source code of a computer program. They are added with the purpose of making the source code easier for humans to understand, and are generally ignored by compilers and interpreters. The syntax of comments in various programming languages varies considerably.

<span class="mw-page-title-main">FindBugs</span> Software that finds possible errors in Java programs

FindBugs is an open-source static code analyser created by Bill Pugh and David Hovemeyer which detects possible bugs in Java programs. Potential errors are classified in four ranks: (i) scariest, (ii) scary, (iii) troubling and (iv) of concern. This is a hint to the developer about their possible impact or severity. FindBugs operates on Java bytecode, rather than source code. The software is distributed as a stand-alone GUI application. There are also plug-ins available for Eclipse, NetBeans, IntelliJ IDEA, Gradle, Hudson, Maven, Bamboo and Jenkins.

<span class="mw-page-title-main">Yasca</span>

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS to scan specific file types, and also contains many custom scanners developed for Yasca. It is a command-line tool that generates reports in HTML, CSV, XML, MySQL, SQLite, and other formats. It is listed as an inactive project at the well-known OWASP security project, and also in a government software security tools review at the U.S Department of Homeland Security web site.


The Wing Python IDE is a family of integrated development environments (IDEs) from Wingware created specifically for the Python programming language, with support for editing, testing, debugging, inspecting/browsing, and error-checking Python code.

<span class="mw-page-title-main">SonarQube</span> Open-source platform for continuous inspection of code quality

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and code smells on 29 programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security recommendations.

Polyspace is a static code analysis tool for large-scale analysis by abstract interpretation to detect, or prove the absence of, certain run-time errors in source code for the C, C++, and Ada programming languages. The tool also checks source code for adherence to appropriate code standards.

<span class="mw-page-title-main">SourceMeter</span> Source code analyzer tool

SourceMeter is a source code analyzer tool, which can perform deep static program analysis of the source code of complex programs in C, C++, Java, Python, C#, and RPG (AS/400). FrontEndART has developed SourceMeter based on the Columbus technology researched and developed at the Department of Software Engineering of the University of Szeged.

Visual Expert is a static code analysis tool, extracting design and technical information from software source code by reverse-engineering, used by programmers for software maintenance, modernization or optimization.

Infer, sometimes referred to as "Facebook Infer", is a static code analysis tool developed by an engineering team at Facebook along with open-source contributors. It provides support for Java, C, C++, and Objective-C, and is deployed at Facebook in the analysis of its Android and iOS apps.

References

  1. "CPAchecker". 2015-02-08.
  2. "Static Analysis in Xcode". Apple. Archived from the original on 2009-09-05. Retrieved 2009-09-03.
  3. "Running the analyzer within Xcode". Archived from the original on 5 December 2021. Retrieved 14 January 2022.
  4. "Supported Application Security Testing Tools and Languages". codedx.com. Retrieved Apr 25, 2017.
  5. "Coverity Scan website" . Retrieved 2023-08-23.
  6. "ECLAIR website" . Retrieved 2021-10-07.
  7. "CppDepend what's new". cppdepend.com. Retrieved 1 March 2023.
  8. "Readme.md of Google Style Guides". GitHub. Retrieved 8 November 2021.
  9. Malcolm, David (2020-03-26). "Static analysis in GCC 10". Red Hat Developer. Retrieved 2022-04-13.
  10. "UNIX is free!". lemis.com. 2002-01-24.
  11. "NDepend what's new". ndepend.com. Retrieved 15 June 2022.
  12. "PMD - Browse /pmd/5.0.0 at SourceForge.net" . Retrieved Dec 9, 2012.
  13. "Remove StrictDuplicateCodeCheck and whole package · Issue #523 · checkstyle/Checkstyle". GitHub .
  14. "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
  15. "Visual Expert for Oracle - PL/SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
  16. "Visual Expert for SQL Server - Transact SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
  17. Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007). IEEE International Conference on Software Engineering and Formal Methods. pp. 135–140. doi:10.1109/SEFM.2007.42. ISBN   978-0-7695-2884-7. S2CID   67212.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.