Liste von Werkzeugen zur statischen Codeanalyse

• Lint — The original static code analyzer of C code.

• Copy/Paste Detector (CPD) — PMDs duplicate code detection for (e.g.) Java, JSP, C, C++ and PHP code.
• Yasca — Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.

• FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
• Gendarme — Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, particularly those that contain code in ECMA CIL format.
• OWASP_O2_Platform — Creates a static representation of C# or VB.NET source-code and performs/visualizes its Taint Analysis. Allows the detection of typical Source-Sink vulnerablities and the scripting of complex code/data-flows vulnerabilities.
• StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

• Apparat — A language manipulation and optimization framework consisting of intermediate representations for ActionScript.

• BLAST (Berkeley Lazy Abstraction Software verification Tool) — A software model checker for C programs based on lazy abstraction.
• Clang — A compiler that includes a static analyzer.
• Frama-C — A static analysis framework for C.
• Lint — The original static code analyzer for C.
• Sparse — A tool designed to find faults in the Linux kernel.
• Splint — An open source evolved version of Lint (for C).

• cppcheck — Open-source tool that checks for several types of errors, including the use of STL.

• Checkstyle — Besides some static code analysis, it can be used to show violations of a configured coding standard.
• FindBugs — An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
• Hammurapi — (Free for non-commercial use only) versatile code review solution.
• PMD — A static ruleset based Java source code analyzer that identifies potential problems.
• Sonar — A continuous inspection engine to manage the technical debt (unit tests, complexity, duplication, design, comments, coding standards and potential problems).
• Soot — A language manipulation and optimization framework consisting of intermediate languages for Java.
• Squale — A platform to manage software quality (also available for other languages, using commercial analysis tools though).

• Closure Compiler — JavaScript optimizer that rewrites JavaScript code to make it faster and more compact. It also checks your usage of native javascript functions.
• JSLint — JavaScript syntax checker and validator.

• Clang — The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.^[1]

• Axivion Bauhaus Suite — A tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
• Black Duck Suite — Analyze the composition of software source code and binary files, search for reusable code, manage open source and third-party code approval, honor the legal obligations associated with mixed-origin code, and monitor related security vulnerabilities.
• CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, Siebel, .NET, Java, C/C++, Struts, Spring, Hibernate and all major databases.
• Coverity Prevent — Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
• DMS Software Reengineering Toolkit — Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
• Compuware DevEnterprise — Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
• Fortify — Helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL, python and COBOL as well as configuration files.
• GrammaTech CodeSonar — Analyzes C,C++.
• Imagix 4D — Identifies problems in variable usage, task interaction and concurrency, particularly in embedded applications, as part of an overall solution for understanding, improving and documenting C, C++ and Java software.
• JustCode — Code analysis and refactoring productivity tool for JavaScript, C#, Visual Basic.NET, and ASP.NET
• Klocwork Insight — Provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
• Lattix, Inc. LDM — Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
• LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
• Micro Focus (formerly Relativity Technologies) Modernization Workbench — Parsers included for COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), PL/I, Natural (inc. ADABAS), Java, Visual Basic, RPG, C & C++ and other legacy languages; Extensible SDK to support 3rd party parsers. Supports automated Metrics (including Function Points), Business Rule Mining, Componentisation and SOA Analysis. Rich ad hoc diagramming, AST search & reporting)
• Ounce Labs (from 2010 IBM Rational Appscan Source) — Automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET and VB.Net.
• Parasoft — Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security^[2], compliance^[3], and defect prevention.
• Polyspace — Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
• PVS-Studio — static analyzer that detects errors in source code of C/C++/C++0x applications. There are 3 sets of rules included into PVS-Studio: diagnosis of 64-bit errors (Viva64), diagnosis of parallel errors (VivaMP) and general-purpose diagnosis.
• Rational Software Analyzer — Supports Java, C/C++ (and others available through extensions)
• SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Java and Ada. Provides automated extraction of pre/postconditions from code itself.
• Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
• Syhunt Sandcat — Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
• Understand — Analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi, VHDL, HTML, CSS, PHP, and JavaScript — reverse engineering of source, code navigation, and metrics tool.
• Veracode — Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, and PHP.
• Visual Studio Team System — Analyzes C++,C# source codes. only available in team suite and development edition.

Products covering multiple .NET languages.

• CodeIt.Right — Combines Static Code Analysis and automatic Refactoring to best practices which allows automatically correct code errors and violations. Supports both C# and VB.NET.
• CodeRush — A plugin for Visual Studio, it addresses a multitude of short comings with the popular IDE. Including alerting users to violations of best practices by using static code analysis.
• JustCode — Add-on for Visual Studio 2005/2008/2010 for real-time, solution-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML and multi-language solutions.
• NDepend — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
• ReSharper — Add-on for Visual Studio 2003/2005/2008/2010 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.

• Ada-ASSURED — A tool that offers coding style checks, standards enforcement and pretty printing features.
• AdaCore CodePeer — Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
• LDRA Testbed — A software analysis and testing tool suite for Ada83/95.
• SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Ada. Provides automated extraction of pre/postconditions from code itself.

• Green Hills Software DoubleCheck — A software analysis tool for C/C++.
• LDRA Testbed — A software analysis and testing tool suite for C/C++.
• PC-Lint — A software analysis tool for C/C++.
• QA-C (and QA-C++) — Deep static analysis of C/C++ for quality assurance and guideline enforcement.
• Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.

• Jtest — Testing and static code analysis product by Parasoft.
• LDRA Testbed — A software analysis and testing tool suite for Java.
• SemmleCode — Object oriented code queries for static program analysis.
• SonarJ — Monitors conformance of code to intended architecture, also computes a wide range of software metrics.

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

• ESC/Java and ESC/Java2 — Based on Java Modeling Language, an enriched version of Java.
• Polyspace — Uses abstract interpretation (a formal methods based technique ^[4]) to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada
• SofCheck Inspector — Statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
• SPARK Toolset including the SPARK Examiner — Based on the SPARK programming language, a subset of Ada.

• Automated code review
• Best Coding Practices
• Dynamic code analysis
• Software metrics
• Static code analysis
• Integrated development environment (IDE) and Comparison of integrated development environments. IDEs will usually come with build-in support for static code analysis, or with an option to integrate such support. Eclipse offers such integration mechasism for most different types of extensions (plug-ins).

Vorlage:Reflist

• List of static source code analysis tools for C
• SAMATE-Source Code Security Analyzers
• SATE - Static Analysis Tool Exposition
• List of Java static code analysis plugins for Eclipse
• “A Comparison of Bug Finding Tools for Java”, by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
• “Mini-review of Java Bug Finders”, by Rick Jelliffe, O'Reilly Media.
• Parallel Lint, by Andrey Karpov
• List of Static Source Code Analysis Tools at CERT
• Integrate static analysis into a software development process Explains how one goes about integrating static analysis into a software development process

1. ↑ Static Analysis in Xcode. Apple, abgerufen am 3. September 2009. 
2. ↑ Parasoft Application Security Solution
3. ↑ Parasoft Compliance Solution
4. ↑ Patrick Cousot: The Role of Abstract Interpretation in Formal Methods. IEEE International Conference on Software Engineering and Formal Methods, 2007, abgerufen am 8. November 2010.