User:Nickj/List of tools for static code analysis

Anyone is welcome to constructively update this user page with new information; however, if you wish to delete it, please email me first, and I will move it off-site.

This is a list of software tools that perform various kinds of static code analysis, grouped by programming language and in alphabetical order:

Ada

 * Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
 * CloneDR for Ada83/95 Detects exact and near-miss duplicate code across large code bases.
 * LDRA Testbed
 * PolySpace Verifier
 * SofCheck Inspector for Ada Static Error Detection of Ada 83 & 95 with 100% path and control flow coverage
 * SPARK programming language
 * RapiTime WCET Analyzer
 * Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
 * Understand for Ada - IDE with reverse engineering, automatic documentation, code navigation and understanding, metrics, maintenance and cross reference.

Borland Delphi

 * reverse engineering, code navigation, and metrics tool

C and/or C++

 * Astrée (AbsInt and ENS)
 * Axivion Bauhaus Suite
 * AQtime
 * BLAST
 * Cantata
 * CCured (BSD, partly dynamic)
 * Cleanscape lints for C++ and for C
 * CloneDR for C/C++ Detects exact and near-miss duplicate code across large code bases.
 * CMT++
 * CodeSonar based on work by Reps et al at the University of Wisconsin.
 * CodeWizard
 * Coverity See the MC Checker for background.
 * cppcheck
 * Cqual
 * CScout Source code analyzer and refactoring browser for collections of C programs; handles the preprocessor constructs.
 * C++test
 * Flawfinder (GPL) Contains a good list of other security-based static checking tools.
 * Ounce, which is a security-focused source code analysis tool.
 * Fortify Software See Fortify Source Code Analysis
 * GCC Introspector (GPL) C, but is expanding to include Perl, Bison, m4, bash, C#, Java, C++, Fortran, Objective-C, Lisp, Scheme.
 * Gimpel Software FlexeLint and PC-Lint
 * HP Code Advisor Identifies potential coding errors, porting issues, and security vulnerabilities.
 * ITS4 Scans source code for potentially dangerous function calls.
 * LDRA Testbed
 * Klocwork
 * Lattix LDM - Architecture Management using Dependency Analysis
 * MOPS (BSD style license)
 * OpenC++
 * OSPC
 * PMD's Copy/Paste Detector
 * PolySpace
 * Predator – a tool for automated formal verification of sequential C programs operating with pointers and linked lists
 * PREfast Part of DDK, for driver development, see VS2005 for user-land.
 * QAC, QAC-MISRA, QAC++ Coding style, metrics, dataflow, good enforcing of MISRA standards.
 * Resource Standard Metrics
 * Rough Auditing Tool for Security
 * Security Reviewer 100+ Rules Specialized for C and C++ with up to 12 variants each and thousands of APIs covered. OWASP, CWE and MISRA standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
 * Smatch C source checker, used mainly for Linux kernel code.
 * Sotograph
 * Sparse (GPL)
 * Stacktool
 * Splint (GPL)
 * Surveyor C/C++, Java, COBOL, VB/VB.NET, Tcl, ASP, others.
 * Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
 * Visual Studio 2005 Team Edition only.
 * RapiTime WCET Analyzer
 * Understand for C/C++ ANSI C, C++ and K&R C reverse source engineering, code navigation, and metrics tool.

C#

 * AQtime
 * CloneDR for C#2.0/3.0/4.0 Detects exact and near-miss duplicate code across large code bases.
 * .TEST
 * Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
 * Fortify Software See Fortify Source Code Analysis
 * FxCop
 * Lattix LDM - Architecture Management using Dependency Analysis
 * LDRA Testbed
 * NDepend - Architecture Management (Dependencies, Metrics, Build comparison)
 * ReSharper
 * Security Reviewer 500+ Rules Specialized for C# and thousands of API covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
 * Source Monitor - Simple analytical tool displaying metrics such as complexity, depth, lines/method, methods/class among others. Nice use of Kiviat graph. (C#, VB, C++, among others)
 * Sotograph - Architecture and quality in-depth analysis and monitoring
 * Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
 * DevMetrics and DevAdvantage (Now open source)
 * Compuware DevPartner Studio

COBOL

 * CloneDR for COBOL Detects exact and near-miss duplicate code across large code bases.
 * Security Reviewer 120+ Security Rules, 100+ Quality Metrics and SQALE for COBOL

Fortran

 * CloneDR for Fortran 77/90/95 Detects exact and near-miss duplicate code across large code bases.
 * Cleanscape FortranLint
 * FTNCHEK
 * Understand for FORTRAN FORTRAN 77, 90, 95 reverse source engineering, metrics and cross reference tool

HTML

 * W3C Markup Validation Service

Java

 * Agitator Dashboard
 * AntiC
 * Axivion Bauhaus Suite - Architecture Visualization, Architecture Checking, Interface Analysis, Metrics, Clone Detection, Dominance Analysis, etc.
 * Checkstyle
 * CloneDR for Java Detects exact and near-miss duplicate code across large code bases.
 * CMTJava - Complexity Measures Tool for Java
 * ESC/Java - Extended Static Checking for Java
 * ESC/Java2
 * FindBugs - Find Bugs in Java Programs
 * Fortify Software See Fortify Source Code Analysis
 * Hammurapi
 * JDepend
 * Oracle JDeveloper - Code auditing framework and code metrics
 * Jlint
 * Jtest
 * Kaveri (Indus) - Program Comprehension/Slicing Tool (Library) for Java
 * Klocwork
 * Lattix LDM - Architecture Management using Dependency Analysis
 * Lint4j Static source code analysis with plugins for Maven, Ant and Eclipse
 * PMD
 * QAJ
 * Refactorit
 * Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
 * Security Reviewer 500+ Rules Specialized for Java and thousands of APIs and Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
 * SofCheck Inspector for Java Static Error Detection of Java byte code with 100% path coverage
 * SonarJ Lightweight management of architecture and technical quality for Java projects
 * Sotograph - Architecture and quality in-depth analysis and monitoring
 * Spoon - Spoon is a Java program processor that fully supports Java 5
 * STAN - Eclipse integrated structure analysis for Java. Visualize design, understand code, measure quality, generate reports.
 * Structure101 - Structural dependency analysis. Rate & analyze the quality of your software architecture.
 * Surveyor - Java and many other languages
 * Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling).
 * TorqueWrench
 * UCDetector - Unnecessary Code Detector, Eclipse plug-in to find unnecessary (dead) public Java code
 * Understand for Java reverse source engineering, code navigation, and metrics
 * WALA T. J. Watson Libraries for Analysis

JavaScript

 * JSLint - An online tool which you can also download and run from command line
 * JavaScript Lint - A lint-like tool for JavaScript, written in C/C++ and based on the JavaScript engine of the Firefox browser.
 * JavaScript Reporter - A static JavaScript analyzer/verifier.
 * CloneDR for JavaScript Detects exact and near-miss duplicate code across large code bases.
 * Fortify - See Fortify Source Code Analysis.
 * Closure Compiler - http://code.google.com/intl/de-DE/closure/compiler/
 * jsmeter - JavaScript code metrics through static analysis. Includes Cyclomatic Complexity, Halstead Metrics, Maintainability Index, etc.
 * Security Reviewer 100+ Rules Specialized for JavaScript and 100+ of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.

JOVIAL

 * Understand for JOVIAL reverse engineering, metrics, and cross referencing tool

Perl

 * fluff
 * Perl::Critic

PHP

 * PHP executes a built-in basic Lint check when invoked with the -l switch. Example usage:
 * PMD's Copy/Paste Detector
 * CloneDR for PHP4/PHP5 Detects exact and near-miss duplicate code across large code bases.
 * Zend Studio IDE includes static code analysis for PHP, called the "Code Analyzer".
 * ocProducts code quality checker
 * Armorize CodeSecure - The first security appliance for PHP source code scanning with traceback support and Web 2.0 interface.
 * PHPUnit
 * PHP_CodeSniffer - Checks for coding standard violations.
 * PHPLint - A validator and documentator for PHP 4 and PHP 5 programs
 * PHP-SAT - Checks for bug patterns.
 * Security Reviewer 500+ Rules Specialized for PHP and thousands of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
 * Fortify Software See Fortify Source Code Analysis.

Python

 * CloneDR for Python 2.6 Detects exact and near-miss duplicate code across large code bases.
 * PyChecker
 * Pyflakes
 * PyLint
 * Security Reviewer 200+ Rules Specialized for Python and tens of Frameworks covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.

TCL

 * Tcl Cruncher

Verilog & VHDL

 * Spyglass by Atrenta
 * Indigo RTL Analysis by Blue Pearl Software
 * Hal by Cadence
 * Leda by Synopsys

Visual Basic

 * Aivosto Project Analyzer finds dead code and programming problems. It will also tell you which modules call which, and provide cyclomatic complexity metrics.
 * AQtime
 * Axivion Bauhaus Suite - Clone Detection
 * CloneDR for VisualBasic (VBScript, VB6, VB.net) Detects exact and near-miss duplicate code across large code bases.
 * Compuware DevPartner Studio
 * Resource Standard Metrics Configurable Static Source Code Metrics and Analysis Tool from M Squared Technologies, Online-Documentation
 * Fortify Software See Fortify Source Code Analysis
 * FxCop
 * Lattix LDM - Architecture Management using Dependency Analysis
 * Security Reviewer 500+ Rules Specialized for legacy VB and all flavours of VB.net with thousands of APIs covered. OWASP, CWE standards. 200+ Quality Metrics. Best Practices. SQALE dashboard.
 * Sotograph - Architecture and quality in-depth analysis and monitoring
 * Visual Studio - Visual Studio 2005 Team Suite or Team Edition for Software Developers only, has integrated FxCop and PREFast functionality.
 * DevMetrics and DevAdvantage (Now open source)

Not language-specific

 * PAG and PAG/WWW - The Program Analyzer Generator, not for a specific language, but for building analyzers.
 * StackAnalyzer - Stack Usage Analysis.
 * CodeHawk™
 * DMS Software Reengineering Toolkit - System for implementing custom static analysis tools, with many industrial-strength parsers and flow analysis capabilities. Front ends for many languages/dialects.

Unknown language

 * Broadway
 * SLAM
 * BOON
 * Kaylo