In this article, I have summarised some of top static code analysis tools.
Can we ever imagine sitting back and manually reading each line of codes to find flaws? To ease our work, several types of static analysis tools are available in the market which helps analysing the code during the development and detect fatal defects early in the SDLC phase. Such defects can be eliminated before the code is actually pushed for functional QA. Defect found later are always expensive to fix.
Read this to get an idea of what can help you the most based on your needs –
40 Best Static Code Analysis Tools
=>> Contact us to add your listing here
Veracode is static analysis tool which is built on the SaaS model. This tool is mainly used to analyse the code from Security point of view. This tool uses binary code/byte code and hence ensures 100% test coverage. This tool proves to be a good choice if you want to write secured code.
Website Link: Veracode
A security Analysis tool which lets users scan the uncompiled code and find out vulnerabilities early during design phase itself. Tool comes with the feature to do incremental scanning means the first time it does a full scan and later it scans only the areas which have undergone changes, hence proves to be automatically performing regression and retest, and saves time as it reduces the amount of scan required in consecutive runs.
Website Link: Checkmarx
Website Link: Coverity
#4) HP Fortify SCA
Fortify, a tool from HP which lets developer build an error free and secured code. This tool can be used by both development and security teams by working together to find and fix security related issues. While scanning the code, it ranks the issues found and ensures the most critical ones are fixed first.
Website Link: HP Fortify SCA
Parasoft, no doubt one of the best tools for Static Analysis Testing. This is slightly different when compared to other static analysis tools because of its ability to support various types of static analysis techniques like Pattern Based, Flow Based, Third Party Analysis, and Metrics and Multivariate analysis. Another good thing about the tool is besides identifying defects it allows provides feature which prevents defects.
Website Link: Parasoft
This is an open source tool written in PHP to identify different types for security vulnerabilities in PHP codes. It can be controlled via web interface.
Website Link: RIPS
#7) Clang Static Analyzer
This is an open source tool which can be used to analyse a C, C++ code. It uses the clang library, hence forming a reusable component and can be used by multiple clients.
Website Link: Clang Static Analyzer
An automated tool which can be used to analyse more than 50+ languages, works excellently regardless the size of the project. In addition it provides Dashboard to users which help in measuring quality and productivity.
Website Link: CAST
A Static analysis tool by Grammatech not only lets a user find programming error, it also helps in finding out domain related coding errors. It also allows customizing checkpoints and also built in checks can be configured as per the requirement. Overall a great tool to detect security vulnerabilities and its ability to do a deep static analysis makes this stand out from rest of the other static analysis tools available in the market.
Website Link: CodeSonar
Just like its name, this tool lets user UNDERSTAND code by analysing, measuring, visualizing and maintaining. This allows quick analysis of massive codes. This is one tool which is mainly used by aerospace and automakers industry. Supports major languages like C/C++, ADA, COBOL, FORTRAN, PASCAL, Python and other web languages.
Website Link: Understand
A very easy to use tool when compared to other static analysis tools. As the name suggests, this tool is used to analyse C/C++ codes. Supports different code quality metrics, provides facility to monitor trends, has an add in to integrate with Visual Studio, allows writing custom queries and comes with a very good diagnostic facility.
Website Link: CppDepend
Apart from finding semantics and syntax error, this tool also lets user detect vulnerabilities in the code .This tool is well integrated with many common IDE’s like Eclipse, Visual Studio and Intellij IDEA. This can run in parallel to code creation, it does a line by line check and provides feature for addressing the defects immediately.
Website Link: Klocwork
Another free static analysis tool for C/C++.Good thing about this tool is its integration with several other development tools like Eclipse,Jenkins,CLion,Visual Studio and many more. Its installer can be found at sourceforge.net.
Website Link: Cppcheck
#14) Programming Research (PR QA)
PR QA is an excellent static analysis testing tool for C and C++ codes. Tool comes with a single installer and supports platforms like Windows 7,Linex Rhel 5 and Solaris 10.This gives very clear diagnostics which helps in identifying root cause and quick defect fixes.
Website Link: Programming Research (PR QA)
A security static analysis tool for C/C++ and allows integration with Microsoft Visual Studio,Eclipse,Texas Instruments Code Composer and many more IDE’s.This can be run like a compiler and hence allows analysing file level details in addition to whole projects. Also, has excellent error reporting feature.
Website Link: Goanna
Polyspace bug finder helps in finding defects for C/C++; this is integrated with Eclipse and also is compliant with coding rule standards like MISRA C, MISRA C++, and JSF++.
Website Link: Polyspace
Tool which helps in analysing C/C++, Java, C#, RPG and Python codes. Another good thing about this tool is it allows integration with free static checker tools like cppcheck, PMD, FindBugs. Basic Version of this tool is free but it comes with less features. Based on the need, you can decide whether the free version satisfies the requirement or not.
Website Link: Sourcemeter
An excellent tool which can be used for clone detection, supports multiple languages, allows integration with other static analysis tools, provides dashboard which shows the details on the issues found and other quality metrics.
Website Link: ConQAT
An excellent tool which makes analysing Java code simple and easier, supports for Code Query over LINQ, provides a number of code metrics, allows code comparison between builds and comes with a very good customizable reporting feature.
Website Link: JArchitect
A standalone tool used for analysing C/C++ and Objective- C programs, this supports Linux and Mac OX platforms. It does everything a static analysis tool is expected to do like finding bugs, unused piece of code, redundant code, and in addition to all that, it comes with a very customizable configuration which really helps user customize as per their needs.
Website Link: OCLint
This tool is mainly used by security specialist who wants to perform manual code reviews, works best on local system, but can also scan remote websites. Maintains an extensive configuration file and hence different reporting options can be configured. Creation of alternate config files helps in execution of multiple projects simultaneously.
Website Link: Watchtower
#22) OWASP Code crawler
A Static analysis tool for .NET and Java/J2EE code
Website Link: OWASP Code crawler
#23) OWASP Orizon
A tool which can be used by security specialist to perform code reviews from security point of view. It also provides set of API’s which can be integrated with security tools to provide code review services.
Website Link: OWASP Orizon
#24) PC-Lint and Flexe Lint
Static Analysis tools which is used to test C/C++ source code. PC Lint works on windows OS whereas Flexe Lint is designed to work on non windows OS, and runs on systems that support a C compiler including UNIX.
Website Link: PC-Lint and Flexe Lint
#25) IBM Rational Software analyzer
IBM Rational provides user with different types of tool, one such tool is the software analyzer which can be used for static analysis of code. This tool is designed on an extensible framework and integrates well with other Rational products.
Website Link: IBM Rational Software analyzer
This static analysis tool is very flexible and easily configurable tool and supports almost all platforms like Windows, UNIX, Linus, Mac OS X.This tool comes with an ability to verify conformance against a number of coding standard as well as other coding standards which includes proprietary and project based standards.
Website Link: Eclair
It is an open source web based tool, extending its coverage to more than 20 languages, and also allows a number of plug ins.
Website Link: SonarQube
If you are looking for a tool to ensure the developed code is compliant with CERT coding rules, you can opt for Rosecheckers. It is available for free is sourceforge. This tool does check for C/C++ codes and sometimes finds problem which other static analysis tools cannot find, but this cannot be considered a full grown standalone tool due to its inability to fully test since this is only a prototype.
Website Link: Rosecheckers
#29) PVS Studio
Tool used for static analysis of C/C++ and C# codes
Website Link: PVS Studio
An open source tool which lets analysis of C, comes with a very flexible framework.
Website Link: Frama-c
Open source security analysis tool for Java and C codes.
Website Link: Semmle
PMD is an open source code analyser for C/C++, java, Java Script. This is a simple tool and can be used to find common flaws. It also detects duplicate code in java.
Website Link: PMD
Free tool to find bugs in Java code. It supports any version of Java but requires JRE (or JDK) 1.7.0 or later to run.
Website Link: FindBugs
#34) IBM Appscan Source
This is used to identify vulnerabilities early in the SDLC phase. Also supports mobile scanning.
Website Link: IBM Appscan Source
This is an open source tool mainly used to find security vulnerabilities in C/C++ program. It can be downloaded, installed and run on systems like UNIX.
Website Link: Flawfinder
An open source static and security analysis tool for C programs. Comes with very basic feature but if additional annotations are added, this can perform like any other standard tools.
Website Link: Splint
Header Free Cyclomatic Complexity Analyser is a tool which performs analysis and doesn’t care about the C/C++ headers or Java imports. Simple to use and doesn’t require installation. This can be used for C/C++, Java and Objective C.
Website Link: Hfcca
This utility written in Perl lets user find blank lines, comment lines and physical lines and supports multiple languages. Overall an easy to tool with good features like providing outputs in multiple formats, runs on multiple systems and comes with an easy installation pack.
Website Link: Cloc
Open source tool which lets user count physical source lines of code in multiple languages and on multiple platform.
Website Link: SLOCCount
Website Link: JSHint
Above is a summary of some selective good Static Code Analysis Tools which can be used for Static analysis. Since, covering all the available tools in one article isn’t possible, now I am letting the ball go in your court, feel free to bring up any tool you think is good one for Static Analysis.
=>> Contact us to add your listing here