Introduction to Software Engineering/Tools/Static Code Analysis

This is a list of tools for static code analysis.

Historical products

 * Lint — The original static code analyzer of C code.

Multi-language

 * PMD Copy/Paste Detector (CPD) — PMD's duplicate code detection for (e.g.) Java, JSP, C, C++ and PHP code.
 * Sonar — A continuous inspection engine to manage technical debt (unit tests, complexity, duplication, design, comments, coding standards and potential problems). Supported languages are Java, Flex, PHP, PL/SQL, Cobol and Visual Basic 6.
 * Yasca — Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy.

.NET (C#, VB.NET and all .NET compatible languages)

 * FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
 * Gendarme — Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, particularly those that contain code in ECMA CIL format.
 * StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.

ActionScript

 * Apparat — A language manipulation and optimization framework consisting of intermediate representations for ActionScript.

C

 * BLAST (Berkeley Lazy Abstraction Software verification Tool) — A software model checker for C programs based on lazy abstraction.
 * Clang — A compiler that includes a static analyzer.
 * Frama-C — A static analysis framework for C.
 * Lint — The original static code analyzer for C.
 * Sparse — A tool designed to find faults in the Linux kernel.
 * Splint — An open source evolved version of Lint (for C).

C++

 * cppcheck — Open-source tool that checks for several types of errors, including the use of STL.

Java

 * Checkstyle — Besides some static code analysis, it can be used to show violations of a configured coding standard.
 * FindBugs — An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
 * Hammurapi — (Free for non-commercial use only) versatile code review solution.
 * PMD — A static ruleset-based Java source code analyzer that identifies potential problems.
 * Soot — A language manipulation and optimization framework consisting of intermediate languages for Java.
 * Squale — A platform to manage software quality (also available for other languages, using commercial analysis tools though).

JavaScript

 * Closure Compiler — JavaScript optimizer that rewrites JavaScript code to make it faster and more compact. It also checks your usage of native JavaScript functions.
 * JSLint — JavaScript syntax checker and validator.

Objective-C

 * Clang — The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.
 * OCLint — A static code analysis tool for improving quality and reducing defects by inspecting C, C++ and Objective-C code.
 * Faux Pas — Inspects your iOS or Mac app's Xcode project and warns about possible bugs, as well as about maintainability and style issues.
 * Facebook Infer — Open source tool by Facebook to detect bugs in Android and iOS apps.
 * Sonar for Objective-C — Open source Sonar plugin for Xcode.
 * Sonar for Objective-C (commercial version) — Paid Sonar plugin for Xcode.

Multi-language

 * Axivion Bauhaus Suite — A tool for C, C++, C#, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
 * Black Duck Suite — Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
 * CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, SAP, Oracle, PeopleSoft, Siebel, .NET, Java, C/C++, Struts, Spring, Hibernate and all major databases.
 * Checkmarx CxSuite — Source code analysis tool which identifies application security vulnerabilities in the following languages: Java, C# / .NET, PHP, C, C++, Visual Basic 6.0, VB.NET, APEX, Ruby, JavaScript, ASP, Perl, Android, Objective-C, PL/SQL, HTML5, Python and Groovy.
 * Coverity Static Analysis (formerly Coverity Prevent) — Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
 * DMS Software Reengineering Toolkit — Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
 * Compuware DevEnterprise — Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
 * Fortify — Helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL, Python and COBOL as well as configuration files.
 * GrammaTech CodeSonar — Analyzes C and C++.
 * Imagix 4D — Identifies problems in variable usage, task interaction and concurrency, particularly in embedded applications, as part of an overall solution for understanding, improving and documenting C, C++ and Java software.
 * Intel Parallel Studio XE (Intel) — Contains a Static Security Analysis (SSA) feature that supports C/C++ and Fortran.
 * JustCode — Code analysis and refactoring productivity tool for JavaScript, C#, Visual Basic.NET, and ASP.NET.
 * Klocwork Insight — Provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++, C# and Java.
 * Kiuwan — Software analytics end-to-end platform for static code analysis, defect detection, application security and IT risk management, with enhanced life cycle and application governance features. It supports over 25 languages, including Objective-C, Java, JSP, JavaScript, PHP, C, C++, ABAP, COBOL, JCL, C#, PL/SQL, Transact-SQL, SQL, Visual Basic, Visual Basic .NET and Android.
 * Lattix, Inc. LDM — Architecture and dependency analysis tool for Ada, C/C++, Java and .NET software systems.
 * LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
 * Micro Focus (formerly Relativity Technologies) Modernization Workbench — Parsers included for COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), PL/I, Natural (inc. ADABAS), Java, Visual Basic, RPG, C & C++ and other legacy languages; extensible SDK to support third-party parsers. Supports automated metrics (including Function Points), business rule mining, componentisation and SOA analysis. Rich ad hoc diagramming, AST search and reporting.
 * Ounce Labs (from 2010 IBM Rational AppScan Source) — Automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET and VB.NET.
 * Parasoft — Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security, compliance, and defect prevention.
 * Polyspace — Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada.
 * Rational Asset Analyzer (IBM) — Supports COBOL (multiple variants), PL/I and Java.
 * Rational Software Analyzer — Supports Java and C/C++ (others available through extensions).
 * Security Reviewer — 1500+ rules with up to 12 variants each, specialized per language, with thousands of APIs and frameworks covered. Supported languages: ABAP, Android Mobile, ASP, ASPX, C, C++, CSS, Objective-C, COBOL, C#, Forms, HTML5, Java/JSP/JSF, JavaScript, PHP, Ruby, Python, 11 SQL dialects (including PL/SQL, T-SQL and Teradata SQL), VB.NET, Visual Basic 6, Windows Mobile, XML and XPath. NIST and CVE checking, OWASP and CWE standards, 200+ quality metrics, best practices and a SQALE dashboard.
 * SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Java and Ada. Provides automated extraction of pre/postconditions from the code itself.
 * SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.
 * Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++.
 * Syhunt Sandcat — Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
 * Understand — Analyzes C, C++, Java, Ada, Fortran, Jovial, Delphi, VHDL, HTML, CSS, PHP, and JavaScript; a reverse engineering of source, code navigation, and metrics tool.
 * Veracode — Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, and PHP.
 * Visual Studio Team System — Analyzes C++ and C# source code. Only available in the Team Suite and Development editions.

.NET

Products covering multiple .NET languages.

 * CodeIt.Right — Combines static code analysis and automatic refactoring to best practices, which allows automatic correction of code errors and violations. Supports both C# and VB.NET.
 * CodeRush — A plugin for Visual Studio that addresses a multitude of shortcomings in the popular IDE, including alerting users to violations of best practices by using static code analysis.
 * JustCode — Add-on for Visual Studio 2005/2008/2010 for real-time, solution-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML and multi-language solutions.
 * NDepend — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
 * ReSharper — Add-on for Visual Studio 2003/2005/2008/2010 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
 * Kalistick — Cloud-based static code analysis with best-practice tips and collaborative tools for Agile teams.

Ada

 * Ada-ASSURED — A tool that offers coding style checks, standards enforcement and pretty printing features.
 * AdaCore CodePeer — Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
 * LDRA Testbed — A software analysis and testing tool suite for Ada83/95.
 * SofCheck Inspector — Provides static detection of logic errors, race conditions, and redundant code for Ada. Provides automated extraction of pre/postconditions from the code itself.

C / C++

 * CppDepend — Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
 * FlexeLint — A multiplatform version of PC-Lint.
 * Green Hills Software DoubleCheck — A software analysis tool for C/C++.
 * Intel Parallel Studio XE (Intel) — Contains a Static Security Analysis (SSA) feature.
 * LDRA Testbed — A software analysis and testing tool suite for C/C++.
 * Monoidics INFER — A sound tool for C/C++ based on Separation Logic.
 * PC-Lint — A software analysis tool for C/C++.
 * PVS-Studio — A software analysis tool for C, C++, C++11 and C++/CX.
 * QA-C (and QA-C++) — Deep static analysis of C/C++ for quality assurance and guideline enforcement.
 * Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.
 * SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Java

 * JArchitect — Simplifies managing a complex Java code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code.
 * Jtest — Testing and static code analysis product by Parasoft.
 * LDRA Testbed — A software analysis and testing tool suite for Java.
 * Oversecured — A static SaaS-based vulnerability scanner for Android apps. Contains 90+ vulnerability categories.
 * SemmleCode — Object-oriented code queries for static program analysis.
 * SonarJ — Monitors conformance of code to the intended architecture; also computes a wide range of software metrics.
 * Kalistick — A cloud-based platform to manage and optimize code quality for Agile teams with a DevOps spirit.
 * SourceMeter — A platform-independent, command-line static source code analyzer for Java, C/C++, RPG IV (AS/400) and Python.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):

 * ESC/Java and ESC/Java2 — Based on the Java Modeling Language, an enriched version of Java.
 * Polyspace — Uses abstract interpretation (a formal-methods-based technique) to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada.
 * SofCheck Inspector — Statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
 * SPARK Toolset including the SPARK Examiner — Based on the SPARK programming language, a subset of Ada.