List of tools for static code analysis
Contributors to Wikimedia projects
Article ImagesThis is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).
This section is a sublist. Links here will take you to the full list on the top of this article.
This section is a sublist. Links here will take you to the full list on the top of this article.
- Astree
- BLAST
- Clang
- Coccinelle
- Coverity
- CPAchecker
- Cppcheck
- Cppdepend
- Cpplint
- ECLAIR
- Eclipse
- Fluctuat
- Frama-C
- GCC
- Helix QAC
- Facebook Infer
- Klocwork
- Lint
- LDRA Testbed
- Parasoft C/C++test
- PC-lint Plus
- Polyspace
- PVS-Studio
- SLAM project
- Sparse
- SonarQube
- Splint
- Understand
- Visual Studio
This section is a sublist. Links here will take you to the full list on the top of this article.
- Code Dx
- CodeScene
- CodeQL
- Coverity
- Kiuwan
- Klocwork
- .NET Compiler Platform
- PVS-Studio
- SonarQube
- Sotoarc
- StyleCop
- Squore
- Understand
- Visual Studio
- CODESYS Static Analysis – integrated add-on for CODESYS (application code realized e.g. in ST, FBD, LD)
Tool | Latest release | Free software | Duplicate code |
Notes |
---|---|---|---|---|
Checkstyle | 2020-01-26 | Yes; LGPL | No | Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed[13] from Checkstyle. |
Eclipse | 2017-06-28 | Yes; EPL | No | Cross-platform IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD. |
FindBugs | 2015-03-06 | Yes; LGPL | Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community. | |
IntelliJ IDEA | 2021-04-06 | Yes; ASL 2 | Yes | A leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD. |
JArchitect | 2017-06-11 | No; proprietary | Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code. | |
Jtest | 2019-05-21 | No; proprietary | Yes | Testing and static code analysis product by Parasoft. |
Soot | 2020-10-28 | Yes; LGPL | A language manipulation and optimization framework consisting of intermediate languages. | |
PMD | 2021-01-30 | Yes; BSD License | Yes | Static code analyzer with support for plugins, including CPD. PMD supports checking of several languages. |
Squale | 2011-05-26 | Yes; LGPL | A platform to manage software quality. | |
ThreadSafe | 2014-03-28 | No; proprietary | A static analysis tool focused on finding concurrency bugs. |
This section is a sublist. Links here will take you to the full list on the top of this article.
- ESLint – JavaScript syntax checker and formatter.
- Google's Closure Compiler – JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
- CodeScene – Behavioral analysis of code.
- JSHint – A community driven fork of JSLint.
- JSLint – JavaScript syntax checker and validator.
- Klocwork
- Semgrep – A static analysis tool that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.
- Understand
- Clang – The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[14]
- Infer – Developed by an engineering team at Facebook with open-source contributors. Targets null pointers, leaks, API usage and other lint checks. Available as open source on github.
- Understand
- Opa includes its own static analyzer. As the language is intended for web application development, the strongly statically typed compiler checks the validity of high-level types for web data, and prevents by default many vulnerabilities such as XSS attacks and database code injections.
- Lintian – Checks Debian software packages for common inconsistencies and errors.
- Rpmlint – Checks for common problems in rpm packages.
- Perl::Critic – A tool to help enforce common Perl best practices. Most best practices are based on Damian Conway's Perl Best Practices book.
- PerlTidy – Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
- Padre – An IDE for Perl that also provides static code analysis to check for common beginner errors.
- TOAD – A PL/SQL development environment with a Code xPert component that reports on general code efficiency as well as specific programming issues.
- Visual Expert – A PL/SQL code analysis tool[15] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, Source Code documentation, Call trees, CRUD matrix, etc.).
- Visual Expert – A tool scanning PowerBuilder libraries (PBLs) for code inspection, Impact Analysis, Source Code documentation, Call trees, CRUD matrix.
- PyCharm – Cross-platform Python IDE with code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
- PyDev – Eclipse-based Python IDE with code analysis available on-the-fly in the editor or at save time.
- Pylint – Static code analyzer. Quite stringent; includes many stylistic warnings as well.
- Klocwork
- Semgrep – Static code analyzer that helps expressing code standards and surfacing bugs early. A CI service and a rule library is also available.
- Understand
- Visual Expert – A SQLServer code analysis tool[16] that reports on programming issues and helps understand and maintain complex code (Impact Analysis, source code documentation, call trees, CRUD matrix, etc.).
This section is a sublist. Links here will take you to the full list on the top of this article.
Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.
- Astrée – finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
- CodePeer – Statically determines and documents pre- and post-conditions for Ada subprograms; statically checks preconditions at all call sites.
- ECLAIR – Uses formal methods-based static code analysis techniques such as abstract interpretation and model checking combined with constraint satisfaction techniques to detect or prove the absence of certain run time errors in source code.
- ESC/Java and ESC/Java2 – Based on Java Modeling Language, an enriched version of Java
- Frama-C – An open-source analysis framework for C, based on the ANSI/ISO C Specification Language (ACSL). Its main techniques include abstract interpretation, deductive verification and runtime monitoring.
- KeY – analysis platform for Java based on theorem proving with specifications in the Java Modeling Language; can generate test cases as counterexamples; stand-alone GUI or Eclipse integration
- MALPAS – A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
- Polyspace – Uses abstract interpretation, a formal methods based technique,[17] to detect and prove the absence of certain run time errors in source code for C/C++, and Ada
- SPARK Toolset including the SPARK Examiner – Based on the SPARK language, a subset of Ada.
- Automated code review
- Best Coding Practices
- List of software development philosophies
- Dynamic program analysis
- Software metrics
- Integrated development environment (IDE) and comparison of integrated development environments. IDEs will usually come with built-in support for static program analysis, or with an option to integrate such support. Eclipse offers such integration mechanism for most different types of extensions (plug-ins).
- ^ "CPAchecker". 2015-02-08.
- ^ "Static Analysis in Xcode". Apple. Archived from the original on 2009-09-05. Retrieved 2009-09-03.
- ^ "Running the analyzer within Xcode". Archived from the original on 5 December 2021. Retrieved 14 January 2022.
- ^ "Supported Application Security Testing Tools and Languages". codedx.com. Retrieved Apr 25, 2017.
- ^ "Coverity Scan website". Retrieved 2023-08-23.
- ^ "ECLAIR website". Retrieved 2021-10-07.
- ^ "CppDepend what's new". cppdepend.com. Retrieved 1 March 2023.
- ^ "Readme.md of Google Style Guides". GitHub. Retrieved 8 November 2021.
- ^ Malcolm, David (2020-03-26). "Static analysis in GCC 10". Red Hat Developer. Retrieved 2022-04-13.
- ^ "UNIX is free!". lemis.com. 2002-01-24.
- ^ "NDepend what's new". ndepend.com. Retrieved 15 June 2022.
- ^ "PMD - Browse /pmd/5.0.0 at SourceForge.net". Retrieved Dec 9, 2012.
- ^ "Remove StrictDuplicateCodeCheck and whole package · Issue #523 · checkstyle/Checkstyle". GitHub.
- ^ "Static Analysis in Xcode". Apple. Retrieved 2009-09-03.
- ^ "Visual Expert for Oracle - PL/SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
- ^ "Visual Expert for SQL Server - Transact SQL Code Analyzer". www.visual-expert.com. 2017-08-24.
- ^ Cousot, Patrick (2007). "The Role of Abstract Interpretation in Formal Methods". Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007). IEEE International Conference on Software Engineering and Formal Methods. pp. 135–140. doi:10.1109/SEFM.2007.42. ISBN 978-0-7695-2884-7. S2CID 67212.
- The Web Application Security Consortium's Static Code Analysis Tool List
- Java Static Checkers at Curlie
- SAMATE-Source Code Security Analyzers
- SATE – Static Analysis Tool Exposition
- "A Comparison of Bug Finding Tools for Java", by Nick Rutar, Christian Almazan, and Jeff Foster, University of Maryland. Compares Bandera, ESC/Java 2, FindBugs, JLint, and PMD.
- "Mini-review of Java Bug Finders", by Rick Jelliffe, O'Reilly Media.