Source Static Analysis Tools

Static Analysis Tools

Klocwork
Preferred vendor approved by Intel strategic purchasing. See the Klocwork page for more information on the product and its licensing structure. For a quick overview of the Klocwork K7 tool suite and FAQ, visit Klocwork K7 Overview.

FxCop - Recommended tool for analyzing managed code (.NET assemblies compiled from C#, VB.NET or managed C++); it checks the compiled assemblies rather than source. Freely available from Microsoft.

Coverity - Commercial static analysis for C, C++ and Java; finds memory errors, resource leaks and concurrency defects in addition to security issues.

Fortify - Fortify Source Code Analyzer (SCA), commercial security-focused static analysis supporting many languages, including C/C++, Java and .NET.

Ounce Labs - Commercial security-focused source code analysis.

Lintra - Static analysis (lint) tool for RTL (register-transfer-level hardware designs).

Open-source or Noncommercial products

Multi-language

RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.

Yasca - Yet Another Source Code Analyzer, a plugin-based framework for scanning arbitrary file types, with plugins for scanning C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, COBOL, and other file types. It integrates with other scanners, including FindBugs, JLint, and PMD.

.NET (C#, VB.NET and all .NET compatible languages)

FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.

Java

FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).

PMD — a static ruleset based Java source code analyzer that identifies potential problems.

Hammurapi - a rule-based Java code review tool.

C

Sparse — a semantic checker for C written by Linus Torvalds for the Linux kernel. It checks the kernel's extra annotations, notably the address-space tags on pointers (__user, __iomem) and the lock-context annotations, and is run over a kernel tree with make C=1.

Splint — Secure Programming Lint, an open-source successor to Lint for C; with source annotations it checks for buffer overflows, null dereferences and other security-relevant defects beyond what Lint reported.

Cppcheck — a tool that can find memory leaks, buffer overruns and many other common errors.
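What Sparse checks, as an added example that is not from the page or from the Sparse project: kernel code tags pointers that come from user space with __user, and Sparse (which defines __CHECKER__ when it runs) rejects a direct dereference of such a pointer and any attempt to pass it where a plain kernel pointer is expected. The __user and __force macros and the copy_from_user stand-in below are assumptions so the file builds and runs with an ordinary C compiler; in a kernel tree the real definitions come from the kernel headers.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's annotation macros. Sparse defines __CHECKER__
 * when it runs, so only Sparse sees the attributes; gcc sees empty macros.
 * noderef forbids dereferencing the pointer; address_space(1) marks it as
 * user memory so it cannot be passed as a plain kernel pointer. */
#ifdef __CHECKER__
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))
#else
# define __user
# define __force
#endif

/* Constructed request struct, as an ioctl handler might receive it. */
struct ioctl_req {
    uint32_t len;
    uint32_t flags;
};

/* Stand-in for copy_from_user(): returns the number of bytes NOT copied.
 * The real one validates that the user range is readable; here memcpy
 * suffices because this runs in an ordinary process. The __force cast is
 * the one sanctioned way to drop the address-space annotation. */
static unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
{
    memcpy(to, (const void __force *)from, n);
    return 0;
}

/* Wrong: reads the struct straight through the user pointer. gcc accepts
 * this; Sparse reports "dereference of noderef expression". In a real
 * kernel the access is unchecked, so a hostile process can hand in a
 * pointer into kernel memory or an unmapped page, and the value can
 * change between the check and any later read. */
static int handle_req_unsafe(const struct ioctl_req __user *req)
{
    if (req->len > 4096)
        return -22;              /* -EINVAL */
    return (int)req->len;
}

/* Right: copy the struct into kernel memory first, then validate the copy.
 * Every field is read exactly once from user space, so there is no
 * time-of-check/time-of-use window. */
static int handle_req_safe(const struct ioctl_req __user *req)
{
    struct ioctl_req k;

    if (copy_from_user(&k, req, sizeof k))
        return -14;              /* -EFAULT */
    if (k.len > 4096)
        return -22;              /* -EINVAL */
    return (int)k.len;
}

int main(void)
{
    /* Constructed input. In a module this pointer arrives from user space;
     * passing a stack address here is itself something Sparse would flag
     * under __CHECKER__, which is fine for a stand-alone demonstration. */
    struct ioctl_req r = { 128, 0 };

    return (handle_req_safe(&r) == 128 && handle_req_unsafe(&r) == 128) ? 0 : 1;
}
```

Both handlers behave identically when run as a normal program, which is the point: the bug in handle_req_unsafe is invisible to the compiler and to tests, and only the annotation check (make C=1 in a kernel tree, or sparse on a single file) brings it out.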

C++

Cppcheck — a tool that can find memory leaks, buffer overruns and many other common errors.
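The defect classes RATS and Cppcheck report, shown as an added example that is not part of the page or of either project: a small label formatter with an unbounded strcpy into a fixed stack buffer and a heap allocation that leaks on an error path, beside a hardened version. The function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX 16

/* Vulnerable form. RATS reports the strcpy calls (no bound on the copy into
 * the 16-byte stack buffer, so a name of 16 or more characters overruns it),
 * and Cppcheck reports that 'copy' is leaked on the early return. */
int format_label_unsafe(const char *name, char *out, size_t out_len)
{
    char label[LABEL_MAX];
    char *copy = malloc(strlen(name) + 1);

    if (copy == NULL)
        return -1;
    strcpy(copy, name);
    strcpy(label, copy);             /* overrun when strlen(name) >= LABEL_MAX */
    if (out_len == 0)
        return -1;                   /* 'copy' leaks on this path */
    snprintf(out, out_len, "[%s]", label);
    free(copy);
    return 0;
}

/* Hardened form: validate arguments first, reject over-long names instead of
 * truncating silently, copy with an explicit length, and treat a truncated
 * output as an error. No heap allocation, so nothing to leak. */
int format_label_safe(const char *name, char *out, size_t out_len)
{
    char label[LABEL_MAX];
    size_t n;
    int written;

    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    n = strlen(name);
    if (n >= sizeof label)
        return -1;                   /* would not fit with its terminator */
    memcpy(label, name, n + 1);      /* bounded copy, terminator included */
    written = snprintf(out, out_len, "[%s]", label);
    if (written < 0 || (size_t)written >= out_len)
        return -1;                   /* output buffer too small */
    return 0;
}

int main(void)
{
    char out[32];
    const char *short_name = "eth0";                              /* constructed input */
    const char *long_name = "this_interface_name_is_too_long";    /* constructed input */

    if (format_label_safe(short_name, out, sizeof out) != 0)
        return 1;
    printf("%s\n", out);                                          /* prints [eth0] */
    /* The unsafe version is deliberately never called with long_name here:
     * that call would be the stack overrun the analyzers exist to catch. */
    return format_label_safe(long_name, out, sizeof out) == -1 ? 0 : 1;
}
```

Run rats and cppcheck --enable=all over the file: RATS lists the strcpy calls in format_label_unsafe as high risk, and Cppcheck's memleak check reports 'copy' on the out_len == 0 return path; neither tool has anything to say about format_label_safe.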