List of tools for static code analysis

Historical

  • Lint — The original static code analyzer of C code.
  • NuMega Code Review — now part of the Micro Focus DevPartner suite.

Multi-language

  • Moose — Moose started as a software analysis platform with many tools to manipulate, assess or visualize software. It can evolve into a more generic data analysis platform. Supported languages are C/C++, Java, Smalltalk and .NET; more may be added.
  • Copy/Paste Detector (CPD) — PMD's duplicate code detection for (e.g.) Java, JSP, C, C++ and PHP code.
  • Sonar — A continuous inspection engine to manage technical debt: unit tests, complexity, duplication, design, comments, coding standards and potential problems. Supported languages: COBOL, Flex, Java, PHP, PL/SQL, Visual Basic 6 and JavaScript.
  • Yasca — Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.
  • Axivion Bauhaus Suite — A tool for Ada, C, C++, C#, and Java code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
  • Black Duck Suite — Analyzes the composition of software source code and binary files, searches for reusable code, manages open source and third-party code approval, honors the legal obligations associated with mixed-origin code, and monitors related security vulnerabilities.
  • BugScout — Detects security flaws in Java, PHP, ASP and C# web applications.
  • CAST Application Intelligence Platform — Detailed, audience-specific dashboards to measure quality and productivity. 30+ languages, including C/C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel, Spring, Struts, Hibernate and all major databases.
  • ChecKing — Integrated software quality portal that allows managing the quality of all phases of software development. It includes static code analyzers for Java, JSP, JavaScript, HTML, XML, .NET (C#, ASP.NET, VB.NET, etc.), PL/SQL, embedded SQL, SAP ABAP IV, Natural/Adabas, C/C++, Cobol, JCL and PowerBuilder.
  • Coverity Static Analysis (formerly Coverity Prevent) — Identifies security vulnerabilities and code defects in C, C++, C# and Java code. Complements Coverity Dynamic Code Analysis and Architecture Analysis.
  • DevPartner Code Review — Offered by Micro Focus. Static metrics and bug pattern detection for C#, VB.NET, and ASP.NET. Plugin to Visual Studio. Customized parsers provide extension through regular expressions and tailored rulesets.
  • DMS Software Reengineering Toolkit — Supports custom analysis of C, C++, C#, Java, COBOL, PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code analysis, and style checking.
  • Compuware DevEnterprise — Analysis of COBOL, PL/I, JCL, CICS, DB2, IMS and others.
  • GrammaTech CodeSonar — Analyzes C and C++.
  • HP Fortify Source Code Analyzer — Helps developers identify software security vulnerabilities in C/C++, Java, JSP, .NET, ASP.NET, ColdFusion, classic ASP, PHP, Visual Basic 6, VBScript, JavaScript, PL/SQL, T-SQL, Python, COBOL, and configuration files.
  • Imagix 4D — Identifies problems in variable use, task interaction and concurrency, especially in embedded applications, as part of an overall system for understanding, improving and documenting C, C++ and Java code.
  • Intel Parallel Studio XE — Contains a Static Security Analysis (SSA) feature that supports C/C++ and Fortran.
  • JustCode — Code analysis and refactoring productivity tool for JavaScript, C#, Visual Basic.NET, and ASP.NET.
  • Klocwork Insight — Provides security vulnerability, defect detection, architectural and build-over-build trend analysis for C, C++, C#, Java.
  • LDRA Testbed — A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
  • MALPAS — A software static analysis toolset for a variety of languages including Ada, C, Pascal and Assembler (Intel, PowerPC and Motorola). Used primarily for safety-critical applications in the nuclear and aerospace industries.
  • Micro Focus (formerly Relativity Technologies) Modernization Workbench — Parsers included for C/C++, COBOL (multiple variants including IBM, Unisys, MF, ICL, Tandem), Java, PL/I, Natural (inc. ADABAS), Visual Basic, RPG, and other legacy languages; extensible SDK to support 3rd-party parsers. Supports automated metrics (including function points), business rule mining, componentisation and SOA analysis. Rich ad hoc diagramming, AST search and reporting.
  • Parasoft — Analyzes Java (Jtest), JSP, C, C++ (C++test), .NET (C#, ASP.NET, VB.NET, etc.) using .TEST, WSDL, XML, HTML, CSS, JavaScript, VBScript/ASP, and configuration files for security, compliance, and defect prevention.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code for C, C++, and Ada.
  • ProjectCodeMeter — Warns on code quality issues such as insufficient commenting or complex code structure. Counts code metrics, gives cost & time estimations. Analyzes C, C++, C#, J#, Java, PHP, Objective-C, JavaScript, UnrealEngine script, ActionScript, DigitalMars D.
  • Rational Software Analyzer — Supports Java, C and C++; others available via extensions.
  • ResourceMiner — Multipurpose analysis and metrics from architecture down to details; develop your own rules for mass change and generator development. Supports 30+ legacy and modern languages and all major databases.
  • SofCheck Inspector — Static detection of logic errors, race conditions, and redundant code for Ada and Java; automatically extracts pre/postconditions from code.
  • Sotoarc/Sotograph — Architecture and quality in-depth analysis and monitoring for C, C++, C#, Java.
  • SPARROW — A static analysis tool that understands the semantics of C/C++ and Java code, based on static analysis theory, and automatically detects fatal errors such as memory leaks and buffer overruns.
  • Syhunt Sandcat — Detects security flaws in PHP, Classic ASP and ASP.NET web applications.
  • Understand — Analyzes Ada, C, C++, Java, Fortran, Jovial, Delphi, VHDL, HTML, CSS, PHP, and JavaScript — reverse engineering of source, code navigation, and metrics tool.
  • Veracode — Finds security flaws in application binaries and bytecode without requiring source. Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java, JSP, ColdFusion, PHP, and Objective-C, including mobile applications on the Windows Mobile, BlackBerry, Android, and iOS platforms.
  • Visual Studio Team System — Analyzes C++ and C# source code; only available in the Team Suite and Development editions.

.NET

  • FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions; by Microsoft.
  • Gendarme — Open-source (MIT License) equivalent to FxCop created by the Mono project. Extensible rule-based tool to find problems in .NET applications and libraries, especially those containing code in ECMA CIL format.
  • StyleCop — Analyzes C# source code to enforce a set of style and consistency rules. It can be run from inside of Microsoft Visual Studio or integrated into an MSBuild project. Free download from Microsoft.
  • CodeIt.Right — Combines static code analysis and automatic refactoring to best practices, which allows automatic correction of code errors and violations; supports C# and VB.NET.
  • CodeRush — A plugin for Visual Studio that addresses a multitude of shortcomings with the popular IDE, including alerting users to violations of best practices by using static code analysis.
  • Parasoft dotTEST — A static analysis, unit testing, and code review plugin for Visual Studio; works with languages for Microsoft .NET Framework and .NET Compact Framework, including C#, VB.NET, ASP.NET and Managed C++.
  • JustCode — Add-on for Visual Studio 2005/2008/2010 for real-time, system-wide code analysis for C#, VB.NET, ASP.NET, XAML, JavaScript, HTML and multi-language systems.
  • NDepend — Simplifies managing a complex .NET code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and by comparing different versions of the code. Integrates into Visual Studio.
  • ReSharper — Add-on for Visual Studio 2003/2005/2008/2010 from the creators of IntelliJ IDEA, which also does static code analysis of C#.
  • Kalistick — Mixing from the cloud: static code analysis with best-practice tips and collaborative tools for Agile teams.

ActionScript

  • Apparat — A language manipulation and optimization framework consisting of intermediate representations for ActionScript.

Ada

  • Ada-ASSURED — A tool that offers coding style checks, standards enforcement and pretty printing features.
  • AdaControl — A tool to control occurrences of various entities or programming patterns in Ada code, used for checking coding standards, enforcement of safety-related rules, and support for various manual inspections.
  • AdaCore CodePeer — Automated code review and bug finder for Ada programs that uses control-flow, data-flow, and other advanced static analysis techniques.
  • Fluctuat — Abstract interpreter for the validation of numerical properties of programs: value analysis, accuracy of finite precision computations, uncertainty propagation, worst case generation, etc.
  • LDRA Testbed — A software analysis and testing tool suite for Ada83/95.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run-time errors in source code.
  • SofCheck Inspector — Static detection of logic errors, race conditions, and redundant code for Ada; automatically extracts pre/postconditions from code.

C/C++

  • cppcheck — Open-source tool that checks for several types of errors, including use of STL.
  • Eclipse — An IDE that includes a static code analyzer (CODAN).
  • BLAST — (Berkeley Lazy Abstraction Software verification Tool) — A software model checker for C programs based on lazy abstraction.
  • Clang — A compiler that includes a static analyzer.
  • Coccinelle — Source code pattern matching and transformation.
  • Frama-C — A static analysis framework for C.
  • Lint — The original static code analyzer for C.
  • Sparse — A tool designed to find faults in the Linux kernel.
  • Splint — An open source evolved version of Lint, for C.
  • Astrée — Exhaustive search for runtime errors and assertion violations by abstract interpretation; tailored towards critical code (avionics).
  • FlexeLint — A multiplatform version of PC-Lint.
  • Green Hills Software DoubleCheck — A software analysis tool for C/C++.
  • Intel Parallel Studio XE — Includes a static security analysis (SSA) feature.
  • LDRA Testbed — A software analysis and testing tool suite for C/C++.
  • Monoidics INFER — A sound tool for C/C++ based on Separation Logic.
  • Parasoft C/C++test — A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
  • PC-Lint — A software analysis tool for C/C++.
  • Polyspace — Uses abstract interpretation to detect and prove the absence of certain run time errors in source code.
  • PVS-Studio — A software analysis tool for C/C++/C++0x.
  • QA-C (and QA-C++) — Deep static analysis of C/C++ for quality assurance and guideline enforcement.
  • Red Lizard's Goanna — Static analysis for C/C++ in Eclipse and Visual Studio.

Java

  • Checkstyle — Besides some static code analysis, it can be used to show violations of a configured coding standard.
  • FindBugs — An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland.
  • Hammurapi — Versatile code review program; free for non-commercial use.
  • PMD — A static ruleset based Java source code analyzer that identifies potential problems.
  • Soot — A language manipulation and optimization framework consisting of intermediate languages for Java.
  • Squale — A platform to manage software quality (also available for other languages, using commercial analysis tools though).
  • Jtest — Testing and static code analysis product by Parasoft.
  • LDRA Testbed — A software analysis and testing tool suite for Java.
  • SemmleCode — Object-oriented code queries for static program analysis.
  • SonarJ — Monitors conformance of code to intended architecture; also computes a wide range of software metrics.
  • Kalistick — A cloud-based platform to manage and optimize code quality for Agile teams with a DevOps spirit.

JavaScript

  • Closure Compiler — JavaScript optimizer that rewrites code to be faster and smaller, and checks use of native JavaScript functions.
  • JSLint — JavaScript syntax checker and validator.

Objective-C

  • Clang — The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.

Perl

  • Perl::Critic — A tool to help enforce common best practices for programming in Perl. Most best practices are based on Damian Conway's Perl Best Practices book.
  • PerlTidy — Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
  • Padre — An IDE for Perl that also provides static code analysis to check for common beginner errors.

Python

  • Pychecker — A Python source code checking tool.
  • Pylint — Static code analyzer for the Python language.

Formal methods tools

Tools that use a formal methods approach to static analysis (e.g., using static program assertions):
  • ESC/Java and ESC/Java2 — Based on Java Modeling Language, an enriched version of Java.
  • MALPAS — A formal methods tool that uses directed graphs and regular algebra to prove that software under analysis correctly meets its mathematical specification.
  • Polyspace — Uses abstract interpretation, a formal methods based technique, to detect and prove the absence of certain run time errors in source code for C/C++ and Ada.
  • SofCheck Inspector — Statically determines and documents pre- and postconditions for Java methods; statically checks preconditions at all call sites; also supports Ada.
  • SPARK Toolset including the SPARK Examiner — Based on the SPARK language, a subset of Ada.

See also

  • Automated code review
  • Best Coding Practices
  • Dynamic code analysis
  • Software metrics
  • Static code analysis
  • Integrated development environment (IDE) and Comparison of integrated development environments. IDEs will usually come with built-in support for static code analysis, or with an option to integrate such support. Eclipse offers such an integration mechanism for most types of extensions (plug-ins).

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.