Static Code Analysis Tools
Static analysis tools are designed to detect defects in the source code of programs. As the name implies, they work by analyzing the code statically, that is, without executing it.
There are many static analysis tools created for various programming languages. A large list of such tools can be found on the Wikipedia website: List of tools for static code analysis. Another useful list is Awesome Static Analysis.
Our company develops the PVS-Studio analyzer, meant for checking code in the C, C++, C#, and Java languages. The analyzer is a paid B2B solution, but several free licensing options are available. Some other popular tools for checking code in these languages are listed below.
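To make the principle described above concrete, here is a small added example (our own illustration, not code from any of the tools listed on this page): a toy analyzer that parses source text into a syntax tree and reports two defect patterns without ever running the program. The sample input, the rule names `SQLI` and `SELFCMP`, and the `analyze` function are all constructed for this illustration. It is written in Python so that it runs with the standard library alone; real tools apply the same idea to C, C++, C# or Java code.

```python
# Toy static analyzer (added example, not part of any tool on this page).
# It parses Python source into a syntax tree and looks for two defect
# patterns without executing the program, which is the principle every
# static analyzer on this page is built on.
import ast
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int      # source line the diagnostic refers to
    rule: str      # short rule identifier (constructed for this example)
    message: str   # human-readable explanation


class DefectVisitor(ast.NodeVisitor):
    """Walks the syntax tree once and records suspicious patterns."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    @staticmethod
    def _is_dynamic_string(expr: ast.expr) -> bool:
        """True if the expression builds a string from non-constant parts."""
        if isinstance(expr, ast.JoinedStr):               # f"..."
            return any(isinstance(v, ast.FormattedValue) for v in expr.values)
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
            # "a" + "b" and "x" % "y" are constant folds, not injection points:
            # skipping them keeps the false-positive rate down.
            return not (isinstance(expr.left, ast.Constant)
                        and isinstance(expr.right, ast.Constant))
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):           # "...".format(x)
            return True
        return False

    def visit_Call(self, node: ast.Call) -> None:
        # Rule SQLI: the query passed to .execute() is assembled from data at
        # runtime instead of being a constant with bound parameters.
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
                and node.args and self._is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                node.lineno, "SQLI",
                "query text is built dynamically; pass values as parameters"))
        self.generic_visit(node)

    def visit_Compare(self, node: ast.Compare) -> None:
        # Rule SELFCMP: an expression compared with itself, a classic
        # copy-paste defect that bug-pattern analyzers report.
        if (len(node.comparators) == 1
                and ast.dump(node.left) == ast.dump(node.comparators[0])):
            self.findings.append(Finding(
                node.lineno, "SELFCMP", "expression is compared with itself"))
        self.generic_visit(node)


def analyze(source: str) -> List[Finding]:
    """Parse the source text and return findings ordered by line number."""
    visitor = DefectVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: lines 3, 5 and 7 contain defects, lines 4 and 6 do not.
SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
    cur.execute(f"DELETE FROM sessions WHERE uid = {user}")
    cur.execute("SELECT 1" + " FROM dual")
    if user == user:
        return None
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Two design points carry over to real analyzers. The check is purely syntactic, so the parametrised query on line 4 and the concatenation of two constants on line 6 are deliberately not reported: keeping the false-positive rate low is what makes a tool usable day to day. And the same tree walk can host many independent rules, which is how a single analyzer covers both security patterns such as SQL injection and plain bug patterns such as a self-comparison.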
C/C++
- Cppcheck. A very popular free open source project. Its original goal was to report no false positives at all; nowadays the goal is very few false positives. The parser is generic and was designed to analyze the C/C++ code found in embedded projects etc. that use various language extensions. However, the parser does not support all constructs described by the newer C++ language standards. The data flow analysis is primarily flow-sensitive and bidirectional. In theory you can more or less check your code directly without configuration; in practice you will want to configure the analysis. Links: site, Wikipedia website page.
- Clang Static Analyzer. Static code analyzer for the C/C++/Objective-C languages built into the Clang compiler. Many other compilers also have decent built-in code analyzers; for example, Visual Studio supports static analysis of Visual C++ projects (compiler flag /analyze). The popularity of Clang Static Analyzer is due to the openness of its code and the ability to write custom extensions. Links: site, page on the Wikipedia website, about checking Clang code using PVS-Studio - 1, 2, 3, 4.
- Clang-Tidy differs from Clang Static Analyzer in its diagnostic abilities: Clang-Tidy is a linter that checks code compliance with coding standards. More information about Clang-Tidy can be found on the official website.
- Frama-C. An open source C program analyzer. Links: site, page on the Wikipedia site.
- Lint. Mentioned here, as it is of historical value. This tool can be called the first static code analyzer for the C language. The names of many modern analyzers are derived from the word "lint" (cpplint, PC-Lint, Splint, JSLint, Rpmlint, Puppet Lint, Pylint). You can learn more about the tool from the Wikipedia article.
- Parasoft C/C++test. A widely known and popular code analyzer. A trial is available. Links: site, page on the Wikipedia site.
- PC-Lint. A highly flexible static analysis tool. Analysis flexibility comes at the price of a large number of settings in configuration files. You can try it for 30 days for educational purposes. Links: page on the Wikipedia site.
- Helix QAC. Static analyzer for the C and C++ languages. It is possible to request a trial version. Links: site, page on the Wikipedia site.
C#
- ReSharper. It is not a static analyzer in the classical sense, as it provides few usage scenarios. It is a Visual Studio plugin that performs static analysis of C# and other code. A 30-day trial is available. In 2020, the price was $12.90 per month for individual use. Links: site, page on the Wikipedia site.
- FxCop. Free static code analysis tool from Microsoft. It analyzes bytecode (CIL) for compliance with Microsoft's application design guidelines. At the moment, the project is dead.
- Roslyn Analyzers. A set of static code analyzers for C# and Visual Basic based on the .NET Compiler Platform ("Roslyn"). Unlike FxCop, it performs source code analysis. As part of this project, a port of the most important FxCop rules was also produced. Links: site, GitHub.
- Security Code Scan. Static code analyzer based on the .NET Compiler Platform ("Roslyn") for the C# and Visual Basic languages, detecting error patterns related to application security: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE) and others. It performs source code analysis. Links: website, GitHub.
- Roslynator. A set of static code analyzers for the C# language based on the .NET Compiler Platform ("Roslyn"). It performs source code analysis. Link to GitHub.
- CodeRush. Plugin for Visual Studio. The product is commercial, but a trial version is available. Links: site.
- Parasoft dotTEST. A set of tools for testing .NET applications, including a static code analyzer. It works as a plugin for Visual Studio. As in the previous case, the product is commercial but a trial version is available. Links: site, page on the Wikipedia site.
Java
- FindBugs. The best-known free static analyzer for Java code. It analyzes the program's bytecode. At the moment, the project is dead. Link to the site.
- SpotBugs. The successor of FindBugs. An open source project. Link to the site.
- IntelliJ IDEA. A development environment from JetBrains that includes a set of code inspections for finding, highlighting and fixing anomalies in code. Links: site, list of inspections, page on the Wikipedia site.
- SonarJava. Static code analyzer developed by SonarSource for the Java language, searching for code smells, errors and vulnerabilities. Link to the site.
Several languages
- Coverity. It is considered one of the best static code analyzers on the market. It supports a program for free verification of open source applications. Links: site, page on the Wikipedia site.
- Klocwork Insight. One of the leaders of the static code analyzer market. Links: site, page on the Wikipedia site.
- Checkmarx CxSuite. A static analyzer meant to search for backdoors and vulnerabilities, which allows detecting and eliminating security issues at the source code level. It supports a wide range of programming languages: Java, C#, Visual Basic, C/C++, Ruby, JavaScript, Perl and others. Link to the site.
In addition to the above, ML-based analyzers are under active development. The following are a few examples of such analyzers:
- DeepCode. The authors of this Swiss startup claim that DeepCode is able to detect vulnerabilities such as cross-site scripting and SQL injection, since its algorithms do not just analyze the code as a set of characters but try to understand the meaning and purpose of the written program. More information about the startup can be found on the official website.
- SapFix. Created by Facebook engineers to reduce the time engineers spend on debugging, as well as to speed up the deployment of new software.
- Source{d}. A startup based in Spain. At the time of writing, the official site showed no signs of life, so for reference we leave a link only to GitHub.
- CodeGuru. CodeGuru is authored by Amazon engineers, who consider the strength of their analyzer to be help in finding ways to optimize the performance of your code. Link to the official website here.
- Infer. Static analyzer for languages C/C++, Objective-C and Java, developed by Facebook. It is an open source analyzer. Links: site, page on the Wikipedia site.
However, although the value of ML in the field of error detection cannot be denied, such analyzers have many shortcomings. Looking into the future, it seems to us that ML is just one of the technologies that will help in the fight against bugs. Our attitude towards ML-based analyzers is described in the article "Machine Learning in Static Analysis of Program Source Code".