Static Code Analysis Tools

Apr 14 2020

Static analysis tools are designed to detect defects in the source code of programs. As the name suggests, they work by analyzing the code statically, that is, by examining it without executing it.
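To make the principle concrete, here is a toy static analyzer added for this page (it is not code from the page or from PVS-Studio). It parses a program into an abstract syntax tree and looks for two defect patterns chosen for illustration, an identical left and right operand in a comparison and an if/elif chain that repeats an earlier condition, without ever running the program. The sample function it checks is constructed for the example.

```python
"""Toy static analyzer (added example, not part of the page or of PVS-Studio).

Defects are found by inspecting the program's structure, here Python's AST,
without executing it. Two copy-paste-style patterns are checked, both chosen
for illustration:
  * a comparison whose left and right operands are identical (x == x);
  * an if/elif chain that repeats an earlier condition, so a branch is dead.
"""
import ast
from typing import List, Set, Tuple

Finding = Tuple[int, str]


def _same_expr(a: ast.AST, b: ast.AST) -> bool:
    # Structural equality: ast.dump omits positions, so only the shape counts.
    return ast.dump(a) == ast.dump(b)


class DefectFinder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: Set[Finding] = set()

    def visit_Compare(self, node: ast.Compare) -> None:
        # Check each adjacent operand pair of a (possibly chained) comparison.
        operands = [node.left] + node.comparators
        for lhs, rhs in zip(operands, operands[1:]):
            if _same_expr(lhs, rhs):
                self.findings.add((node.lineno, "identical operands on both sides of a comparison"))
                break
        self.generic_visit(node)

    def visit_If(self, node: ast.If) -> None:
        # Walk the if/elif chain and flag a condition seen earlier in the chain.
        seen = [node.test]
        cur = node
        while len(cur.orelse) == 1 and isinstance(cur.orelse[0], ast.If):
            cur = cur.orelse[0]
            if any(_same_expr(cur.test, s) for s in seen):
                self.findings.add((cur.test.lineno, "condition repeats an earlier branch; this branch is unreachable"))
            seen.append(cur.test)
        self.generic_visit(node)


def analyze(source: str) -> List[Finding]:
    """Return (line, message) findings for the given source text, sorted by line."""
    finder = DefectFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample program containing both defect patterns.
SAMPLE = '''
def classify(value, limit):
    if value == value:          # always true: both sides are the same
        return "same"
    if value > limit:
        return "high"
    elif value < 0:
        return "negative"
    elif value > limit:         # repeats the first branch's condition
        return "unreachable"
    return "other"
'''


def analyze_sample() -> List[Finding]:
    return analyze(SAMPLE)


if __name__ == "__main__":
    for line, message in analyze_sample():
        print(f"line {line}: {message}")
```

Real analyzers differ from this toy mainly in scale: they model data flow across statements and functions, understand the language's full grammar, and carry hundreds of such patterns, but the workflow (parse, build a model, match defect patterns against it) is the same.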

There are many static analysis tools created for various programming languages. A large list of such tools can be found on the Wikipedia website: List of tools for static code analysis. And there is also this interesting list: Awesome Static Analysis.

Our company develops the PVS-Studio analyzer, meant for checking code in C, C++, C#, and Java. The analyzer is a paid B2B solution, but several free-license options are available. Other popular tools for checking code in these languages are listed below.

C/C++

  • Cppcheck. A very popular free open source project. Originally its goal was to report no false positives at all; nowadays the goal is very few false positives. The parser is generic and was designed to analyze the C/C++ code found in embedded projects and similar code bases that use various language extensions; however, it does not support all constructs described by the newer C++ language standards. The data flow analysis is primarily flow-sensitive and bidirectional. In theory you can more or less check your code directly without configuration, but in practice you will want to configure the analysis. Links: site, Wikipedia page.
  • Clang Static Analyzer. Static code analyzer for C/C++/Objective-C built into the Clang compiler. Many other compilers also have decent built-in code analyzers; for example, Visual Studio supports static analysis of Visual C++ projects (compiler flag /analyze). The popularity of Clang Static Analyzer is due to the openness of its code and the ability to write custom extensions. Links: site, Wikipedia page, and articles about checking Clang's code with PVS-Studio: 1, 2, 3, 4.
  • Clang-Tidy. Differs from Clang Static Analyzer in its diagnostic abilities: Clang-Tidy is a linter that checks code for compliance with coding standards. More information about Clang-Tidy can be found on the official website.
  • Frama-C. An open source C program analyzer. Links: site, Wikipedia page.
  • Lint. Mentioned here for its historical value: this tool can be called the first static code analyzer for the C language. The names of many modern analyzers are derived from the word "lint" (cpplint, PC-Lint, Splint, JSLint, Rpmlint, Puppet Lint, Pylint). You can learn more about the tool from the Wikipedia article.
  • Parasoft C/C++test. Widely known and popular code analyzer. A trial is available. Links: site, Wikipedia page.
  • PC-Lint. A highly flexible static analysis tool. That flexibility comes at the price of a large number of settings in configuration files. You can try it for 30 days for educational purposes. Links: site, Wikipedia page.
  • Helix QAC. Static analyzer for C and C++. A trial version can be requested. Links: site, Wikipedia page.

C#

  • ReSharper. It is not a static analyzer in the classical sense, as it provides few usage scenarios. A Visual Studio plugin that performs static analysis of C# code, among other languages. A 30-day trial is available. In 2020, the price was $12.90 per month for individual use. Links: site, Wikipedia page.
  • FxCop. Free static code analysis tool from Microsoft. Analyzes bytecode (CIL) for compliance with Microsoft's application design guidelines. At the moment, the project is dead.
  • Roslyn Analyzers. A set of static code analyzers for C# and Visual Basic based on the .NET Compiler Platform ("Roslyn"). Unlike FxCop, it analyzes source code. As part of this project, a port of the most important FxCop rules was also produced. Links: site, GitHub.
  • Security Code Scan. Static code analyzer for C# and Visual Basic based on the .NET Compiler Platform ("Roslyn") that detects error patterns related to application security: SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), and others. Analyzes source code. Links: website, GitHub.
  • Roslynator. A set of static code analyzers for C# based on the .NET Compiler Platform ("Roslyn"). Analyzes source code. Link: GitHub.
  • CodeRush. Plugin for Visual Studio. The product is commercial, but a trial version is available. Links: site, Wikipedia page.
  • Parasoft dotTEST. A set of tools for testing .NET applications, including a static code analyzer. Works as a Visual Studio plugin. As in the previous case, the product is commercial and a trial version is available. Links: site, Wikipedia page.

Java

  • FindBugs. The most famous free static Java code analyzer. Analyzes the program's bytecode. At the moment, the project is dead. Link: site.
  • SpotBugs. The successor of FindBugs. An open source project. Link: site.
  • IntelliJ IDEA. A development environment from JetBrains that includes a set of code inspections for finding, highlighting, and fixing anomalies in code. Links: site, list of inspections, Wikipedia page.
  • SonarJava. Static code analyzer for Java developed by SonarSource that looks for code smells, errors, and vulnerabilities. Link: site.

Several languages

  • Coverity. Considered one of the best static code analyzers on the market. It runs a program offering free scanning of open source applications. Links: site, Wikipedia page.
  • Klocwork Insight. One of the leaders of the static code analyzer market. Links: site, Wikipedia page.
  • Checkmarx CxSuite. A static analyzer meant to search for backdoors and vulnerabilities, which lets you detect and eliminate security issues at the source code level. Supports a wide range of programming languages: Java, C#, Visual Basic, C/C++, Ruby, JavaScript, Perl, and others. Link: site.

In addition to the above, ML-based analyzers are being actively developed. A few examples of such analyzers follow:

  • DeepCode. The authors of this Swiss startup claim that DeepCode is able to detect vulnerabilities such as cross-site scripting and SQL injection, because its algorithms do not treat the code merely as a sequence of characters but try to understand the meaning and purpose of the program. More information about the startup can be found on the official website.
  • SapFix. Created by Facebook engineers to reduce the time engineers spend on debugging and to accelerate the deployment of new software. You can read about it at this Facebook link.
  • Source{d}. A startup founded in Spain. The official site, at the time of writing this text, showed no signs of life, so for reference we leave a link only to GitHub.
  • CodeGuru. Authored by Amazon engineers, who consider the strength of their analyzer to be its help in finding ways to optimize the performance of your code. Link to the official website here.
  • Infer. Static analyzer for C/C++, Objective-C, and Java, developed by Facebook. It is an open source analyzer. Links: site, Wikipedia page.

However, although ML clearly has a place in error detection, such analyzers have many shortcomings. Looking into the future, it seems to us that ML is just one of the technologies that will help in the fight against bugs. Our attitude towards ML-based analyzers is described in the article "Machine Learning in Static Analysis of Program Source Code".
