...
- BLAST: BLAST is a software model checker for C programs (http://mtc.epfl.ch/software-tools/blast/)
- BOON: BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code (http://www.cs.berkeley.edu/~daw/boon/)
- cadvise (hpux only)
- calysto (work in progress by Domagoj Babic; already tried on krb5 code, found some problems; currently a service only, send email to developer)
- ccfinder, ccfinderx (www.ccfinder.net; code clone finder; supports Java, C/C++, VB, C#; runs on Windows XP)
- checkstyle (checkstyle.sourceforge.net; runs many checks on java code including coding conventions, code duplication)
- codesonar (www.grammatech.com; commercial, free trial available; supports c/c++, runs on Windows, Linux and Solaris; does interprocedural, whole-program analysis)
- coverity (current status as of early February: Kerberos team evaluating)
- crap4j: java Change Risk Analysis and Predictions tool: http://www.crap4j.org/
- Eclipse metrics tools:
- flawfinder: basic scanning, easy to set up, GPL -amb (http://www.dwheeler.com/flawfinder/, http://sourceforge.net/projects/flawfinder/)
- fortify findbugs (java only)
- fortify sca
- its4 (www.cigital.com/its4; not supported; just matches on token sequences in un-preprocessed code)
- klocwork insight, klocwork developer (www.klocwork.com; works on c, c++, java)
- MOPS: a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming http://www.cs.berkeley.edu/~daw/mops/; requires user-supplied properties to check; not currently maintained?
- oink (based on cqual) www.cubewano.org/oink
- Ounce Labs' patented Contextual Analysis technology allows source code to be automatically analyzed in a depth and level of detail never before possible: http://www.ouncelabs.com/solutions/solutions-software-portfolio-security.asp
- Pixy (http://pixybox.seclab.tuwien.ac.at/pixy/) checks PHP for XSS and SQL injection vulnerabilities.
- pmd (java only)
- polyspace (www.mathworks.com; supports C/C++, Ada for embedded systems)
- PScan (format string problems mainly; flawfinder, RATS, and gcc can do similar things; server not responding 1/24)
- pychecker (Python only)
- rats (Rough Auditing Tool for Security; rough analysis intended as a starting point for manual analysis; http://www.fortifysoftware.com/security-resources/rats.jsp)
- simian (similarity analyser; www.redhillconsulting.com.au/products/simian/overview.html; identifies duplication in c, c++, c#, java, html, ml, vb, text, etc; runs in .net 1.1 or java 1.4 or later; free for non-commercial or open source use)
- skavenger: mostly for php (fancy grep replacement, really? not interesting. -amb) (http://code.google.com/p/skavenger/)
- SmartRisk Analyzer (gone? originally @stake, which was acquired by Symantec)
- SMATCH: Smatch is C source checker but mainly focused checking the Linux kernel code (http://smatch.sourceforge.net/)
- SourceAudit: C/C++; interesting on paper, at least; costs money? -amb (http://www.sourceaudit.com/products_sa.php)
- SPARROW (http://www.spa-arrow.com/) looks for memory leaks, use-after-free, buffer overruns. Supports Mac, Windows, Linux, Solaris, FreeBSD. On-site demo and trial copy available.
- sparse (http://www.kernel.org/pub/software/devel/sparse/)
- xrefactory (www.xref-tech.com; c and java refactoring tool and source browser; includes emacs support)
- unpaste (finds parallel syntactic constructs that are sometimes duplicated or nearly identical code)
- Veracode SecurityReview (binary code analysis service; web site says results are generally returned in 24-72 hours, which might be useful when preparing for release or deployment but perhaps not as a regular, automatic part of the development process)
...