...
- BLAST: BLAST is a software model checker for C programs (http://mtc.epfl.ch/software-tools/blast/)
- BOON: BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code (http://www.cs.berkeley.edu/~daw/boon/)
- cadvise (HP-UX only)
- calysto (work in progress by Domagoj Babic; already tried on krb5 code, found some problems; currently a service only, send email to developer)
- ccfinder, ccfinderx (www.ccfinder.net; code clone finder; supports Java, C/C++, VB, C#; runs on Windows XP)
- checkstyle (checkstyle.sourceforge.net; runs many checks on java code including coding conventions, code duplication)
- codesonar (www.grammatech.com; commercial, free trial available; supports C/C++, runs on Windows, Linux and Solaris; does interprocedural, whole-program analysis)
- coverity (current status as of early February: Kerberos team evaluating)
- crap4j: java Change Risk Analysis and Predictions tool: http://www.crap4j.org/
- Eclipse metrics tools:
- flawfinder: basic scanning, easy to set up, GPL -amb (http://www.dwheeler.com/flawfinder/, http://sourceforge.net/projects/flawfinder/)
- fortify findbugs (Java only)
- fortify sca
- its4 (www.cigital.com/its4; not supported; just matches on token sequences in un-preprocessed code)
- klocwork insight, klocwork developer (www.klocwork.com; works on C, C++, Java)
- MOPS: a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming http://www.cs.berkeley.edu/~daw/mops/; requires user-supplied properties to check; not currently maintained?
- oink (based on cqual; www.cubewano.org/oink)
- Ounce Labs (commercial; the vendor markets its patented "Contextual Analysis" technology as automated source code analysis at a depth and level of detail it claims was not previously possible): http://www.ouncelabs.com/solutions/solutions-software-portfolio-security.asp
- Pixy (http://pixybox.seclab.tuwien.ac.at/pixy/) checks PHP for XSS and SQL injection vulnerabilities.
- pmd (Java only)
- polyspace (www.mathworks.com; supports C/C++, Ada for embedded systems)
- PScan (format string problems mainly; flawfinder, RATS, and gcc can do similar things; server not responding 1/24)
- pychecker (Python only)
- rats (Rough Auditing Tool for Security; rough analysis intended as a starting point for manual analysis; http://www.fortifysoftware.com/security-resources/rats.jsp)
- simian (similarity analyser; www.redhillconsulting.com.au/products/simian/overview.html; identifies duplication in C, C++, C#, Java, HTML, ML, VB, text, etc.; runs on .NET 1.1 or Java 1.4 or later; free for non-commercial or open source use)
- skavenger: mostly for php (fancy grep replacement, really? not interesting. -amb) (http://code.google.com/p/skavenger/)
- SmartRisk Analyzer (gone? originally @stake, which was acquired by Symantec)
- SMATCH: Smatch is a C source checker, mainly focused on checking Linux kernel code (http://smatch.sourceforge.net/)
- SourceAudit: C/C++; interesting on paper, at least; costs money? -amb (http://www.sourceaudit.com/products_sa.php)
- SPARROW (http://www.spa-arrow.com/) looks for memory leaks, use-after-free, buffer overruns. Supports Mac, Windows, Linux, Solaris, FreeBSD. On-site demo and trial copy available.
- sparse (http://www.kernel.org/pub/software/devel/sparse/)
- xrefactory (www.xref-tech.com; C and Java refactoring tool and source browser; includes Emacs support)
- unpaste (finds parallel syntactic constructs, i.e. code that has been duplicated or is nearly identical)
- Veracode SecurityReview (binary code analysis service?; web site says results are generally returned in 24-72 hours, which might be useful when preparing for release or deployment but perhaps not as a regular, automatic part of the development process)
See also lists at:
- http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis (has some commentary, and includes many tools not explicitly listed above)
- http://samate.nist.gov/index.php/Tools
- http://www.dwheeler.com/flawfinder/ (has commentary on some tools)
- http://www.securityfocus.com/tools/
- http://www.vanheusden.com/audit.html
- http://seclab.cs.ucdavis.edu/projects/testing/tools/ (in-depth analysis of many tools)
...
- tool status: prototype, fully functional, development ongoing, maintained, stagnant, dead
- license: Is it open source, or do we have to keep access restricted? What restrictions are there on how we can use it? (Can we use it on a shared build engine?) Can we make minor fixes if necessary? Price? Can we make public a review or analysis of the tool? Do we have to restrict who can see the results?
- support: Is help available if we run into problems?
- languages: Which programming languages are supported, and how well?
- platforms: Windows? Mac? UNIX? What implementation language? Other packages that need to be installed to support it?
- ease of use: Invoke via command line or makefile? Plug in to Eclipse? Has its own GUI? Does it need to be fed all the source for a program at once? Can it analyze libraries we write, and applications using analyzed libraries, or only whole-program analysis?
- intrusiveness: Does it require stylized code, magic comments, additional input or generated files? Would the stylized code, if needed, trigger complaints from other tools?
- types of analysis: What kind of problems or issues does it look for?
- hit rate: Does it miss a lot of problems? Does it report a lot of false positives?
- false positive suppression: Can we suppress false positives we've analyzed and found to be okay?
- maintenance: Is it being actively developed, or at least maintained?