A list of tools that can be used for automated source code review

| Tool name | Language | Cost / Vendor | Description | Date |
|---|---|---|---|---|
| ASTRÉE | C | Contact | undefined code constructs or run-time errors, e.g., out-of-bounds array indexing or arithmetic overflow | 1 Mar 2007 |
| BOON | C | Free | integer range analysis determines if an array can be indexed outside its bounds | 15 Feb 2005 |
| C Code Analyzer | C | Free | out-of-bounds array indexing or arithmetic overflow; aims for no false positives | 20 Apr 2006 |
| C++test | C++ | Parasoft | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006 |
| .TEST | C#, VB.NET, MC++ | Parasoft | as for C++test | |
| Jtest | Java | Parasoft | as for C++test | |
| WebKing | HTML | Parasoft | as for C++test | |
| CodeAssure | C, C++, Java | Secure Software | unvalidated input, cryptographic problems, missed exceptions, etc. | 2005 |
| CodeCenter | C | CenterLine Systems | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | 28 Oct 2005 |
| CodeScan | ASP, PHP | CodeScan Labs | "... security holes and source code issues ..." | 10 Oct 2006 |
| CodeSonar | C, C++ | GrammaTech | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | 21 Mar 2005 |
| CQual | C | Free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | 15 Feb 2005 |
| Csur | C | Free | cryptographic protocol-related vulnerabilities | 10 Apr 2006 |
| DevInspect | C#, Visual Basic, JavaScript, VBScript | SPI Dynamics | application vulnerabilities | 21 Dec 2004 |
| DevPartner SecurityChecker | C#, Visual Basic | Compuware | known and potential security vulnerabilities | 10 Oct 2006 |
| Eau Claire | C | Unknown | array bounds errors, null pointer dereferences, string functions | 15 Feb 2005 |
| Flawfinder | C/C++ | Free | uses of risky functions: buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()) | 2005 |
| Fluid | Java | Contact | "analysis based verification" for attributes such as race conditions, thread policy, and object access, with no false negatives | 28 Oct 2005 |
| ITS4 | C, C++ | Free | potentially dangerous function calls, with risk analysis of some | 11 Feb 2005 |
| Jlint | Java | Free | bugs, inconsistencies and synchronization problems | 3 Feb 2006 |
| K7 | C, C++, and Java | Klocwork | access problems, buffer overflow, injection flaws, insecure storage, unvalidated input, etc. | 6 July 2005 |
| LAPSE | Java | Free | helps audit Java J2EE applications for common types of security vulnerabilities found in Web applications | 19 Sep 2006 |
| MILK | Java | Free | Milk is a security source code assessment tool using Orizon as API. Milk scans Java and .NET source files in order to perform a security code review, trying to point out misuse of safe coding best practices | 19 Sep 2006 |
| PHP-Sat | PHP | Free | static analysis tool; XSS, etc. (description: http://ericbouwers.blogspot.com/) | 18 Sep 2006 |
| PMD | Java | Free | questionable constructs, dead code, duplicate code | 3 Feb 2006 |
| PolySpace | Ada, C, C++ | PolySpace Technologies | run-time errors, unreachable code | 25 Feb 2005 |
| PREfix and PREfast | C, C++ | Microsoft | proprietary | 10 Feb 2006 |
| Prevent | C, C++ | Coverity | flaws and security vulnerabilities; reduces false positives while minimizing the likelihood of false negatives | 11 Mar 2005 |
| Prexis | C, C++, Java, JSP, J2EE, Struts, "and more" | Ounce Labs | coding errors, design flaws, and policy violations | 7 Dec 2005 |
| QA-C, QA-C++, QA-J, QA-FORTRAN, QA-High-Integrity C | C, C++, Java, FORTRAN | Programming Research | out-of-bounds array indexing | 10 Dec 2004 |
| RATS | C | Free | potential security risks | 2005 |
| Resource Standard Metrics | C, C++, C#, and Java | M Squared Technologies | scans for 50 readability or portability problems or questionable constructs, e.g. a different number of "new" and "delete" keywords, or an assignment operator (=) in a conditional (if) | 10 Dec 2004 |
| Smatch | C | Free | simple scripts look for problems in a simplified representation of the code; primarily for Linux kernel code | 20 Apr 2006 |
| SofCheck Inspector | Java | SofCheck | creates assertions for each module, then tries to prove that the system obeys the assertions and is free of runtime errors | 8 Jun 2006 |
| SCA | ASP.NET, C, C++, C# and other .NET languages, Java, JSP, PL/SQL, T-SQL, VB.NET, XML | Fortify Software | security vulnerabilities, tainted data flow, etc. | 21 Apr 2006 |
| SCARE | C, possibly any language | Free | The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that will analyze source code and provide a realistic and factual representation of the potential of that source code to create a problematic binary | 10 Dec 2007 |
| Skavenger | PHP, but also usable on any kind of source code file | Free | Skavenger is a source code auditing tool written in PHP. It works in the same way as egrep/sed, with the ability to parse several files in one run, or even an entire directory. It can also take a series of regular expressions from a file and apply them simultaneously to the targeted file | 15 Dec 2007 |
| SPARK tool set | SPARK (Ada subset) | Praxis | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | 29 Aug 2006 |
| Splint | C | Free | security vulnerabilities and coding mistakes; with annotations, it performs stronger checks | 2005 |
| UNO | C | Free | uninitialized variables, null pointers, and out-of-bounds array indexing, and "allows for the specification and checking of a broad range of user-defined properties"; aims for a very low false alarm rate | 3 Feb 2006 |
| Viva64 | C++ | Viva64 | finds problems in porting to 64-bit architectures, e.g. out-of-bounds indexing or arithmetic overflow | 07 Feb 2007 |
| xg++ | C | Unknown | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking (http://www.stanford.edu/~engler/sp-ieee-02.pdf), etc. | 15 Feb 2005 |
| Orizon | Java | Free | Orizon is a framework intended to provide tools and facilities to test Java sources for security flaws. The main goal is to detect common threats as described in the OWASP Top 10 vulnerability document | 07 May 2007 |
| Pixy | PHP | Free | Pixy is a Java program that performs automatic scans of PHP 4 source code, aimed at the detection of XSS and SQL injection vulnerabilities | 27 June 2007 |
