Tool | Languages | Vendor or availability | What it looks for | Date |
ASTRÉE | C | Contact | undefined code constructs or run-time errors, e.g., out-of-bounds array indexing or arithmetic overflow | 1 Mar 2007 |
BOON | C | Free | integer range analysis determines whether an array can be indexed outside its bounds | 15 Feb 2005 |
C Code Analyzer | C | Free | out-of-bounds array indexing or arithmetic overflow; aims for no false positives | 20 Apr 2006 |
C++test | C++ | Parasoft | “defects, poor constructs, potentially malicious code and other elements” | 4 Apr 2006 |
.TEST | C#, VB.NET, MC++ | Parasoft | | |
Jtest | Java | Parasoft | | |
WebKing | HTML | Parasoft | | |
CodeAssure | C, C++, Java | Secure Software | unvalidated input, cryptographic problems, missed exceptions, etc. | 2005 |
CodeCenter | C | CenterLine Systems | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | 28 Oct 2005 |
CodeScan | ASP, PHP | CodeScan Labs | … security holes and source code issues … | 10 Oct 2006 |
CodeSonar | C, C++ | GrammaTech | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | 21 Mar 2005 |
CQual | C | Free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | 15 Feb 2005 |
Csur | C | Free | cryptographic protocol-related vulnerabilities | 10 Apr 2006 |
DevInspect | C#, Visual Basic, JavaScript, VB Script | SPI Dynamics | application vulnerabilities | 21 Dec 2004 |
DevPartner SecurityChecker | C#, Visual Basic | Compuware | known and potential security vulnerabilities | 10 Oct 2006 |
Eau Claire | C | Unknown | array bounds errors, null pointer dereferences, string functions | 15 Feb 2005 |
Flawfinder | C/C++ | Free | uses of risky functions: buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()) | 2005 |
Fluid | Java | Contact | “analysis-based verification” of attributes such as race conditions, thread policy, and object access, with no false negatives | 28 Oct 2005 |
ITS4 | C, C++ | Free | potentially dangerous function calls, with risk analysis of some | 11 Feb 2005 |
Jlint | Java | Free | bugs, inconsistencies and synchronization problems | 3 Feb 2006 |
K7 | C, C++, and Java | Klocwork | Access problems, buffer overflow, injection flaws, insecure storage, unvalidated input, etc. | 6 July 2005 |
LAPSE | Java | Free | helps audit Java J2EE applications for common types of security vulnerabilities found in Web applications | 19 Sep 2006 |
MILK | Java | Free | security source code assessment tool using Orizon as its API; scans Java and .NET source files for a security code review, pointing out misuse of secure-coding best practices | 19 Sep 2006 |
PHP-Sat | PHP | Free | static analysis tool for XSS, etc.; description at http://ericbouwers.blogspot.com/ | 18 Sep 2006 |
PMD | Java | Free | questionable constructs, dead code, duplicate code | 3 Feb 2006 |
PolySpace | Ada, C, C++ | PolySpace Technologies | run-time errors, unreachable code | 25 Feb 2005 |
PREfix and PREfast | C, C++ | Microsoft (proprietary) | | 10 Feb 2006 |
Prevent | C, C++ | Coverity | flaws and security vulnerabilities; reduces false positives while minimizing the likelihood of false negatives | 11 Mar 2005 |
Prexis | C, C++, Java, JSP, J2EE, Struts, “and more” | Ounce Labs | coding errors, design flaws, and policy violations | 7 Dec 2005 |
QA-C, QA-C++, QA-J, QA-FORTRAN, QA-High-Integrity C | C, C++, Java, FORTRAN | Programming Research | out-of-bounds array indexing | 10 Dec 2004 |
RATS | C | Free | potential security risks | 2005 |
Resource Standard Metrics | C, C++, C#, and Java | M Squared Technologies | scans for 50 readability or portability problems or questionable constructs, e.g. a different number of “new” and “delete” keywords, or an assignment operator (=) in a conditional (if) | 10 Dec 2004 |
Smatch | C | Free | simple scripts look for problems in a simplified representation of the code; primarily for Linux kernel code | 20 Apr 2006 |
SofCheck Inspector | Java | SofCheck | creates assertions for each module, then tries to prove that the system obeys the assertions and is free of run-time errors | 8 Jun 2006 |
SCA | ASP.NET, C, C++, C# and other .NET languages, Java, JSP, PL/SQL, T-SQL, VB.NET, XML | Fortify Software | security vulnerabilities, tainted data flow, etc. | 21 Apr 2006 |
SCARE | C, maybe any language | Free | The Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that analyzes source code and gives a realistic, factual representation of the potential of that source code to produce a problematic binary | 10 Dec 2007 |
Skavenger | PHP, but usable on any kind of source file | Free | source code auditing tool written in PHP; works like egrep/sed but can process several files, or an entire directory, in one run, and can read a set of regular expressions from a file to apply simultaneously to the target files | 15 Dec 2007 |
SPARK tool set | SPARK (Ada subset) | Praxis | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | 29 Aug 2006 |
Splint | C | Free | security vulnerabilities and coding mistakes; with annotations, it performs stronger checks | 2005 |
UNO | C | Free | uninitialized variables, null pointers, and out-of-bounds array indexing; “allows for the specification and checking of a broad range of user-defined properties”; aims for a very low false alarm rate | 3 Feb 2006 |
Viva64 | C++ | Viva64 | finds problems in porting to 64-bit architectures, e.g. out-of-bounds indexing or arithmetic overflow | 7 Feb 2007 |
xg++ | C | Unknown | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking (http://www.stanford.edu/~engler/sp-ieee-02.pdf), etc. | 15 Feb 2005 |
Orizon | Java | Free | framework intended to provide tools and facilities for testing Java sources for security flaws; the main goal is to detect the common threats described in the OWASP Top 10 | 7 May 2007 |
Pixy | PHP | Free | Java program that performs automatic scans of PHP 4 source code, aimed at detecting XSS and SQL injection vulnerabilities | 27 Jun 2007 |
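To make concrete what the lexical scanners in this table (ITS4, RATS and Flawfinder) do, and where their limit lies, here is an added example rather than code from any of those tools: a small Python scanner that tokenizes C source just far enough to skip comments and string literals, looks every call site up in a risk table, and for the printf family reports a call only when the format argument is not a string literal. The risk table, the severity levels and the sample C function are constructed for the illustration and are not taken from any real tool or project.

```python
import re
from collections import namedtuple

# Hypothetical risk table: function -> (what a call suggests, severity 1..5).
RISKY = {
    "strcpy": ("buffer overflow", 4),
    "sprintf": ("buffer overflow", 4),
    "printf": ("format string", 4),
    "fprintf": ("format string", 4),
    "mktemp": ("insecure temporary file", 4),
    "access": ("check-then-use race condition", 4),
    "system": ("shell metacharacters", 4),
}
# 0-based position of the format argument for the format-string functions.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1}

# Comments and string literals are matched first, so their contents are never
# seen as identifiers: strcpy() inside a comment or a string is not reported.
TOKEN = re.compile(
    r"(?P<comment>//[^\n]*|/\*.*?\*/)"
    r'|(?P<string>"(?:\\.|[^"\\])*")'
    r"|(?P<char>'(?:\\.|[^'\\])')"
    r"|(?P<ident>[A-Za-z_]\w*)"
    r"|(?P<punct>[(),;{}])"
    r"|(?P<ws>\s+)"
    r"|(?P<other>.)",
    re.S,
)

Finding = namedtuple("Finding", "line func category level")


def tokenize(src):
    """Yield (kind, text, line) for every token except comments and whitespace."""
    line = 1
    for m in TOKEN.finditer(src):
        if m.lastgroup not in ("comment", "ws"):
            yield m.lastgroup, m.group(), line
        line += m.group().count("\n")


def split_args(toks, open_idx):
    """Split the call whose '(' is toks[open_idx] into per-argument token
    lists; returns (args, index just past the matching ')')."""
    depth, args, cur = 0, [], []
    for j in range(open_idx, len(toks)):
        text = toks[j][1]
        depth += text == "("
        depth -= text == ")"
        if depth == 0:                            # matching ')' reached
            return (args + [cur] if cur or args else []), j + 1
        if text == "," and depth == 1:            # top-level separator
            args.append(cur)
            cur = []
        elif not (text == "(" and depth == 1):    # skip only the opening '('
            cur.append(toks[j])
    return args, len(toks)                        # unbalanced: stop at end of input


def scan(src):
    """Return Findings for one C source text, in source order."""
    toks = list(tokenize(src))
    findings, i = [], 0
    while i < len(toks):
        kind, text, line = toks[i]
        is_call = kind == "ident" and i + 1 < len(toks) and toks[i + 1][1] == "("
        if not (is_call and text in RISKY):
            i += 1
            continue
        args, i = split_args(toks, i + 1)
        category, level = RISKY[text]
        fmt_idx = FORMAT_ARG.get(text)
        if fmt_idx is not None and fmt_idx < len(args):
            fmt = args[fmt_idx]
            # A format made only of string literals carries no attacker-chosen
            # directives; sprintf stays reported because its buffer is unbounded.
            if fmt and all(t[0] == "string" for t in fmt) and text != "sprintf":
                continue
        findings.append(Finding(line, text, category, level))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = r'''
#include <stdio.h>
/* strcpy() in a comment must not be reported */
void log_msg(const char *user, const char *msg)
{
    char buf[64];
    strcpy(buf, user);               /* unbounded copy */
    printf("user: %s\n", buf);       /* constant format: not reported */
    printf(msg);                     /* caller-controlled format string */
    fprintf(stderr, "%s\n", "printf(x) inside a string literal");
    if (access(buf, W_OK) == 0)      /* check-then-use race */
        system(buf);                 /* shell metacharacters */
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line}: [{f.level}] {f.func}(): {f.category}")
```

Running the block prints one line per finding with its source line and severity: the strcpy(), the printf(msg), the access() and the system() calls are reported, while the printf() and fprintf() calls with constant formats and the mentions of strcpy() and printf() inside the comment and the string literal are not. What the scanner cannot do is exactly what separates the lexical tools from the rest of the table: it has no notion of data flow, so it cannot tell whether buf is large enough for user, or whether msg ever reaches the call from untrusted input (the question that CQual's taint analysis and the dataflow engines in CodeSonar, Prevent and Fortify SCA set out to answer), and a prototype or wrapper named strcpy is reported just like a call.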