Code Audit Tool List

A collection of code audit tools


| Tool | Language(s) | Avail. / CCR | Finds or checks for | As of |
|---|---|---|---|---|
| ABASH | Bash | free | String expansion errors, option insertion errors, and other weaknesses that may lead to security vulnerabilities. | Mar-12 |
| ApexSec Security Console | PL/SQL (Oracle Apex) | Recx | SQL Injection, Cross-Site Scripting, Access Control and Configuration issues within an Apex application | Mar-10 |
| Astrée | C | AbsInt | undefined code constructs and run-time errors, e.g., out-of-bounds array indexing or arithmetic overflow. | Jun-09 |
| BOON | C | free | integer range analysis determines if an array can be indexed outside its bounds | Feb-05 |
| bugScout | Java, C#, Visual Basic, ASP, PHP | buguroo | multiple security failures, such as deprecated library errors, vulnerable functions, sensitive information within the source code comments, etc. | Mar-12 |
| C/C++test® | C, C++ | Parasoft | defects such as memory leaks, buffer issues, security issues and arithmetic issues, plus SQL injection, cross-site scripting, exposure of sensitive data and other potential issues | Dec-13 |
| dotTEST™ | C#, VB.NET, MC++ | Parasoft | as for C/C++test® above | Dec-13 |
| Jtest® | Java | Parasoft | as for C/C++test® above | Dec-13 |
| HP Code Advisor (cadvise) | C, C++ | HP | many lint-like checks plus memory leak, potential null pointer dereference, tainted data for file paths, and many others | Dec-13 |
| Checkmarx CxSAST | Java, JavaScript, PHP, C#, VB.NET, VB6, ASP.NET, C/C++, Apex, Ruby, Perl, Objective-C, Python, Groovy, HTML5, Swift, APEX, J2SE, J2EE | Checkmarx | All OWASP Top 10 and SANS 25 vulnerabilities and compliance with PCI-DSS, HIPAA, and MISRA requirements along with custom queries, all with a low rate of false positives and easy to integrate throughout the SDLC. | Mar-16 |
| Clang Static Analyzer | C, Objective-C | free | Reports dead stores, memory leaks, null pointer dereferences, and more. Uses source annotations like "nonnull". | Aug-10 |
| Closure Compiler | JavaScript | free | Removes dead code, checks syntax, variable references and types, and warns about common JavaScript pitfalls. | Feb-14 |
| CodeCenter | C | ICS | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | Apr-11 |
| CodePeer | Ada | AdaCore | detects uninitialized data, pointer misuse, buffer overflow, numeric overflow, division by zero, dead code, concurrency faults (race conditions), unused variables, etc. | Apr-10 |
| CodeSecure | ASP.NET, C#, PHP, Java, JSP, VB.NET, others | Armorize Technologies | XSS, SQL Injection, Command Injection, tainted data flow, etc. | Aug-12 |
| CodeSonar | C and C++ | GrammaTech | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | Nov-12 |
| Coverity SAVE™ | C, C++, Java, C# | Coverity | flaws and security vulnerabilities; reduces false positives while minimizing the likelihood of false negatives. | Apr-11 |
| Cppcheck | C, C++ | free | pointer to a variable that goes out of scope, bounds, classes (missing constructors, unused private functions, etc.), exception safety, memory leaks, invalid STL usage, overlapping data in sprintf, division by zero, null pointer dereference, unused struct member, passing parameter by value, etc. Aims for no false positives. | Feb-10 |
| CQual | C | free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | Feb-05 |
| Csur | C | free | cryptographic protocol-related vulnerabilities | Apr-06 |
| DoubleCheck | C, C++ | Green Hills Software | like buffer overflows, resource leaks, invalid pointer references, and violations of … MISRA | Jul-07 |
| FindBugs | Java, Groovy, Scala | free | Null pointer dereferences, synchronization errors, vulnerabilities to malicious code, etc. It can be used to analyse any JVM language. | Sep-12 |
| FindSecurityBugs | Java, Groovy, Scala | free | Extends FindBugs with more security detectors (Command Injection, XPath Injection, SQL/HQL Injection, Cryptography weakness and many more). | Jun-16 |
| Flawfinder | C/C++ | free | uses of risky functions, buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()). | 2005 |
| Fluid | Java | call | "analysis based verification" for attributes such as race conditions, thread policy, and object access with no false negatives | Oct-05 |
| Goanna Studio and Goanna Central | C, C++ | Red Lizard Software | memory corruptions, resource leaks, buffer overruns, null pointer dereferences, C++ hazards, MISRA C 2012, … | Mar-15 |
| HP QAInspect | C#, Visual Basic, JavaScript, VB Script | Fortify | application vulnerabilities | Apr-11 |
| Insight | C, C++, Java, and C# | Klocwork | Buffer overflow, un-validated user input, SQL injection, path injection, file injection, cross-site scripting, information leakage, weak encryption and vulnerable coding practices, as well as quality, reliability and maintainability issues. | May-11 |
| Jlint | Java | free | bugs, inconsistencies, and synchronization problems | Aug-12 |
| LAPSE | Java | free | helps audit Java J2EE applications for common types of security vulnerabilities found in Web applications. | Sep-06 |
| ObjectCenter | C/C++ | ICS | "run-time and static error detection … more than 250 types of errors, including more than 80 run-time errors … inter-module inconsistencies" | Apr-11 |
| Parfait | C/C++ | ? | Oracle proprietary | Apr-13 |
| PLSQLScanner 2008 | PL/SQL | Red-Database-Security | SQL Injection, hardcoded passwords, Cross-site scripting (XSS), etc. | Jun-08 |
| PHP-Sat | PHP | free | static analysis tool, XSS, etc. | Sep-06 |
| Pixy | PHP | free | static analysis tool, only detects XSS and SQL Injection. No home page? | Jun-14 |
| PMD | Java | free | questionable constructs, dead code, duplicate code | Feb-06 |
| PolySpace | Ada, C, C++ | MathWorks | run-time errors, unreachable code | Sep-13 |
| PREfix and PREfast | C, C++ | Microsoft | proprietary | Feb-06 |
| pylint | Python | free | Checks for errors and looks for bad code smells. | Feb-14 |
| QA-C, QA-C++, QA-J | C, C++, Java | Programming Research | A suite of static analysis tools, with over 1400 messages. Detects a variety of problems from undefined language features to redundant or unreachable code. | May-09 |
| Qualitychecker | VB6, Java, C# | Qualitychecker | static analysis tool | Sep-07 |
| Rational AppScan Source Edition | C, C++, Java, JSP, ASP.NET, VB.NET, C# | IBM (formerly Ounce Labs) | coding errors, security vulnerabilities, design flaws, policy violations, and offers remediation | Aug-10 |
| RATS (Rough Auditing Tool for Security) | C, C++, Perl, PHP, Python | free | potential security risks | Sep-13 |
| Resource Standard Metrics (RSM) | C, C++, C#, and Java | M Squared Technologies | Scans for 50 readability or portability problems or questionable constructs, e.g. a different number of "new" and "delete" keywords, or an assignment operator (=) in a conditional (if). | Apr-11 |
| RIPS | PHP | free and RIPS Tech | all types of injection vulnerabilities, including PHP-specific and second-order vulnerabilities | May-16 |
| Smatch | C | free | simple scripts look for problems in a simplified representation of code; primarily for Linux kernel code | Apr-06 |
| SCA | ASP.NET, C, C++, C# and other .NET languages, COBOL, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, XML, and others | Fortify Software | security vulnerabilities, tainted data flow, etc. "more than 470 types of software security vulnerabilities" | Aug-12 |
| SPARK tool set | SPARK (Ada subset) | Altran | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | Aug-06 |
| SPARROW | C/C++, Java, JSP, JavaScript, C#, ASP(.NET), Objective-C, PHP, VB.NET, VBScript, HTML, SQL, XML | Fasoo | OWASP Top 10, SANS 25, CWE, CERT vulnerabilities, MISRA, efficient and effective issue management based on machine learning technology | Aug-16 |
| Splint | C | free | security vulnerabilities and coding mistakes; with annotations, it performs stronger checks | 2005 |
| TBmisra®, TBsecure® | C, C++, Java, Ada, Assembler | LDRA | The TBsecure module for LDRA Testbed® comes with the Carnegie Mellon Software Engineering Institute (SEI) CERT C secure coding standard. TBsecure identifies concerns such as buffer overflow, out-of-bounds array access, dangling pointers, double-free, and dereferencing null pointer. Other modules handle High Integrity C++, HIS, IPA/SEC C, JSF++ AV, MISRA C/C++, and Netrino C. | 2013 |
| UNO | C | free | uninitialized variables, null-pointers, and out-of-bounds array indexing, and "allows for the specification and checking of a broad range of user-defined properties". Aims for a very low false alarm rate. | Oct-07 |
| PVS-Studio | C++ | OOO "Program Verification Systems" (Co LTD) | PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++0x applications. There are 3 sets of rules included in PVS-Studio: (1) Diagnosis of 64-bit errors (Viva64) (2) Diagnosis of parallel errors (VivaMP) (3) General-purpose diagnosis | Jan-10 |
| xg++ | C | unk | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking, etc. | Feb-05 |
| Yasca | Java, C/C++, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, etc. | free | a "glorified grep" and aggregator of other tools, including: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS, and Pixy. "It is designed to be very flexible and easy to extend. … writing a new rule is as easy as coming up with a regular expression" | Mar-10 |
| WAP | PHP | free | SQL Injection (SQLI) / Cross-site scripting (XSS) / Remote File Inclusion (RFI) / Local File Inclusion (LFI) / Directory Traversal or Path Traversal (DT/PT) / Source Code Disclosure (SCD) / OS Command Injection (OSCI) / PHP Code Injection | |
