Tool | Latest release | Free software | Duplicate code | Notes |
---|---|---|---|---|
Astrée | | No; Proprietary | | Finds all potential runtime errors and data races by abstract interpretation, can prove their absence, and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics and automotive). Includes MISRA checker. |
Axivion Bauhaus Suite | | No; Proprietary | | A static code analysis tool suite for Ada, C, C++, C#, and Java code that performs various analyses such as architecture checking, interface analyses, MISRA checking, and clone detection. |
BLAST – (Berkeley Lazy Abstraction Software verification Tool) | 2.7.2 | Yes | | An open-source software model checker for C programs based on lazy abstraction (follow-on project is CPAchecker[5]). |
Clang | 8.0.0 | Yes | | An open-source compiler that includes a static analyzer. |
CLion | 2019.1 | No; Proprietary | | An IDE with built-in source code analysis. |
Coccinelle | 1.0.7 | Yes | | An open-source tool for source code pattern matching and transformation. |
Coverity | | No; Proprietary | | A static analysis tool for C/C++. |
Cppcheck | | Yes; GPL | | Open-source tool that checks for several types of errors, including use of STL. |
Cppdepend | 2019.1 | No; Proprietary | | Simplifies managing a complex C/C++ code base by analyzing and visualizing code dependencies, by defining design rules, by doing impact analysis, and comparing different versions of the code. |
cpplint | | Yes | | An open-source tool that checks for compliance with Google's style guide for C++ coding. |
ECLAIR | | | | A platform for the automatic analysis, verification, testing and transformation of C and C++ programs. |
Eclipse | | Yes | | An open-source IDE that includes a static code analyzer. |
Fluctuat | | | | Abstract interpreter for the validation of numerical properties of programs. |
Frama-C | | Yes | | An open-source static analysis framework for C. |
Goanna | | | | A software analysis tool for C/C++. |
Helix QAC | | | | Formerly PRQA QA·C and QA·C++; deep static analysis of C/C++ for quality assurance and guideline/coding standard enforcement with MISRA support. |
Infer | | Yes | | Developed by an engineering team at Facebook with open-source contributors. Targets null pointer and other memory problems. Available as open source on GitHub. |
Lint | | | | The original static code analyzer for C, from 1978. |
LDRA Testbed | v9.8.1 (2019-07-30) | | | A software analysis and testing tool suite for C/C++ that performs static analysis, standards enforcement (e.g. MISRA C/C++), dynamic analysis, unit testing and requirements traceability. |
Parasoft C/C++test | 10.4.2 | No; Proprietary | Yes | A C/C++ tool that does static analysis, unit testing, code review, and runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs. |
PC-Lint | | No | | A software analysis tool for C with partial support for C++2011. |
Polyspace | | No | | Uses abstract interpretation to detect and prove the absence of run-time errors and dead code in source code; also used to check all MISRA (2004, 2012) rules (directives and non-directives). |
SLAM project | | | | A project of Microsoft Research for checking that software satisfies critical behavioral properties of the interfaces it uses. |
Sparse | | Yes | | An open-source tool designed to find faults in the Linux kernel. |
SonarQube | | No | | An open-source tool which offers C/C++ support via a commercial license. |
Splint | | Yes | | An open-source tool statically checking C programs for security vulnerabilities and coding mistakes. |
Visual Studio | | No | | An IDE that provides static code analysis for C/C++ both in the editor environment and from the compiler command line. |

Tool | Latest release | Free software | Duplicate code | Notes |
---|---|---|---|---|
Checkstyle | 2018-06-30 | Yes; LGPL | No | Besides some static code analysis, it can be used to show violations of a configured coding standard. Duplicate code detection was removed[6] from Checkstyle. |
Coverity | 2017-01-19 | No; Proprietary | | Coverity is a static analysis and Static Application Security Testing (SAST) platform that finds critical defects and security weaknesses in code as it’s written before they become vulnerabilities, crashes, or maintenance headaches. |
Eclipse | 2017-06-28 | Yes; EPL | No | Cross-platform IDE with own set of several hundred code inspections available for analyzing code on-the-fly in the editor and bulk analysis of the whole project. Plugins for Checkstyle, FindBugs, and PMD. |
FindBugs | 2015-03-06 | Yes; LGPL | | Based on Jakarta BCEL from the University of Maryland. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off with support of its community. |
Infer | 2017-10-19 | Yes; BSD with additional patent clause | | Developed by an engineering team at Facebook with open-source contributors. Targets null pointer exceptions, leaks, and thread safety issues. |
IntelliJ IDEA | 2017-11-30 | Yes; ASL 2 | Yes | A leading Java IDE with built-in code inspection and analysis. Plugins for Checkstyle, FindBugs, and PMD. |
JArchitect | 2017-06-11 | No; Proprietary | | Simplifies managing a complex code base by analyzing and visualizing code dependencies, defining design rules, doing impact analysis, and by comparing different versions of the code. |
Jtest | 2019-05-21 | No; Proprietary | Yes | Testing and static code analysis product by Parasoft. |
LDRA Testbed | | No; Proprietary | | Analysis and testing tool suite. |
PMD | 2019-06-30 | Yes; BSD, ASL 2, LGPL | Yes | A static ruleset-based source code analyzer that identifies potential problems. |
RIPS | 2019-01-07 | No; Proprietary | | Language-specific source code analysis solution with many integration options for accurate detection of complex security and quality issues. |
SemmleCode | | No; Proprietary | | Object-oriented code queries for static program analysis. |
Soot | | Yes; LGPL | | A language manipulation and optimization framework consisting of intermediate languages. |
SpotBugs | 2019-01-21 | Yes; LGPL | | Based on FindBugs and BCEL from the University of Maryland. |
Squale | 2011-05-26 | Yes; LGPL | | A platform to manage software quality. |
SourceMeter | 2016-02-01 | No; Proprietary | Yes | A platform-independent, command-line static source code analyzer. |
ThreadSafe | 2014-03-28 | No; Proprietary | | A static analysis tool focused on finding concurrency bugs. |