| Tool | Languages | Availability | What it checks | Available since |
|---|---|---|---|---|
| ABASH | Bash | free | string expansion errors, option insertion errors and other bugs that may lead to security vulnerabilities | March 2012 |
| ApexSec Security Console | PL/SQL (Oracle APEX) | Recx | SQL injection, cross-site scripting, access control and configuration problems in APEX | March 2010 |
| Astrée | C | AbsInt | undefined code constructs and run-time errors, e.g., out-of-bounds array indexing or arithmetic overflow | June 2009 |
| BOON | C | free | integer range analysis that determines whether an array can be indexed outside its bounds | February 2005 |
| bugScout | Java, C#, Visual Basic, ASP, PHP | buguroo | multiple security flaws such as out-of-date libraries with known bugs, sensitive functions, sensitive information in source-code comments, etc. | March 2012 |
| C/C++test® | C, C++ | Parasoft | defects such as memory leaks, buffer problems, security and arithmetic issues, plus SQL injection, cross-site scripting, exposure of sensitive data and other potential problems | December 2013 |
| dotTEST™ | C#, VB.NET, MC++ | Parasoft | (same Parasoft product family as C/C++test above) | December 2013 |
| Jtest® | Java | Parasoft | (same Parasoft product family as C/C++test above) | December 2013 |
| HP Code Advisor (cadvise) | C, C++ | HP | many lint-like checks plus memory leaks, potential null pointer dereference, tainted data in file paths, and many others | December 2013 |
| Checkmarx CxSAST | Java, JavaScript, PHP, C#, VB.NET, VB6, ASP.NET, C/C++, Apex, Ruby, Perl, Objective-C, Python, Groovy, HTML5, Swift, APEX, J2SE, J2EE | Checkmarx | all OWASP Top 10 and SANS 25 vulnerabilities and compliance with PCI-DSS, HIPAA and MISRA requirements, along with custom queries; vendor claims a low false-positive rate and easy integration throughout the SDLC | March 2016 |
| Clang Static Analyzer | C, Objective-C | free | reports dead stores, memory leaks, null pointer dereferences, and more; uses source annotations such as `nonnull` | August 2010 |
| Closure Compiler | JavaScript | free | removes dead code, checks syntax, variable references and types, and warns about common JavaScript pitfalls | February 2014 |
| CodeCenter | C | ICS | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | April 2011 |
| CodePeer | Ada | AdaCore | detects uninitialized data, pointer misuse, buffer overflow, numeric overflow, division by zero, dead code, concurrency faults (race conditions), unused variables, etc. | April 2010 |
| CodeSecure | ASP.NET, C#, PHP, Java, JSP, VB.NET, others | Armorize Technologies | XSS, SQL injection, command injection, tainted data flow, etc. | August 2012 |
| CodeSonar | C and C++ | GrammaTech | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | November 2012 |
| Coverity SAVE™ | C, C++, Java, C# | Coverity | flaws and security vulnerabilities; aims to reduce false positives while minimizing the likelihood of false negatives | April 2011 |
| Cppcheck | C, C++ | free | pointer to a variable that goes out of scope, bounds, classes (missing constructors, unused private functions, etc.), exception safety, memory leaks, invalid STL usage, overlapping data in sprintf, division by zero, null pointer dereference, unused struct member, passing parameter by value, etc.; aims for no false positives | February 2010 |
| CQual | C | free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | February 2005 |
| Csur | C | free | cryptographic protocol-related vulnerabilities | April 2006 |
| DoubleCheck | C, C++ | Green Hills Software | buffer overflows, resource leaks, invalid pointer references, and violations of … MISRA | June 2007 |
| FindBugs | Java, Groovy, Scala | free | null pointer dereferences, synchronization errors, vulnerabilities to malicious code, etc.; can be used to analyse any JVM language | September 2012 |
| FindSecurityBugs | Java, Groovy, Scala | free | extends FindBugs with more security detectors (command injection, XPath injection, SQL/HQL injection, cryptography weaknesses and many more) | June 2016 |
| Flawfinder | C/C++ | free | uses of risky functions: buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()) | 2005 |
| Fluid | Java | call | "analysis-based verification" for attributes such as race conditions, thread policy, and object access, with no false negatives | October 2005 |
| Goanna Studio and Goanna Central | C, C++ | Red Lizard Software | memory corruptions, resource leaks, buffer overruns, null pointer dereferences, C++ hazards, MISRA C 2012, … | March 2015 |
| HP QAInspect | C#, Visual Basic, JavaScript, VBScript | Fortify | application vulnerabilities | April 2011 |
| Insight | C, C++, Java, and C# | Klocwork | buffer overflow, unvalidated user input, SQL injection, path injection, file injection, cross-site scripting, information leakage, weak encryption and vulnerable coding practices, as well as quality, reliability and maintainability issues | May 2011 |
| Jlint | Java | free | bugs, inconsistencies, and synchronization problems | August 2012 |
| LAPSE | Java | free | helps audit Java J2EE applications for common types of security vulnerabilities found in web applications | September 2006 |
| ObjectCenter | C/C++ | ICS | "run-time and static error detection … more than 250 types of errors, including more than 80 run-time errors … inter-module inconsistencies" | April 2011 |
| Parfait | C/C++ | Oracle proprietary | | April 2013 |
| PLSQLScanner 2008 | PL/SQL | Red-Database-Security | SQL injection, hardcoded passwords, cross-site scripting (XSS), etc. | June 2008 |
| PHP-Sat | PHP | free | static analysis tool; XSS, etc. | September 2006 |
| Pixy | PHP | free | static analysis tool; detects only XSS and SQL injection. No home page? | June 2014 |
| PMD | Java | free | questionable constructs, dead code, duplicate code | February 2006 |
| PolySpace | Ada, C, C++ | MathWorks | run-time errors, unreachable code | September 2013 |
| PREfix and PREfast | C, C++ | Microsoft proprietary | | February 2006 |
| pylint | Python | free | checks code against coding-standard conventions (PEP 8 style) and reports likely errors and code smells | February 2014 |
| QA-C, QA-C++, QA-J | C, C++, Java | Programming Research | a suite of static analysis tools with over 1400 messages; detects a variety of problems, from undefined language features to redundant or unreachable code | May 2009 |
| Qualitychecker | VB6, Java, C# | Qualitychecker | static analysis tool | September 2007 |
| Rational AppScan Source Edition | C, C++, Java, JSP, ASP.NET, VB.NET, C# | IBM (formerly Ounce Labs) | coding errors, security vulnerabilities, design flaws, policy violations; offers remediation | August 2010 |
| Resource Standard Metrics (RSM) | C, C++, C#, and Java | M Squared Technologies | scans for 50 readability or portability problems or questionable constructs, e.g. a different number of `new` and `delete` keywords, or an assignment operator (=) in a conditional (if) | April 2011 |
| RIPS | PHP | free and RIPS Tech | all types of injection vulnerabilities, including PHP-specific and second-order vulnerabilities | May 2016 |
| Smatch | C | free | simple scripts look for problems in a simplified representation of the code; primarily for Linux kernel code | April 2006 |
| SCA | ASP.NET, C, C++, C# and other .NET languages, COBOL, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, XML, and others | Fortify Software | security vulnerabilities, tainted data flow, etc.; "more than 470 types of software security vulnerabilities" | August 2012 |
| SPARK tool set | SPARK (Ada subset) | Altran | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | August 2006 |
| SPARROW | C/C++, Java, JSP, JavaScript, C#, ASP(.NET), Objective-C, PHP, VB.NET, VBScript, HTML, SQL, XML | Fasoo | OWASP Top 10, SANS 25, CWE, CERT vulnerabilities, MISRA; issue management based on machine learning technology | August 2016 |
| Splint | C | free | security vulnerabilities and coding mistakes; with annotations it performs stronger checks | 2005 |
| TBmisra®, TBsecure® | C, C++, Java, Ada, Assembler | LDRA | the TBsecure module for LDRA Testbed® comes with the Carnegie Mellon Software Engineering Institute (SEI) CERT C secure coding standard; TBsecure identifies concerns such as buffer overflow, out-of-bounds array access, dangling pointers, double free, and null pointer dereference; other modules handle High Integrity C++, HIS, IPA/SEC C, JSF++ AV, MISRA C/C++, and Netrino C | 2013 |
| UNO | C | free | uninitialized variables, null pointers, and out-of-bounds array indexing; "allows for the specification and checking of a broad range of user-defined properties"; aims for a very low false alarm rate | October 2007 |
| PVS-Studio | C++ | OOO "Program Verification Systems" (Co LTD) | a static analyzer that detects errors in the source code of C/C++/C++0x applications; three rule sets are included: (1) diagnosis of 64-bit errors (Viva64), (2) diagnosis of parallel errors (VivaMP), (3) general-purpose diagnosis | January 2010 |
| xg++ | C | unknown | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking, etc. | February 2005 |
| Yasca | Java, C/C++, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, etc. | free | a "glorified grep" and aggregator of other tools, including FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, RATS, and Pixy; "It is designed to be very flexible and easy to extend. … writing a new rule is as easy as coming up with a regular expression" | March 2010 |
| WAP | PHP | free | finds or checks for: SQL injection (SQLI), cross-site scripting (XSS), remote file inclusion (RFI), local file inclusion (LFI), directory traversal or path traversal (DT/PT), source code disclosure (SCD), OS command injection (OSCI), PHP code injection | January 2016 |
Source: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
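Several entries in the table (Flawfinder, RATS as aggregated by Yasca, and Yasca's own regular-expression rules) are lexical matchers rather than data-flow analyzers: they look for calls to risky functions by name. The script below is an added illustration of how such a rule set works and where it falls short; it is not code from the NIST list or from any tool named above. The C snippet, the rule table and its CWE annotations are constructed for this example, and the checker only handles the cases the snippet exercises (block and line comments, double-quoted strings, calls closed on a single line).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed C snippet (not from any real project).  It contains the kinds of
# calls the Flawfinder row lists, plus two decoys that a naive grep would
# mis-report: a strcpy() mentioned in a comment and one inside a string literal.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* strcpy(dst, src) mentioned in a comment must not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                 /* CWE-120: unbounded copy */
    printf(name);                      /* CWE-134: non-literal format */
    printf("strcpy(%s)\n", buf);       /* literal format: fine */
    char *tmp = mktemp("/tmp/XXXXXX"); /* CWE-377: predictable temp file */
    system(tmp);                       /* CWE-78: shell metacharacters */
}
'''


@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    cwe: str
    note: str


# Rule table (constructed): risky function -> (CWE id, remediation hint).
# Adding a rule really is "as easy as coming up with a regular expression",
# which is also why lexical tools raise false positives: they see tokens,
# not data flow, so a safe call with a bounded source still matches.
RULES = {
    "strcpy": ("CWE-120", "unbounded copy; use snprintf or strlcpy"),
    "gets": ("CWE-120", "no length limit; use fgets"),
    "sprintf": ("CWE-120", "unbounded write; use snprintf"),
    "mktemp": ("CWE-377", "predictable temp name; use mkstemp"),
    "system": ("CWE-78", "shell metacharacters; use execve with an argv"),
    "access": ("CWE-367", "check-then-use race; open and check the fd"),
}

# printf-family functions and the index of their format argument.
FORMAT_ARG_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}


def strip_comments_and_strings(src: str) -> str:
    """Blank out /* */ and // comments and the contents of string literals,
    keeping the quotes and every newline so line numbers stay correct."""
    def blank(m: "re.Match") -> str:
        tok = m.group(0)
        if tok.startswith('"'):
            return '"' + " " * (len(tok) - 2) + '"'
        return re.sub(r"[^\n]", " ", tok)
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"'
    return re.sub(pattern, blank, src, flags=re.S)


def split_args(rest: str) -> List[str]:
    """Split the text after an opening '(' into top-level arguments, stopping
    at the matching ')'.  Returns [] if the call is not closed on this line."""
    args, cur, depth = [], [], 0
    for ch in rest:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return []


def scan(src: str) -> List[Finding]:
    """Lexical scan: flag calls to functions in RULES, and printf-family calls
    whose format argument is not a string literal (format string bug)."""
    findings: List[Finding] = []
    cleaned = strip_comments_and_strings(src)
    for lineno, line in enumerate(cleaned.splitlines(), 1):
        for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", line):
            name = m.group(1)
            if name in RULES:
                cwe, note = RULES[name]
                findings.append(Finding(lineno, name, cwe, note))
            if name in FORMAT_ARG_INDEX:
                args = split_args(line[m.end():])
                idx = FORMAT_ARG_INDEX[name]
                if idx < len(args) and not args[idx].startswith('"'):
                    findings.append(Finding(lineno, name, "CWE-134",
                                            "format string is not a literal"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_C):
        print(f"line {f.line}: {f.func}() [{f.cwe}] {f.note}")
```

Run stand-alone it reports lines 9, 10, 12 and 13 of the snippet and stays silent on the comment (line 6) and the literal `"strcpy(%s)\n"` (line 11). What it cannot do is tell whether `name` on line 9 was already length-checked by the caller, which is exactly the gap that the taint-tracking tools in the table (CQual, Fortify SCA, CodeSecure, RIPS) exist to close.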