程序质量：代码静态检查

刚毕业的时候在搜狐畅游做白盒测试，最开始接触的是这一部分，那个时候做的是针对C/C++代码的，相比较而言要复杂一些，以及到后面我们不仅仅做简单的语法检查，还包括圈复杂度、代码规模、LLT、HLT等等。

什么是程序静态分析？

程序静态分析（Program Static Analysis）是指在不运行代码的方式下，通过词法分析、语法分析、控制流、数据流分析等技术对程序代码进行扫描，验证代码是否满足规范性、安全性、可靠性、可维护性等指标的一种代码分析技术。

下面是常见编程语言的静态检查工具，欢迎指导和交流！

Ada
C/C++
C#
Containers
Configuration Management
CSS
Elixir
Erlang
Go
Groovy
Haskell
Haxe
Html
Java
JavaScript
Lua
Makefile
Packages
Perl
PHP
Python
R
Ruby
Rust
Scala
Shell
SQL
Swift
TypeScript
Meta
- Build tools
- Multiple languages
- Other Collections
- Web services

Ada

Codepeer [PROPRIETARY] - detects run-time and logic errors

C/C++

CMetrics [OSS] - Measures size and complexity for C files
cqmetrics [OSS] - quality metrics for C code
clang-tidy [OSS] - clang static analyser
cppcheck [OSS] - static analysis of C/C++ code
flawfinder [OSS] - finds possible security weaknesses
flint++ [OSS] - cross-platform, zero-dependency port of flint, a lint program for C++ developed and used at Facebook.
oclint [OSS] - static analysis of C/C++ code
splint [OSS] - static analysis of C/C++ code
tis-interpreter [OSS] - An interpreter for finding subtle bugs in programs written in standard C
vera++ [OSS] - Vera++ is a programmable tool for verification, analysis and transformation of C++ source code.

C#

Code Analysis Rule Collection [OSS] - Contains a set of diagnostics, code fixes and refactorings built on the Microsoft .NET Compiler Platform “Roslyn”.
code-cracker [OSS] - An analyzer library for C# and VB that uses Roslyn to produce refactorings, code analysis, and other niceties.
CSharpEssentials [OSS] - C# Essentials is a collection of Roslyn diagnostic analyzers, code fixes and refactorings that make it easy to work with C# 6 language features.
Designite [PROPRIETARY] - Designite is a software design quality assessment tool. It supports detection of implementation and design smells, computation of various code quality metrics, and trend analysis.
Gendarme [OSS] - Gendarme inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET) and looks for common problems with the code, problems that compiler do not typically check or have not historically checked.
.NET Analyzers [OSS] - An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform.
Roslyn Security Guard [OSS] - Project that focus on the identification of potential vulnerabilities such as SQL injection, cross-site scripting (XSS), CSRF, cryptography weaknesses, hardcoded passwords and many more.
SonarLint for Visual Studio [OSS] - SonarLint is a Visual Studio 2015 extension that provides on-the-fly feedback to developers on new bugs and quality issues injected into .NET code.
Refactoring Essentials [OSS] - The premier free Visual Studio 2015 extension for C# and VB.NET refactorings, including code best practice analyzers to improve your projects.
ReSharper [PROPRIETARY] - Extends Visual Studio with on-the-fly code inspections for C#, VB.NET, ASP.NET, JavaScript, TypeScript and other technologies.
VSDiagnostics [OSS] - A collection of static analyzers based on Roslyn that integrate with VS.
Wintellect.Analyzers [OSS] - .NET Compiler Platform (“Roslyn”) diagnostic analyzers and code fixes written by Wintellect.

Containers

clair [OSS] - Vulnerability Static Analysis for Containers
collector [OSS] - Run arbitrary scripts inside containers, and gather useful information
Docker Label Inspector [OSS] - Lint and validate Dockerfile labels
Haskell Dockerfile Linter [OSS] - A smarter Dockerfile linter that helps you build best practice Docker images

Configuration Management

Puppet Lint [OSS] - Check that your Puppet manifests conform to the style guide.

CSS

CSScomb [OSS] - a coding style formatter for CSS. Supports own configurations to make style sheets beautiful and consistent
CSSLint [OSS] - Does basic syntax checking and finds problematic patterns or signs of inefficiency
CSS Stats [OSS] - Potentially interesting stats on stylesheets
Parker [OSS] - Stylesheet analysis tool
scsslint [OSS] - Linter for SCSS files
Specificity Graph [OSS] - CSS Specificity Graph Generator
Stylelint [OSS] - Linter for SCSS/CSS files

Elixir

credo [OSS] - A static code analysis tool with a focus on code consistency and teaching.
Dogma [OSS] - A code style enforcer for Elixir

Erlang

elvis [OSS] - Erlang Style Reviewer

Go

dingo-hunter [OSS] - Static analyser for finding deadlocks in Go
flen [OSS] - Get info on length of functions in a Go package
go/ast [OSS] - Package ast declares the types used to represent syntax trees for Go packages.
gocyclo [OSS] - Calculate cyclomatic complexities of functions in Go source code
golint [OSS] - Prints out coding style mistakes in Go source code.
go-staticcheck [OSS] - go vet on steroids, similar to ReSharper for C#
Go Meta Linter [OSS] - Concurrently run Go lint tools and normalise their output
go vet [OSS] - Examines Go source code and reports suspicious constructs
ineffassign [OSS] - Detect ineffectual assignments in Go code
safesql [OSS] - Static analysis tool for Golang that protects against SQL injections

Groovy

CodeNarc [OSS] - a static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices

Haskell

HLint [OSS] - HLint is a tool for suggesting possible improvements to Haskell code.

Haxe

Haxe Checkstyle [OSS] - A static analysis tool to help developers write Haxe code that adheres to a coding standard.

HTML

HTMLHint [OSS] - A Static Code Analysis Tool for HTML
HTML Inspector [OSS] - HTML Inspector is a code quality tool to help you and your team write better markup.

Java

Checker Framework [OSS] - Pluggable type-checking for Java http://checkerframework.org/
checkstyle [OSS] - checking Java source code for adherence to a Code Standard or set of validation rules (best practices)
ckjm [OSS] - calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files
Error-prone [OSS] - Catch common Java mistakes as compile-time errors
fb-contrib [OSS] - A plugin for FindBugs with additional bug detectors
Findbugs [OSS] - FindBugs is a program to find bugs in Java programs. It looks for patterns are likely to be errors.
Find Security Bugs [OSS] - IDE/SonarQube plugin for security audits of Java web applications.
HuntBugs [OSS] - Bytecode static analyzer tool based on Procyon Compiler Tools aimed to supersede FindBugs.
OWASP Dependency Check [OSS] - Checks dependencies for known, publicly disclosed, vulnerabilities.
PMD [OSS] - A Java source code analyzer

JavaScript

aether [OSS] - Lint, analyze, normalize, transform, sandbox, run, step through, and visualize user JavaScript, in node or the browser.
ClosureLinter [OSS] - ensures that all of your project’s JavaScript code follows the guidelines in the Google JavaScript Style Guide. It can also automatically fix many common errors
coffeelint [OSS] - A style checker that helps keep CoffeeScript code clean and consistent.
complexity-report [OSS] - Software complexity analysis for JavaScript projects
escomplex [OSS] - Software complexity analysis of JavaScript-family abstract syntax trees.
eslint [OSS] - A fully pluggable tool for identifying and reporting on patterns in JavaScript
Esprima [OSS] - ECMAScript parsing infrastructure for multipurpose analysis
quality [OSS] - zero configuration code and module linting
jshint [OSS] - detect errors and potential problems in JavaScript code and enforce your team’s coding conventions
JSLint [PROPRIETARY] - The JavaScript Code Quality Tool
plato [OSS] - Visualize JavaScript source complexity
standard [OSS] - An npm module that checks for Javascript Styleguide issues
yardstick [OSS] - Javascript code metrics
XO [OSS] - Enforce strict code style. Never discuss code style on a pull request again!

Lua

luacheck [OSS] - A tool for linting and static analysis of Lua code.

Makefile

portlint [OSS] - A verifier for FreeBSD and DragonFlyBSD port directories

Packages

lintian [OSS] - Static analysis tool for Debian packages

Perl

Perl::Critic [OSS] - Critique Perl source code for best-practices.

PHP

DesignPatternDetector [OSS] - detection of design patterns in PHP code
dephpend [OSS] - Dependency analysis tool
deptrac [OSS] - Enforce rules for dependencies between software layers.
exakat [OSS] - An automated code reviewing engine for PHP
GrumPHP [OSS] - checks code on every commit
phan [OSS] - a modern static analyzer from etsy
php7cc [OSS] - PHP 7 Compatibility Checker
php7mar [OSS] - assist developers in porting their code quickly to PHP 7
phpcpd [OSS] - Copy/Paste Detector (CPD) for PHP code.
PHP_CodeSniffer [OSS] - detects violations of a defined set of coding standards
phpdcd [OSS] - Dead Code Detector (DCD) for PHP code.
PhpDependencyAnalysis [OSS] - builds a dependency graph for a project
phpdoc-to-typehint [OSS] - Add scalar type hints and return types to existing PHP projects using PHPDoc annotations
Php Inspections (EA Extended) [OSS] - A Static Code Analyzer for PHP.
phpsa [OSS] - Static analysis tool for PHP.
PHPMD [OSS] - finds possible bugs in your code
PhpMetrics [OSS] - calculates code complexity metrics
PHPQA [OSS] - A tool for running QA tools (phploc, phpcpd, phpcs, pdepend, phpmd, phpmetrics)
PHP Refactoring Browser [OSS] - Refactoring helper
PHP-Token-Reflection [OSS] - Library emulating the PHP internal reflection
PHP-Parser [OSS] - A PHP parser written in PHP
RIPS [OSS] - A static source code analyser for vulnerabilities in PHP scripts
Tuli [OSS] - A static analysis engine
twig-lint [OSS] - twig-lint is a lint tool for your twig files.

Python

bandit [OSS] - a tool to find common security issues in Python code
jedi [OSS] - autocompletion/static analysis library for Python
linty fresh [OSS] - parse lint errors and report them to Github as comments on a pull request
mccabe [OSS] - check McCabe complexity
mypy [OSS] - an experimental optional static type checker for Python that aims to combine the benefits of dynamic (or “duck”) typing and static typing
py-find-injection [OSS] - find SQL injection vulnerabilities in Python code
pycodestyle [OSS] - (formerly pep8) check Python code against some of the style conventions in PEP 8
pydocstyle [OSS] - check compliance with Python docstring conventions
pyflakes [OSS] - check Python source files for errors
pylint [OSS] - looks for programming errors, helps enforcing a coding standard and sniffs for some code smells. It additionally includes pyreverse (an UML diagram generator) and symilar (a similarities checker). Optional extensions are also included.
pyroma [OSS] - rate how well a Python project complies with the best practices of the Python packaging ecosystem, and list issues that could be improved
pytype [OSS] - a static type inferencer for Python code - commented out because it is very buggy and is not even installable from pypi )
vulture [OSS] - find unused classes, functions and variables in Python code
xenon [OSS] - monitor code complexity using radon

Wrappers:

ciocheck [OSS] - linter, formatter and test suite helper. As a linter, it is a wrapper around pep8, pydocstyle, flake8, and pylint.
flake8 [OSS] - a wrapper around pyflakes, pycodestyle and mccabe
prospector [OSS] - a wrapper around pylint, pep8, mccabe and others

R

lintr [PROPRIETARY] - Static Code Analysis for R

Ruby

brakeman [OSS] - A static analysis security vulnerability scanner for Ruby on Rails applications
cane [OSS] - Code quality threshold checking as part of your build
dawnscanner [OSS] - a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
flay [OSS] - Flay analyzes code for structural similarities.
flog [OSS] - Flog reports the most tortured code in an easy to read pain report. The higher the score, the more pain the code is in.
laser [OSS] - Static analysis and style linter for Ruby code.
Mondrian [OSS] - a set of static analysis and refactoring tools for more abstraction
pelusa [OSS] - Static analysis Lint-type tool to improve your OO Ruby code
quality [OSS] - Runs quality checks on your code using community tools, and makes sure your numbers don’t get any worse over time.
reek [OSS] - Code smell detector for Ruby
rubocop [OSS] - A Ruby static code analyzer, based on the community Ruby style guide.
rubycritic [OSS] - A Ruby code quality reporter
ruby-lint [OSS] - Static code analysis for Ruby
SandyMeter [OSS] - Static analysis tool for checking Ruby code for Sandi Metz’ rules.

Rust

clippy [OSS] - a code linter to catch common mistakes and improve your Rust code
electrolysis [OSS] - A tool for formally verifying Rust programs by transpiling them into definitions in the Lean theorem prover.
herbie [OSS] - Adds warnings or errors to your crate when using a numerically unstable floating point expression.
linter-rust [OSS] - Linting your Rust-files in Atom, using rustc and cargo
rustfix [OSS] - read and apply the suggestions made by rustc (and third-party lints, like those offered by clippy).

Scala

linter [OSS] - Linter is a Scala static analysis compiler plugin which adds compile-time checks for various possible bugs, inefficiencies, and style problems.
ScalaStyle [OSS] - Scalastyle examines your Scala code and indicates potential problems with it.
scapegoat [OSS] - Scala compiler plugin for static code analysis
WartRemover [OSS] - a flexible Scala code linting tool.

【引用】

静态检查工具

程序质量：代码静态检查相关推荐

linux sparse 内核代码静态检查
Sparse简介 Sparse诞生于2004年,是由Linux之父开发的,目的就是提供一个静态检查代码的工具,从而减少Linux内核的隐患.起始,在Sparse之前已经有了一个不错的代码静态检查工具( ...
Jenkins 在 Tomcat 中的部署及代码静态检查工具集成
Jenkins 的简单部署在安装了 Jenkins 运行所需的依赖(主要是 JDK)之后,可以通过如下步骤简单快速地部署 Jenkins: 下载 Jenkins. 打开终端并切换至下载目录. 运行命 ...
代码静态检查工具PC-Lint运用实践
代码静态检查工具PC-Lint运用实践如何提交zero bug的产品,如何尽早发现bug,是软件开发工程师和测试工程师都需要思考的问题.我认为高质量的代码是关键,具体实施保障办法有:框架约束,代码评 ...
你需要的代码静态检查
代码静态检查使用cppcheck给工程代码做静态检查,主要发现了以下几个问题: 1. 使用C风格的类型转换警告如下: C-style pointer casting detected. C++ o ...
一些代码静态检查工具的简介
1.KLOCWORK: 适用语言:C, C++, JAVA 是否开源:否, 是否需要编译:是作用:代码静态检查工具.用于高效检测软件缺陷和安全隐患,提供优秀的静态源代码分析解决方案.软件号称是业界领 ...
基于MISRA-C和VS Code的代码静态检查的开源解决方案
基于MISRA-C和VS Code的代码静态检查的开源解决方案简介工具配置步骤简介 MISRA-C是汽车嵌入式软件开发中常用的静态代码检查工具.常用的商用静态代码分析工具,比如QAC.Cove ...
【Dart】Dart代码静态检查
介绍代码检查可以有效的提高代码质量,更进一步的说代码检查不仅仅是为了提高代码质量,已深入到代码程序的逻辑检查.内存使用情况的检查甚至更高层面的检查,很大程度上影响了程序的功能和性能. 代码检查分类 ...
React——Flow代码静态检查
为什么80%的码农都做不了架构师?>>> Flow Flow是Facebook开源的静态代码检查工具,他的作用是在运行代码之前对React组件以及Jsx语法进行静态代码的检查以 ...
代码静态检查工具汇总
静态代码扫描,借用一段网上的原文解释一下(这里叫静态检查):"静态测试包括代码检查.静态结构分析.代码质量度量等.它可以由人工进行,充分发挥人的逻辑思维优势,也可以借助软件工具自动进行.代码 ...
cppcheck linux,cppcheck实现c++代码静态检查
本文案旨在输出方法: 通过jenkins集成cppcheck实现对c++代码的检查,并输出报告,通过报表可以明确分析出问题 Cppcheck是c/c++代码的静态分析工具.它提供了独特的代码分析来检测 ...