代码静态检查工具汇总
静态代码扫描,借用一段网上的原文解释一下(这里叫静态检查):“静态测试包括代码检查、静态结构分析、代码质量度量等。它可以由人工进行,充分发挥人的逻辑思维优势,也可以借助软件工具自动进行。代码检查代码检查包括代码走查、桌面检查、代码审查等,主要检查代码和设计的一致性,代码对标准的遵循、可读性,代码的逻辑表达的正确性,代码结构的合理性等方面;可以发现违背程序编写标准的问题,程序中不安全、不明确和模糊的部分,找出程序中不可移植部分、违背程序编程风格的问题,包括变量检查、命名和类型审查、程序逻辑审查、程序语法检查和程序结构检查等内容。”。
我看了一系列的静态代码扫描或者叫静态代码分析工具后,总结对工具的看法:静态代码扫描工具,和编译器的某些功能其实是很相似的,他们也需要词法分析,语法分析,语意分析...但和编译器不一样的是他们可以自定义各种各样的复杂的规则去对代码进行分析。
以下将会列出的静态代码扫描工具,会由于实现方法,算法,分析的层次不同,功能上会差异很大。有的可以做SQL注入的检查,有的则不能(当然,由于时间问题还没有对规则进行研究,但要检查复杂的代码安全漏洞,是需要更高深分析算法的,所以有的东西应该不是设置规则库就可以检查到的,但在安全方面的检查,一定程度上也是可以通过设置规则进行检查的)。
以下我在网上搜集到的分析工具,我整理了以下挑了一些出来,这里只是一部分,另外一些可以到参考链接上看一下:
| 工具名 | 静态扫描语言 | 开源/付费 | 厂商 | 介绍 | 主页网址 |
| ounec5.0 |
VB.Net、C、C++和C#, 还支持Java。 |
付 费 | Ounce Labs | \ | http://www.ouncelabs.com/ |
| Coverity Prevent | C/C++,C#,JAVA | 付费 | Coverity |
还有其他辅助工具: 1.Coverity Thread Analyzer for Java 2.Coverity Software Readiness Manager for Java 3.Coverity Architecture Analyzer |
http://www.coverity.com/index.html |
|
@stake SmartRisk™ Analyzer |
C/C++,Java | 付费 |
Symantec Corporation |
@stake SmartRisk™ Analyzer harnesses the power of static analysis of binary executables (C, C++, and Java) to identify, categorize and prioritize security。 注:在Symantec没有搜到此产品?! |
http://www.symantec.com/business/index.jsp |
| Rational Purify | C/C++,Java | 付费 | IBM |
Provides memory leak and memory corruption detection for Windows,Runtime?! |
http://www-01.ibm.com/software/awdtools/purify/ |
| PREfix | \ | \ | microsoft |
微软用的静态分析工具,但暂时没有找到下载, 现在好像在考虑发布中! |
\ |
| Jtext | Java | 付费 | parasoft |
同时还有其他静态分析代码的产品,如:C++Test... 详细请查询官网 |
http://www.parasoft.com/jsp/cn/support.jsp |
| flawfinder | C/C++ | 开源 | \ |
用Python编写的c、c++程序安全审核工具, 可以检查潜在的安全风险。 |
http://www.dwheeler.com/flawfinder/ |
|
Static Code Analyzer |
C/C++,C#,JAVA | 付费 | Fortify | \ | http://www.fortify.com/ |
| Klocwork Insight | C/C++ ,Java | 付费 | Klocwork | \ | http://www.klocwork.com/products/insight.asp |
|
PolySpace Client/Server |
C/C++、Ada语言 | 付费 | MathWorks | \ | http://www.mathworks.cn/ |
| rats |
C/C++, Python, Perl, PHP代码进行安全审核的工具 |
开源 | \ | \ | http://www.fortify.com/security-resources/rats.jsp |
| LAPSE | Java | 开源 | \ |
LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. |
http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project |
| Fluid | java | 开源 | \ |
We have explored properties including:
* race conditions and locking policies, |
http://www.fluid.cs.cmu.edu:8080/Fluid |
| Splint | C | 开源 |
University of Virginia, Department of Computer Science |
静态检测针对C语言的安全工具和漏洞检测。 | http://www.splint.org/ |
| cqual | C/C++ | 开源 | 马里兰大学 | 轻量级的静态扫描器,在类Linux系统下运行。 | http://www.cs.umd.edu/~jfoster/cqual/ |
| MOPS | C | 开源 | berkeley大学 |
MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming |
http://www.cs.berkeley.edu/~daw/mops/ |
| BOON | C | 开源 | berkeley大学 |
BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and we hope that BOON will enable software developers and code auditors to improve the quality of security-critical programs. |
http://www.cs.berkeley.edu/~daw/boon/ |
| BLAST | C | 开源 |
The BLAST 2.0 Team |
BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision. |
http://mtc.epfl.ch/software-tools/blast/ |
| SpikeWAMP | Php | 开源 | \ | for analyzing PHP programs | http://developer.spikesource.com/wiki/index.php/SpikeWAMP |
| Pixy | Php | 开源 | \ | Finding XSS and SQLI vulnerabilities | http://pixybox.seclab.tuwien.ac.at/pixy/ |
| Mike | Java | 开源 | \ |
Java source code security scanner built on top of Orizon. They are connected to OWASP. |
http://milk.sourceforge.net/download.html |
| Smatch | C | 开源 | \ | \ | http://smatch.sourceforge.net/ |
| Oink | C++ | 开源 | \ | C++ Static Analysis Tools | http://www.cubewano.org/oink |
| Frama-C | C | 开源 | \ | static analyzers for the C language. | http://frama-c.cea.fr/ |
| RTL-check | \ | 开源 | \ |
RTL-check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and security perspective |
http://rtlcheck.sourceforge.net/ |
| PMD | Java | 开源 | \ |
PMD scans Java source code and looks for potential problems like:
* Possible bugs - empty try/catch/finally/ |
http://pmd.sourceforge.net/ |
| FindBugs | Java | 开源 | 马里兰大学 |
uses static analysis to look for bugs in Java code. 注意:提供Eclipse插件。 |
http://findbugs.sourceforge.net/ |
| ITS4 | C\C++ | 开源 | \ |
Cigital developed ITS4 to help automate source code review for security. |
http://www.cigital.com/its4/ |
| QJ-Pro | Java | 开源 | \ |
QJ-Pro is a comprehensive software inspection tool targeted towards the software developer. QJ-Pro checks: |
http://qjpro.sourceforge.net/ |
| Jint | Java | 开源 | \ |
Jlint will check your Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph. |
http://artho.com/jlint/ |
| Hammurapi | Java | 开源 | \ |
code review system captures coding best practices and delivers them to developers' fingertips. It also generates consolidated reports for lead developers, architects, and managers to monitor codebase quality and evolution. |
http://www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.html |
| DoctorJ | Java | 开源 | \ |
Among what it detects:
* misspelled words |
http://www.incava.org/projects/java/doctorj/index.html |
| Dependency Finder | Java | 开源 | \ |
Dependency Finder is a suite of tools for analyzing compiled Java code. At the core is a powerful dependency analysis application that extracts dependency graphs and mines them for useful information. This application comes in many forms for your ease of use, including command-line tools, a Swing-based application, a web application ready to be deployed in an application server, and a set of Ant tasks. |
http://depfind.sourceforge.net/ |
| Checkstyle | Java | 开源 | \ |
Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard. 注意:提供多种IDE的插件。 |
http://checkstyle.sourceforge.net/ |
| Classycle | Java | 开源 | \ |
Classycle's Analyser analyses the static class and package dependencies in Java applications or libraries. |
http://classycle.sourceforge.net/ |
| JDepend | Java | 开源 | \ |
JDepend traverses Java class file directories and generates design quality metrics for each Java package. JDepend allows you to automatically measure the quality of a design in terms of its extensibility, reusability, and maintainability to manage package dependencies effectively. |
http://www.clarkware.com/software/JDepend.html |
| JCSC | Java | 开源 | \ |
JCSC is a powerful tool to check source code against a highly definable coding standard and potential bad code. |
http://jcsc.sourceforge.net/ |
......
以下是直接提供代码检查/相关帮助的厂商:
Fortify:
http://www.fortify.com/
ASPECT:
http://www.aspectsecurity.com/
OWASP:
http://www.owasp.org/index.php/Main_Page
securitycompass:
http://www.securitycompass.com/resources.shtml
参考资料:
1. http://www.dwheeler.com/flawfinder/
2. http://www.java2s.com/Product/Java/Byte-Source-Code/Source-Analysis-Diagram.htm
3. http://www.softwarelist.cn/?fsid=53&cid=530&cpath=ABAN
4. http://www.hacker.com.cn/article/view_14804.html
5. http://www.cs.cmu.edu/~aldrich/courses/654/tools/
注:以上链接列举了大量相关工具
Source URL: http://www.pin5i.com/showtopic-22624.html
代码静态检查工具汇总相关推荐
- php代码静态检查工具,代码静态检查工具汇总
工具名 静态扫描语言开源/付费 厂商 介绍 主页网址 ounec5.0 VB.Net.C.C++和C#, 还支持Java. 付 费 Ounce Labs \ http://www.ouncelabs. ...
- Jenkins 在 Tomcat 中的部署及代码静态检查工具集成
Jenkins 的简单部署 在安装了 Jenkins 运行所需的依赖(主要是 JDK)之后,可以通过如下步骤简单快速地部署 Jenkins: 下载 Jenkins. 打开终端并切换至下载目录. 运行命 ...
- 代码静态检查工具PC-Lint运用实践
代码静态检查工具PC-Lint运用实践 如何提交zero bug的产品,如何尽早发现bug,是软件开发工程师和测试工程师都需要思考的问题.我认为高质量的代码是关键,具体实施保障办法有:框架约束,代码评 ...
- 一些代码静态检查工具的简介
1.KLOCWORK: 适用语言:C, C++, JAVA 是否开源:否, 是否需要编译:是 作用:代码静态检查工具.用于高效检测软件缺陷和安全隐患,提供优秀的静态源代码分析解决方案.软件号称是业界领 ...
- cppcheck 自定义规则_cppcheck代码静态检查工具及相关工具插件用法介绍
摘要:介绍代码缺陷静态检查工具(static code analyzer)cppcheck,以及其vs.qtcreator.git.jenkins插件及用法. Cppcheck着重于检测未定义的行为和 ...
- c++代码静态检查工具——cpplint使用技巧
cpplint使用技巧 google c++ 编码规范 (中文 ) 李开复微博爆谷歌公开 C++编码规范 称全球最好, 开复认证,值得信赖@@@ 这篇文档确实值得去细看,不过条条框框太多,不强制 ...
- C/C++代码静态检查工具PC-lint在VS2008开发环境中的安装配置和使用
PC-Lint偏重于代码的逻辑分析,它能够发现代码中潜在的错误,比如数组访问越界.内存泄漏.使用未初始化变量等. 1. 从http://download.csdn.net/detail/liucha ...
- Windows 64位机上C/C++代码静态检查工具Logiscope RuleChecker的安装和使用
1. 从http://download.csdn.net/detail/zmywly/3611820 和 http://download.csdn.net/detail/zmywly/361 ...
- Ubuntu中C代码静态检查工具Splint的安装配置和使用
1. 从http://www.splint.org/download.html下载splint-3.1.2.src.tgz,存放到/home/spring/Splint文件夹下: 2. 打开终端: ...
最新文章
- 最佳网页宽度及其实现
- Linux 字符设备驱动开发基础(一)—— 编写简单 LED 设备驱动
- 安卓驱动开发(五)----搭建开发板的测试环境
- Python学习记录--关于列表和字典的比较
- 网络层QoS分类和标记字段详解
- 8uftp cuteftp,8uftp cuteftp之间的差别
- 智能控制在计算机领域的应用,智能控制的主要应用领域
- cad解除块的快捷命令_CAD撤销上一步和恢復下一步的快捷键是什么?
- python爬虫微信公众号视频
- __ieee80211_data_to_8023
- 微信公众号通过a标签打开小程序
- android知识点(好)
- 如何解决fillRect方法画矩形变形的问题?
- VUE自定义日历组件,计算年月日,上个月份的空白展示,点击某一天进入详情页面
- pr2020lut导入_pr lut预设怎么安装-PR下导入lut预设的方法 - 河东软件园
- 【3D视觉原理】2-3D传感器原理
- Android 下使用 FFmpeg 命令行工具与问题排查
- winform界面渐变色绘制
- Python学习——绘制世界人口地图
- MT25QU02GCBB8E12-0SIT(2Gb)串行NOR闪存,pdf