Source Code Audit

Open source and non-commercial tools
2.3.1.1 .NET (C#, VB.NET and all .NET compatible languages)
• Reflector.CodeMetrics — (an add-in for the essential Reflector)
• CCMetrics
• CRPlugin (plugin for DxCore)
• FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
• Source Monitor
• vil
2.3.1.2 Java
• Bandera — analyzer for Java
• Checkstyle — analyzes Java source and enforces a coding standard
• Classycle — analyzes Java class cycles and class and package dependencies (layers)
• FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL).
• Jlint — for Java
• PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
• Soot — A Java program analysis and compiler optimization framework
• Hammurapi — Customizable static code analysis tool for java (based on coding standards) that can also generate metrics report
2.3.1.3 C
• CQual — A tool for adding type qualifiers in C.
• SNav — Red Hat Source Navigator.
• Sparse — a tool designed to find faults in the Linux kernel.
• Splint — an open source evolved version of Lint (C language).
• Frama-C — Frama-C is a suite of tools dedicated to the analysis of the source code of software written in C.
• Deputy - Deputy is a C compiler that is capable of preventing common C programming errors, including out-of-bounds memory accesses as well as many other common type-safety errors.
• CCured - CCured is a source-to-source translator for C. It analyzes the C program to determine the smallest number of run-time checks that must be inserted in the program to prevent all memory safety violations.
• RATS - RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
• LLVM/Clang Static Analyzer - standalone tool that finds bugs in C and Objective-C programs.
• MOPS - MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming.
• BOON - BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code.
• BLAST - BLAST is a software model checker for C programs.
2.3.1.4 C++
• Flawfinder — open source programming tool that examines C or C++ source code for security weaknesses.
• Oink — collaboration of C++ static analysis tools, based on the research of CQual [1]
• LDRA Testbed - A software analysis and testing tool suite for C++.
• Dehydra - A scriptable static analysis tool based on GCC. Developed by Mozilla.
• EDoc++ - Examines C++ code to identify problems with C++ exception propagation and usage.
2.3.1.5 Fortran
• ftnchek — static analyzer for Fortran 77 programs
• g95-xml — code parser toolkit for Fortran 95
2.3.1.6 JavaScript
• JsLint - online analyzer for JavaScript
2.3.1.7 Perl
• Perl::Critic - a static code analysis tool for Perl
2.3.1.8 PHP
• Pixy — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities.
• smarty-lint - a lint implementation for the popular templating engine, Smarty.
2.3.1.9 Python
• PyChecker - The original static code analyser for Python.
• pylint - A static code analyser for Python. Works as a plugin to PyDev for the Eclipse IDE.
• Pyflakes - A lint-like tool for Python, whose primary advantage is being faster than PyChecker
2.3.1.10 Visual Basic
• MZTools - MZTools 3.0 - Free Static Code Analysis & productivity enhancement tool for VB6, & VBA.
2.3.1.11 Multiple languages
• RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.

Commercial tools
2.3.2.1 C/C++/C#
• ClockSharp - checks C# code against the Philips C# coding standard.
• CMT++ - code metrics tool for C/C++ (also for Java).
• StyleCop - Free source code style and consistency tool for C#, integrated into Microsoft Visual Studio.
• Complexity Analyzer - for .NET
• Compuware DevPartner - static code analyzer for .NET (C#, ASP.NET) with Visual Studio 2005 integration
• Gimpel Software FlexeLint and PC-Lint - Multi-platform static code analysis tools for C and C++ code.
• Green Hills Software DoubleCheck - static analysis for C and C++ code.
• HP Code Advisor - A static analysis tool for C and C++ programs
• LDRA Testbed - A software analysis and testing tool suite for C & C++.
• Microsoft Visual Studio - Visual Studio Team System includes a static code analyzer.
• NStatic - deep static analysis of C# code.
• PREfast – A Microsoft tool which identifies defects in C/C++ source code.
• QA-C - deep static analysis of C for quality assurance and guideline enforcement.
• ReSharper - Add-on for Visual Studio 2003/2005 from the creators of IntelliJ IDEA, which also provides static code analysis for C#.
• Sparrow - C/C++ memory-bug detecting static analyzer.
• Viva64 — analyzes C and C++ code to detect 64-bit portability issues.
• ABRAXAS Software codeCheck — programmable C/C++ standards checking tool.
2.3.2.2 Java
• checKing - monitors the quality of software development process, including violations of coding rules for Java, JSP, Javascript, XML and HTML.
• CodePro Analytix - Static code analysis for Java, integrated with Eclipse.
• Enerjy Software - Metrics expert system and extendable static code analyzer Eclipse plugin for Java - compares code quality against Open Source projects
• SonarJ - Architecture management solution for Java, comes with Eclipse-Plugin
• IntelliJ IDEA — IDE for Java that also provides static code analysis.
• QAValidator - Checking Java code against a defined software architecture
• STAN — Structure Analysis for Java. Eclipse integrated visual dependency analysis, quality metrics and reporting.
• Swat4j — a model based, goal oriented source code auditing tool for Java. Comes as an Eclipse plug-in.
• TorqueWrench - A static Java bytecode analysis tool by StackFrame, LLC.
2.3.2.3 Visual Basic
• Aivosto Oy Project Analyzer - Static code analysis tool for VBA, VB6 and VB.NET
• MZTools - MZTools 6.0 - Static Code Analysis & productivity enhancement tool for VB.net, VB6, & VBA.
2.3.2.4 Fortran
• ForCheck — analyzes FORTRAN 66, FORTRAN 77, FORTRAN 90, HPF and FORTRAN 95
2.3.2.5 Scripting languages
• Parasoft SOA Quality Solutions - Static analysis for SOA and RIA (WSDL, WS-*, XML, JavaScript, HTML, Accessibility/Section 508, etc.).
• Sandcat for PHP - Static source code analysis and hardening tool for PHP
2.3.2.6 Multi-language
• Armorize Technologies CodeSecure - source code scanning (PHP, J2EE, ASP, etc.)
• Axivion Bauhaus Suite — a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
• CAST — provides a tool with 25+ language / product analyzers, defect detection as well as architectural and build-over-build trend analysis.
• Xpediter/DevEnterprise from Compuware — COBOL and PL/I analysis at system and program level. Uses the source code as input and provides graphical representations and tabulated output. Delivers impact analysis capabilities based on specific program variables.
• Coverity Prevent — analyzes C, C++ and Java code.
• DMS Software Reengineering Toolkit — supports custom analysis of C, C++, Java, COBOL, and many other languages.
• Fortify — helps developers identify software security vulnerabilities in C/C++, .NET, Java, JSP, ASP.NET, ColdFusion, "Classic" ASP, PHP, VB6, VBScript, JavaScript, PL/SQL, T-SQL and COBOL as well as configuration files.
• GrammaTech - GrammaTech offers products for analyzing code written in C/C++ (CodeSurfer and CodeSonar) and Ada (Ada-ASSURED and Ada-Utilities)
• Klocwork Insight and Klocwork Developer for Java — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java
• Lattix, Inc. LDM - Architecture and dependency analysis tool for Ada, C/C++, Java, .NET software systems.
• LDRA Testbed - A software analysis and testing tool suite for C, C++, Ada83, Ada95 and Assembler (Intel, Freescale, Texas Instruments).
• M Squared Technologies Resource Standard Metrics - source code analysis and metrics (C, Ansi C, C++, Ansi C++, C#, Java, Javascript, etc.)
• Metrixware - Code and architecture quality analysis and dashboards (Java, Cobol, JSP, Javascript, Pacbase, C#, SAP/Abap, etc.)
• Ounce Labs — automated source code analysis that enables organizations to identify and eliminate software security vulnerabilities in languages including Java, JSP, C/C++, C#, ASP.NET, and VB.Net.
• Parasoft Application Security Solutions - Static analysis for detection and remediation of security vulnerabilities in Java, C/C++, and .NET. OWASP and PCI DSS 6 support, as well as policy enforcement. Integrated with Eclipse and Visual Studio.
• Parasoft Application Development Quality Solutions - Java, C/C++, .NET - Static analysis for Java (including JSP, XML configuration files and property files), C/C++ (including JSF and MISRA), and .Net (IL, C#, VB.NET). Integrated with Eclipse and Visual Studio.
• PolySpace code verifiers by The MathWorks - Software verification for C, C++ and Ada
• Metrixware System Code - Static code analyzer and quality dashboard for C, C++, C#, Java, JSP, PHP and JavaScript.
• SofCheck Inspector — provides static detection of logic errors, race conditions, and redundant code for Java and Ada.
• Sotoarc/Sotograph - Architecture and quality in-depth analysis and monitoring for Java, C#, C and C++
• Telelogic Logiscope RuleChecker (coding standards checking) and Audit (metrics measurement and ISO 9126-based quality modeling) for C, C++, Ada, Java.
• Understand — analyzes C, C++, Java, Ada, Fortran, Jovial and Delphi — reverse engineering of source, code navigation, and metrics tool.
• Veracode SecurityReview — on-demand application security testing and remediation for C, C++, Java, .Net and other languages.

A code audit tool is an automated tool that checks application code for vulnerabilities and security risks. The steps for checking code with such a tool are:

1. Choose a suitable tool: pick a code audit tool that fits your programming language and application type. For example, for a Java application you can use FindBugs, Checkstyle, PMD and similar tools.
2. Prepare the code: make the application's code available for checking. You can use the code directly on your local machine, or fetch it from a version control system with a code management tool such as Git.
3. Run the tool: run the chosen code audit tool to scan the application's code. The tool checks the code for potential vulnerabilities and security risks and generates a report.
4. Analyze the report: review the report generated by the tool, look at the potential vulnerabilities and security risks, and take appropriate action to fix them. The report usually includes a classification and severity for each finding, along with suggested fixes.
5. Fix the code: fix the vulnerabilities and security risks in the code. Make sure the fixed code is tested and that no new vulnerabilities or security risks have been introduced.
6. Re-run the tool: run the code audit tool again to confirm that all vulnerabilities and security risks have been fixed. Repeat this process until the tool no longer reports any vulnerabilities or security risks.

In short, a code audit tool is a useful aid for finding vulnerabilities and security risks in application code and for taking the appropriate steps to fix them, so that the application's security is assured.
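The steps above (run the tool, read a report with a classification and severity per finding, fix, re-scan until it is clean) are easier to picture with a concrete checker in hand. The following is an added example written for this page; it is not one of the tools listed above and not the page author's code. It is a toy AST-based checker for Python with a handful of constructed rules (`PY-EVAL`, `PY-PICKLE`, `PY-SHELL` and their severities are invented for illustration), run over a constructed "before" snippet and the same snippet after the findings were fixed.

```python
"""Toy AST-based security checker for Python (hypothetical example).

Not one of the tools listed on this page; rule ids, severities and the
sample snippets below are constructed for illustration only.
"""
import ast
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    rule: str       # constructed rule identifier, e.g. "PY-EVAL"
    severity: str   # "high" or "medium"
    line: int       # 1-based line in the scanned source
    message: str


# Callee name -> (rule id, severity, message). All values are constructed.
DANGEROUS_CALLS = {
    "eval": ("PY-EVAL", "high", "eval() on untrusted input executes arbitrary code"),
    "exec": ("PY-EXEC", "high", "exec() on untrusted input executes arbitrary code"),
    "pickle.loads": ("PY-PICKLE", "high", "unpickling untrusted bytes can execute code"),
}


def _callee_name(node: ast.Call) -> Optional[str]:
    """Return 'name' or 'module.attr' for the called expression, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _has_shell_true(node: ast.Call) -> bool:
    """True if the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is True
        for kw in node.keywords
    )


def analyze(source: str) -> List[Finding]:
    """Step 3: scan one module's source and return findings sorted by line."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in DANGEROUS_CALLS:
            rule, severity, message = DANGEROUS_CALLS[name]
            findings.append(Finding(rule, severity, node.lineno, message))
        if name and name.startswith("subprocess.") and _has_shell_true(node):
            findings.append(Finding("PY-SHELL", "high", node.lineno,
                                    "shell=True with a built command string; pass an argv list"))
    return sorted(findings, key=lambda f: f.line)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Step 4: count findings per severity, as an audit report would."""
    return dict(Counter(f.severity for f in findings))


def report(findings: List[Finding]) -> str:
    """Render findings one per line: 'line N: [severity] RULE message'."""
    if not findings:
        return "no findings"
    return "\n".join(f"line {f.line}: [{f.severity}] {f.rule} {f.message}" for f in findings)


def audit_clean(source: str) -> bool:
    """Step 6 gate: True only when a re-scan reports nothing."""
    return not analyze(source)


# Constructed 'before' snippet: three issues the checker should flag.
BEFORE = """\
import subprocess, pickle

def run(cmd, blob):
    subprocess.call("ls " + cmd, shell=True)
    obj = pickle.loads(blob)
    return eval(obj)
"""

# Constructed 'after' snippet: the same function with the findings fixed.
AFTER = """\
import subprocess, json, ast

def run(cmd, blob):
    subprocess.call(["ls", cmd])
    obj = json.loads(blob)
    return ast.literal_eval(obj)
"""

if __name__ == "__main__":
    before = analyze(BEFORE)
    print(report(before))                    # three high-severity findings, lines 4-6
    print("summary:", summarize(before))
    print("after fix clean:", audit_clean(AFTER))
```

Real analyzers differ from this toy in scale, not in shape: a parse step, a rule set keyed on syntactic patterns, a report with rule id and severity per location, and a pass/fail gate that the fixed code must clear on re-scan. Note also what a purely syntactic rule cannot see: `analyze` only matches `module.attr` callees by their written name, so an aliased import (`from pickle import loads as load`) slips past it, which is why step 4 stresses reading the report rather than trusting a zero count.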