Category: Static program analysis tools

Soot (software)
In static program analysis, Soot is a bytecode manipulation and optimization framework consisting of intermediate languages for Java. It has been developed by the at McGill University. Soot provides f
SofCheck Inspector
The SofCheck Inspector is a static analysis tool for Java and Ada. It statically determines and documents the pre- and postconditions of Java methods or Ada subprograms, and uses that information to i
Lint (software)
Lint, or a linter, is a static code analysis tool used to flag programming errors, bugs, stylistic errors and suspicious constructs. The term originates from a Unix utility that examined C language so
Coala (software)
coala is a free and open-source language independent analysis toolkit, written in Python. The primary goal of coala is to make it easier for developers to create rules which a project's code should co
MALPAS Software Static Analysis Toolset
MALPAS is a software toolset that provides a means of investigating and proving the correctness of software by applying a rigorous form of static program analysis. The tool uses directed graphs and re
Extended static checking
Extended static checking (ESC) is a collective name in computer science for a range of techniques for statically checking the correctness of various program constraints. ESC can be thought of as an ex
VeriFlux
VeriFlux is a formal methods based static analysis tool for programs written in Java. It is optimized for use with JamaicaVM, but can be used for any Java program. It can detect uncaught runtime excep
Software mining
Software mining is an application of knowledge discovery in the area of software modernization which involves understanding existing software artifacts. This process is related to a concept of reverse
Frama-C
Frama-C stands for Framework for Modular Analysis of C programs. Frama-C is a set of interoperable program analyzers for C programs. Frama-C has been developed by the French Commissariat à l'Énergie A
DMS Software Reengineering Toolkit
The DMS Software Reengineering Toolkit is a proprietary set of program transformation tools available for automating custom source program analysis, modification, translation or generation of software
AdaControl
AdaControl is a free (GMGPL) tool that detects the use of various kinds of constructs in Ada programs. Its first goal is to control proper usage of style or programming rules, but it can also be used
ThreadSafe
ThreadSafe is a source code analysis tool that identifies application risks and security vulnerabilities associated with concurrency in Java code bases, using whole-program interprocedural analysis. T
Cscope
cscope is a programming tool that works in console mode with a text-based interface, allowing computer programmers or software developers to search source code of the programming language C, with some s
Helix QAC
Helix QAC, formerly QA·C, is a commercial static code analysis software tool produced by Minneapolis, Minnesota-based software vendor Perforce Software. QAC means Quality Assurance and Control. The soft
Red Lizard Software
Red Lizard Software was a privately held software vendor for static analysis tools. The company was founded in 2009 as a spinout from the Australia research centre NICTA. It was headquartered in Sydne
AbsInt
AbsInt is a software-development tools vendor based in Saarbrücken, Germany. The company was founded in 1998 as a technology spin-off from the Department of Programming Languages and Compiler Construc
JSHint
JSHint is a static code analysis tool used in software development for checking if JavaScript source code complies with coding rules. JSHint was created in 2011 by Anton Kovalyov as a fork of the JSLi
FxCop
FxCop is a free static code analysis tool from Microsoft that checks .NET managed code assemblies for conformance to Microsoft's .NET Framework Design Guidelines.
Coverity
Coverity is a proprietary static code analysis tool from Synopsys. This product enables engineers and security teams to find and fix software defects. Coverity started as an independent software compa
Semgrep
semgrep or Semgrep CLI is a free open-source static code analysis tool developed by Return To Corporation (usually referred to as r2c) and open-source contributors. It has stable support for Go, Java,
SonarQube
SonarQube (formerly Sonar) is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs and co
ConQAT
The Continuous Quality Assessment Toolkit (ConQAT) is a configurable software quality analysis engine. ConQAT is based on a pipes and filters architecture that enables flexible complex analysis config
Cpplint
cpplint or cpplint.py is an open source lint-like tool developed by Google, designed to ensure that C++ code conforms to Google's coding style guides. Therefore, cpplint implements what Google considers
Pylint
Pylint is a static code analysis tool for the Python programming language. It is named following a common convention in Python of a "py" prefix, and a nod to the C programming lint program. It follows
Jtest
Jtest is an automated Java software testing and static analysis product developed by Parasoft. The product includes technology for Data-flow analysis, Unit test-case generation and execution, static a
JSLint
JSLint is a static code analysis tool used in software development for checking if JavaScript source code complies with coding rules. It is provided primarily as a browser-based web application access
ECLAIR
ECLAIR is a commercial static code analysis tool developed by BUGSENG, LLC for automatic analysis, verification, testing and transformation of C and C++ programs.
Sotoarc
Sotoarc is a commercial static code analysis tool for software architects. It graphically visualizes the static structure of software systems written in Java, C# or in C++ code. The code structure is
Coccinelle (software)
Coccinelle (French for ladybug) is an open-source utility for matching and transforming the source code of programs written in the C programming language.
PMD (software)
PMD is an open source static source code analyzer that reports on issues found within application code. PMD includes built-in rule sets and supports the ability to write custom rules. PMD does not rep
SOAtest
Parasoft SOAtest is a testing and analysis tool suite for testing and validating APIs and API-driven applications (e.g., cloud, mobile apps, SOA). Basic testing functionality includes functional unit t
TippingPoint
TippingPoint, part of Trend Micro Security, is an American software company founded in 1999 with focus on network security products, particularly intrusion prevention systems for networks.
Fortify Software
Fortify Software, later known as Fortify Inc., is a California-based software security vendor, founded in 2003 and acquired by Hewlett-Packard in 2010, Micro Focus in 2017, and OpenText in 2022. Forti
Checkstyle
Checkstyle is a static code analysis tool used in software development for checking if Java source code is compliant with specified coding rules. Originally developed by Oliver Burn back in 2001, the
StyleCop
StyleCop is an open-source static code analysis tool from Microsoft that checks C# code for conformance to StyleCop's recommended coding styles and a subset of Microsoft's .NET Framework Design Guidel
SourceMeter
SourceMeter is a source code analyzer tool, which can perform deep static program analysis of the source code of complex programs in C, C++, Java, Python, C#, and RPG (AS/400). FrontEndART has develop
CodeSonar
CodeSonar is a static code analysis tool from GrammaTech. CodeSonar is used to find and fix bugs and security vulnerabilities in source and binary code. It performs whole-program, inter-procedural ana
PerlTidy
PerlTidy is a tool written in the Perl programming language to do static code analysis against code written in that same language. It uses either command-line switches or configuration files to reform
LDRA Testbed
LDRA Testbed provides the core static and dynamic analysis engines for both host and embedded software. LDRA Testbed is made by Liverpool Data Research Associates (LDRA). LDRA Testbed provides the mea
Astrée (static analysis)
Astrée ("Analyseur statique de logiciels temps-réel embarqués") is a static analyzer based on abstract interpretation. It analyzes programs written in the C programming language and outputs an exhaust
Veracode
Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, the company provides SaaS application security that integrates application analysis into development pi
Apache Yetus
Apache Yetus is a collection of libraries and tools that enable contribution and release processes for software projects. Portions are used by a wide variety of Apache projects, including Apache Hadoo
PVS-Studio
PVS-Studio is a proprietary static code analyzer for code quality, security, and code safety, supporting C, C++, C++11, C++/CLI, C++/CX, C# and Java. PVS-Studio detects various errors: typos, de
Checkmarx
Checkmarx is a global software security company headquartered in Atlanta, Georgia in the United States. The company was acquired in April 2020 by Hellman & Friedman, a global private equity firm with
ESC/Java
ESC/Java (and more recently ESC/Java2), the "Extended Static Checker for Java," is a programming tool that attempts to find common run-time errors in Java programs at compile time. The underlying appr
Semmle
Semmle Inc is a code-analysis platform with offices in San Francisco, Seattle, New York, Oxford, Valencia and Copenhagen. Semmle was acquired by GitHub (itself owned by Microsoft) on 18 September 2019
Bauhaus Project (computing)
The Bauhaus project is a software research project collaboration among the University of Stuttgart, the University of Bremen, and a commercial spin-off company Axivion formerly called Bauhaus Software
Cppcheck
Cppcheck is a static code analysis tool for the C and C++ programming languages. It is a versatile tool that can check non-standard code. The creator and lead developer is Daniel Marjamäki. Cppcheck i
FindBugs
FindBugs is an open-source static code analyser created by Bill Pugh and David Hovemeyer which detects possible bugs in Java programs. Potential errors are classified in four ranks: (i) scariest, (ii)
Polyspace
Polyspace is a static code analysis tool for large-scale analysis by abstract interpretation to detect, or prove the absence of, certain run-time errors in source code for the C, C++, and Ada programm
GrammaTech
GrammaTech is a software-development tools vendor based in Bethesda, Maryland with a research center based in Ithaca, New York. The company was founded in 1988 as a technology spin-off of Cornell Univ
PC-Lint
PC-lint is a commercial software linting tool produced by Gimpel Software (formerly Gimp Suit Software Ltd.) for the C/C++ languages. PC-lint is a command-line tool for performing static code analysis
Visual Expert
Visual Expert is a static code analysis tool, extracting design and technical information from software source code by reverse-engineering, used by programmers for software maintenance, modernization
JArchitect
JArchitect is a static analysis tool for Java code. This tool supports a large number of code metrics, allows for visualization of dependencies using directed graphs and dependency matrix. The tools a
Yasca
Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It leverages external open source program
ESLint
ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code. It was created by Nicholas C. Zakas in 2013. Rules in ESLint are configurable, and customized rules
Sourcetrail
Sourcetrail was a FOSS source code explorer that provided interactive dependency graphs and support for multiple programming languages including C, C++, Java and Python.
Imagix 4D
Imagix 4D is a source code analysis tool from Imagix Corporation, used primarily for understanding, documenting, and evolving existing C, C++ and Java software. Applied technologies include full seman
List of tools for static code analysis
This is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).
Cppdepend
CppDepend is a static analysis tool for C/C++ code. This tool supports a large number of code metrics, allows for visualization of dependencies using directed graphs and dependency matrix. The tools a
CPAchecker
CPAchecker is a framework and tool for formal software verification, and program analysis, of C programs. Some of its ideas and concepts, for example lazy abstraction, were inherited from the software
RIPS
RIPS (Research and Innovation to Promote Security) is a static code analysis software for the automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written
Clang
Clang is a compiler front end for the C, C++, Objective-C, and Objective-C++ programming languages, as well as the OpenMP, OpenCL, RenderScript, CUDA, and HIP frameworks. It acts as a drop-in replacem
Liquid Haskell
Liquid Haskell is a program verifier for Haskell which allows developers to specify correctness properties by using refinement types. Properties are verified using an SMTLIB2-compliant SMT solver, suc
Understand (software)
Understand is a customizable integrated development environment (IDE) that enables static code analysis through an array of visuals, documentation, and metric tools. It was built to help software deve
BLAST model checker
The Berkeley Lazy Abstraction Software verification Tool (BLAST) is a software model checking tool for C programs. The task addressed by BLAST is the need to check whether software satisfies the behav
Daikon (system)
Daikon is a computer program that detects likely invariants of programs. An invariant is a condition that always holds true at certain points in the program. It is mainly used for debugging programs i
CodeScene
CodeScene is a behavioral code analysis tool developed by Empear AB. CodeScene provides code visualizations based on version-control data and machine learning algorithms that identify social patterns
NDepend
NDepend is a static analysis tool for .NET managed code. The tool provides a large number of features, from dependency visualization to Quality Gates and Smart Technical Debt Estimation. For those reasons
Fluctuat
Fluctuat has been developed by Commissariat à l'Énergie Atomique et aux Énergies Alternatives since 2001. Fluctuat enables the static analysis of C and Ada programs, with a special focus on floating-p
Parasoft C/C++test
Parasoft C/C++test is an integrated set of tools for testing C and C++ source code that software developers use to analyze, test, find defects, and measure the quality and security of their applicatio
Hermes (programming language)
Hermes is a language for distributed programming that was developed at IBM's Thomas J. Watson Research Center from 1986 through 1992, with an open-source compiler and run-time system. Hermes' primary feat
Kiuwan
Kiuwan is a software as a service (SaaS) platform providing end-to-end static application security testing. They provide services to a range of industries, but specialize in code security analysis for
CodePeer
CodePeer is a static analysis tool, which identifies constructs that are likely to lead to run-time errors such as buffer overflows, and it flags legal but suspect code, typical of logic errors in Ada
Klocwork
Klocwork is a static code analysis tool owned by Minneapolis, Minnesota-based software developer Perforce. Klocwork software analyzes source code in real time, simplifies peer code reviews, and extend
Splint (programming tool)
Splint, short for Secure Programming Lint, is a programming tool for statically checking C programs for security vulnerabilities and coding mistakes. Formerly called LCLint, it is a modern version of
.NET Reflector
.NET Reflector is a class browser, decompiler and static analyzer for software created with .NET Framework, originally written by Lutz Roeder. MSDN Magazine named it as one of the Ten Must-Have utilit
Parasoft
Parasoft (officially Parasoft Corporation) is an independent software vendor specializing in automated software testing and application security with headquarters in Monrovia, California. It was found
Automated code review
Automated code review software checks source code for compliance with a predefined set of rules or best practices. The use of analytical methods to inspect and review source code to detect bugs or sec
Sparse
Sparse is a computer software tool designed to find possible coding faults in the Linux kernel. Unlike other such tools, this static analysis tool was initially designed to only flag constructs that w