Source Code Security Analyzers
From SAMATE
For our purposes, a source code security analyzer examines source code to detect and report weaknesses that can lead to security vulnerabilities.
They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.
Byte Code Scanners and Binary Code Scanners have similarities, but work at lower levels.
Some Instances
DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (http://www.nist.gov/) (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
Please contact us if you think something should be included. If it has all the characteristics of the tool, techniques, etc., we will be happy to add it. We can be contacted at
| Tool | Language(s) | Avail. | Finds or Checks for | Date |
|---|---|---|---|---|
| ASTRÉE (http://www.astree.ens.fr/) | C | contact | undefined code constructs or run-time errors, e.g., out-of-bounds array indexing or arithmetic overflow. | 1 Mar 2007 |
| BOON (http://www.cs.berkeley.edu/~daw/boon/) | C | free | integer range analysis determines if an array can be indexed outside its bounds | 15 Feb 2005 |
| C Code Analyzer (http://www.drugphish.ch/~jonny/cca.html) (CCA) | C | free | out-of-bounds array indexing or arithmetic overflow. Aims for no false positives | 20 Apr 2006 |
| C++test (http://www.parasoft.com/jsp/products.jsp) | C++ | Parasoft (http://www.parasoft.com/) | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006 |
| .TEST (http://www.parasoft.com/jsp/products.jsp) | C#, VB.NET, MC++ | Parasoft (http://www.parasoft.com/) | | |
| Jtest (http://www.parasoft.com/jsp/products.jsp) | Java | Parasoft (http://www.parasoft.com/) | | |
| CodeCenter (http://www.ics.com/products/centerline/codecenter/features.html) | C | CenterLine Systems (http://www.centerline.com/) | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | 28 Oct 2005 |
| CodeScan | ASP, PHP | CodeScan Labs (http://www.codescan.com/) | ... security holes and source code issues ... | 10 Oct 2006 |
| CodeSecure (http://www.armorize.com/corpweb/en/products/codesecure) | PHP, Java (ASP.NET soon) | Armorize Technologies (http://www.armorize.com/) | XSS, SQL Injection, Command Injection, tainted data flow, etc. | 16 Mar 2007 |
| CodeSonar (http://www.grammatech.com/products/codesonar/overview.html) | C, C++ | GrammaTech (http://www.grammatech.com/) | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | 21 Mar 2005 |
| CQual (http://www.cs.umd.edu/~jfoster/cqual) | C | free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | 15 Feb 2005 |
| Csur (http://www.lsv.ens-cachan.fr/csur/) | C | free | cryptographic protocol-related vulnerabilities | 10 Apr 2006 |
| DevInspect (http://www.spidynamics.com/products/devinspect/) | C#, Visual Basic, JavaScript, VB Script | SPI Dynamics (http://www.spidynamics.com/) | application vulnerabilities | 21 Dec 2004 |
| DevPartner SecurityChecker (http://www.compuware.com/products/devpartner/securitychecker.htm) | C#, Visual Basic | Compuware (http://www.compuware.com/) | known and potential security vulnerabilities | 10 Oct 2006 |
| DoubleCheck (http://www.ghs.com/news/20060926_multi_speed.html) | C, C++ | Green Hills Software (http://www.ghs.com/) | like buffer overflows, resource leaks, invalid pointer references, and violations of ... MISRA | 09 Jul 2007 |
| Flawfinder (http://www.dwheeler.com/flawfinder/) | C/C++ | free | uses of risky functions, buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()). | 2005 |
| Fluid (http://www.fluid.cs.cmu.edu/) | Java | call | "analysis based verification" for attributes such as race conditions, thread policy, and object access with no false negatives | 28 Oct 2005 |
| ITS4 (http://www.cigital.com/its4/) | C, C++ | free for non-competing uses | potentially dangerous function calls, with risk analysis of some | 11 Feb 2005 |
| Jlint (http://artho.com/jlint/) | Java | free | bugs, inconsistencies and synchronization problems | 3 Feb 2006 |
| K7 (http://www.klocwork.com/products/k7_security.asp) | C, C++, and Java | Klocwork (http://www.klocwork.com/) | Access problems, buffer overflow, injection flaws, insecure storage, unvalidated input, etc. | 6 July 2005 |
| LAPSE (http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project) | Java | free | helps audit Java J2EE applications for common types of security vulnerabilities found in Web applications. | 19 Sep 2006 |
| Ounce (http://www.ouncelabs.com/accurate-complete-results.html) | C, C++, Java, JSP, ASP.NET, VB.NET, C# | Ounce Labs (http://www.ouncelabs.com/) | coding errors, security vulnerabilities, design flaws, policy violations and offers remediation | 19 Apr 2007 |
| Qualitychecker (http://d.cr.free.fr/) | VB6 | 10 Euros / file | static analysis tool | 4 Sep 2007 |
| PHP-Sat (http://www.program-transformation.org/PHP/PhpSat) | PHP | free | static analysis tool, XSS, etc. description (http://ericbouwers.blogspot.com/) | 18 Sep 2006 |
| Pixy (http://pixybox.seclab.tuwien.ac.at/pixy/index.php) | PHP | free | static analysis tool, only detects XSS and SQL Injection | 20 Jun 2007 |
| PMD (http://pmd.sourceforge.net/) | Java | free | questionable constructs, dead code, duplicate code | 3 Feb 2006 |
| PolySpace (http://www.polyspace.com/products.htm) | Ada, C, C++ | PolySpace Technologies (http://www.polyspace.com/) | run-time errors, unreachable code | 25 Feb 2005 |
| PREfix and PREfast (http://support.microsoft.com/vst) | C, C++ | Microsoft proprietary | | 10 Feb 2006 |
| Prevent (http://www.coverity.com/html/coverity-software-quality-products.html) | C, C++ | Coverity (http://www.coverity.com/) | flaws and security vulnerabilities - reduces false positives while minimizing the likelihood of false negatives. | 11 Mar 2005 |
| QA-C, QA-C++, QA-J (http://www.programmingresearch.com/PRODUCTS.html), QA-FORTRAN, QA-High-Integrity C | C, C++, Java, FORTRAN | Programming Research (http://www.programmingresearch.com/noflash_frameset.htm) | out-of-bounds array indexing | 10 Dec 2004 |
| RATS (http://www.fortify.com/security-resources/rats.jsp) (Rough Auditing Tool for Security) | C | free | potential security risks | 2005 |
| Resource Standard Metrics (http://msquaredtechnologies.com/m2rsm/) (RSM) | C, C++, C#, and Java | M Squared Technologies (http://msquaredtechnologies.com/m2rsm/) | Scan for 50 readability or portability problems or questionable constructs, e.g. different number of "new" and "delete" key words or an assignment operator (=) in a conditional (if). | 10 Dec 2004 |
| Smatch (http://smatch.sourceforge.net/) | C | free | simple scripts look for problems in a simplified representation of the code. Primarily for Linux kernel code | 20 Apr 2006 |
| SCA (http://www.fortifysoftware.com/products/sca/) | ASP.NET, C, C++, C# and other .NET languages, Java, JSP, PL/SQL, T-SQL, VB.NET, XML | Fortify Software (http://www.fortifysoftware.com/) | security vulnerabilities, tainted data flow, etc. | 21 Apr 2006 |
| SPARK tool set (http://www.praxis-his.com/sparkada/spark.asp) | SPARK (Ada subset) | Praxis (http://www.praxis-his.com/) | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | 29 Aug 2006 |
| Splint (http://www.splint.org/) | C | free | security vulnerabilities and coding mistakes. With annotations, it performs stronger checks | 2005 |
| SWAAT (http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project) | PHP, ASP.NET, JSP | free | SWAAT is an open source web application source code analysis tool | 2007 |
| UNO (http://spinroot.com/uno/) | C | free | uninitialized variables, null-pointers, and out-of-bounds array indexing and "allows for the specification and checking of a broad range of user-defined properties". Aims for a very low false alarm rate. | 3 Feb 2006 |
| Viva64 (http://www.viva64.com/) | C++ | Viva64 (http://www.viva64.com/) | finds problems in porting to 64-bit architecture, e.g. out-of-bounds indexing or arithmetic overflow. | 07 Feb 2007 |
| xg++ (http://www.stanford.edu/~engler/mc-osdi.pdf) | C | unknown | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking (http://www.stanford.edu/~engler/sp-ieee-02.pdf), etc. | 15 Feb 2005 |
Other Lists
- The Spin site hosts a list of commercial and research Static Source Code Analysis Tools for C (http://www.spinroot.com/static/) and has links to other tools and lists.
- The Flawfinder (http://www.dwheeler.com/flawfinder/) site has links to other tools.
- Wikipedia has a List of tools for static code analysis (http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) covering all kinds of analysis.