Static code analysis is a method of debugging by examining source code before a program is run. It's done by analyzing a set of code against a set (or multiple sets) of coding rules.
Helix QAC is an excellent static analysis testing tool for C and C++ code from Perforce (formerly PRQA).
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws. SAST tools can be added into your IDE. Such tools can help you detect issues during software development.
Code violation detection Tools:
FxCop, excellent tool by Microsoft. Check compliance with .NET framework guidelines.
Edit October 2010: No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe
Edit February 2018: This functionality has now been integrated into Visual Studio 2012 and later as Code Analysis
Clocksharp, based on code source analysis (to C# 2.0)
Mono.Gendarme, similar to FxCop but with an open source licence (based on Mono.Cecil)
Smokey, similar to FxCop and Gendarme, based on Mono.Cecil. No longer on development, the main developer works with Gendarme team now.
Coverity Prevent™ for C#, commercial product
PRQA QA·C#, commercial product
PVS-Studio, commercial product
CAT.NET, visual studio addin that helps identification of security flaws Edit November 2019: Link is dead.
CodeIt.Right
Spec#
Pex
SonarQube, FOSS & Commercial options to support writing cleaner and safer code.
Quality Metric Tools:
Checking Style Tools:
Duplication Detection:
General Refactoring tools
The tool NDepend is quoted as Quality Metric Tools but it is pretty much also a Code violation detection tool. Disclaimer: I am one of the developers of the tool
With NDepend, one can write Code Rule over LINQ Queries (what we call CQLinq). More than 200 CQLinq code rules are proposed by default. The strength of CQLinq is that it is straightforward to write a code rule, and get immediately results. Facilities are proposed to browse matched code elements. For example:
Beside that, NDepend comes with many others static analysis like features. These include:
Have you seen CAT.NET?
From the blurb -
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
I used an early beta and it did seem to turn up a few things worth looking at.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With