Java code static check tools

checkstyle:
http://checkstyle.sourceforge.net/

Google Java Style
http://checkstyle.sourceforge.net/reports/google-java-style.html

FindBugs – bug-pattern detection on compiled Java bytecode (development has since continued as SpotBugs)
PMD – source-level rule checks for unused code, empty blocks, bad practices and the like
Checkstyle – coding-standard and formatting checks (see the Google Java Style configuration above)
Lint4J – lint-style static checks on Java source and bytecode
Classycle – class and package dependency analysis, including detection of dependency cycles
JDepend – package dependency metrics (afferent/efferent coupling, abstractness, instability)
SISSy – Structural Investigation of Software Systems, a structural and design-flaw analyzer
Google CodePro AnalytiX – Eclipse-based code audit, metrics and test generation

Open Source or Free Tools Of This Type
Google CodeSearchDiggity – Used Google Code Search to identify vulnerabilities in open source projects hosted on Google Code, MS CodePlex, SourceForge, GitHub and others. The tool shipped with over 130 default searches covering SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords and more, effectively running a source code security search across nearly every public open source project at once. Note that Google Code Search has since been shut down, so the tool no longer works as described.
FindBugs – Finds bugs (including some security flaws) in Java programs by analyzing compiled bytecode rather than source
FxCop (Microsoft) – FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs
RATS (Fortify) – Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
OWASP SWAAT Project – Simplistic Beta Tool – Languages: Java, JSP, ASP .Net, and PHP
Flawfinder – Scans C and C++ source for calls to risky functions (strcpy, gets, sprintf, and so on) and ranks each hit by risk level
RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications
Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works for non-web applications written in Ruby
VCG – Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.
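As an added illustration of what the pattern-based scanners in this list (Flawfinder, RATS, and VCG with its banned-function config) actually do, here is a small scanner written for this page; it is not code from any of those tools. It strips comments, matches each remaining line against a per-language rule table, and ranks the hits by severity. The rule table, the severities and the two sample source files are constructed for the example; the Java rules mirror the kind of problem FindBugs reports (SQL built by string concatenation), but the matching here is purely textual.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Rule:
    name: str       # risky API or pattern being flagged
    severity: int   # 1 (informational) .. 5 (very likely exploitable)
    message: str    # remediation advice shown with the finding
    regex: str      # matched against each comment-stripped source line


# Hypothetical, abridged rule table keyed by file extension, in the spirit of
# VCG's per-language banned-function config and Flawfinder's ruleset.
RULES = {
    ".c": [
        Rule("gets", 5, "unbounded read; use fgets with a size", r"\bgets\s*\("),
        Rule("strcpy", 4, "no bounds check; use snprintf with the destination size", r"\bstrcpy\s*\("),
        Rule("access", 3, "check-then-use on a path is a TOCTOU race; open, then fstat the fd", r"\baccess\s*\("),
    ],
    ".java": [
        Rule("Statement.execute+concat", 5, "SQL built by concatenation; use PreparedStatement parameters",
             r"\.(execute|executeQuery|executeUpdate)\s*\(\s*\"[^\"]*\"\s*\+"),
        Rule("java.util.Random", 2, "not cryptographically secure; use SecureRandom for secrets",
             r"\bnew\s+Random\s*\("),
    ],
}

Finding = namedtuple("Finding", "path line rule severity message text")


def strip_comments(lines):
    """Yield (lineno, code) with // and /* */ comments blanked out, so that
    commented-out calls are not reported. String literals are not tokenized,
    so a comment marker inside a string would be misread (a toy limitation)."""
    in_block = False
    for lineno, line in enumerate(lines, start=1):
        out, i = [], 0
        while i < len(line):
            if in_block:                      # inside /* ... */, skip to its end
                end = line.find("*/", i)
                if end == -1:
                    break
                in_block, i = False, end + 2
            elif line.startswith("//", i):    # rest of the line is a comment
                break
            elif line.startswith("/*", i):
                in_block, i = True, i + 2
            else:
                out.append(line[i])
                i += 1
        yield lineno, "".join(out)


def scan_source(path: str, text: str) -> list:
    """Apply the rules for the file's language to every line of one file."""
    rules = RULES.get(PurePosixPath(path).suffix, [])
    found = []
    for lineno, code in strip_comments(text.splitlines()):
        for rule in rules:
            if re.search(rule.regex, code):
                found.append(Finding(path, lineno, rule.name, rule.severity, rule.message, code.strip()))
    return found


def scan_files(files: dict) -> list:
    """Scan a {path: source text} mapping; highest severity first, then by location."""
    found = [f for path, text in files.items() for f in scan_source(path, text)]
    return sorted(found, key=lambda f: (-f.severity, f.path, f.line))


# Constructed sample sources, not real project code: a C routine with a
# check-then-use race and an unbounded copy, and a Java DAO with SQL concatenation.
SAMPLE_FILES = {
    "src/upload.c": """\
int save(const char *name, const char *data) {
    char path[64];
    if (access(name, W_OK) != 0)  /* check ... */
        return -1;
    strcpy(path, name);           /* ... then use */
    FILE *f = fopen(path, "w");
    // strcpy(path, name);  commented out, must not be reported
    fputs(data, f);
    return fclose(f);
}
""",
    "src/UserDao.java": """\
import java.sql.*;
import java.util.Random;
class UserDao {
    ResultSet find(Connection c, String id) throws SQLException {
        Statement st = c.createStatement();
        return st.executeQuery("SELECT * FROM users WHERE id = " + id);
    }
    /* token is used as a password-reset secret */
    long token() { return new Random().nextLong(); }
}
""",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}:{f.line} {f.rule}: {f.message}\n    {f.text}")
```

Running it reports the SQL concatenation first, then the strcpy and the access/strcpy TOCTOU pair in the C file, and the Random use last; the commented-out strcpy is not reported. This is also the limitation of the whole tool class: a grep-style rule has no data flow, so it cannot tell a tainted concatenation from a constant one, which is why the bytecode- and flow-based tools (FindBugs and the commercial analyzers below) exist.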
Commercial Tools Of This Type
BugScout (Buguroo Offensive Security)

bugScout is a source code analysis tool that detects vulnerabilities in source code and supports managing them through their life cycle.

Contrast from Contrast Security

Contrast is not a static analysis tool like the others. It instruments the running application and reports code-level results from the code that actually executes, but it does not analyze source or bytecode statically.

IBM Security AppScan Source Edition (formerly Ounce)
Insight (KlocWork)
Parasoft Test (Parasoft)
Pitbull Source Code Control (Pitbull SCC)

A tool for controlling application source code together with the corresponding compiled files, so that their integrity can be verified before deployment to production. In addition, it can analyze source code to identify malware that would affect the normal functioning of the application.

Seeker (Quotium)

Seeker tests code security without performing static analysis. It does Interactive Application Security Testing (IAST), correlating runtime code and data analysis with simulated attacks, and provides code-level results without relying on static analysis.

Source Patrol (Pentest)
Static Source Code Analysis with CodeSecure™ (Armorize Technologies)
Kiuwan – SaaS Software Quality & Security Analysis (Optimyth)
Static Code Analysis (Checkmarx)
Security Advisor (Coverity)
PVS-Studio (PVS-Studio)
Source Code Analysis (HP/Fortify)
Veracode (Veracode)
Sentinel Source solution (Whitehat)

Source: https://www.owasp.org/index.php/Source_Code_Analysis_Tools