The information in the automated detection sections on this wiki may be:
  • provided by the vendors
  • determined by CERT by informally evaluating the analyzer
  • determined by CERT by reviewing the vendor documentation

Where possible, we try to reference the exact version of the tool for which the results were obtained. Because these tools evolve continuously, this information can rapidly become dated and obsolete.

  1. Hello,

    I wonder if it would be helpful to add Eclipse IDE's integrated Code Analysis "Codan" to the list? The intention of the checker might be slightly different (API, integration of checkers), but it still comes with a default (small) list of recommendations (Coding Style, Potential Programming Problems, Security Vulnerabilities, Syntax and Semantic Errors).

    Kind regards

  2. Another question.

    Is PC-Lint a candidate to include in the list?


    1. Ludwig:

      Most of the information in these Analyzers pages was entered by the vendors. They did not edit these pages; instead they added their checkers to each rule page for which they have a checker. As such, we would welcome data for Eclipse and PC-Lint if a volunteer were to manually add their mappings.

      Note that Eclipse has several SA tools and compilers, such as its native Java compiler (which can be used as a SA tool).

  3. I noticed SonarQube and Polyspace are not included in this list, because those tool pages have no label "analyzer", I think.

    Just forgetting to add the label, or intentional?

    1. Thank you for the note. This should be fixed now.

  4. The Analyzer sections would be even more useful if they included some indication of the coverage the rule set provides, especially if broken down by severity. Has anyone already done this work?

    1. These pages are scraped from the Secure Coding rule pages. Those pages occasionally have additional details about each tool & checker.