The information in the automated detection sections on this wiki may be
- provided by the vendors
- determined by CERT by informally evaluating the analyzer
- determined by CERT by reviewing the vendor documentation
Where possible, we try to reference the exact version of the tool for which the results were obtained. Because these tools evolve continuously, this information can rapidly become dated and obsolete.
8 Comments
Ludwig Schreier
Jan 14, 2017
Hello,
I wonder if it would be helpful to add Eclipse IDE's integrated Code Analysis "Codan" to the list? The intention of the checker might be slightly different (API, integration of checkers), but it still comes with a default (small) list of recommendations (Coding Style, Potential Programming Problems, Security Vulnerabilities, Syntax and Semantic Errors).
http://wiki.eclipse.org/CDT/designs/StaticAnalysis
https://drive.google.com/file/d/1UNayw6WbckeiBLb2psf0xsyGmFf9dApwoB2BbaipU0-8c-fu3bxzCz9eSt9Q/view
Kind regards
Ludwig Schreier
Jan 14, 2017
Another question.
Is PC-Lint a candidate to include in the list?
Regards
David Svoboda
Jan 17, 2017
Ludwig:
Most of the information in these Analyzers pages was entered by the vendors. They did not edit these pages; instead they added their checkers to each rule page for which they have a checker. As such, we would welcome data for Eclipse and PC-Lint if a volunteer were to manually add their mappings.
Note that Eclipse has several SA tools and compilers, such as its native Java compiler (which can be used as a SA tool).
Yozo TODA
Jan 18, 2017
I noticed SonarQube and Polyspace are not included in this list,
because those tool pages have no label "analyzer", I think.
Just forgetting to add the label, or intentional?
Will Snavely
Jan 22, 2017
Thank you for the note. This should be fixed now.
Brad Murray
May 28, 2019
The Analyzer sections would be even more useful if they included some indication of the coverage the rule set provides, especially if broken down by severity. Has anyone already done this work?
David Svoboda
May 29, 2019
These pages are scraped from the Secure Coding rule pages. Those pages occasionally have additional details about each tool & checker.
Robert Lee
Aug 07, 2020
I'd like to see the following analyzers added to the list:
IAR C-STAT https://www.iar.com/iar-embedded-workbench/add-ons-and-integrations/c-stat-static-analysis/
Checkmarx https://www.checkmarx.com/