
C - Static Analyzer Tools

// Static Analyzer
// ------------------------------------------------------------------------
 
// A static analyzer parses the source code without running it and reports
// patterns of known programmer faults. With such tools you can find some
// critical bugs and security bugs very easily. The analyzer checks the code
// against predefined rules and prints many warnings and errors, including
// false positives. To get rid of a false-positive warning/error the user
// can adjust the rules or suppress that specific finding.
// A clean run does not prove the code is correct: the tools match
// known-bad patterns and library calls, they do not understand the
// program's logic, so every hit still needs a human review.
 
// PC-lint for C/C++ from Gimpel Software (http://www.gimpel.com/)
//     - static analyzer with predefined rule sets for the MISRA standard
//     - command line tool, easy to integrate into many IDEs
//       (e.g. MPLAB from Microchip)
//     - Windows, DOS, OS/2
//     - *.lnt files configure the rule checker and the compiler settings
//       (e.g. co-picc.lnt for the hitex C compiler)
//     - usage: lint co-picc.lnt test.c
 
// Splint for C (http://splint.org/)
//     - static analyzer, checks for common coding mistakes and, with
//       annotations in the source, for security problems
//     - command line tool
//     - Windows and Unix/Linux, source code available
//     - usage: splint test.c
 
// Flawfinder for C/C++ (http://www.dwheeler.com/flawfinder/)
//     - reports possible security weaknesses - "flaws"
//       (race conditions, access violations, buffer overflows, ...)
//     - ranks every hit by risk level 0 (low) to 5 (high)
//     - Linux (Python script), source code available
//     - usage: flawfinder test.c
//              flawfinder --minlevel=4 test.c   ... hide hits below level 4
 
// RATS
//     - Rough Auditing Tool for Security
//       (https://www.fortify.com/ssa-elements/threat-intelligence/rats.html)
//     - analyzes C, C++, Perl, PHP and Python source code for
//       security weaknesses (race conditions, access violations,
//       weak random numbers, buffer overflows, ...)
//     - Windows, source code available
//     - usage: rats --warning 1 --html test.c >output.html
//              --warning 1 ... only high-severity findings
//              --warning 2 ... default, medium severity and above
//              --warning 3 ... all findings, including low severity
//              --html      ... HTML-formatted output
//              --xml       ... XML-formatted output
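// The following is an added example, not code from this page or from any of
// the tools listed. It shows the two kinds of calls Flawfinder and RATS
// report most often, an unbounded strcpy() and a sprintf() into a fixed
// buffer, each beside a bounded replacement. Function names, buffer sizes
// and the inputs in main() are made up for the illustration.

```c
/* Constructed example: code in the form flagged by Flawfinder/RATS and
 * hardened replacements. Names, sizes and inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16
#define PATH_BUF_LEN 32

/* BEFORE: Flawfinder reports strcpy as a high-risk buffer overflow hit
 * (CWE-120) and RATS lists it as a high-severity call: nothing bounds
 * the copy by the size of dst. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);            /* overruns dst when strlen(src) >= NAME_MAX_LEN */
}

/* AFTER: measure first, refuse input that does not fit including the
 * terminating NUL, and copy an explicit byte count. */
int copy_name_safe(char dst[NAME_MAX_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX_LEN) {
        dst[0] = '\0';
        return -1;               /* caller must treat this as an error */
    }
    memcpy(dst, src, n + 1);     /* n + 1 includes the terminating NUL */
    return 0;
}

/* BEFORE: sprintf is flagged by both tools for the same reason: the
 * expansion of the format is not bounded by the size of out. */
void build_path_unsafe(char *out, const char *dir, const char *file)
{
    sprintf(out, "%s/%s", dir, file);
}

/* AFTER: snprintf bounds the write, but a return value >= the buffer size
 * means the result was truncated, which turns one path into a different,
 * shorter one. A lexical scanner cannot see whether this return value is
 * checked, so the check has to come from the programmer. */
int build_path_safe(char out[PATH_BUF_LEN], const char *dir, const char *file)
{
    int r = snprintf(out, PATH_BUF_LEN, "%s/%s", dir, file);
    if (r < 0 || (size_t)r >= PATH_BUF_LEN) {
        out[0] = '\0';
        return -1;               /* truncated: do not use the partial path */
    }
    return r;                    /* number of characters written */
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char path[PATH_BUF_LEN];

    /* Constructed inputs: one fits, one is 40 bytes and would overrun the
     * 16-byte buffer through copy_name_unsafe(). */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short name: %d (%s)\n", copy_name_safe(name, short_input), name);
    printf("long name:  %d (rejected)\n", copy_name_safe(name, long_input));

    printf("path: %d (%s)\n", build_path_safe(path, "/etc/app", "config.ini"), path);
    printf("path: %d (rejected, would be truncated)\n",
           build_path_safe(path, "/var/lib/application", "settings.ini"));
    return 0;
}
```

// Run flawfinder or rats over this file: the *_unsafe functions show up as
// high-level hits. The *_safe versions can still be listed (Flawfinder, for
// example, reports memcpy at a low risk level because it cannot see the
// length check in front of it); that is the false-positive case described
// at the top of this page, where the reviewer confirms the bound and then
// suppresses or lowers the finding.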
 
// other useful tools:
//     - BLAST - Berkeley Lazy Abstraction Software Verification Tool
//       (http://mtc.epfl.ch/software-tools/blast/index-epfl.php)
//     - PScan (http://deployingradius.com/pscan/)
//     - ITS4 (http://www.cigital.com/its4/)
//     - Frama-C (http://frama-c.com/)