【SQL开源代码栏目提醒】:网学会员SQL开源代码为您提供btr静态代码分析工具汇总gbk - 培训教程参考,解决您在btr静态代码分析工具汇总gbk - 培训教程学习中工作中的难题,参考学习。
静态
代码分析工具汇总转 作者Nasser 出处博客园 2011/9/8 23:55:20 阅读79次 静态
代码扫描借用一段网上的原文解释一下这里叫静态检查“静态测试包括
代码检查、静态结构分析、
代码质量度量等。
它可以由人工进行充分发挥人的逻辑思维优势也可以借助
软件工具自动进行。
代码检查
代码检查包括
代码走查、桌面检查、
代码审查等主要检查
代码和
设计的一致性
代码对标准的遵循、可读性
代码的逻辑表达的正确性
代码结构的合理性等方面可以发现违背程序编写标准的问题程序中不安全、不明确和模糊的部分找出程序中不可移植部分、违背程序编程风格的
问题包括变量检查、命名和类型审查、
程序逻辑审查、程序语法检查和程序结构检查等内容。
”。
我看了一系列的静态
代码扫描或者叫静态
代码分析工具后总结对工具的看法静态
代码扫描工具和编译器的某些功能其实是很相似的他们也需要词法分析语法分析语意分析 ...但和编译器不一样的是他们可以自定义各种各样的复杂的规则去对
代码进行分析。
以下将会列出的静态
代码扫描工具会由于实现方法算法分析的层次不同功能上会差异很大。
有的可以做
SQL注入的检查有的则不能当然由于时间问题还没有对规则进行研究但要检查复杂的
代码安全漏洞是需要更高深分析算法的所以有的东西应该不是设置规则库就可以检查到的但在安全方面的检查一定程度上也是可以通过设置规则进行检查的 。
以下我在网上搜集到的分析工具我整理了以下挑了一些出来这里只是一部分另外一些可以到参考链接上看一下: 工具名 静态扫描语言
开源/付费 厂商 介绍 主页网址 ounec5.0
VB.Net、C、C和C 还支持Java。
付 费 Ounce Labs http://www.ouncelabs.com/ Coverity Prevent C/CCJAVA 付费 Coverity 还有其他辅助工具 1.Coverity Thread Analyzer for Java 2.Coverity Software Readiness Manager for Java http://www.coverity.com/index.html 3.Coverity Architecture Analyzer stake SmartRisk?? Analyzer C/CJava 付费 Symantec Corporation stake SmartRisk?? Analyzer harnesses the power of static analysis of binary executables C C and Java to identify categorize and prioritize security。
注在Symantec没有搜到此产品 http://www.symantec.com/business/index.jsp Rational Purify C/CJava 付费 IBM Provides memory leak and memory corruption detection for WindowsRuntime http://www-01.ibm.com/software/awdtools/purify/ PREfix microsoft 微软用的静态分析工具但暂时没有找到下载 现在好像在考虑发布中 Jtext Java 付费 parasoft 同时还有其他静态分析
代码的产品如:CTest... 详细请
查询官网 http://www.parasoft.com/jsp/cn/support.jsp flawfinder C/C
开源 用Python编写的c、c程序安全审核工具 可以检查潜在的安全风险。
http://www.dwheeler.com/flawfinder/ Static Code Analyzer C/CCJAVA 付费 Fortify http://www.fortify.com/ Klocwork Insight C/C Java 付费 Klocwork http://www.klocwork.com/products/insight.asp PolySpace Client/Server C/C、Ada语言 付费 MathWorks http://www.mathworks.cn/ rats C/C Python Perl PHP
代码进行安全审核的工具
开源 http://www.fortify.com/security-resources/rats.jsp LAPSE Java
开源 LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project Security Project. Fluid java
开源 We have explored properties including: race conditions and locking policies unique references and other programmer-significant aliasing properties effects appropriate typing realtime threading policies and single-threading policies. http://www.fluid.cs.cmu.edu:8080/Fluid Splint C
开源 University of Virginia Department of Computer Science 静态检测针对C语言的安全工具和漏洞检测。
http://www.splint.org/ cqual C/C
开源 马里兰大学 轻量级的静态扫描器在类Linux
系统下运行。
http://www.cs.umd.edu/jfoster/cqual/ MOPS C
开源 berkeley大学 MOPS is a tool for finding http://www.cs.berkeley.edu/daw/mops/ security bugs in C programs and for verifying conformance to rules of defensive programming BOON C
开源 berkeley大学 BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes and we hope that BOON will enable software developers and code auditors to improve the quality of security-critical programs. http://www.cs.berkeley.edu/daw/boon/ BLAST C
开源 The BLAST 2.0 Team BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. http://mtc.epfl.ch/software-tools/blast/ BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly and only to the required precision. SpikeWAMP Php
开源 for analyzing
PHP programs http://developer.spikesource.com/wiki/index.php/SpikeWAMP Pixy Php
开源 Finding XSS and SQLI vulnerabilities http://pixybox.seclab.tuwien.ac.at/pixy/ Mike Java
开源 Java source code security scanner built on top of Orizon. They are connected to OWASP. http://milk.sourceforge.net/download.html Smatch C
开源 http://smatch.sourceforge.net/ Oink C
开源 C Static Analysis Tools http://www.cubewano.org/oink Frama-C C
开源 static analyzers for the C language. http://frama-c.cea.fr/ RTL-check
开源 RTL-check is an extensible and http://rtlcheck.sourceforge.net/ powerful abstract interpretation framework for static analysis of programs from a safety and security perspective PMD Java
开源 PMD scans Java source code and looks for potential problems like: Possible bugs - empty try/catch/finally/ switch statements Dead code - unused local variables parameters and private methods Suboptimal code - wasteful String/StringBuffer usage Overcomplicated expressions - unnecessary if statements for loops that could be while loops Duplicate code - http://pmd.sourceforge.net/ copied/pasted code means copied/pasted bugs FindBugs Java
开源 马里兰大学 uses static analysis to look for bugs in Java code. 注意提供Eclipse插件。
http://findbugs.sourceforge.net/ ITS4 CC
开源 Cigital developed ITS4 to help automate source code review for security. http://www.cigital.com/its4/ QJ-Pro Java
开源 QJ-Pro is a comprehensive software inspection tool targeted towards the software developer. QJ-Pro checks: conformance to coding standards misuse of the
Java language best practice conformence code structure and potential bugs at the earliest stages http://qjpro.sourceforge.net/ of development. 注意提供各种IDE插件 Jint Java
开源 Jlint will check your Java code and find bugs inconsistencies and synchronization problems by doing data flow analysis and building the lock graph. http://artho.com/jlint/ Hammurapi Java
开源 code review system captures coding best practices and delivers them to developers fingertips. It also generates consolidated reports for lead developers architects and managers to monitor codebase quality and evolution. http://www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.html DoctorJ Java
开源 Among what it detects: misspelled
words parameter http://www.incava.org/projects/java/doctorj/index.html and exception names: o missing o misordered o
misspelled Javadoc tags: o invalid o misordered o missing expected arguments o invalid arguments o missing descriptions undocumented classes methods fields parameters Dependency Finder Java
开源 Dependency Finder is a suite of tools for analyzing compiled Java code. At the core is a powerful dependency analysis application that extracts dependency http://depfind.sourceforge.net/ graphs and mines them for useful information. This application comes in many forms for your ease of use including command-line tools a Swing-based application a
web application ready to be deployed in an application server and a set of Ant tasks. Checkstyle Java
开源 Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring but important task. This makes it ideal for projects that want to enforce a coding http://checkstyle.sourceforge.net/ standard. 注意提供多种IDE的插件。
Classycle Java
开源 Classycles Analyser analyses the static class and package dependencies in Java applications or libraries. http://classycle.sourceforge.net/ JDepend Java
开源 JDepend traverses Java class file directories and generates design quality metrics for each Java package. JDepend allows you to automatically measure the quality of a design in terms of its extensibility reusability and maintainability to manage package dependencies effectively. http://www.clarkware.com/software/JDepend.html JCSC Java
开源 JCSC is a powerful tool to check source code against a highly definable http://jcsc.sourceforge.net/ coding standard and potential bad code. ...... 以下是直接提供
代码检查/相关帮助的厂商 Fortify: http://www.fortify.com/ ASPECT: http://www.aspectsecurity.com/ OWASP: http://www.owasp.org/index.php/Main_Page securitycompass: http://www.securitycompass.com/resources.shtml