1、静态代码分析、测试工具汇总静态代码扫描,借用一段网上的原文解释一下(这里叫静态检查):“静态测试包括代码检查、静态结构分析、代码质量度量等。它可以由人工进行,充分发挥人的逻辑思维优势,也可以借助软件工具自动进行。代码检查代码检查包括代码走查、桌面检查、代码审查等,主要检查代码和设计的一致性,代码对标准的遵循、可读性,代码的逻辑表达的正确性,代码结构的合理性等方面;可以发现违背程序编写标准的问题,程序中不安全、不明确和模糊的部分,找出程序中不可移植部分、违背程序编程风格的问题,包括变量检查、命名和类型审查、程序逻辑审查、程序语法检查和程序结构检查等内容。”。我看了一系列的静态代码扫描或者叫静态代
2、码分析工具后,总结对工具的看法:静态代码扫描工具,和编译器的某些功能其实是很相似的,他们也需要词法分析,语法分析,语意分析. 但和编译器不一样的是他们可以自定义各种各样的复杂的规则去对代码进行分析。以下将会列出的静态代码扫描工具,会由于实现方法,算法,分析的层次不同,功能上会差异很大。有的可以做 SQL 注入的检查,有的则不能(当然,由于时间问题还没有对规则进行研究,但要检查复杂的代码安全漏洞,是需要更高深分析算法的,所以有的东西应该不是设置规则库就可以检查到的,但在安全方面的检查,一定程度上也是可以通过设置规则进行检查的)。工具名 静态扫描语言开源/付费厂商 介绍 主页网址ounec5.0V
3、B.Net、C、C+和C#,还支持Java。付 费Ounce Labs http:/ PreventC/C+,C#,JAVA付费Coverity还有其他辅助工具:1.Coverity Thread Analyzer for Javahttp:/ Software Readiness Manager for Java3.Coverity Architecture Analyzerstake SmartRisk AnalyzerC/C+,Java付费Symantec Corporationstake SmartRisk Analyzer harnesses the power of static
4、analysis of binary executables (C, C+, and Java) to identify, categorize and prioritize security。注:在Symantec没有搜到此产品?!http:/ PurifyC/C+,Java付费 IBMProvides memory leak and memory corruption detection for Windows,Runtime?!http:/ microsoft微软用的静态分析工具,但暂时没有找到下载,现在好像在考虑发布中!Jtext Java 付费 parasoft同时还有其他静态分析代
5、码的产品,如:C+Test.详细请查询官网http:/ C/C+开源 用 Python编写的c、c+程序安全审核工具,可以检查潜在的安全风险。http:/ Code AnalyzerC/C+,C#,JAVA付费Fortify http:/ InsightC/C+ ,Java付费Klocwork http:/ Client/ServerC/C+、Ada语言付费MathWorks http:/ Python,Perl, PHP 代码进行安全审核的工具开源 http:/ Java 开源 LAPSE stands for a Lightweight Analysis for Program Secur
6、ity in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications.LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.http:/www.owasp.org/index.php/Category:OWASP_LAP
7、SE_ProjectFluid java 开源 We have explored properties including:http:/www.fluid.cs.cmu.edu:8080/Fluid* race conditions and locking policies,* unique references and other programmer-significantaliasing properties,* effects,* appropriate typing,* realtime threading policies, and* single-threading polici
8、es.Splint C 开源University of Virginia,Department of ComputerScience静态检测针对 C 语言的安全工具和漏洞检测。http:/www.splint.org/cqual C/C+ 开源马里兰大学轻量级的静态扫描器,在类 Linux系统下运行。http:/www.cs.umd.edu/jfoster/cqual/MOPS C 开源berkeley 大学MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules
9、of defensive programminghttp:/www.cs.berkeley.edu/daw/mops/BOON C 开源berkeley 大学BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are oneof the most common types of security holes, and we hope that BOON will enable http:/www.cs.berkeley.edu/daw/
10、boon/software developers and code auditorsto improve the quality of security-critical programs.BLAST C 开源The BLAST2.0 TeamBLAST is a software model checker for C programs. The goal of BLAST is to be able to check that softwaresatisfies behavioral properties of the interfaces it uses.BLAST uses count
11、erexample-driven automatic abstractionrefinement to construct an abstract model which is modelhttp:/mtc.epfl.ch/software-tools/blast/checked for safety properties. The abstraction is constructedon-the-fly, and only to the required precision.SpikeWAMP Php开源 for analyzing PHP programshttp:/ Php 开源 Fin
12、ding XSS and SQLI vulnerabilitieshttp:/pixybox.seclab.tuwien.ac.at/pixy/Mike Java 开源 Java source code security scanner built on top of Orizon.They are connected to OWASP.http:/ C 开源 http:/ C+ 开源 C+ Static Analysis Toolshttp:/www.cubewano.org/oinkFrama-C C开源 static analyzers for the C http:/frama-c.c
13、ea.fr/language.RTL-check 开源 RTL-check is an extensible and powerful abstract interpretationframework for static analysis of programs from a safety andsecurity perspectivehttp:/ Java 开源 PMD scans Java source code and looks for potential problems like:* Possible bugs - empty try/catch/finally/switch s
14、tatements* Dead code - unused local variables, parametersand http:/ methods* Suboptimal code - wasteful String/StringBuffer usage* Overcomplicated expressions - unnecessary if statements,for loops that could be while loops* Duplicate code - copied/pasted code means copied/pasted bugsFindBugs Java开源马
15、里兰大学uses static analysis to look for bugs in Java code.注意:提供Eclipse 插件。http:/ CC+ 开源 Cigital developed ITS4 to http:/ automate source codereview for security.QJ-Pro Java 开源 QJ-Pro is a comprehensive software inspection tool targeted towards the software developer.QJ-Pro checks:* conformance to codin
16、g standards,* misuse of the Java language,* best practice conformence* code structure and* potential bugs at the earliest stages of developmenhttp:/ IDE 插件!Jint Java 开源 Jlint will check your Java code and find bugs, inconsistenciesand synchronization problems by doing data flow analysis andbuilding
17、the lock graph.http:/ Java开源 code review system captures coding best practices and deliversthem to developers fingertips. It also generates consolidatedreports for lead developers, http:/www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.htmlarchitects, and managers tomonitor codebase qu
18、ality and evolution.DoctorJ Java开源 Among what it detects:* misspelled words* parameter and exception names:o missingo misorderedo misspelled* Javadoc tags:o invalido misorderedo missing expected argumentso invalid argumentshttp:/www.incava.org/projects/java/doctorj/index.htmlo missing descriptions*
19、undocumented classes, methods, fields, parametersDependency FinderJava 开源 Dependency Finder is a suite of tools for analyzingcompiled Java code. At the core is a powerful dependencyanalysis application that extracts dependency graphs andmines them for useful information. This application comesin man
20、y forms for your ease of use, including command-line tools, a Swing-based http:/ a web application readyto be deployed in an application server, and a set of Anttasks.Checkstyle Java开源 Checkstyle is a development tool to help programmerswrite Java code that adheres to a coding standard.It automates
21、the process of checking Java code to sparehumans of this boring (but important) task. This makesit ideal for projects that want to enforce a coding http:/ 注意:提供多种 IDE 的插件。Classycle Java开源 Classycles Analyser analyses the static class and packagedependencies in Java applications or libraries.http:/ J
22、ava开源 JDepend traverses Java class file directories and generatesdesign quality metrics for each Java package. JDepend allows you to automatically measure the qualityof a design in terms of its extensibility, reusabilithttp:/ maintainability to manage package dependencies effectively.JCSC Java 开源 JCSC is a powerful tool to check source code against a highlydefinable coding standard and potential bad code.http:/ http:/ http:/ http:/www.owasp.org/index.php/Main_Pagesecuritycompass:http:/ http:/ http:/ http:/ http:/ http:/www.cs.cmu.edu/aldrich/courses/654/tools/
