静态分析、测试工具

1、静态代码分析、测试工具汇总静态代码扫描，借用一段网上的原文解释一下（这里叫静态检查广“静态测试包括代码检查、静态结构分析、代码质量度量等。它可以由人工进行，充分发挥人的逻辑思维优势， 也可以借助软件工具自动进行。代码检查代码检查包括代码走查、桌面检查、代码审查等， 主要检查代码和设计的一致性，代码对标准的遵循、可读性，代码的逻辑表达的正确性， 代码结构的合理性等方面；可以发现违背程序编写标准的问题，程序中不安全、不明确和 模糊的部分，找出程序中不可移植部分、违背程序编程风格的问题，包括变量检查、命名 和类型审查、程序逻辑审查、程序语法检查和程序结构检查等内容。我看了一系列的静态代码扫描或者叫静

2、态代码分析工具后，总结对工具的看法：静态代码 扫描工具，和编译器的某些功能其实是很相似的，他们也需要词法分析，语法分析，语意 分析但和编译器不一样的是他们可以自定义各种各样的复杂的规则去对代码进行分析。以下将会列出的静态代码扫描工具，会由于实现方法，算法，分析的层次不同，功能上会差异很大。有的可以做 sql注入的检查，有的则不能 （当然，由于时间问题还没有对规则进 行研究，但要检查复杂的代码安全漏洞，是需要更高深分析算法的，所以有的东西应该不 是设置规则库就可以检查到的，但在安全方面的检查，一定程度上也是可以通过设置规则 进行检查的）。工具名静态扫描语言 开源/）商介绍主 页 网 址ounec

3、5.0vb.net、c、 c+林口 c#, 还支持 java。付 费ounce labscoverity preventc/c+,c#,jav acoverity还后具他辅助工具：1.coverity thread analyzer for java 2.coverity softwarereadiness manager for java3.coverityarchitectureanalyzerstake smartrisk?analyzerc/c+,javasymantec corporationstake smartrisk? analyzer harnesses the power

4、of static analysis of binary executables (c, c+, and java) toidentify, categorize and prioritize security 。注：在symantec没有 搜到此产品？ ！rationalpurifyc/c+,javaibmprovides memory leak and memory corruption detection for windows, runtime?!pre似microsoft微软用的静态分析工 具，但暂时没肩找到 下载，现在好像在考虑发布 中！jtextjavaparasoft同时还有其

5、他静态分 析代码的产品， 如:c+test 详细请查询官网flawfinderc/c+开源用python编写的c、c+程序安全审核工具，可以检查潜在的安全 风险。static code analyzerc/c+,c#,jav afortifyklocworkinsightc/c+ ,javaklocworkpolyspacec/c+、adamathworksclient/serve r3 h = 旧口ratsc/c+, python, perl,php代码进行 安全审核的工 具开源lapsejava开源lapse stands for a lightweight analysis for pr

6、ogram security in eclipse. lapse is designed to help with the task of auditing java j2ee applications for common types of security vulnerabilities found in web applications.lapse was developed by benjamin livshits as part of the griffin software security project.fluidjava开源we have explored propertie

7、s including:* race conditions and locking policies,* unique references and other programmersignificant aliasingproperties, * effects, *appropriate typing,* realtime threading policies, and* singlethreading policies.splintc开源university ofvirginia, department of computer science静态检测针对c语百 的安全工具和漏洞检 测。e

8、qualc/c+开源马里兰大学轻量级的静态扫描 器,在英linux系统 下运行。mopsc开源berkeley 大学mops is a tool for finding security bugs in c programs and for verifying conformance to rules of defensive programmingboonc开源berkeley 大学boon is a tool for automatically finding buffer overrun vulnerabilities in c source code. buffer overruns

9、are one of the most common types of security holes, and we hope that boon will enable software developers and codeauditorsto improve the quality of security-critical programs.blastc开源the blast2.0 teamblast is a software model checker for c programs.the goal of blast is to be able to check that softw

10、are satisfies behavioral properties of the interfaces it uses. blast uses counterexample- driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. the abstraction is constructed on-the-fly, and only to the required precision.spikewampphp开源f

11、or analyzing php programspixyphp开源finding xss and sqli vulnerabilitiesmikejava开源java source code security scanner built on top of orizon.they are connected to owasp.smatchc开源oinkc+开源c+ static analysis toolsframa-cc开源static analyzers for the c language.rtl-check开源rtl-check is an extensible and powerf

12、ul abstract interpretation framework for static analysis of programs from a safety and security perspectivepmdjava开源pmd scans java source code and looks for potential problems like:* possible bugs - empty try/catch/finally/ switch statements* dead code-unused local variables, parameters and private

13、methods* suboptimal code - wasteful string/stringbuffer usage*overcomplicated expressions - unnecessary if statements, for loops that could be while loops* duplicatecode - copied/pasted code means copied/pasted bugsfindbugsjava开源马里兰大学uses static analysis to look for bugs in java code.注思：提供eclipse 插件

14、。its4cc+开源cigital developed its4 to help automate source code review for security.qj-projava开源qj-pro is a comprehensive software inspection tool targeted towards the software developer.qj-pro checks:*conformance to coding standards, * misuse of the java language, * best practice conformence* code st

15、ructure and* potential bugs at the earliest stages of development.注意：提供各种ide 插件！jintjava开源jlint will check your java code andhammurapijava开源doctorjjava开源find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph.code review system captures coding

16、best practices and deliversthem to developers' fingertips. it also generates consolidated reports for lead developers, architects, and managers to monitor codebase quality and evolution.among what it detects:* misspelled words* parameter and exception names:o missingo misorderedo misspelled* jav

17、adoc tags:o invalido misordereddependencyfinderjava开源checkstylejava开源o missing expected argumentso invalid argumentso missing descriptions*undocumented classes, methods, fields, parametersdependency finder is a suite of tools for analyzing compiled java code. at the core is a powerful dependency ana

18、lysis application that extracts dependency graphs and mines them for useful information. this application comes in many forms for your ease of use, including commandline tools, a swingbased application, a web application ready to be deployed in an application server, and a set of ant tasks.checkstyle is a development tool to help programmerswrite java code that adheres to a coding standard. it automates the process of checking java code to spare humans of this boring (but important) task. this makes it ideal for projects that want to enforce a coding standard.注意：提供多种ide 的插件。cl