Static Code Analysis Tools - yenbohuang/techNotes GitHub Wiki
Surveyed on 2016/12/22
Scan Bugs

| Feature | ConQAT | FindBugs | PMD | SonarQube | Soot |
|---|---|---|---|---|---|
| License | Apache | LGPL | BSD/Apache | LGPLv3 | LGPL |
| Code Analysis | Java | Java, Scala (by bytecode) | Java | Java, Python | Java, Scala (by bytecode) |
| Code Clone Detection | Java | X | Java, Python, Scala | X | X |
| Eclipse Plugin/Integration | Yes | Yes | Yes | Yes | Yes (outdated) |
| Jenkins Plugin | X | FindBugs | PMD | SonarQube | X |
| Maven Plugin | X | Yes | Yes | Yes | Yes (non-official) |
| Command-Line Interface | Yes | Yes | Yes | Yes | Yes |
| Pretty Report Generation | Yes | Yes | Yes | Yes | X |
| Web-Based Application | X | X | X | Yes | X |
| Standalone GUI Tool | Yes | Yes | X | X | X |
| Third-Party Integration | FindBugs, PMD | fb-contrib, Find Security Bugs | X | FindBugs, fb-contrib, Find Security Bugs, PMD, Checkstyle, Pylint | X |
| Trend Analysis | Yes | X | X | Yes | X |
| Commercial Support | Yes | X | X | Yes | X |
| Latest Update | v2015.2 | v3.0.1 (2015) | v5.5.2 (2016) | v6.1 (2016) | v2.5.0 (2012), nightly (2016) |

Python

| Feature | Pylint | MyPy | flake8 |
|---|---|---|---|
| License | GPL | MIT | MIT |
| Code Analysis | Yes | Yes | Yes |
| Code Clone Detection | Yes | X | X |
| Eclipse Plugin/Integration | Yes | X | X |
| Jenkins Plugin | Violations | X | Warnings |
| Command-Line Interface | Yes | Yes | Yes |
| Pretty Report Generation | X | X | X |
| Web-Based Application | X | X | X |
| Standalone GUI Tool | X | X | X |
| Third-Party Integration | X | X | PyFlakes, pycodestyle |
| Trend Analysis | X | X | X |
| Commercial Support | Yes | X | X |
| Latest Update | v1.6.0 (2016) | v0.4.6 (2016) | v3.2.1 (2016) |

Scala

| Feature | WartRemover | Scapegoat | Linter |
|---|---|---|---|
| License | Apache | Apache | Apache |
| Code Analysis | Scala | Scala | Scala |
| Code Clone Detection | X | X | X |
| Eclipse Plugin/Integration | X | X | X |
| Jenkins Plugin | sbt | X | Warnings |
| SBT Plugin | sbt-wartremover | sbt-scapegoat | linter |
| Command-Line Interface | X | X | X |
| Pretty Report Generation | X | Yes | X |
| Web-Based Application | X | X | X |
| Standalone GUI Tool | X | X | X |
| Third-Party Integration | X | X | X |
| Trend Analysis | X | X | X |
| Commercial Support | X | X | X |
| Latest Update | v1.2.1 (2016) | v1.3.0 (2016) | v0.1.17 (2016) |

List of Tools
- https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
- https://www.owasp.org/index.php/Source_Code_Analysis_Tools
- https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- https://pmd.github.io/pmd-5.5.2/overview/similar-projects.html
- http://www.scala-sbt.org/0.13/docs/Community-Plugins.html#Static+code+analysis+plugins
Reviews and Tutorials
Python
- http://blog.codacy.com/2016/01/08/review-of-python-static-analysis-tools/
- http://buildoutjenkins.readthedocs.io/en/latest/code-analysis.html
Scala
- http://blog.codacy.com/2015/10/02/review-of-scala-static-analysis-tools/
- http://www.47deg.com/blog/improve-your-scala-code-with-sbt
- https://queertypes.com/posts/33-scala-wart-remover.html
Jenkins Plugins
Supporting Multiple Languages
FindBugs
- http://findbugs.sourceforge.net/
- https://find-sec-bugs.github.io/
- http://fb-contrib.sourceforge.net/
SonarQube
- http://www.sonarqube.org/
- Architecture: http://docs.sonarqube.org/display/SONAR/Architecture+and+Integration
- Plugins: http://docs.sonarqube.org/display/PLUG/Plugin+Library
- Scanners: http://docs.sonarqube.org/display/SCAN/Analyzing+Source+Code#AnalyzingSourceCode-RunningAnalysis
- Eclipse Plugin: http://www.sonarlint.org/eclipse/index.html
OWASP Dependency-Check
- https://www.owasp.org/index.php/OWASP_Dependency_Check
- https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
- https://github.com/stevespringett/dependency-check-sonar-plugin
Others
- https://pmd.github.io/
- https://www.cqse.eu/en/products/conqat/overview/
- https://sable.github.io/soot/
Python Only
flake8
- https://pypi.python.org/pypi/flake8
- https://github.com/PyCQA/pyflakes
- https://pypi.python.org/pypi/pycodestyle