11

I'm particularly looking for ones which detect vulnerabilities in C/C++ code. I've seen a bunch of proprietary tools but no open source ones.

AviD
Magnus

3 Answers

7

David Wheeler of FlawFinder has a great list of (30) OSS/FS & (14) Proprietary static analysis tools:

http://www.dwheeler.com/flawfinder/#othertools

Josh Brower
6

No.

"Good" in this case is mostly contradictory to "tools for scanning source code". Especially the free ones - not knocking open source here, most of the commercial ones suck too.

The best (commercial) tool I've seen (and I've researched this quite a bit) - was Checkmarx by a wide margin. (Disclosure - though I don't work for them, I have worked with them in the past).
Lower down on the list would be IBM / Ounce (now called IBM Rational Appscan Source code Edition, or something like that...).
Further down is the "2nd tier" of commercial tools, such as Klocwork and such... Much, much further down on my list is the incumbent, Fortify (now owned by HP).

Note that all those are commercial, and quite expensive at that.

Lower down on the list are the free / open source tools - simply because these do simple text searching, pretty much what you could do with e.g. grep.
In this list - RATS, ITS4, FlawFinder, some others... but they are pretty equivalent, not much logic in them, no compiling, etc.

If you were looking outside C and C++ - it's not much different, except for some OWASP tools, e.g. O2 for .NET, LAPSE for Java...

AviD
5

Fortify released RATS: http://code.google.com/p/rough-auditing-tool-for-security/. You can try it; however, I am not very pleased with the results of either commercial or open-source tools. Probably commercial tools show slightly better results. The problem is that today a lot of obvious bugs have become extinct for several reasons. Yes, there is still buggy and crappy software (and there always will be), and such tools will find those bugs, but not the tricky ones. Most of the work you still have to do manually.

Rory McCune