
Summary of static code analysis and testing tools

Static code scanning: to explain it, I borrow a passage from the web (there it is called static inspection):

"Static testing includes code inspection, static structure analysis, code quality metrics and the like. It can be done by people, making full use of the strengths of human logical reasoning, or it can be automated with software tools. Code inspection covers code walkthroughs, desk checking, code review and so on; it mainly checks the consistency between code and design, adherence to standards, readability, the correctness of the logic the code expresses, and the soundness of the code structure. It can find violations of coding standards; unsafe, unclear and ambiguous parts of a program; non-portable parts of a program and violations of programming style. It includes variable checks, naming and type review, program logic review, program syntax checks and program structure checks."

After looking at a series of static code scanning (or static code analysis) tools, my conclusions about them are these: static code scanners are in fact quite similar to certain functions of a compiler; they too need lexical analysis, syntax analysis and semantic analysis, but unlike a compiler they let you define all kinds of complex rules with which to analyze the code. The static code scanners listed below differ greatly in capability because their implementation approaches, algorithms and depth of analysis differ. Some can check for SQL injection, others cannot (admittedly, for lack of time I have not yet studied the rules; but detecting complex security vulnerabilities in code requires more advanced analysis algorithms, so some things presumably cannot be caught simply by configuring a rule base, although security checks can, to a degree, be performed by configuring rules).

Tool | Languages scanned | Open source or commercial | Vendor and description

Ounce 5.0 | VB.NET, C, C++ and C#; Java is also supported | commercial | Ounce Labs
Coverity Prevent | C/C++, C#, Java | | Coverity. Coverity also offers companion tools: 1. Coverity Thread Analyzer for Java; 2. Coverity Software Readiness Manager for Java; 3. Coverity Architecture Analyzer
@stake SmartRisk Analyzer | C/C++, Java | | Symantec Corporation. "@stake SmartRisk Analyzer harnesses the power of static analysis of binary executables (C, C++, and Java) to identify, categorize and prioritize security". Note: this product could not be found on Symantec's site.
Rational Purify | C/C++, Java | | IBM. Provides memory leak and memory corruption detection for Windows; a runtime tool.
PREfix | | | Microsoft. The static analysis tool Microsoft uses internally; no download has been found so far, and a public release now appears to be under consideration.
Jtest | Java | | Parasoft. Parasoft also has other static code analysis products, such as C++test; see the vendor's website for details.
Flawfinder | C/C++ | open source | A security audit tool for C and C++ programs, written in Python, that checks for potential security risks.
Static Code Analyzer | C/C++, C#, Java | | Fortify
Klocwork Insight | C/C++, Java | | Klocwork
PolySpace | C/C++, Ada | | MathWorks. Client/server.
RATS | C/C++, Python, Perl, PHP | open source | A tool for security auditing of code.
LAPSE | Java | open source | LAPSE stands for Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.
Fluid | Java | open source | "We have explored properties including: race conditions and locking policies; unique references and other programmer-significant aliasing properties; effects; appropriate typing; real-time threading policies; and single-threading policies."
Splint | C | open source | University of Virginia, Department of Computer Science. A static security and vulnerability detection tool for the C language.
CQual | C/C++ | open source | University of Maryland. A lightweight static scanner that runs on Linux.
MOPS | C | open source | Berkeley. MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming.
BOON | C | open source | Berkeley. BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. Buffer overruns are one of the most common types of security holes, and we hope that BOON will enable software developers and code auditors to improve the quality of security-critical programs.
BLAST | C | open source | The BLAST 2.0 team. BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision.
spikewamp | PHP | open source | For analyzing PHP programs.
Pixy | PHP | open source | Finding XSS and SQLi vulnerabilities.
Mike | Java | open source | Java source code security scanner built on top of Orizon; they are connected to OWASP.
Smatch | C | open source |
Oink | C++ | open source | C++ static analysis tools.
Frama-C | C | open source | Static analyzers for the C language.
RTL-Check | | open source | RTL-Check is an extensible and powerful abstract interpretation framework for static analysis of programs from a safety and security perspective.
PMD | Java | open source | PMD scans Java source code and looks for potential problems like: possible bugs (empty try/catch/finally/switch statements); dead code (unused local variables, parameters and private methods); suboptimal code (wasteful String/StringBuffer usage); overcomplicated expressions (unnecessary if statements, for loops that could be while loops); duplicate code (copied/pasted code means copied/pasted bugs).
FindBugs | Java | open source | University of Maryland. Uses static analysis to look for bugs in Java code. Note: an Eclipse plugin is provided.
ITS4 | C/C++ | open source | Cigital developed ITS4 to help automate source code review for security.
QJ-Pro | Java | open source | QJ-Pro is a comprehensive software inspection tool targeted towards the software developer. QJ-Pro checks: conformance to coding standards; misuse of the Java language; best practice conformance; code structure; and potential bugs at the earliest stages of development. Note: plugins for various IDEs are provided.
Jlint | Java | open source | Jlint will check your Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph.
Hammurapi | Java | open source | A code review system that captures coding best practices and delivers them to developers' fingertips. It also generates consolidated reports for lead developers, architects, and managers to monitor codebase quality and evolution.
DoctorJ | Java | open source | Among what it detects: misspelled words; parameter and exception names that are missing, misordered or misspelled; Javadoc tags that are invalid or misordered, that are missing expected arguments, that have invalid arguments or that are missing descriptions; undocumented classes, methods, fields and parameters.
Dependency Finder | Java | open source | Dependency Finder is a suite of tools for analyzing compiled Java code. At the core is a powerful dependency analysis application that extracts dependency graphs and mines them for useful information. This application comes in many forms for your ease of use, including command-line tools, a Swing-based application, a web application ready to be deployed in an application server, and a set of Ant tasks.
Checkstyle | Java | open source | Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard. Note: plugins for multiple IDEs are provided.
cl | | |
