Top Free Tools for Static Code Analysis

Anonim

This article lists popular tools for static code analysis. Readers will get acquainted with their distinguishing properties and useful features.

When someone needs a tool for static code analysis, the first things that come to mind are commercial solutions such as Fortify or Veracode. What about free programs? Paid tools are too expensive for small companies or freelance security specialists. For this reason, this article assembles a list of popular free programs that perform static code analysis.

Brakeman
  • Analysis subject: Ruby.
  • Required components: Ruby and gem. The tool is installed with the `gem install brakeman` command.
  • How to use the tool: the `brakeman application_path` command.
  • Comment: This is the best program for static analysis of Ruby code. It is focused on the analysis of Ruby on Rails applications.
NodeJsScan
  • Analysis subject: Node.js.
  • Required components: only Python is needed for the tool.
  • How to use the tool: the `python nodejsscan.py -d` command, pointed at the application directory.
  • Comment: This scanner produces many false positives. It receives periodic updates from its developers.
RIPS
  • Analysis subject: PHP.
  • Required components: only PHP is needed for the tool.
  • How to use the tool: RIPS is a web application written in PHP. The user needs to install the Apache HTTP server and run the program.
  • Comment: This is a wonderful scanner. It is able to detect many possible problems. Unfortunately, its newer version is not free, so anyone who wishes to use the current program will have to purchase the paid version.
FindBugs
  • Analysis subject: Java.
  • Required components: Java SE is needed for the tool.
  • How to use the tool: run the JAR application and select the folder containing the source code to analyze.
  • Comment: FindBugs is a general-purpose scanner. It is able to detect different errors and shortcomings in the code. In particular, the program has a built-in security module, which can find vulnerability-related problems such as the possibility of XSS and SQL injection attacks.
Microsoft FxCop
  • Analysis subject: .NET.
  • Required components: the .NET tooling is needed.
  • How to use the tool: the user opens the application and selects the EXE or DLL files.
  • Comment: This is a good scanner; it is able to detect most vulnerabilities. The program analyzes compiled files, so if the user only has source code, it must be compiled first.
JSHint
  • Analysis subject: JavaScript.
  • Required components: Node.js is needed for the tool. To install it, the user enters the `npm install -g jshint` command.
  • How to use the tool: the `jshint application_path` command.
  • Comment: The scanner detects many errors. It is able to find "bad code", which is often responsible for faulty behaviour or false positives (LOL).
CodeCrawler
  • Analysis subject: C#.
  • Required components: the .NET tooling is needed.
  • How to use the tool: the user opens the application and selects the folder with the source code.
  • Comment: The scanner produces a lot of false positives.
Yasca
  • Analysis subject: .NET, Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL.
  • Required components: the MSI installer is needed for the tool.
  • How to use the tool: the `yasca.exe application_path` command.
  • Comment: This is a multilingual scanner. It produces a large number of false positives, but is also able to find real inaccuracies in the code.
Visual Code Grepper
  • Analysis subject: C++, C#, VB, PHP, Java and PL/SQL.
  • Required components: the MSI installer is needed for the tool.
  • How to use the tool: the user opens the application and selects the source code.
  • Comment: This is a multilingual scanner. It produces a lot of false positives, but fewer than Yasca.
Graudit (Linux only)
  • Analysis subject: ASP, JSP, Perl, PHP, Python.
  • Required components: nothing needed; the user downloads the application and starts scanning.
  • How to use the tool: the `graudit application_path` command.
  • Comment: This scanner uses a signature database based on regular expressions. Its biggest advantage is that it can easily be configured to search for custom problems. With the default database, the user gets many false positives, while some real problems are not always detected.
Code Warrior (Linux only)
  • Analysis subject: C, C#, PHP, Java, Ruby, ASP, JavaScript.
  • Required components: the user downloads the program and compiles it.
  • How to use the tool: the user opens the application and selects the source code.
  • Comment: Like RIPS, this scanner is a web application. However, the user does not need Apache: it is enough to run the scanner itself, and the browser opens automatically. The user then chooses the source code. The program is able to detect many problems, along with many false positives.

The author of the translated article: Maxpower.
