工具名 |
静态扫描语言
|
开源/付费 |
厂商 |
介绍 |
主页网址 |
ounec5.0 |
VB.Net、C、C++和C#,
还支持Java。 |
付 费 |
Ounce Labs |
\ |
http://www.ouncelabs.com/ |
Coverity Prevent |
C/C++,C#,JAVA |
付费 |
Coverity |
还有其他辅助工具:
1.Coverity Thread Analyzer for Java
2.Coverity Software Readiness Manager for Java
3.Coverity Architecture Analyzer |
http://www.coverity.com/index.html |
@stake SmartRisk™
Analyzer |
C/C++,Java |
付费 |
Symantec
Corporation |
@stake SmartRisk™ Analyzer harnesses the power of
static analysis of binary executables (C, C++, and Java) to
identify, categorize and prioritize security。
注:在Symantec没有搜到此产品?! |
http://www.symantec.com/business/index.jsp |
Rational Purify |
C/C++,Java |
付费 |
IBM |
Provides memory leak and memory corruption detection for
Windows,Runtime?! |
http://www-01.ibm.com/software/awdtools/purify/ |
PREfix |
\ |
\ |
microsoft |
微软用的静态分析工具,但暂时没有找到下载,
现在好像在考虑发布中! |
\ |
Jtext |
Java |
付费 |
parasoft |
同时还有其他静态分析代码的产品,如:C++Test...
详细请查询官网 |
http://www.parasoft.com/jsp/cn/support.jsp |
flawfinder |
C/C++ |
开源 |
\ |
用Python编写的c、c++程序安全审核工具,
可以检查潜在的安全风险。 |
http://www.dwheeler.com/flawfinder/ |
Static Code
Analyzer |
C/C++,C#,JAVA |
付费 |
Fortify |
\ |
http://www.fortify.com/ |
Klocwork Insight |
C/C++ ,Java |
付费 |
Klocwork |
\ |
http://www.klocwork.com/products/insight.asp |
PolySpace
Client/Server |
C/C++、Ada语言 |
付费 |
MathWorks |
\ |
http://www.mathworks.cn/ |
rats |
C/C++, Python,
Perl,
PHP代码进行安全审核的工具 |
开源 |
\ |
\ |
http://www.fortify.com/security-resources/rats.jsp |
LAPSE |
Java |
开源 |
\ |
LAPSE stands for a Lightweight Analysis for Program
Security in Eclipse. LAPSE is designed to help with
the task of auditing Java J2EE applications for common
types of security vulnerabilities found in Web applications.
LAPSE was developed by Benjamin Livshits as part of the
Griffin Software Security Project. |
http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project |
Fluid |
java |
开源 |
\ |
We have explored properties including:
* race conditions and locking policies,
* unique references and other programmer-significant
aliasing properties,
* effects,
* appropriate typing,
* realtime threading policies, and
* single-threading policies. |
http://www.fluid.cs.cmu.edu:8080/Fluid |
Splint |
C |
开源 |
University of
Virginia,
Department of
Computer
Science |
静态检测针对C语言的安全工具和漏洞检测。 |
http://www.splint.org/ |
cqual |
C/C++ |
开源 |
马里兰大学 |
轻量级的静态扫描器,在类Linux系统下运行。 |
http://www.cs.umd.edu/~jfoster/cqual/ |
MOPS |
C |
开源 |
berkeley大学 |
MOPS is a tool for finding security bugs in C programs
and for verifying conformance to rules of defensive programming |
http://www.cs.berkeley.edu/~daw/mops/ |
BOON |
C |
开源 |
berkeley大学 |
BOON is a tool for automatically finding buffer overrun
vulnerabilities in C source code. Buffer overruns are one
of the most common types of security holes, and we hope
that BOON will enable software developers and code auditors
to improve the quality of security-critical programs. |
http://www.cs.berkeley.edu/~daw/boon/ |
BLAST |
C |
开源 |
The BLAST
2.0 Team |
BLAST is a software model checker for C programs.
The goal of BLAST is to be able to check that software
satisfies behavioral properties of the interfaces it uses.
BLAST uses counterexample-driven automatic abstraction
refinement to construct an abstract model which is model
checked for safety properties. The abstraction is constructed
on-the-fly, and only to the required precision. |
http://mtc.epfl.ch/software-tools/blast/ |
SpikeWAMP |
Php |
开源 |
\ |
for analyzing PHP programs |
http://developer.spikesource.com/wiki/index.php/SpikeWAMP |
Pixy |
Php |
开源 |
\ |
Finding XSS and SQLI vulnerabilities |
http://pixybox.seclab.tuwien.ac.at/pixy/ |
Mike |
Java |
开源 |
\ |
Java source code security scanner built on top of Orizon.
They are connected to OWASP. |
http://milk.sourceforge.net/download.html |
Smatch |
C |
开源 |
\ |
\ |
http://smatch.sourceforge.net/ |
Oink |
C++ |
开源 |
\ |
C++ Static Analysis Tools |
http://www.cubewano.org/oink |
Frama-C |
C |
开源 |
\ |
static analyzers for the C language. |
http://frama-c.cea.fr/ |
RTL-check |
\ |
开源 |
\ |
RTL-check is an extensible and powerful abstract interpretation
framework for static analysis of programs from a safety and
security perspective |
http://rtlcheck.sourceforge.net/ |
PMD |
Java |
开源 |
\ |
PMD scans Java source code and looks for potential problems like:
* Possible bugs - empty try/catch/finally/
switch statements
* Dead code - unused local variables, parameters
and private methods
* Suboptimal code - wasteful String/StringBuffer usage
* Overcomplicated expressions - unnecessary if statements,
for loops that could be while loops
* Duplicate code - copied/pasted code means copied/pasted bugs |
http://pmd.sourceforge.net/ |
FindBugs |
Java |
开源 |
马里兰大学 |
uses static analysis to look for bugs in Java code.
注意:提供Eclipse插件。 |
http://findbugs.sourceforge.net/ |
ITS4 |
C\C++ |
开源 |
\ |
Cigital developed ITS4 to help automate source code
review for security. |
http://www.cigital.com/its4/ |
QJ-Pro |
Java |
开源 |
\ |
QJ-Pro is a comprehensive software inspection tool targeted
towards the software developer.
QJ-Pro checks:
* conformance to coding standards,
* misuse of the Java language,
* best practice conformence
* code structure and
* potential bugs at the earliest stages of development.
注意:提供各种IDE插件! |
http://qjpro.sourceforge.net/ |
Jint |
Java |
开源 |
\ |
Jlint will check your Java code and find bugs, inconsistencies
and synchronization problems by doing data flow analysis and
building the lock graph. |
http://artho.com/jlint/ |
Hammurapi |
Java |
开源 |
\ |
code review system captures coding best practices and delivers
them to developers' fingertips. It also generates consolidated
reports for lead developers, architects, and managers to
monitor codebase quality and evolution. |
http://www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.html |
DoctorJ |
Java |
开源 |
\ |
Among what it detects:
* misspelled words
* parameter and exception names:
o missing
o misordered
o misspelled
* Javadoc tags:
o invalid
o misordered
o missing expected arguments
o invalid arguments
o missing descriptions
* undocumented classes, methods, fields,
parameters |
http://www.incava.org/projects/java/doctorj/index.html |
Dependency Finder |
Java |
开源 |
\ |
Dependency Finder is a suite of tools for analyzing
compiled Java code. At the core is a powerful dependency
analysis application that extracts dependency graphs and
mines them for useful information. This application comes
in many forms for your ease of use, including command-line
tools, a Swing-based application, a web application ready
to be deployed in an application server, and a set of Ant
tasks. |
http://depfind.sourceforge.net/ |
Checkstyle |
Java |
开源 |
\ |
Checkstyle is a development tool to help programmers
write Java code that adheres to a coding standard.
It automates the process of checking Java code to spare
humans of this boring (but important) task. This makes
it ideal for projects that want to enforce a coding standard.
注意:提供多种IDE的插件。 |
http://checkstyle.sourceforge.net/ |
Classycle |
Java |
开源 |
\ |
Classycle's Analyser analyses the static class and package
dependencies in Java applications or libraries. |
http://classycle.sourceforge.net/ |
JDepend |
Java |
开源 |
\ |
JDepend traverses Java class file directories and generates
design quality metrics for each Java package.
JDepend allows you to automatically measure the quality
of a design in terms of its extensibility, reusability,
and maintainability to manage package dependencies effectively. |
http://www.clarkware.com/software/JDepend.html |
JCSC |
Java |
开源 |
\ |
JCSC is a powerful tool to check source code against a highly
definable coding standard and potential bad code. |
http://jcsc.sourceforge.net/ |
相关推荐
Credo:Elixir语言的一个静态代码分析工具,专注于代码的一致性和教学。
描述了白盒测试工具,包括静态代码检测、内存分析、性能分析等的工具名称。
专业OA办公系统源码 开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 ...
从pandas库的数据分析工具开始利用高性能工具对数据进行加载、清理、转换、合并以及重塑;利用matpIotlib创建散点图以及静态或交互式的可视化结果;利用pandas的groupby功能对数据集进行切片、切块和汇总操作;处理...
漏洞分析:对目标进行分析和审计,使用静态和动态分析工具、模糊测试(fuzzing)等技术来识别潜在的安全漏洞。 验证与复现:验证漏洞是否真实存在,并尝试复现漏洞以进一步确认其危害程度和可能性。 报告与修复:向...
计算机辅助静态分析 B.黑盒法 C.路径覆盖 D.边界值分析 4.软件生命周期中所花费用最多的阶段是( ) A.详细设计 B.软件编码 C.软件测试 D.软件维护 5.第一个体现结构化编程思想的程序设计语言是( ) A....
Rollup Rebase插件根据需要将静态资产从JavaScript代码复制到目标文件夹,并在其中调整引用以指向新位置。 它还尊重您CSS / SCSS文件中引用的资产。 特征 将资产文件引用从JavaScript复制到给定的输出文件夹中。 ...
专业OA办公系统源码 开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 ...
OA系统源码,不容错过哦!!! 开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理...
SARIF TC的目的是为静态分析工具定义标准输出格式,该格式称为静态分析结果交换格式(SARIF)。 支持SARIF标准草案的开发。 修改请求应通过发出。 静态分析工具是一种程序,它在不执行程序的情况下检查编程工件以...
开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 文件管理:接收文件 传送...
开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 文件管理:接收文件 传送...
开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 文件管理:接收文件 传送...
甲板分析试剂盒前提是一个静态代码克隆检测系统(2008年论文),可在代码库中找到语义上相似的代码段“克隆”。 该工具包提供了一组方便的脚本,用于将两个基本代码合并成一个不同的代码库,然后过滤掉同源副本,...
开发工具:Visual Studio .NET 2005 + Server2005 项目描述:OA办公系统基于B/S架构设计。 包括文件管理、共享下载、消息管理、公文流传、通知管理、内部论坛、人力资源管理、资产管理 等。 文件管理:接收文件 传送...
Horusec是一个开源工具,可以执行静态代码分析,以在开发过程中识别安全漏洞。 当前,用于分析的语言是:C#,Java,Kotlin,Python,Ruby,Golang,Terraform,Javascript,Typescript,Kubernetes,PHP,C,HTML...