Versions Compared

Old Version 11

changes.mady.by.user Andrew M Boardman

Saved on

compared with

New Version 12

changes.mady.by.user Andrew M Boardman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • BLAST: BLAST is a software model checker for C programs (http://mtc.epfl.ch/software-tools/blast/)
  • BOON: BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code (http://www.cs.berkeley.edu/~daw/boon/)
  • cadvise (hpux only)
  • calysto (work in progress by Domagoj Babic; already tried on krb5 code, found some problems; currently a service only, send email to developer)
  • ccfinder, ccfinderx (www.ccfinder.net; code clone finder; supports Java, C/C++, VB, C#; runs on Windows XP)
  • checkstyle (checkstyle.sourceforge.net; runs many checks on java code including coding conventions, code duplication)
  • codesonar (www.grammatech.com; commercial, free trial available; supports c/c++, runs on Windows, Linux and Solaris; does interprocedural, whole-program analysis)
  • coverity (current status as of early February: Kerberos team evaluating)
  • Eclipse metrics tools:
  • flawfinder: basic scanning, easy to set up, GPL -amb (http://www.dwheeler.com/flawfinder/, http://sourceforge.net/projects/flawfinder/)
  • fortify findbugs (java only)
  • fortify sca
  • its4 (www.cigital.com/its4; not supported; just matches on token sequences in un-preprocessed code)
  • klocwork insight, klocwork developer (www.klocwork.com; works on c, c++, java)
  • MOPS: a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming http://www.cs.berkeley.edu/~daw/mops/
  • oink (based on cqual) www.cubewano.org/oink
  • Pixy (http://pixybox.seclab.tuwien.ac.at/pixy/) checks PHP for XSS and SQL injection vulnerabilities.
  • pmd (java only)
  • polyspace (www.mathworks.com; supports C/C++, Ada for embedded systems)
  • PScan (format string problems mainly; flawfinder, RATS, and gcc can do similar things; server not responding 1/24)
  • pychecker (Python only)
  • rats (Rough Auditing Tool for Security; rough analysis intended as a starting point for manual analysis; http://www.fortifysoftware.com/security-resources/rats.jsp)
  • simian (similarity analyser; www.redhillconsulting.com.au/products/simian/overview.html; identifies duplication in c, c++, c#, java, html, ml, vb, text, etc; runs in .net 1.1 or java 1.4 or later; free for non-commercial or open source use)
  • skavenger: mostly for php (fancy grep replacement, really?  not interesting. -amb) (http://code.google.com/p/skavenger/)
  • SmartRisk Analyzer (gone? originally @stake, which was acquired by Symantec)
  • SMATCH: Smatch is C source checker but mainly focused checking the Linux kernel code (http://smatch.sourceforge.net/)
  • SourceAudit: C/C++; interesting on paper, at least; costs money?  -amb (http://www.sourceaudit.com/products_sa.php)
  • sparse (http://www.kernel.org/pub/software/devel/sparse/)
  • xrefactory (www.xref-tech.com; c and java refactoring tool and source browser; includes emacs support)
  • unpaste (finds parallel syntactic constructs that are sometimes duplicated or nearly identical code)
  • Veracode SecurityReview (binary code analysis service?)

...