CERT
 
 

Additional Resources

This list of resources that might be useful for improving software security is provided for information and convenience only. As part of a Federally Funded Research and Development Center (FFRDC), the CERT Coordination Center cannot endorse any products, services, or organizations.

Static Source Code Analysis Tools

  • Airac5 - Static Analyzer for Automatic Detection of Buffer Overrun Errors in C Programs
  • BOON - Buffer Overrun detectiON from David Wagner, et al.
  • C Code Analyzer
  • Checkmarx CxSuite
  • CIL (C Intermediate Language) - Not strictly a static analyzer, CIL compiles C programs into a simplified subset of C and assists with program analysis and source-to-source transformation.
  • CodeSonar from GrammaTech
  • Compass/ROSE - Compass is a tool for checking source code. Compass is based on the ROSE compiler infrastructure and demonstrates the use of ROSE to build many simple pattern detectors for analysis of C, C++, and Fortran source code. The CERT Secure Coding Initiative has developed freely available checkers for ROSE that enforce the CERT C Secure Coding rules.
  • Coverity Prevent Software Quality System (SQS)
  • CQUAL - A tool for adding type qualifiers to C, from University of Maryland
  • FindBugs - a program to find bugs in Java code
  • Flawfinder from David Wheeler
  • Fortify Source Code Analysis (SCA)
  • Frama-C (Framework for Modular Analysis of C) - Frama-C is a suite of tools dedicated to the analysis of the source code of software written in C.
  • ITS4 from Cigital
  • Jlint - a program to check Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph
  • Klocwork
  • LDRA Testbed® - A static analysis tool that provides compliance testing for various coding standards (for example, CERT C, JSF++ AV, and MISRA C/C++), quality and complexity metrics, reliability/maintainability/testability, run-time error checking, data and control flow analysis, and mapping requirements to code (traceability).
  • LLVM/Clang Static Analyzer - The LLVM/Clang static analyzer is a standalone tool that finds bugs in C and Objective-C programs.
  • MOPS - MOdelchecking Programs for Security properties from David Wagner, et al.
  • OUNCE from Ounce Labs, Inc.
  • Parasoft C++test supports static code analysis, code review, automated unit and component testing, coverage analysis, and regression testing for the C and C++ programming languages.
  • Penjili - Static analysis tool from EADS Innovation Works. Based around an intermediary language called Newspeak. Newspeak is a simplified programming language, well-suited for the purpose of static analysis. C2Newspeak compiles C programs into Newspeak.
  • PMD - a program to find several types of problems with Java code
  • PScan - A limited problem scanner for C source files
  • Splint (secure programming lint), formerly known as LCLint
  • TBsecure® - An LDRA tool suite plug-in that identifies security vulnerabilities and enables implementation of The CERT C Secure Coding Standard version 1.0.
  • Understand from Scientific Toolworks, Inc.
  • Uno is a tool for analysis of C source code, by Gerard Holzmann. It is designed to detect use of uninitialized variables, null pointer dereferences, and out-of-bounds array indexing.
  • A list of static analysis and other testing tools maintained by Gerard Holzmann
  • Another list of static analysis tools from the Software Assurance Metrics And Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST)
  • A list of testing tools, including model checkers and unit test generators maintained by Carnegie Mellon professor Jonathan Aldrich
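When comparing the analyzers above, it helps to have a small seed file whose defects are known in advance, so that each tool's findings can be checked against it. The following is an added example written for this page, not code from CERT or from any of the listed tools: it puts each defect class the entries above name (buffer overrun, use of an uninitialized variable, null pointer dereference, out-of-bounds array indexing) in an *_unsafe function beside a *_safe version that follows the bounds-checking and initialization practice of the CERT C rules. All function names and sample inputs are constructed for the example; the *_unsafe functions are present only to be scanned and are never called with triggering input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed seed file for evaluating C static analyzers: each defect class
 * appears in an *_unsafe function beside a *_safe counterpart. Names are
 * this example's own, not from the page or from any tool's documentation. */

#define NAME_MAX 16

/* Buffer overrun: strcpy() with no length check (the pattern Flawfinder,
 * ITS4, Splint and the overrun detectors flag). Never called below. */
void copy_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);               /* overruns dst when strlen(src) >= NAME_MAX */
}

/* Bounded copy: returns 0 on success, -1 (dst left empty) if src does not fit. */
int copy_name_safe(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);        /* n + 1 <= dstsz, so the terminator fits */
    return 0;
}

/* Uninitialized read: `total` is never assigned when n == 0. */
int sum_unsafe(const int *v, size_t n)
{
    int total;
    for (size_t i = 0; i < n; i++) total = (i == 0) ? v[0] : total + v[i];
    return total;                   /* indeterminate value when n == 0 */
}

/* Initialized accumulator: well defined for every n, including 0. */
int sum_safe(const int *v, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) total += v[i];
    return total;
}

/* Null dereference: p is passed to strlen() before the NULL check. */
size_t len_unsafe(const char *p)
{
    size_t n = strlen(p);
    if (p == NULL) return 0;        /* too late: strlen already dereferenced p */
    return n;
}

/* Check first, dereference second. */
size_t len_safe(const char *p)
{
    return p == NULL ? 0 : strlen(p);
}

/* Out-of-bounds index: idx comes from the caller and is never range-checked. */
int lookup_unsafe(const int *table, size_t n, long idx)
{
    (void)n;
    return table[idx];              /* reads outside table for idx < 0 or idx >= n */
}

/* Bounded lookup: stores the element through *out, returns -1 when idx is out of range. */
int lookup_safe(const int *table, size_t n, long idx, int *out)
{
    if (idx < 0 || (size_t)idx >= n) return -1;
    *out = table[idx];
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    int t[4] = {10, 20, 30, 40}, v = 0;   /* constructed sample table */
    printf("short name: %d (%s)\n", copy_name_safe(name, sizeof name, "alice"), name);
    printf("long name:  %d\n", copy_name_safe(name, sizeof name, "a-name-that-is-far-too-long"));
    printf("sum:        %d\n", sum_safe(t, 4));
    printf("len(NULL):  %zu\n", len_safe(NULL));
    printf("idx 9:      %d\n", lookup_safe(t, 4, 9, &v));
    return 0;
}
```

Feed the file to each candidate analyzer and count how many of the four *_unsafe functions it reports and whether it stays quiet on the *_safe ones; a tool that flags strcpy() but misses the post-dereference NULL check or the unchecked index tells you what it is actually doing.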


Last updated May 19, 2009