Linked by Thom Holwerda on Tue 19th Jul 2005 19:23 UTC, submitted by Just_A_User
FreeBSD On Tuesday, code-analysis software maker Coverity announced that its automated bug finding tool had analyzed the community-built operating system FreeBSD and flagged 306 potential software flaws, or about one issue for every 4,000 lines of code. The low number of flaws found by the system underscores that FreeBSD's manual auditing by project members has reduced the vulnerabilities in the operating system, said Seth Hallem, CEO of Coverity.
open-source static analysis tools
by on Wed 20th Jul 2005 08:37 UTC

the development of world-class static analysis tools has been helped enormously by open source projects.

You mentioned splint and lint, could you point to any other open-source ones? Preferably those that check something other than merely C ;)

Reply Score: 0

butters Member since:
2005-07-08

Well, C/C++ are the primary target for most "real" static analysis because it's so easy to write incorrect code. Here's one for Java that seems to check mostly for inefficient code:

http://pmd.sourceforge.net/

This one is a simple C/C++ tool that checks for secure programming, buffer range checking, etc:

http://www.dwheeler.com/flawfinder/

NIST has a list of static source and bytecode checkers for various languages, but not all are open source:

http://samate.nist.gov/

There's PyChecker, JavaChecker, FindBugs and others on sourceforge.

There are slews of Lint-based checkers, both free and nonfree.

And if you maintain an open source project, chances are you can get your source analyzed for free by Coverity or other proprietary static analysis tools if you register on their websites.

Reply Parent Score: 1