Source Code Analysis Tools - Revision history

Jacqueline.king: Changed the description of Kiuwan and updated the link to the home page.

2019-12-20T02:51:13Z

Changed the description of Kiuwan and updated the link to the home page.

Wichers: /* Commercial Tools Of This Type */

2019-12-12T13:22:16Z

‎Commercial Tools Of This Type

Wichers: /* Open Source or Free Tools Of This Type */

2019-10-24T15:38:23Z

‎Open Source or Free Tools Of This Type

Koussa at 19:13, 21 October 2019

2019-10-21T19:13:35Z

Achim: /* Commercial Tools Of This Type */ xanitizer with scala

2019-10-16T10:25:29Z

‎Commercial Tools Of This Type: xanitizer with scala

RobK: /* Open Source or Free Tools Of This Type */

2019-08-09T01:46:07Z

‎Open Source or Free Tools Of This Type

Raphaelhagi: /* Commercial Tools Of This Type */ update Fortify URL

2019-08-05T17:46:23Z

‎Commercial Tools Of This Type: update Fortify URL

Wichers at 22:09, 3 June 2019

2019-06-03T22:09:42Z

Fabian: /* Open Source or Free Tools Of This Type */

2019-05-07T09:07:14Z

‎Open Source or Free Tools Of This Type

Fabian: /* Commercial Tools Of This Type */

2019-05-07T08:41:17Z

‎Commercial Tools Of This Type

@@ Line 91: / Line 91: @@
 * [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis
 * [http://www.klocwork.com/capabilities/static-code-analysis KlocWork] (KlocWork)
-* [https://www.kiuwan.com/code-analysis/ Kiuwan] (an [http://www.optimyth.com Optimyth] company) - SaaS Software Quality & Security Analysis
+* [https://www.kiuwan.com/ Kiuwan] (a division of Idera, Inc.) provides an application security testing and analytics platform – including SAST and SCA solutions – that reduces risk and improves change management and DevOps processes.
 * [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
 * [https://pitss.com/products/pitss-con/ PITSS.CON] (PITTS)

@@ Line 102: / Line 102: @@
 * [https://www.whitehatsec.com/products/static-application-security-testing/ Sentinel Source] (Whitehat)
 * [https://www.synopsys.com/software-integrity/products/interactive-application-security-testing.html Seeker] (Synopsys) Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
 * [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
 * [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)

@@ Line 54: / Line 54: @@
 * [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,
 * [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
 * [https://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/ Google CodeSearchDiggity] - Uses Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.  ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
 * [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.
@@ Line 71: / Line 72: @@
 [https://docs.gitlab.com/ee/user/application_security/sast/index.html#supported-languages-and-frameworks GitLab has lashed a free SAST tool for a bunch of different languages natively into GitLab. So you might be able to use that, or at least identify a free SAST tool for the language you need from that list].
 ==Commercial Tools Of This Type==

@@ Line 94: / Line 94: @@
 * [https://pumascanpro.com/ Puma Scan Professional] - A .NET C# static source code analyzer that runs as a Visual Studio IDE extension, Azure DevOps extension, and Command Line (CLI) executable.
 * [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio) - For C/C++, C#
-* [https://www.softwaresecured.com/reshift reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.
+* [https://www.reshiftsecurity.com reshift] - A CI/CD tool that uses static code analysis to scan for vulnerabilities and uses machine learning to give a prediction on false positives. Supports Java with future support for NodeJS and JavaScript planned for sometime in 2019.
 * [https://www.ripstech.com/ RIPS Code Analysis] (RIPS Technologies) - A SAST solution specialized for Java and PHP that detects unknown security vulnerabilities and code quality issues.
 * [https://www.synopsys.com/software-integrity/resources/datasheets/secureassist.html SecureAssist] (Synopsys) - Scans code for insecure coding and configurations automatically as an IDE plugin for Eclipse, IntelliJ, and Visual Studio etc. Supports (Java, .NET, PHP, and JavaScript)

@@ Line 102: / Line 102: @@
 * [https://www.defensecode.com/thunderscan.php Thunderscan SAST] (DefenseCode)
 * [http://www.veracode.com/products/binary-static-analysis-sast Veracode Static Analysis] (Veracode)
-* [http://www.xanitizer.net Xanitizer] - Scans Java for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).
+* [http://www.xanitizer.net Xanitizer] - Scans Java and Scala for security vulnerabilities, mainly via taint analysis. Free for academic and open source projects (see [https://www.rigs-it.com/xanitizer-pricing/]).
 ==More info==

@@ Line 50: / Line 50: @@
 * [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
 * [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby
 * [http://findbugs.sourceforge.net/ FindBugs] - (Legacy - NOT Maintained - Use SpotBugs (see below) instead) - Find bugs (including a few security flaws) in Java programs
 * [https://find-sec-bugs.github.io/ FindSecBugs] - A security specific plugin for SpotBugs that significantly improves SpotBugs's ability to find security vulnerabilities in Java programs. Works with the old FindBugs too,
@@ Line 64: / Line 65: @@
 * [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.
 * [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
 * [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
 * [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.

@@ Line 82: / Line 82: @@
 * [http://www.coverity.com/products/code-advisor/ Coverity Code Advisor] (Synopsys)
 * [https://www.checkmarx.com/technology/static-code-analysis-sca/ CxSAST] (Checkmarx)
-* [http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/ Fortify] (Micro Focus, Formally HP)
+* [https://www.microfocus.com/en-us/products/static-code-analysis-sast Fortify] (Micro Focus, Formally HP)
 * [https://hdivsecurity.com/interactive-application-security-testing-iast Hdiv Detection] (Hdiv Security) - Hdiv performs code security without actually doing static analysis. Hdiv does Interactive Application Security Testing (IAST), correlating runtime code & data analysis. It provides code-level results without actually relying on static analysis.
 * [http://www.juliasoft.com/solutions Julia] (JuliaSoft) - SaaS Java static analysis

@@ Line 56: / Line 56: @@
 * [https://github.com/wireghoul/graudit/ Graudit] - Scans multiple languages for various security flaws.
 * [https://lgtm.com/help/lgtm/about-lgtm LGTM] - A free for open source static analysis service that automatically monitors commits to publicly accessible code in: Bitbucket Cloud, GitHub, or GitLab. Supports C/C++, C#, COBOL (in beta), Java, JavaScript/TypeScript, Python
 * [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
 * [https://github.com/designsecurity/progpilot Progpilot] - Progpilot is a static analyzer tool for PHP that detects security vulnerabilities such as XSS and SQL Injection.
 * [https://pumascan.com/ Puma Scan] - Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.
-* [https://dotnet-security-guard.github.io/ .NET Security Guard] - Roslyn analyzers that aim to help security audits on .NET applications. It will find SQL injections, LDAP injections, XXE, cryptography weakness, XSS and more.
+* [https://pyre-check.org/ Pyre] - A performant type-checker for Python 3, that also has [https://pyre-check.org/docs/static-analysis.html limited security/data flow analysis] capabilities.
 * [http://rips-scanner.sourceforge.net/ RIPS] - RIPS Open Source is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.
 * [http://www.sonarqube.org/ SonarQube] - Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by [http://www.sonarlint.org/ SonarLint].
 * [https://spotbugs.github.io/ SpotBugs] - This is the active fork replacement for FindBugs, which is not maintained anymore.