10+ free tools for static code analysis

We had featured some free open source tools for UML and Code Review. In this article we will provide another set of useful tools for developers to perform static code analysis.


Static code analysis is the analysis of code performed without actually executing the program. It is performed by tools ranging from those that only consider the behavior of individual statements and declarations to those that take the complete source code of a program into account. The analysis highlights possible coding errors (e.g., the lint tool), possible memory leaks, etc. There are a number of free tools available for performing static code analysis for multiple languages. Here is the list of them:

Multi-language Support

1. RATS – Rough Auditing Tool for Security

RATS – Rough Auditing Tool for Security – is an open source tool developed and maintained by Secure Software security engineers.

RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. RATS provides a security analyst with a list of potential trouble spots on which to focus, describing each problem and potentially suggesting remedies. It also provides a relative assessment of the potential severity of each problem, to help an auditor prioritize. The tool also performs some basic analysis to try to rule out conditions that are obviously not problems.
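To make concrete what a RATS-style scan produces, here is an added example in Python; it is not RATS's own code and not from the original article. It runs a small lexical scanner over a constructed C snippet, flags a few well-known unbounded string functions, pairs an access() check with a following fopen() of the same path as a TOCTOU finding, and sorts the report by severity the way an auditor would want it. The rule table, severities and remedy texts are assumptions chosen for the illustration, and the argument matching is a deliberately simple heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample C source (not from the original article) with two
# trouble spots: an unbounded strcpy and an access()/fopen() TOCTOU pair.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int load(const char *path, const char *name) {
    char buf[64];
    strcpy(buf, name);                 /* unbounded copy into a fixed buffer */
    if (access(path, R_OK) == 0) {     /* check ... */
        FILE *f = fopen(path, "r");    /* ... then use: the TOCTOU window */
        if (f) fclose(f);
    }
    snprintf(buf, sizeof buf, "%s", name);  /* bounded: not flagged */
    return 0;
}
'''

@dataclass
class Finding:
    line: int
    severity: str      # "High", "Medium" or "Low"
    call: str
    message: str

# Assumed rule table in the spirit of RATS's database: call -> (severity, remedy).
RISKY_CALLS = {
    "gets":    ("High",   "never bounds-checks its input; use fgets with a size"),
    "strcpy":  ("High",   "copies without a length limit; check lengths or use strlcpy"),
    "strcat":  ("High",   "appends without a length limit; check lengths or use strlcat"),
    "sprintf": ("Medium", "can overflow the destination; prefer snprintf"),
    "scanf":   ("Medium", "unbounded %s conversions overflow; give each a width"),
}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def first_argument(code, start):
    """Text of the first argument of the call whose '(' ends at index start.
    Heuristic: it does not handle nested parentheses inside the argument."""
    return code[start:].split(")")[0].split(",")[0].strip()

def scan_source(src):
    findings = []
    last_check = None   # (line, path argument) of the most recent access() call
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = re.sub(r"/\*.*?\*/", "", line)        # drop same-line block comments
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            if name in RISKY_CALLS:
                sev, remedy = RISKY_CALLS[name]
                findings.append(Finding(lineno, sev, name, f"{name}() {remedy}"))
            if name == "access":
                last_check = (lineno, first_argument(code, m.end()))
            elif name in ("open", "fopen") and last_check is not None:
                check_line, path = last_check
                if first_argument(code, m.end()) == path:
                    findings.append(Finding(lineno, "High", name,
                        f"access({path}) on line {check_line} then {name}({path}): "
                        "TOCTOU race; open first and validate the descriptor with fstat()"))
                last_check = None
    # Most severe first, then in source order, so the auditor can prioritise.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))

def report(findings):
    return "\n".join(f"line {f.line}: [{f.severity}] {f.message}" for f in findings)

if __name__ == "__main__":
    print(report(scan_source(SAMPLE_C)))
```

Running it on the sample reports the strcpy on line 8 and the fopen on line 10 (paired with the access on line 9), and nothing for the bounded snprintf; that "obviously not a problem" filtering is the same idea as the basic analysis RATS performs to cut noise.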

2. Yasca

Yet Another Source Code Analyzer (Yasca) is a plugin-based framework for scanning arbitrary file types, including C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL, and others. It integrates with other scanners, including FindBugs, JLint, PMD, and Pixy. Yasca is a command-line tool: just point it at your code base and watch it go to work. The output is an HTML file containing all findings.

Java Support

1. Checkstyle

Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code, sparing humans this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard.

Checkstyle is highly configurable and can be made to support almost any coding standard. An example configuration file supporting the Sun Code Conventions is supplied, as are sample configuration files for other well-known conventions. Checkstyle is most useful if you integrate it into your build process or your development environment.

2. FindBugs

It is an open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the University of Maryland. It uses static analysis to look for bugs in Java code. FindBugs requires JRE (or JDK) 1.5.0 or later to run; however, it can analyze programs compiled for any version of Java.

3. PMD

PMD scans Java source code and looks for potential problems like:

  • Possible bugs – empty try/catch/finally/switch statements
  • Dead code – unused local variables, parameters and private methods
  • Suboptimal code – wasteful String/StringBuffer usage
  • Overcomplicated expressions – unnecessary if statements, for loops that could be while loops
  • Duplicate code – copied/pasted code means copied/pasted bugs

PMD is integrated with JDeveloper, Eclipse, JEdit, JBuilder, BlueJ, CodeGuide, NetBeans/Sun Java Studio Enterprise/Creator, IntelliJ IDEA, TextPad, Maven, Ant, Gel, JCreator, and Emacs.

4. Hammurapi

Hammurapi aims to make development in the Java language more robust. Its code review system captures coding best practices and delivers them to developers’ fingertips. It also generates consolidated reports for lead developers, architects, and managers to monitor codebase quality and evolution.

C Language support

1. Sparse

Sparse, the semantic parser, provides a compiler frontend capable of parsing most of ANSI C as well as many GCC extensions, and a collection of sample compiler backends, including a static analyzer also called “sparse”. Sparse was designed to find possible coding faults in the Linux kernel, and it differs from other static analysis tools in that it was initially built to flag constructs that are only likely to be of interest to kernel developers. Sparse contains built-in checks for known problematic constructs and a set of annotations designed to convey semantic information about types, such as what address space pointers point to, or what locks a function acquires or releases.

2. Splint

Splint is an open source evolved version of Lint. Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

3. Uno

Uno is a simple tool for source code analysis.  It is designed to intercept primarily the three most common types of software defects:

  • Use of uninitialized variable,
  • Nil-pointer references, and
  • Out-of-bounds array indexing.

It allows for the specification and checking of a broad range of user-defined properties that can extend the checking power of the tool in an application driven way. Properties can be specified, for instance, for checking lock order disciplines, compliance with user-defined interrupt masking rules, rules stipulating that all memory allocated must be freed, etc.


4. BLAST

BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision.

C++ Support

1. Cppcheck

Cppcheck is a tool for static C/C++ code analysis. It tries to detect bugs that your C/C++ compiler doesn’t see. The most common errors it finds are memory leaks within the scope of a function. It has found 21 confirmed and fixed bugs in the Linux kernel and many more in other open source projects. Cppcheck is free software released under the terms of the GNU General Public License. It is written in C++.
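The two defect classes described above for Uno (reads of uninitialized variables) and Cppcheck (allocations leaked within a function) can both be found by a path-sensitive walk over a function's control flow, carrying the set of assigned variables and the set of live allocations along each path. The following is an added Python example, not code from Uno, Cppcheck or the original article: it works over a constructed toy statement list standing in for a C function body and reports a variable read on a path where it was never assigned, and an allocation still live at a return. The statement forms and the two sample programs are assumptions made for the illustration.

```python
# Toy statement forms (an assumption for this example, not the IR of Uno or Cppcheck):
#   ("decl", var)                          declare var without initialising it
#   ("assign", var, [uses])                var = expression reading the listed vars
#   ("alloc", var)                         var = malloc(...)
#   ("free", var)                          free(var)
#   ("use", [uses])                        a statement that only reads vars (e.g. printf)
#   ("if", [uses], then_stmts, else_stmts) branch on an expression reading uses
#   ("return", [uses])                     leave the function, reading uses

def analyze(params, body):
    """Return a de-duplicated list of findings for one function body.
    Every path is explored separately (exponential in the number of ifs);
    real tools merge states at join points, but the idea is the same."""
    findings = []

    def note(msg):
        if msg not in findings:          # the same defect is reached by many paths
            findings.append(msg)

    def check_reads(uses, init, where):
        for v in uses:
            if v not in init:
                note(f"{where}: read of '{v}' on a path where it is never assigned")

    def walk(stmts, init, allocs):
        for i, stmt in enumerate(stmts):
            kind = stmt[0]
            if kind == "decl":
                continue                    # declaring adds nothing to init
            if kind == "assign":
                _, var, uses = stmt
                check_reads(uses, init, f"assign {var}")
                init = init | {var}
            elif kind == "alloc":
                init = init | {stmt[1]}
                allocs = allocs | {stmt[1]}
            elif kind == "free":
                check_reads([stmt[1]], init, f"free {stmt[1]}")
                allocs = allocs - {stmt[1]}
            elif kind == "use":
                check_reads(stmt[1], init, "use")
            elif kind == "if":
                _, uses, then_b, else_b = stmt
                check_reads(uses, init, "if")
                rest = stmts[i + 1:]        # both branches continue with the tail
                walk(list(then_b) + rest, init, allocs)
                walk(list(else_b) + rest, init, allocs)
                return
            elif kind == "return":
                check_reads(stmt[1], init, "return")
                for p in sorted(allocs):
                    note(f"return: allocation '{p}' is never freed on some path")
                return
            else:
                raise ValueError(f"unknown statement kind {kind!r}")
        for p in sorted(allocs):            # fell off the end without a return
            note(f"end of function: allocation '{p}' is never freed on some path")

    walk(list(body), frozenset(params), frozenset())
    return findings

# Constructed sample, modelled on a C function f(int n): y is only assigned when
# x > 10, and p is freed only on the early-return path.
LEAKY = [
    ("decl", "x"),
    ("alloc", "p"),
    ("if", ["n"], [("assign", "x", ["n"])], [("free", "p"), ("return", [])]),
    ("decl", "y"),
    ("if", ["x"], [("assign", "y", [])], []),
    ("use", ["y"]),
    ("return", ["x"]),
]

# The same function with y initialised up front and p freed before the final return.
FIXED = [
    ("decl", "x"),
    ("alloc", "p"),
    ("if", ["n"], [("assign", "x", ["n"])], [("free", "p"), ("return", [])]),
    ("assign", "y", []),
    ("if", ["x"], [("assign", "y", [])], []),
    ("use", ["y"]),
    ("free", "p"),
    ("return", ["x"]),
]

if __name__ == "__main__":
    for name, prog in (("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(name, analyze(["n"], prog) or ["no findings"])
```

On LEAKY the walk reports both the read of y and the leak of p; on FIXED it reports nothing, which is the property-check shape Uno's user-defined rules ("all memory allocated must be freed") and Cppcheck's function-scope leak detection both rely on.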




  2. […] had covered Code Review Tools, Code Coverage tools for C/C++, Static Code Analysis Tools, Code Profilers for C/C++. Another must have design tool is a UML Modeler. Here we cover 7 Open […]

  3. Ashley says:

    Pretty good and helpful list. Thank you.

  4. Kazuko Rojo says:

    I’m glad I found this web page, I couldn’t discover any knowledge on this matter prior to. I also run a site and if you’re ever interested in doing some guest writing for me you should feel free to let me know, I’m always looking for people to check out my webpage. Please stop by and leave a comment sometime!



  12. Free CppCat for Students: http://www.viva64.com/en/b/0290/

    CppCat is a static code analyzer integrating into the Visual Studio 2010-2013 environment. The analyzer is designed for regular use and allows detecting a large number of various errors and typos in programs written in C and C++. For the purpose of popularizing it, we’ve decided to launch a student-support program granting free licenses to every higher school student who will contact and ask us about that. You just need to send us a photo of your student card or transcript.
