Tool name | Language | Cost / vendor | Description | Date
ASTRÉE | C | Contact vendor | undefined code constructs or run-time errors, e.g. out-of-bounds array indexing or arithmetic overflow | 1 Mar 2007
BOON | C | Free | integer range analysis determines whether an array can be indexed outside its bounds | 15 Feb 2005
C Code Analyzer | C | Free | out-of-bounds array indexing or arithmetic overflow; aims for no false positives | 20 Apr 2006
C++test | C++ | Parasoft | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006
.TEST | C#, VB.NET, MC++ | Parasoft | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006
Jtest | Java | Parasoft | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006
WebKing | HTML | Parasoft | "defects, poor constructs, potentially malicious code and other elements" | 4 Apr 2006
CodeAssure | C, C++, Java | Secure Software | unvalidated input, cryptographic problems, missed exceptions, etc. | 2005
CodeCenter | C | CenterLine Systems | incorrect pointer values, illegal array indices, bad function arguments, type mismatches, and uninitialized variables | 28 Oct 2005
CodeScan | ASP, PHP | CodeScan Labs | "... security holes and source code issues ..." | 10 Oct 2006
CodeSonar | C, C++ | GrammaTech | null-pointer dereferences, divide-by-zeros, buffer over- and underruns | 21 Mar 2005
CQual | C | Free | uses type qualifiers to perform a taint analysis, which detects format string vulnerabilities | 15 Feb 2005
Csur | C | Free | cryptographic protocol-related vulnerabilities | 10 Apr 2006
DevInspect | C#, Visual Basic, JavaScript, VBScript | SPI Dynamics | application vulnerabilities | 21 Dec 2004
DevPartner SecurityChecker | C#, Visual Basic | Compuware | known and potential security vulnerabilities | 10 Oct 2006
Eau Claire | C | Unknown | array bounds errors, null pointer dereferences, string functions | 15 Feb 2005
Flawfinder | C/C++ | Free | uses of risky functions: buffer overflow (strcpy()), format string ([v][f]printf()), race conditions (access(), chown(), and mktemp()), shell metacharacters (exec()), and poor random numbers (random()) | 2005
Fluid | Java | Contact vendor | "analysis-based verification" of attributes such as race conditions, thread policy, and object access, with no false negatives | 28 Oct 2005
ITS4 | C, C++ | Free | potentially dangerous function calls, with risk analysis of some | 11 Feb 2005
Jlint | Java | Free | bugs, inconsistencies and synchronization problems | 3 Feb 2006
K7 | C, C++, and Java | Klocwork | access problems, buffer overflow, injection flaws, insecure storage, unvalidated input, etc. | 6 July 2005
LAPSE | Java | Free | helps audit Java J2EE applications for common types of security vulnerabilities found in Web applications | 19 Sep 2006
MILK | Java | Free | security source code assessment tool using Orizon as its API; scans Java and .NET source files to perform a security code review, pointing out misuse of safe-coding best practices | 19 Sep 2006
PHP-Sat | PHP | Free | static analysis tool; XSS, etc. (description at http://ericbouwers.blogspot.com/) | 18 Sep 2006
PMD | Java | Free | questionable constructs, dead code, duplicate code | 3 Feb 2006
PolySpace | Ada, C, C++ | PolySpace Technologies | run-time errors, unreachable code | 25 Feb 2005
PREfix and PREfast | C, C++ | Microsoft proprietary | | 10 Feb 2006
Prevent | C, C++ | Coverity | flaws and security vulnerabilities; reduces false positives while minimizing the likelihood of false negatives | 11 Mar 2005
Prexis | C, C++, Java, JSP, J2EE, Struts, "and more" | Ounce Labs | coding errors, design flaws, and policy violations | 7 Dec 2005
QA-C, QA-C++, QA-J, QA-FORTRAN, QA-High-Integrity C | C, C++, Java, FORTRAN | Programming Research | out-of-bounds array indexing | 10 Dec 2004
RATS | C | Free | potential security risks | 2005
Resource Standard Metrics | C, C++, C#, and Java | M Squared Technologies | scans for 50 readability or portability problems or questionable constructs, e.g. different numbers of "new" and "delete" keywords, or an assignment operator (=) in a conditional (if) | 10 Dec 2004
Smatch | C | Free | simple scripts look for problems in a simplified representation of the code; primarily for Linux kernel code | 20 Apr 2006
SofCheck Inspector | Java | SofCheck | creates assertions for each module and tries to prove that the system obeys them and is free of run-time errors | 8 Jun 2006
SCA | ASP.NET, C, C++, C# and other .NET languages, Java, JSP, PL/SQL, T-SQL, VB.NET, XML | Fortify Software | security vulnerabilities, tainted data flow, etc. | 21 Apr 2006
SCARE | C, maybe any language | Free | the Source Code Analysis Risk Evaluation project is a study to create a security complexity metric that analyzes source code and gives a realistic, factual representation of the potential of that source code to produce a problematic binary | 10 Dec 2007
Skavenger | PHP, but also usable on any kind of source file | Free | source code auditing tool written in PHP; works like egrep/sed but can process several files, or an entire directory, in one run, and can take a series of regular expressions from a file to apply simultaneously to the target files | 15 Dec 2007
SPARK tool set | SPARK (Ada subset) | Praxis | ambiguous constructs, data- and information-flow errors, any property expressible in first-order logic (Examiner, Simplifier, and SPADE) | 29 Aug 2006
Splint | C | Free | security vulnerabilities and coding mistakes; with annotations it performs stronger checks | 2005
UNO | C | Free | uninitialized variables, null pointers, and out-of-bounds array indexing, and "allows for the specification and checking of a broad range of user-defined properties"; aims for a very low false alarm rate | 3 Feb 2006
Viva64 | C++ | Viva64 | finds problems in porting to 64-bit architectures, e.g. out-of-bounds indexing or arithmetic overflow | 07 Feb 2007
xg++ | C | Unknown | kernel and device driver vulnerabilities in Linux and OpenBSD through range checking (http://www.stanford.edu/~engler/sp-ieee-02.pdf), etc. | 15 Feb 2005
Orizon | Java | Free | framework intended to provide tools and facilities for testing Java sources for security flaws; the main goal is to detect the common threats described in the OWASP Top 10 | 07 May 2007
Pixy | PHP | Free | Java program that automatically scans PHP 4 source code for XSS and SQL injection vulnerabilities | 27 June 2007
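Several rows describe the two techniques most of the listed tools rely on: lexical matching of risky calls (Flawfinder, ITS4, RATS, Skavenger) and taint analysis of untrusted data flowing into dangerous sinks such as format strings (CQual, Fortify SCA). The toy scanner below is an added example, not code from any tool in the table; its rule tables, risk levels and the sample C fragment are assumptions for illustration. It does both on a constructed input and shows why the taint step cuts false positives: a literal format string is never reported, a non-literal one of unknown origin is reported at low risk, and one traceable to argv, getenv() or fgets() is reported at the top level.

```python
"""Toy source scanner combining lexical risky-call matching (the Flawfinder /
RATS / ITS4 approach) with a minimal CQual-style taint analysis for format
strings. Added illustration, not code from any tool in the table; rule tables,
risk levels and the sample input are assumptions. Python 3, stdlib only."""
import re

# Lexical rules: function -> (risk level, reason). Levels are hypothetical.
RISKY_CALLS = {
    "strcpy": (4, "unbounded copy, buffer overflow"),
    "gets": (5, "no bound at all"),
    "sprintf": (4, "unbounded formatted write"),
    "access": (4, "TOCTOU race between check and use"),
    "system": (4, "shell metacharacters in argument"),
}
FORMAT_SINKS = {"printf": 0, "fprintf": 1, "syslog": 1}         # index of the format argument
SOURCE_OUT_ARG = {"fgets": 0, "gets": 0, "read": 1, "recv": 1}  # argument filled with input
TAINT_RETURNING = {"getenv", "fgets", "gets"}                    # return value is untrusted
COPY_DEST = {"strcpy": 0, "strncpy": 0, "strcat": 0, "sprintf": 0, "snprintf": 0}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
STR_RE = re.compile(r'"(?:\\.|[^"\\])*"')
ASSIGN_RE = re.compile(r"^\s*(?:[\w\s*]*[\s*])?(\w+)\s*(?:\[\w*\])?\s*=(?!=)\s*(.+?)\s*;")

def call_args(text, open_idx):
    """Split the arguments of the call whose '(' is at open_idx (nesting and strings aware)."""
    depth, in_str, args, cur, i = 0, False, [], "", open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":                       # keep escaped character verbatim
                i, c = i + 1, c + text[i + 1]
            in_str = c != '"'
        elif c == '"':
            in_str = True
        elif c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:                      # closing paren of this call
                args.append(cur.strip())
                return [a for a in args if a]
            if depth == 1 and c == "(":         # drop the call's own opening paren
                i += 1
                continue
        elif c == "," and depth == 1:
            args.append(cur.strip())
            cur, i = "", i + 1
            continue
        cur += c
        i += 1
    return [a for a in args if a]

def first_ident(expr):
    m = IDENT_RE.search(expr)
    return m.group() if m else ""

def is_tainted(expr, tainted):
    """True if expr names a tainted variable, argv, or a call that returns untrusted data."""
    expr = STR_RE.sub('""', expr)               # text inside string literals is not an identifier
    idents = set(IDENT_RE.findall(expr))
    return bool(idents & (tainted | {"argv"})) or any(
        name in TAINT_RETURNING for name in CALL_RE.findall(expr))

def scan(source):
    """Return (line, function, level, reason) tuples in source order."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = re.sub(r"/\*.*?\*/|//.*", "", raw)      # toy comment stripping
        for m in CALL_RE.finditer(line):
            name, args = m.group(1), call_args(line, m.end() - 1)
            if name in RISKY_CALLS:                     # 1. lexical match, context-free
                findings.append((lineno, name) + RISKY_CALLS[name])
            if name in SOURCE_OUT_ARG and len(args) > SOURCE_OUT_ARG[name]:
                tainted.add(first_ident(args[SOURCE_OUT_ARG[name]]))
            if name in COPY_DEST and len(args) > 1:     # taint flows from other args into dest
                d = COPY_DEST[name]
                if any(is_tainted(a, tainted) for i, a in enumerate(args) if i != d):
                    tainted.add(first_ident(args[d]))
            if name in FORMAT_SINKS and len(args) > FORMAT_SINKS[name]:
                fmt = args[FORMAT_SINKS[name]]
                if not fmt.startswith('"'):             # 2. literal formats are never reported
                    if is_tainted(fmt, tainted):
                        findings.append((lineno, name, 5, "format string from untrusted input"))
                    else:
                        findings.append((lineno, name, 2, "non-literal format string, origin unknown"))
        a = ASSIGN_RE.match(line)                       # x = <expr>; propagates taint to x
        if a and is_tainted(a.group(2), tainted):
            tainted.add(a.group(1))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
int main(int argc, char **argv) {
    char buf[64];
    const char *msg = "static text";
    char *home = getenv("HOME");
    strcpy(buf, argv[1]);
    printf("hello %s\\n", buf);
    printf(buf);
    printf(msg);
    fgets(buf, sizeof buf, stdin);
    syslog(LOG_INFO, buf);
    fprintf(stderr, home);
    if (access(path, W_OK) == 0) chmod(path, 0600);
}
"""

if __name__ == "__main__":
    for line, func, level, reason in scan(SAMPLE):
        print(f"line {line}: {func}() risk {level}: {reason}")
```

Running it reports strcpy() and access() from the lexical table alone, printf(buf), syslog(LOG_INFO, buf) and fprintf(stderr, home) as tainted format strings, and printf(msg) only as a low-risk non-literal format, while printf("hello %s\n", buf) is silent. The analysis is deliberately line-based and intra-procedural with no handling of macros, character literals or control flow; real tools in the table parse the code, which is what lets CQual and Fortify SCA track data across functions, and why pure pattern scanners such as Flawfinder and RATS are known for high false-positive rates.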
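Several other rows (BOON, C Code Analyzer, UNO, ASTRÉE, PolySpace, xg++, Viva64) describe range analysis: tracking an interval of possible values for each variable and reporting an array index or arithmetic result that can leave its bounds. The toy interval analysis below is an added example, not code from any listed tool; the statement representation, the sample programs and the 32-bit overflow bounds are assumptions. It runs on a small straight-line program with path conditions and covers the three cases a practitioner cares about: an unguarded index derived from an untrusted byte, a correct `i < 64` guard that silences the report, and the off-by-one `i <= 64` guard that does not.

```python
"""Toy interval (range) analysis of the kind BOON, UNO, ASTRÉE, PolySpace and
xg++ use to decide whether an array index or arithmetic result can leave its
bounds. Added example, not any tool's code; the program representation, the
sample programs and the 32-bit limits are assumptions. Python 3, stdlib only."""

INT_MIN, INT_MAX = -2**31, 2**31 - 1   # assumed 32-bit int

def evaluate(expr, env):
    """Abstract evaluation: every expression yields an (lo, hi) interval."""
    if isinstance(expr, int):
        return (expr, expr)
    if isinstance(expr, str):
        return env[expr]
    op, a, b = expr
    (lo1, hi1), (lo2, hi2) = evaluate(a, env), evaluate(b, env)
    if op == "+":
        return (lo1 + lo2, hi1 + hi2)
    if op == "-":
        return (lo1 - hi2, hi1 - lo2)
    if op == "*":
        corners = (lo1 * lo2, lo1 * hi2, hi1 * lo2, hi1 * hi2)
        return (min(corners), max(corners))
    raise ValueError(f"unsupported operator {op}")

def narrow(cmp, iv, bound):
    """Refine iv given that `iv <cmp> bound` holds on the current path (an if guard)."""
    (lo, hi), (blo, bhi) = iv, bound
    if cmp == "<":
        return (lo, min(hi, bhi - 1))
    if cmp == "<=":
        return (lo, min(hi, bhi))
    if cmp == ">":
        return (max(lo, blo + 1), hi)
    if cmp == ">=":
        return (max(lo, blo), hi)
    raise ValueError(f"unsupported comparison {cmp}")

def analyze(program):
    """Walk the statements once, returning (kind, statement index, name, interval) findings."""
    env, arrays, findings = {}, {}, []
    for pc, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "array":                      # ("array", name, size)
            arrays[stmt[1]] = stmt[2]
        elif kind == "input":                    # ("input", var, lo, hi): untrusted value
            env[stmt[1]] = (stmt[2], stmt[3])
        elif kind == "set":                      # ("set", var, expr)
            iv = evaluate(stmt[2], env)
            if iv[0] < INT_MIN or iv[1] > INT_MAX:
                findings.append(("overflow", pc, stmt[1], iv))
                iv = (INT_MIN, INT_MAX)          # after wrap-around, assume nothing
            env[stmt[1]] = iv
        elif kind == "assume":                   # ("assume", (cmp, var, expr)): inside an if
            cmp, var, bound = stmt[1]
            env[var] = narrow(cmp, env[var], evaluate(bound, env))
        elif kind == "index":                    # ("index", array, expr): array[expr]
            iv, size = evaluate(stmt[2], env), arrays[stmt[1]]
            if iv[0] < 0 or iv[1] >= size:
                findings.append(("out-of-bounds", pc, stmt[1], iv))
        else:
            raise ValueError(f"unknown statement {kind}")
    return findings

# Constructed sample programs (not from any real code base).
PROG_UNSAFE = [
    ("array", "buf", 64),
    ("input", "n", 0, 255),               # one untrusted byte, e.g. a length field
    ("set", "i", ("*", "n", 2)),          # i in [0, 510]
    ("index", "buf", "i"),                # reported: 510 >= 64
    ("input", "len", 0, INT_MAX),         # attacker-controlled 32-bit length
    ("set", "total", ("+", "len", 16)),   # reported: may exceed INT_MAX
]
PROG_GUARDED = [
    ("array", "buf", 64),
    ("input", "n", 0, 255),
    ("set", "i", ("*", "n", 2)),
    ("assume", ("<", "i", 64)),           # inside `if (i < 64)`: i in [0, 63]
    ("index", "buf", "i"),                # silent
]
PROG_OFF_BY_ONE = [
    ("array", "buf", 64),
    ("input", "n", 0, 255),
    ("set", "i", ("*", "n", 2)),
    ("assume", ("<=", "i", 64)),          # inside `if (i <= 64)`: i in [0, 64]
    ("index", "buf", "i"),                # reported: 64 >= 64
]

if __name__ == "__main__":
    for name, prog in [("unsafe", PROG_UNSAFE), ("guarded", PROG_GUARDED), ("off-by-one", PROG_OFF_BY_ONE)]:
        print(name, analyze(prog))
```

The guarded program is silent because the path condition narrows `i` to [0, 63] before the access; the off-by-one variant leaves [0, 64] and is still reported, which is exactly the class of bug BOON and UNO target. Real tools add loops (with widening to guarantee termination), pointers and inter-procedural summaries, and trade precision for scalability; ASTRÉE and C Code Analyzer advertise no false positives on the code they accept, while UNO advertises a very low false-alarm rate, which is the same trade-off stated from two sides.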