注册 登录  
 加关注
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

_

_

 
 
 

日志

 
 

代码静态检查工具  

2013-11-22 03:19:15|  分类: 默认分类 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |
代码静态检查工具汇总

静态代码扫描,借用一段网上的原文解释一下(这里叫静态检查):“静态测试包括代码检查、静态结构分析、代码质量度量等。它可以由人工进行,充分发挥人的逻辑思维优势,也可以借助软件工具自动进行。代码检查代码检查包括代码走查、桌面检查、代码审查等,主要检查代码和设计的一致性,代码对标准的遵循、可读性,代码的逻辑表达的正确性,代码结构的合理性等方面;可以发现违背程序编写标准的问题,程序中不安全、不明确和模糊的部分,找出程序中不可移植部分、违背程序编程风格的问题,包括变量检查、命名和类型审查、程序逻辑审查、程序语法检查和程序结构检查等内容。”。
我看了一系列的静态代码扫描或者叫静态代码分析工具后,总结对工具的看法:静态代码扫描工具,和编译器的某些功能其实是很相似的,他们也需要词法分析,语法分析,语意分析...但和编译器不一样的是他们可以自定义各种各样的复杂的规则去对代码进行分析。
以下将会列出的静态代码扫描工具,会由于实现方法,算法,分析的层次不同,功能上会差异很大。有的可以做SQL注入的检查,有的则不能(当然,由于时间问题还没有对规则进行研究,但要检查复杂的代码安全漏洞,是需要更高深分析算法的,所以有的东西应该不是设置规则库就可以检查到的,但在安全方面的检查,一定程度上也是可以通过设置规则进行检查的)。
以下我在网上搜集到的分析工具,我整理了以下挑了一些出来,这里只是一部分,另外一些可以到参考链接上看一下:

工具名
静态扫描语言
开源/付费
厂商
介绍
主页网址

ounec5.0
VB.Net、C、C++和C#,
还支持Java。
付 费
Ounce Labs
\
http://www.ouncelabs.com/

Coverity Prevent
C/C++,C#,JAVA
付费
Coverity
还有其他辅助工具:
1.Coverity Thread Analyzer for Java
2.Coverity Software Readiness Manager for Java
3.Coverity Architecture Analyzer
http://www.coverity.com/index.html

@stake SmartRisk?
Analyzer
C/C++,Java
付费
Symantec
Corporation
@stake SmartRisk? Analyzer harnesses the power of
static analysis of binary executables (C, C++, and Java) to
identify, categorize and prioritize security。
注:在Symantec没有搜到此产品?!
http://www.symantec.com/business/index.jsp

Rational Purify
C/C++,Java
付费
IBM
Provides memory leak and memory corruption detection for
Windows,Runtime?!
http://www-01.ibm.com/software/awdtools/purify/

PREfix
\
\
microsoft
微软用的静态分析工具,但暂时没有找到下载,
现在好像在考虑发布中!
\

Jtext
Java
付费
parasoft
同时还有其他静态分析代码的产品,如:C++Test...
详细请查询官网
http://www.parasoft.com/jsp/cn/support.jsp

flawfinder
C/C++
开源
\
用Python编写的c、c++程序安全审核工具,
可以检查潜在的安全风险。
http://www.dwheeler.com/flawfinder/

Static Code
Analyzer
C/C++,C#,JAVA
付费
Fortify
\
http://www.fortify.com/

Klocwork Insight
C/C++ ,Java
付费
Klocwork
\
http://www.klocwork.com/products/insight.asp

PolySpace
Client/Server
C/C++、Ada语言
付费
MathWorks
\
http://www.mathworks.cn/

rats
C/C++, Python,
Perl,
PHP代码进行安全审核的工具
开源
\
\
http://www.fortify.com/security-resources/rats.jsp

LAPSE
Java
开源
\
LAPSE stands for a Lightweight Analysis for Program
Security in Eclipse. LAPSE is designed to help with
the task of auditing Java J2EE applications for common
types of security vulnerabilities found in Web applications.
LAPSE was developed by Benjamin Livshits as part of the
Griffin Software Security Project.
http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project

Fluid
java
开源
\
We have explored properties including:
* race conditions and locking policies,
* unique references and other programmer-significant
aliasing properties,
* effects,
* appropriate typing,
* realtime threading policies, and
* single-threading policies.
http://www.fluid.cs.cmu.edu:8080/Fluid

Splint
C
开源
University of
Virginia,
Department of
Computer
Science
静态检测针对C语言的安全工具和漏洞检测。
http://www.splint.org/

cqual
C/C++
开源
马里兰大学
轻量级的静态扫描器,在类Linux系统下运行。
http://www.cs.umd.edu/~jfoster/cqual/

MOPS
C
开源
berkeley大学
MOPS is a tool for finding security bugs in C programs
and for verifying conformance to rules of defensive programming
http://www.cs.berkeley.edu/~daw/mops/

BOON
C
开源
berkeley大学
BOON is a tool for automatically finding buffer overrun
vulnerabilities in C source code. Buffer overruns are one
of the most common types of security holes, and we hope
that BOON will enable software developers and code auditors
to improve the quality of security-critical programs.
http://www.cs.berkeley.edu/~daw/boon/

BLAST
C
开源
The BLAST
2.0 Team
BLAST is a software model checker for C programs.
The goal of BLAST is to be able to check that software
satisfies behavioral properties of the interfaces it uses.
BLAST uses counterexample-driven automatic abstraction
refinement to construct an abstract model which is model
checked for safety properties. The abstraction is constructed
on-the-fly, and only to the required precision.
http://mtc.epfl.ch/software-tools/blast/

SpikeWAMP
Php
开源
\
for analyzing PHP programs
http://developer.spikesource.com/wiki/index.php/SpikeWAMP

Pixy
Php
开源
\
Finding XSS and SQLI vulnerabilities
http://pixybox.seclab.tuwien.ac.at/pixy/

Mike
Java
开源
\
Java source code security scanner built on top of Orizon.
They are connected to OWASP.
http://milk.sourceforge.net/download.html

Smatch
C
开源
\
\
http://smatch.sourceforge.net/

Oink
C++
开源
\
C++ Static Analysis Tools
http://www.cubewano.org/oink

Frama-C
C
开源
\
static analyzers for the C language.
http://frama-c.cea.fr/

RTL-check
\
开源
\
RTL-check is an extensible and powerful abstract interpretation
framework for static analysis of programs from a safety and
security perspective
http://rtlcheck.sourceforge.net/

PMD
Java
开源
\
PMD scans Java source code and looks for potential problems like:
* Possible bugs - empty try/catch/finally/
switch statements
* Dead code - unused local variables, parameters
and private methods
* Suboptimal code - wasteful String/StringBuffer usage
* Overcomplicated expressions - unnecessary if statements,
for loops that could be while loops
* Duplicate code - copied/pasted code means copied/pasted bugs
http://pmd.sourceforge.net/

FindBugs
Java
开源
马里兰大学
uses static analysis to look for bugs in Java code.
注意:提供Eclipse插件。
http://findbugs.sourceforge.net/

ITS4
C\C++
开源
\
Cigital developed ITS4 to help automate source code
review for security.
http://www.cigital.com/its4/

QJ-Pro
Java
开源
\
QJ-Pro is a comprehensive software inspection tool targeted
towards the software developer.
QJ-Pro checks:
* conformance to coding standards,
* misuse of the Java language,
* best practice conformence
* code structure and
* potential bugs at the earliest stages of development.
注意:提供各种IDE插件!
http://qjpro.sourceforge.net/

Jint
Java
开源
\
Jlint will check your Java code and find bugs, inconsistencies
and synchronization problems by doing data flow analysis and
building the lock graph.
http://artho.com/jlint/

Hammurapi
Java
开源
\
code review system captures coding best practices and delivers
them to developers' fingertips. It also generates consolidated
reports for lead developers, architects, and managers to
monitor codebase quality and evolution.
http://www.hammurapi.biz/hammurapi-biz/ef/xmenu/hammurapi-group/index.html

DoctorJ
Java
开源
\
Among what it detects:
* misspelled words
* parameter and exception names:
o missing
o misordered
o misspelled
* Javadoc tags:
o invalid
o misordered
o missing expected arguments
o invalid arguments
o missing descriptions
* undocumented classes, methods, fields,
parameters
http://www.incava.org/projects/java/doctorj/index.html

Dependency Finder
Java
开源
\
Dependency Finder is a suite of tools for analyzing
compiled Java code. At the core is a powerful dependency
analysis application that extracts dependency graphs and
mines them for useful information. This application comes
in many forms for your ease of use, including command-line
tools, a Swing-based application, a web application ready
to be deployed in an application server, and a set of Ant
tasks.
http://depfind.sourceforge.net/

Checkstyle
Java
开源
\
Checkstyle is a development tool to help programmers
write Java code that adheres to a coding standard.
It automates the process of checking Java code to spare
humans of this boring (but important) task. This makes
it ideal for projects that want to enforce a coding standard.
注意:提供多种IDE的插件。
http://checkstyle.sourceforge.net/

Classycle
Java
开源
\
Classycle's Analyser analyses the static class and package
dependencies in Java applications or libraries.
http://classycle.sourceforge.net/

JDepend
Java
开源
\
JDepend traverses Java class file directories and generates
design quality metrics for each Java package.
JDepend allows you to automatically measure the quality
of a design in terms of its extensibility, reusability,
and maintainability to manage package dependencies effectively.
http://www.clarkware.com/software/JDepend.html

JCSC
Java
开源
\
JCSC is a powerful tool to check source code against a highly
definable coding standard and potential bad code.
http://jcsc.sourceforge.net/

......
以下是直接提供代码检查/相关帮助的厂商:

Fortify:

http://www.fortify.com/

ASPECT:

http://www.aspectsecurity.com/

OWASP:

http://www.owasp.org/index.php/Main_Page

securitycompass:

http://www.securitycompass.com/resources.shtml
参考资料:
1.http://www.dwheeler.com/flawfinder/
2.http://www.java2s.com/Product/Java/Byte-Source-Code/Source-Analysis-Diagram.htm
3.http://www.softwarelist.cn/?fsid=53&cid=530&cpath=ABAN
4.http://www.hacker.com.cn/article/view_14804.html
5.http://www.cs.cmu.edu/~aldrich/courses/654/tools/
注:以上链接列举了大量相关工具

Source URL: http://www.pin5i.com/showtopic-22624.html

  评论这张
 
阅读(746)| 评论(0)
推荐 转载

历史上的今天

在LOFTER的更多文章

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2017