
[Repost] Open-source code auditing tools: a reference list

Open-source and non-commercial tools
2.3.1.1 .NET (C#, VB.NET and all .NET compatible languages)
• Reflector.CodeMetrics — (an add-in for the essential Reflector) 
• CCMetrics 
• CRPlugin (plugin for DxCore) 
• FxCop — Free static analysis for Microsoft .NET programs that compile to CIL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft. 
• Source Monitor 
• vil 
2.3.1.2 Java
• Bandera — model-checking framework for Java programs 
• Checkstyle — checks Java source against a configurable coding standard 
• Classycle — analyze Java class cycles and class and package dependencies (Layers) 
• FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL). 
• Jlint — checks Java code for bugs, inconsistencies and synchronization problems (deadlocks, races) 
• PMD — a static ruleset based Java source code analyzer that identifies potential problems. 
• Soot — A Java program analysis and compiler optimization framework 
• Hammurapi — Customizable static code analysis tool for java (based on coding standards) that can also generate metrics report 
2.3.1.3 C
• CQual — A tool for adding type qualifiers in C. 
• SNav — Red Hat Source Navigator, a source code browser and cross-referencer rather than a checker. 
• Sparse — a tool designed to find faults in the Linux kernel. 
• Splint — an open-source successor to Lint for C; its checks are driven by annotations in the source. 
• Frama-C — Frama-C is a suite of tools dedicated to the analysis of the source code of software written in C. 
• Deputy - Deputy is a C compiler that is capable of preventing common C programming errors, including out-of-bounds memory accesses as well as many other common type-safety errors. 
• CCured - CCured is a source-to-source translator for C. It analyzes the C program to determine the smallest number of run-time checks that must be inserted in the program to prevent all memory safety violations. 
• RATS - RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. 
• LLVM/Clang Static Analyzer - standalone tool that finds bugs in C and Objective-C programs. 
• MOPS - MOPS is a tool for finding security bugs in C programs and for verifying conformance to rules of defensive programming. 
• BOON - BOON is a tool for automatically finding buffer overrun vulnerabilities in C source code. 
• BLAST - BLAST is a software model checker for C programs. 
2.3.1.4 C++
• Flawfinder — open source programming tool that examines C or C++ source code for security weaknesses. 
• Oink — collaboration of C++ static analysis tools, based on the research of CQual 
• LDRA Testbed - A software analysis and testing tool suite for C++. Note that LDRA Testbed is a commercial product, so it does not belong under this heading. 
• Dehydra - A scriptable static analysis tool based on GCC. Developed by Mozilla. 
• EDoc++ - Examines C++ code to identify problems with C++ exception propagation and usage. 
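RATS and Flawfinder (listed above) work by pattern-matching calls that are dangerous in themselves: an unbounded copy into a fixed buffer, or a check on a path name followed by a use of that path. The following C file is an added example, not part of the original list or of either tool's distribution; it shows one instance of each bug class next to a corrected version, so you can see what a "hit" looks like and what clearing it actually requires. All function names and the temporary file path are chosen for this example.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAME_BUF 16

/* --- Bug class 1: unbounded copy into a fixed-size stack buffer ----------- */

/* BEFORE: strcpy() is the classic hit in both tools' rule sets. Any name of
 * 16 bytes or more overruns buf; the function "works" only on short input. */
int label_length_unsafe(const char *name)
{
    char buf[NAME_BUF];
    strcpy(buf, name);                 /* flagged: no bound on the copy */
    return (int)strlen(buf);
}

/* AFTER: measure first, reject oversized input explicitly, then copy a known
 * number of bytes. Rejecting beats silent truncation (strncpy), which turns a
 * crash into a logic bug that the scanner no longer sees. */
int label_length_safe(const char *name)
{
    char buf[NAME_BUF];
    size_t n = strlen(name);
    if (n >= sizeof buf)
        return -1;                     /* caller must handle the refusal */
    memcpy(buf, name, n + 1);          /* n + 1 includes the terminating NUL */
    return (int)n;
}

/* --- Bug class 2: check-then-use on a path (TOCTOU) ----------------------- */

/* BEFORE: between access() and open() another process can replace the path
 * (e.g. swap in a symlink), so the check says nothing about what gets opened.
 * Both RATS and Flawfinder report access() for exactly this reason. */
int open_readable_unsafe(const char *path)
{
    if (access(path, R_OK) != 0)       /* flagged: TOCTOU race window opens here */
        return -1;
    return open(path, O_RDONLY);       /* ... and is exploited here */
}

/* AFTER: open first, then inspect the descriptor you actually hold. fstat()
 * cannot race because it examines the open file, not the path, and O_NOFOLLOW
 * refuses a symlink at the final component. (Assumption for this example: the
 * check was about file type, not about a setuid program's real-uid rights,
 * which needs a different fix.) */
int open_regular_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;                     /* not a plain file: device, fifo, dir */
    }
    return fd;
}

/* Self-check used by main(): creates a throwaway regular file with mkstemp()
 * (constructed sample input), verifies the safe opener accepts it and refuses
 * a character device, then removes the file. Returns 1 when both hold. */
int toctou_selfcheck(void)
{
    char path[] = "/tmp/sa_exampleXXXXXX";   /* hypothetical temp path template */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, "sample\n", 7) != 7) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    int good = open_regular_safe(path);
    int bad  = open_regular_safe("/dev/null");  /* char device, must be refused */
    if (good >= 0)
        close(good);
    unlink(path);
    return good >= 0 && bad == -1;
}

int main(void)
{
    printf("safe copy of \"alice\": %d\n", label_length_safe("alice"));
    printf("safe copy of a 20-byte name: %d\n",
           label_length_safe("twenty_bytes_long_nm"));
    printf("toctou self-check: %s\n", toctou_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Running either scanner over this file reports the strcpy() and access() calls in the "unsafe" functions and stays quiet on the corrected ones; that is the whole extent of what these lexical tools check, so a clean report means "no known-dangerous call names", not "no memory-safety bugs".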
2.3.1.5 Fortran
• ftnchek — static analyzer for Fortran 77 programs 
• g95-xml — code parser toolkit for Fortran 95 
2.3.1.6 JavaScript
• JSLint - online analyzer for JavaScript 
2.3.1.7 Perl
• Perl::Critic - a static code analysis tool for Perl 
2.3.1.8 PHP
• Pixy — a PHP 4 source code scanner for detection of XSS and SQL injection vulnerabilities. 
• smarty-lint - a lint implementation for the popular templating engine, Smarty. 
2.3.1.9 Python
• PyChecker - The original static code analyser for Python. 
• pylint - A static code analyser for Python. Runs standalone and can be integrated into PyDev for the Eclipse IDE. 
• Pyflakes - A lint-like tool for Python, whose primary advantage is being faster than PyChecker 
2.3.1.10 Visual Basic
• MZTools - MZTools 3.0 - Free Static Code Analysis & productivity enhancement tool for VB6, & VBA. 
2.3.1.11 Multiple languages
• RATS — Rough Auditing Tool for Security, which can scan C, C++, Perl, PHP and Python source code.