Automated Code Analysis

Overview

Automated code analysis is when code reviews other code. It can also be called static analysis, as most programs which do this check the source code without actually running the program (which is where the term static comes from).

Static vs. Dynamic

Static analysis involves checking a programs source code for any issues, without actually running the code.

Dynamic analysis are code checks that involve running the code (which has to be compiled first for non-interpreted languages).

Code Analysis Program Review

ClangStatic Analyser

Supported Languages C, C++, Objective-C
Static/Dynamic Static
License, Pricing BSD, Free
URL http://clang-analyzer.llvm.org/

Cppcheck

Supported Languages C, C++
Static/Dynamic Static
License, Pricing BSD
URL http://sourceforge.net/projects/cppcheck/

The results from Cppcheck can seem a little sparse when compared to other static analysis tools.

Flawfinder

Supported Languages C, C++
Static/Dynamic Static
License, Pricing GPL v2 (or greater)
URL http://www.dwheeler.com/flawfinder/

Flawfinder is written in Python and designed to run on Linux. Author still responds to bugs/feature requests, even though there was an 8 year haitus (2006-2014). It is very easy to use by simply typing:

Frama-C

Supported Languages C, C++
Static/Dynamic Static
License, Pricing Open-source, free
URL http://www.dwheeler.com/flawfinder/

Frama-C is built in a modular way that is plug-in centric. It is designed to that plugins are easy to write, easy to install, and so that the output of one can easily be the input of another (plugin chaining).

Frama-C supports deductive verification, in where it validates functions by the rules written in the comments above the function. These rules are written in the ANSI/ISO specification language.

PC Lint

Supported Languages C, C++
Static/Dynamic Static
License, Pricing Proprietary, US$385 for a single user license as of September 2015.
URL http://www.gimpel.com/html/pcl.htm

PCLint uses knowledge of certain well-known C/C++ library  functions to improve it’s error checking capabilities. May C/C++ library functions have certain pre and post-conditions which must be met (e.g. the fopen() args is never null, assert() never returns, e.t.c). Where possible, PC Lint will check that these are satisfied.