Garland SHARRATT : Cybersecurity Consulting: Automated Code Inspection Tools for C Code

I recently had to draw up a list of C code automated inspection tools for a client. It took me several hours to find and distill good reviews on the web so I thought I'd share it here for what's worth. If I wind up using (or trying to use) any of the tools on the client's code base, I'll report my experience here.

This is a list of tools that, based on seven reviews I found, look like good candidates to run. Since C has been around forever, some of the reviews are from as far back as 2009 and 2010.

Tool	# Recommendations	Type	Web page / Notes
OPEN SOURCE
Flawfinder	5	Open source	http://www.dwheeler.com/flawfinder/ https://sourceforge.net/projects/flawfinder/ Last update: 2014
Cppcheck	4	Open source	http://cppcheck.sourceforge.net/ https://sourceforge.net/projects/cppcheck/ Last update: 2016
RATS	3	Open source	https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads Last update: 2013
YASCA	3	Open source & Commercial	http://www.scovetta.com/yasca.html https://sourceforge.net/projects/yasca/ Last update: 2014
COMMERCIAL
Coverity (Synopsys)	3	Commercial	http://www.synopsys.com/software/coverity/
Klocwork	2	Commercial	http://www.klocwork.com/
Fortify Static Code Analyzer (SCA) (HP)	1	Commercial	http://www8.hp.com/ca/en/software-solutions/static-code-analysis-sast/

. o O o .

Garland SHARRATT : Cybersecurity Consulting

Pages

2016-09-06

Automated Code Inspection Tools for C Code