Source Code Analysis Tools

This page collects and comments on source code audit (static analysis) tools:

Description
TBD

Important Selection Criteria

 * Language support: the tool must support your language; once it does, language coverage is rarely the deciding factor.
 * Types of vulnerabilities it can detect (the OWASP Top Ten? more than that?)
 * Does it require a fully buildable set of source?
 * Can it run against binaries instead of source?
 * Can it be integrated into the developer's IDE?

OWASP Tools Of This Type

 * OWASP_LAPSE_Project

Open Source or Free Tools Of This Type

 * Microsoft - FxCop: Tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines
 * Microsoft - PREfix: Microsoft Research's interprocedural, path-sensitive defect finder for C/C++, used internally on Windows
 * Microsoft - PREfast: lightweight function-level C/C++ checker, shipped with the Windows DDK and as Visual Studio's /analyze
 * SWAAT - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
 * Secure Software - RATS - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
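To make concrete what a "simplistic" lexical scanner such as RATS or SWAAT does, and why the selection criteria above ask whether a tool needs a fully buildable set of source, here is an added toy scanner. It is example code written for this page, not the source of RATS or any other tool listed; the rule table, the five-line look-ahead window used for the TOCTOU pattern and the three embedded C samples are all constructed for illustration. It flags dangerous calls by name after blanking out strings and comments, escalates an access() that is followed by open()/fopen(), and, on the third sample, shows the false positive a purely lexical tool cannot avoid because it has no data flow: it cannot tell that the checked and the opened path differ.

```python
"""Toy lexical source scanner in the style of RATS (added example, not RATS code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed rule table (assumption: a small subset for illustration, not any
# tool's real signature database). C function name -> (severity, reason).
RULES = {
    "gets":    ("high",   "reads an unbounded line into a fixed buffer"),
    "strcpy":  ("high",   "copies without checking destination size"),
    "strcat":  ("high",   "appends without checking destination size"),
    "sprintf": ("medium", "formats into a buffer with no size limit"),
    "access":  ("medium", "check-then-use: result may be stale by the time the file is opened"),
}
# Calls that use a path; an access() shortly before one is the classic TOCTOU shape.
USE_CALLS = {"open", "fopen"}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    reason: str


def strip_noise(line: str) -> str:
    """Blank out string literals and comments so names inside them are not matched.
    Single-line only: a block comment spanning lines is not tracked, which is
    exactly the kind of gap a lexical tool has and a parser-based tool does not."""
    line = re.sub(r'"(\\.|[^"\\])*"', '""', line)
    line = re.sub(r"/\*.*?\*/", "", line)
    line = re.sub(r"//.*", "", line)
    return line


def scan(source: str, window: int = 5) -> List[Finding]:
    """Return findings for C source text; line numbers are 1-based."""
    lines = source.splitlines()
    findings: List[Finding] = []
    for idx, raw in enumerate(lines, start=1):
        for m in CALL_RE.finditer(strip_noise(raw)):
            name = m.group(1)
            if name not in RULES:
                continue
            severity, reason = RULES[name]
            if name == "access":
                # Look ahead `window` lines for a path-using call and escalate if found.
                ahead = " ".join(strip_noise(l) for l in lines[idx:idx + window])
                if any(re.search(r"\b%s\s*\(" % u, ahead) for u in USE_CALLS):
                    severity = "high"
                    reason += " (open/fopen follows within %d lines)" % window
            findings.append(Finding(idx, name, severity, reason))
    return findings


# Constructed sample 1: two real defects (line 8 strcpy, line 13 access before fopen).
VULNERABLE_SRC = """\
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* strcpy(dst, src) mentioned in a comment must not be reported */
void copy_name(char *dst, const char *src)
{
    strcpy(dst, src);
}

int read_config(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    FILE *f = fopen(path, "r");
    printf("strcpy inside a string literal must not be reported\\n");
    if (f) fclose(f);
    return 0;
}
"""

# Constructed sample 2: the same functions hardened; the scanner reports nothing.
HARDENED_SRC = """\
#include <stdio.h>
#include <string.h>

int copy_name(char *dst, size_t dstlen, const char *src)
{
    if (strlen(src) >= dstlen)
        return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

int read_config(const char *path)
{
    FILE *f = fopen(path, "r");   /* open first, then handle failure: no check/use window */
    if (!f)
        return -1;
    fclose(f);
    return 0;
}
"""

# Constructed sample 3: no race (different paths), but a lexical tool still flags line 3.
FALSE_POSITIVE_SRC = """\
int two_files(const char *a, const char *b)
{
    if (access(a, R_OK) != 0)
        return -1;
    FILE *f = fopen(b, "r");
    return f ? 0 : -1;
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC),
                       ("false positive", FALSE_POSITIVE_SRC)):
        print("== %s ==" % label)
        for f in scan(src):
            print("  line %d: %s() [%s] %s" % (f.line, f.func, f.severity, f.reason))
```

The third sample is the point of the "fully buildable source" criterion: confirming that the checked path and the opened path are the same object needs type and data-flow information that only a tool with a real parse of the whole program (PREfix, Coverity Prevent, Fortify SCA and the like) can have, at the cost of needing the code to compile.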

Commercial Tools from OWASP Members Of This Type
These vendors have decided to support OWASP by becoming members. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.


 * Fortify - Source Code Analysis
 * Secure Software - CodeAssure

Other Well Known Commercial Tools Of This Type

 * Ounce Labs - Ounce
 * Coverity - Prevent

More Info

 * add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
 * http://www.owasp.org/index.php/Appendix_A:_Testing_Tools