Source Code Analysis Tools - Java, JavaScript, .NET, PHP, Python, Ruby


C and C++ Source Code Analysis Tools (open source and commercial)


BLAST Berkeley Lazy Abstraction Software Verification Tool

BLAST is a software model checker for C programs. The goal of BLAST is to be able to check that software satisfies behavioral properties of the interfaces it uses. BLAST uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties. The abstraction is constructed on-the-fly, and only to the required precision.


Celerity is a powerful application for reading and maintaining C/C++ projects. It can process millions of source code lines. It supports standard C/C++ (and K&R style of sources as well). For each analyzed project, it produces a multifaceted cross-referenced database and shows the source files, include files, source and include files, indexes of lexical elements, index results, includes, include-by's, all macros, macros in a translation unit, all definitions, expandable definitions in a file, expandable definitions in a translation unit, references (function declarations and invocations), reference-by's, contents of per-directory definitions, construct hierarchy, diagnosis outputs, symbol searches, favorites, etc.


The goal of the Clang project is to create a new C, C++, Objective C and Objective C++ front-end for the LLVM compiler.

Coverity Integrity Center

Analyze source code for defects with Coverity Prevent to find and eliminate the root-cause of product delays or costly product recalls. Expose security flaws early in the lifecycle so security audit teams don’t slow you down with rework, and help the rest of your team improve the quality of their code early in the application lifecycle. Coverity supports C/C++/Java and C#.


cppcheclipse is an Eclipse plugin which integrates cppcheck with the CDT project.


cppcheck is an open source static analysis tool for C/C++ code. It checks for: memory leaks, mismatching allocation-deallocation, buffer overrun, and many more. The goal is 0% false positives.


CppChecker is a smart and fast checker for C/C++ files. It uses the outputs generated by gcc, PC-Lint or doxygen and generates markers. The markers are intuitively set, so that in most cases the marker corresponds to the location where the actual error or warning appears. A resolution is also added, as it is known from JDT, in cases where a solution was implemented or exists.


CppClean attempts to find problems in C++ source that slow development, particularly in large code bases. It is similar to lint; however, CppClean focuses on finding global inter-module problems rather than local problems similar to other static analysis tools.


Dynamic invariant detection runs a program, observes the values that the program computes, and then reports properties that were true over the observed executions. Daikon can detect properties in C, C++, Eiffel, IOA, Java, and Perl programs; in spreadsheet files; and in other data sources.


Frama-C stands for Framework for Modular Analysis of C programs. Frama-C is a set of interoperable program analyzers for C programs.

McCabe IQ

McCabe IQ Developers Edition objectively measures software quality through advanced static analysis and visualizes the architecture, highlighting the most complex areas of the code base to identify bugs and security vulnerabilities. McCabe IQ Test Team Edition provides comprehensive test / code coverage to focus, monitor, and document software testing processes. McCabe IQ Test Team Edition accurately assesses the thoroughness of your testing and aids in gauging the time and resources needed to ensure a well-tested application. McCabe IQ Enterprise Edition provides all the functionality of the Developers and Test Team Editions. In addition, it provides robust enterprise reporting, advanced reengineering capabilities, change analysis, and secure web-enabled test data collection.


Neptuner is a codebase management suite. It puts together a set of tools to simplify and enable easier maintenance of source code. The tool-suite includes programs for: browsing, commenting/review, reformatting, enforcing coding standards, beautification, generating unit-test/boilerplate code, refactoring etc.


nsiqcppstyle aims to provide an extensible, easy-to-use, highly maintainable coding style checker for C/C++ source code. Rules and the analysis engine are separated, and users can develop their own C/C++ coding style rules. Furthermore, there is a customizable rule server (Google App Engine or Django based) as well.

PVS-Studio Analyzer

PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, and it is also useful in finding misprints and copy-paste errors. PVS-Studio is integrated with the Visual Studio 2010-2019 development environment.


Shiny is a lightning fast, fully documented & by-far-easiest-to-use C/C++/Lua profiler with no extensive surgery. Results are smoothed & shown in run-time as a call-tree or sorted-by-time.

SolidFX for C/C++

The Solid Fact Extractor (SolidFX) is a standalone, non-intrusive solution for static analysis of industry-size projects written in the C and C++ programming languages. SolidFX uses proprietary technology to analyze even the most complex C/C++ code bases efficiently and robustly. SourceFX offers predefined analysis scenarios and metrics to measure C/C++ code quality, maintainability, modularity, detect potential bugs and extract design from source code – all for coding faster, cleaner, better. The tool comes with an open API for executing static analysis queries of C and C++ code bases (syntax, semantics, call and dependency graphs, and static software metrics).

SolidSDD - Software Duplication Detector

The Software Duplication Detector (SolidSDD) is a standalone application for detecting and managing source code duplication (i.e., code clones) in software. It can be used to analyze large projects and detect code that has been cloned (e.g., via cut-n-paste operations) during development. The currently supported programming languages are C, C++, C# and Java. In addition to identifying the code clone fragments, SolidSDD offers an intuitive graphical interface for assessing the code duplication characteristics and the location of the duplicated fragments in the code stack. This interface enables developers, architects and software managers to better manage the process of refactoring by assessing the required effort and establishing refactoring priorities.

SolidSX - Software eXplorer

The Software Explorer (SolidSX) is a standalone Windows application that gives insight into large software systems. SolidSX creates high-quality visualizations that simultaneously show the structure, dependencies, and metrics on all types of source code elements (files, classes, methods, fields, etc.). By using hardware-accelerated graphics, SolidSX is able to display large amounts of information in a clear and concise manner and provides fast and easy exploration through large source codes. SolidSX extracts dependencies and metrics from Microsoft .NET assemblies. This means that SolidSX supports all of the .NET programming languages, such as C#, Visual Basic, and Visual C++ (managed). We plan to add support for the Java programming language in an upcoming version.


Sparse, the semantic parser, provides a compiler frontend capable of parsing most of ANSI C as well as many GCC extensions, and a collection of sample compiler backends, including a static analyzer also called "sparse".


Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes.


VectorCAST/C++ is an integrated software test solution that significantly reduces the time, effort, and cost associated with testing C/C++ software components necessary for validating safety- and mission-critical embedded systems.


XTRAN is a software engineering meta-tool whose powerful rules language can automate the manipulation of assemblers, 3GLs, 4GLs, XML, HTML, and proprietary, scripting, data base, and Domain Specific languages:
* Analysis -- pulling information out of the code.
* Re-engineering -- applying systematic changes to the code.
* Translation -- moving the code to a different language, with the same functionality.


Yasca consists of two components:
* a framework for conducting source code analyses, and
* an implementation of that framework, leveraging custom plugins, FindBugs, PMD, and Jlint

Yasca is a command-line tool. Just point it at your code base and watch it go to work. The output is an HTML file containing all findings.


Zoom is a low-overhead graphical and command-line profiler for Linux. A Zoom profile is system-wide, precise down to the instruction level, and captures backtraces. This lets you see exactly what was running, where time was spent, and how that code was called. Drill down into critical code to get detailed performance data. Zoom analyzes and annotates your code with specific tuning advice for many compilers and processors. Share what you find with colleagues or archive it for later review. Zoom saves profiles as a single, self-contained session file that can be emailed or attached to bug reports. Zoom also supports remote network profiling and scripting.