Source Code Analysis Tools - Java, JavaScript, .NET, PHP, Python, Ruby


Java Source Code Analysis Tools (open source and commercial)


Stan - Structure Analysis for Java

STAN encourages developers to visualize their design, understand code, measure quality and report design flaws. STAN supports a set of carefully selected metrics, suitable to cover the most important aspects of structural quality. Special focus has been set on visual dependency analysis, a key to structure analysis. STAN provides its own perspective, showing various dependency graphs, ranking metric violations, generating HTML reports, etc.


The AgitarOne product family helps you work safer, better, and smarter as you develop and maintain your Java applications. AgitarOne JUnit Generator creates thorough JUnit tests on your code. This helps you find regressions and makes it safer and easier to improve your code to reduce the cost to maintain it. AgitarOne Agitator helps developers understand the behavior of their code as they write it. This helps you prevent bugs and prevent code complexity that can become tomorrow's maintenance headache.


Allmon is a generic system collecting and storing metrics used for performance and availability monitoring.


CallGraph is a view plugin for Eclipse that enables graphical exploration of call and class hierarchies. Leverages the internal platform Call Hierarchy and Search mechanisms and uses Zest to provide a searchable graphical representation of the caller/callee relations between methods (including constructors and internal classes) and sub/super-class relations between classes. Designed to help understand complex call and class relations in larger scale applications.


Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans this boring (but important) task. This makes it ideal for projects that want to enforce a coding standard. Checkstyle is highly configurable and can be made to support almost any coding standard.


The program ckjm calculates Chidamber and Kemerer object-oriented metrics by processing the bytecode of compiled Java files.


Classycle's Analyser analyses the static class and package dependencies in Java applications or libraries. It is especially helpful for finding cyclic dependencies between classes or packages. Classycle's Dependency Checker searches for unwanted class dependencies described in a dependency definition file. Dependency checking helps to monitor whether certain architectural constraints (e.g. in a layered architecture) are fulfilled or not.

CodePro AnalytiX

CodePro Analytix is a comprehensive set of software analysis tools composed of a collection of native Eclipse plugins. CodePro seamlessly integrates into any Eclipse based Java desktop development environment, adding static code analysis (with nearly 1,000 audit rules), metrics, automated test generation, JUnit test editing, and team collaboration functionality. Extensive security audit rules were recently added to enable developers to automatically detect and address security vulnerabilities as they are writing code, thus closing the opportunities for potential malicious users, and focusing on quality earlier in the software development lifecycle (SDLC). Seamless integration with Eclipse, IBM Rational, JBuilder and MyEclipse.


Dynamic invariant detection runs a program, observes the values that the program computes, and then reports properties that were true over the observed executions. Daikon can detect properties in C, C++, Eiffel, IOA, Java, and Perl programs; in spreadsheet files; and in other data sources.


FindBugs is a program which uses static analysis to look for bugs in Java code. FindBugs requires JRE (or JDK) 1.5.0 or later to run. However, it can analyze programs compiled for any version of Java, from 1.0 to 1.8.


Jensor is a light-weight, low-overhead Java profiler written entirely in Java. Jensor is built on ByteCode Instrumentation (BCI) technology. Jensor provides innovative analysis techniques that help to detect and eliminate bottlenecks in Java applications. From a functionality perspective Jensor captures data from running applications and provides offline analysis. It also has the capability to start and stop profiling from Jensor Analysis WorkBench (JAW). JAW is a Java swing-based client and provides GUI for analyzing data captured by Jensor. Jensor also provides rudimentary Security mechanisms by allowing only authorized users to start / stop and view profiling data.



JRipples helps programmers during software change. JRipples is based on the philosophy of "intelligent assistance", which requires close cooperation between the programmer and the tool. The tool analyzes the program, keeps track of the inconsistencies, and automatically marks the components to be visited by the programmer.

McCabe IQ

McCabe IQ Developers Edition objectively measures software quality through advanced static analysis and visualizes the architecture, highlighting the most complex areas of the code base to identify bugs and security vulnerabilities. McCabe IQ Test Team Edition provides comprehensive test / code coverage to focus, monitor, and document software testing processes. McCabe IQ Test Team Edition accurately assesses the thoroughness of your testing and aids in gauging the time and resources needed to ensure a well-tested application. McCabe IQ Enterprise Edition provides all the functionality of the Developers and Test Team Editions. In addition, it provides the robust enterprise reporting, advanced reengineering capabilities, change analysis, and secure web-enabled test data collection.


PMD scans Java source code and looks for potential problems like:
* Possible bugs - empty try/catch/finally/switch statements
* Dead code - unused local variables, parameters and private methods
* Suboptimal code - wasteful String/StringBuffer usage
* Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
* Duplicate code - copied/pasted code means copied/pasted bugs


Prefix is a free Java and .NET dynamic source code analyzer. You can use Prefix every day while you are writing and testing your code to validate the behavior of your code, find hidden exceptions in your code, identify slow SQL queries and N+1 problems, and review the performance of your code.

PVS-Studio Analyzer

PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs written in C, C++, C# and Java. It works under 64-bit systems in Windows, Linux and macOS environments, and can analyze source code intended for 32-bit, 64-bit and embedded ARM platforms. PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks, and it is also useful in finding misprints and copy-paste errors. PVS-Studio is integrated with the Visual Studio 2010-2019 development environment.

SolidSDD - Software Duplication Detector

The Software Duplication Detector (SolidSDD) is a standalone application for detecting and managing source code duplication (i.e., code clones) in software. It can be used to analyze large projects and detect code that has been cloned (e.g., via cut-n-paste operations) during development. The currently supported programming languages are C, C++, C# and Java. In addition to identifying the code clone fragments, SolidSDD offers an intuitive graphical interface for assessing the code duplication characteristics and the location of the duplicated fragments in the code stack. This interface enables developers, architects and software managers to better manage the process of refactoring by assessing the required effort and establishing refactoring priorities.


Soot is a Java optimization framework. It provides four intermediate representations for analyzing and transforming Java bytecode. Soot can be used as a standalone tool to optimize or inspect class files, as well as a framework to develop optimizations or transformations on Java bytecode.


Squale is a qualimetry platform that analyzes multi-language software applications in order to give a sharp and comprehensive picture of their quality.


Tattletale is a tool that can help you get an overview of the project you are working on or a product that you depend on.


Testability-explorer is a tool which analyzes Java bytecode and computes how difficult it will be to write unit tests. It attempts to help you quantitatively determine how hard your code is to test and where to focus to make it more testable.


UCDetector (Unnecessary Code Detector - pronounced "You See Detector") is an Eclipse plug-in tool to find unnecessary (dead) public Java code, for example public classes, methods or fields which have no references. UCDetector creates markers for the following problems, which appear in the Eclipse problem view.


The goal of Usus is to provide Eclipse Plug-Ins that help to integrate common compiler and formatter settings in the Eclipse workspace, support Checkstyle, EclEmma and other tools, and apply some OO design metrics to analyse weak spots in the code.


Yasca consists of two components: a framework for conducting source code analyses, and an implementation of that framework, leveraging custom plugins, FindBugs, PMD, and Jlint