Best open source tools for static code analysis


1) Yet Another Static Code Analyzer (YASCA)

YASCA is a static code analysis tool that can analyze PHP, Java, C/C++ and JavaScript code for security vulnerabilities and code quality issues. One of its main advantages is that it can integrate other tools and plugins in order to cover many more programming languages.
YASCA runs from the command line and can generate reports in HTML, XML and CSV formats.

Languages: Multi Language

Platforms: Windows and Linux

2) Pixy

Pixy is a static code analysis tool written in Java that scans PHP 4 code for XSS and SQL injection vulnerabilities by following untrusted input (taint analysis) from where it enters the script to where it reaches a dangerous function. Pixy is considered one of the best tools for discovering SQL injection vulnerabilities in PHP code; its main limitation is that it supports only PHP 4.

Languages: PHP4

Platforms: Windows and Linux

3) AppCodeScan

AppCodeScan uses regular expression string matching to identify dangerous functions and strings in the code. The vulnerabilities it can discover include XSS, SQL injection, poor input validation and many more. AppCodeScan is a GUI-based tool that runs on the .NET Framework.

Languages: Multi Language

Platform: Windows

4) LAPSE

LAPSE is a static code security scanner for Java EE (J2EE) applications that can discover common vulnerabilities, including cookie poisoning, SQL injection, XSS and XML injection. LAPSE is an OWASP project.

Languages: Java (J2EE)

Platforms: Windows, Linux and OS X

IDE: Eclipse

5) SWAAT

SWAAT scans source code and tries to discover common vulnerabilities using XML-based signature files, so new checks can be added by writing a signature rather than changing the tool. SWAAT is a command line tool.

Languages: PHP, JSP and ASP.NET

Platforms: Windows, Linux, OS X
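The signature-driven approach used by AppCodeScan and SWAAT is easy to prototype, and a small prototype also makes its trade-offs visible. The following Python script is an added example, not code from either tool: it applies a handful of constructed regular-expression signatures (illustrative assumptions, not the tools' real rule sets) to an embedded PHP fragment that is likewise constructed for this page. Run twice, it shows the approach's characteristic weaknesses: a commented-out `system()` call is reported as a finding unless comment lines are skipped (a false positive), while a query built from `$id` is missed because the signature only recognises `$_GET` on the same line (a false negative).

```python
import re
from typing import NamedTuple

# Constructed signature set in the spirit of AppCodeScan / SWAAT signature files.
# These patterns are illustrative assumptions, not either tool's actual rules.
SIGNATURES = {
    "php-sqli-concat": re.compile(r"\bmysql_query\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "php-xss-echo":    re.compile(r"\becho\b.*\$_(GET|POST|REQUEST)\b"),
    "php-eval":        re.compile(r"\beval\s*\("),
    "php-exec":        re.compile(r"\b(system|exec|shell_exec|passthru)\s*\("),
}

# Lines that are entirely a comment; a naive scanner treats them like code.
COMMENT_LINE = re.compile(r"^\s*(//|#|\*|/\*)")


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


def scan(source: str, skip_comments: bool = True) -> list[Finding]:
    """Apply every signature to every line; report (line, rule, text) hits."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if skip_comments and COMMENT_LINE.match(line):
            continue
        for rule, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line.strip()))
    return findings


# Constructed PHP fragment (not from any real application).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
// system("rm -rf " . $dir);   old code, commented out
$r = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
echo $_POST['name'];
$q = mysql_query("SELECT * FROM users WHERE id=" . $id);
eval($code);
"""

if __name__ == "__main__":
    for skip in (True, False):
        print(f"skip_comments={skip}:")
        for f in scan(SAMPLE_PHP, skip_comments=skip):
            print(f"  line {f.line_no}: {f.rule}: {f.text}")
```

With `skip_comments=True` the scanner reports lines 4, 5 and 7; with `skip_comments=False` it also reports the dead code on line 3. In neither run does it report line 6, where `$_GET['id']` reaches `mysql_query()` through the intermediate variable `$id`: per-line matching has no notion of data flow, which is why these tools produce both false positives and false negatives and why a reviewer still has to read the hits.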

6) Microsoft Source Code Analyzer for SQL Injection (MSCASI)

Microsoft Source Code Analyzer for SQL Injection is a tool for reviewing classic ASP code for SQL injection vulnerabilities. It was not designed for ASP.NET code and scans only classic ASP pages.

Languages: ASP

Platforms: Windows

7) Microsoft Code Analysis Tool (CAT.NET)

CAT.NET is a static code analysis tool that works on compiled .NET binaries and can identify vulnerabilities such as XSS, XPath injection and SQL injection in applications written in C#, Visual Basic .NET and J#. CAT.NET discovers these vulnerabilities by analysing the application's binary and tracing data flow across its statements and methods, so a tainted value is followed from where it enters the program to the method where it is used.

Languages: C#, Visual Basic .NET and J#

Platform: Windows

IDE: Visual Studio
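Pixy and CAT.NET go further than per-line pattern matching: they follow data from an untrusted source through assignments to a dangerous sink, and stop following it once it passes through a sanitiser. The script below is an added Python example, not code from Pixy or CAT.NET, that does this over straight-line PHP statements. The source, sink and sanitiser names are assumptions chosen for the constructed sample, and no branches, loops or function calls are modelled, which is exactly where the real tools do their hard work; the point is to show why a data-flow analysis finds flows that a single-line signature cannot, and why it stays quiet on sanitised or overwritten values.

```python
import re
from dataclasses import dataclass

# Assumed taint model (illustrative, not Pixy's or CAT.NET's actual rule set).
SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SANITIZER_CALL = re.compile(
    r"\b(intval|htmlspecialchars|mysql_real_escape_string)\s*\([^()]*\)")
SINKS = [
    ("mysql_query", "SQL injection", re.compile(r"\bmysql_query\s*\((.+)\)")),
    ("echo",        "XSS",           re.compile(r"\becho\s+(.+?);")),
]
VAR = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+);\s*$")


@dataclass
class Finding:
    line_no: int
    sink: str
    vuln: str
    via: list[str]   # names the taint flowed through, source first


def taint_chain(expr: str, tainted: dict[str, list[str]]) -> list[str]:
    """Return the taint chain reaching `expr`, or [] if it is clean.

    A sanitiser call is removed together with its argument, so anything
    wrapped in one contributes no taint to the expression."""
    cleaned = SANITIZER_CALL.sub("", expr)
    src = SOURCE.search(cleaned)
    if src:
        return [src.group(0)]
    for var in VAR.findall(cleaned):
        if var in tainted:
            return tainted[var]
    return []


def analyse(source: str) -> list[Finding]:
    """Forward taint propagation over straight-line PHP statements."""
    tainted: dict[str, list[str]] = {}   # variable -> chain that tainted it
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m:
            dst, rhs = m.group(1), m.group(2)
            chain = taint_chain(rhs, tainted)
            if chain:
                tainted[dst] = chain + [dst]
            else:
                tainted.pop(dst, None)   # overwritten with a clean value
        for name, vuln, pattern in SINKS:
            s = pattern.search(line)
            if s:
                chain = taint_chain(s.group(1), tainted)
                if chain:
                    findings.append(Finding(line_no, name, vuln, chain))
    return findings


# Constructed PHP fragment (not from any real application).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$safe_id = intval($id);
mysql_query("SELECT * FROM users WHERE id=" . $id);
mysql_query("SELECT * FROM users WHERE id=" . $safe_id);
$copy = $id;
$id = 42;
mysql_query("SELECT * FROM users WHERE id=" . $id);
mysql_query("SELECT * FROM users WHERE id=" . $copy);
echo "Hello " . $name;
echo "Hello " . htmlspecialchars($name);
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_PHP):
        print(f"line {f.line_no}: {f.vuln} in {f.sink}() via {' -> '.join(f.via)}")
```

The analysis reports three flows: line 5 (`$_GET -> $id`), line 10 (`$_GET -> $id -> $copy`, a flow no single-line signature would see) and line 11 (`$_POST -> $name`). Lines 6 and 12 are clean because the value passed through `intval()` or `htmlspecialchars()`, and line 9 is clean because `$id` was overwritten with a constant on line 8. Real tools must additionally merge taint across branches, loops, method calls and, for CAT.NET, the compiled intermediate language, which is where most of their complexity and most of their remaining false positives come from.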


Each of these open source tools has limitations, and using any of them still requires significant manual effort to weed out false positives and to turn the raw output into a usable report. Snappy Tick's static code analysis tooling exists to help perform that task effectively and within a fixed time frame. Even so, the use of such tools can make the source code review of an application a considerably easier task.