Top Free Static Code Analysis Tools

Maxpower
Mar 5, 2018 · 4 min read

How many times have you needed an automatic static code analyzer, and what was your first option? Many people think of commercial solutions like Fortify or Veracode, but what about the free options? The commercial options are too expensive for small companies or for freelance security specialists. For that reason, we are going to enumerate the top free static code analysis tools.

Brakeman

For: Ruby
Setup: Requires Ruby and RubyGems. Install using “gem install brakeman”.
How to use: “brakeman application_path”
Link: https://github.com/presidentbeef/brakeman
Comments: It is the best scanner for Ruby. Its specialty is Ruby on Rails applications.

Brakeman — Ruby

NodeJsScan

For: NodeJs
Setup: It only requires Python.
How to use: “python NodeJsScan.py -d <dir>”
Link: https://github.com/ajinabraham/NodeJsScan
Comments: This scanner produces very few false positives, and it receives periodic updates.

NodeJs Scan — NodeJs

RIPS

For: PHP
Setup: It requires PHP.
How to use: RIPS is a web application written in PHP; you have to install the Apache HTTP Server and run the web application.
Link: https://sourceforge.net/projects/rips-scanner
Comments: This is a great scanner that finds a lot of possible issues. Sadly, the new version is not free, so the free version is no longer supported.

RIPS — PHP

Findbugs

For: Java
Setup: It requires Java SE.
How to use: Open the jar application, and select the source code folder.
Link: http://findbugs.sourceforge.net/
Comments: Findbugs is a general-purpose scanner that looks for bugs and bad practices. In particular, it has a security module that can find security issues like XSS, SQLi, etc.

Findbugs — Java

Microsoft FxCop

For: .Net
Setup: It requires .Net.
How to use: Open the application, and select the exe or dll files.
Link: https://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx
Comments: This is a good scanner; it will find most of the vulnerabilities. It analyzes compiled files, so if you only have the source code, you need to compile it first.

Microsoft FxCop — .Net

JsHint

For: JavaScript
Setup: It requires NodeJs. To install run “npm install -g jshint”.
How to use: “jshint application_path”
Link: http://jshint.com
Comments: It reports a lot of false positives. It also finds bad coding practices, and most of those are not false positives (LOL).

JsHint — JavaScript

CodeCrawler

For: C#
Setup: It requires .Net.
How to use: Open the application and select the folder with the source code.
Link: https://codecrawler.codeplex.com/
Comments: It reports a lot of false positives and fails several times (it crashes).

CodeCrawler — C#

YASCA

For: .Net, Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL
Setup: Install the msi.
How to use: “yasca.exe application_path”
Link: http://www.scovetta.com/yasca.html
Comments: It is a multi-language scanner. It reports a lot of false positives, but it finds some bad practices too.

Yasca — .Net, Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL

Visual Code Grepper

For: C++, C#, VB, PHP, Java and PL/SQL
Setup: Install the msi.
How to use: Open the application and select the source code.
Link: https://sourceforge.net/projects/visualcodegrepp/
Comments: It is a multi-language scanner too. It reports a lot of false positives, but fewer than YASCA.

Visual Code Grepper — C++, C#, VB, PHP, Java and PL/SQL

Graudit (Only Linux)

For: ASP, JSP, Perl, PHP, Python
Setup: Download and execute.
How to use: “graudit application_path”.
Link: https://github.com/wireghoul/graudit
Comments: This scanner uses a knowledge base made of regular expressions. Its main advantage is that it can easily be customized to find custom issues. Using the default database, I did not get good results: a lot of false positives were found, and many real issues were not identified.

Graudit — ASP, JSP, Perl, PHP, Python
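To show what a regex knowledge base like Graudit's does, and why it produces both false positives and misses, here is an added example (not Graudit's own code): a minimal signature scanner run over a constructed PHP snippet with a constructed, custom signature database. The signature names, the sample PHP and the comment-skipping option are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database in Graudit's spirit: one regular expression
# per issue. The names are hypothetical; the patterns are deliberately naive.
CUSTOM_DB: Dict[str, str] = {
    "code-injection": r"\beval\s*\(",
    "untrusted-input": r"\$_(GET|POST|REQUEST|COOKIE)\s*\[",
    "sql-query": r"\b(mysql|mysqli)_query\s*\(",
}

# Constructed PHP input used as the scan target.
SAMPLE_PHP = """<?php
// Avoid eval( here; this comment alone trips a naive regex scanner
$id = $_GET['id'];
$r = mysqli_query($db, "SELECT * FROM t WHERE id=$id");
$f = call_user_func($_REQUEST['fn']);
$g = call_user_func('handler_' . $name);
"""

# Lines that are only a comment (//, #, or a block-comment continuation).
COMMENT_LINE = re.compile(r"^\s*(//|#|\*|/\*)")


def scan(source: str, db: Dict[str, str],
         skip_comments: bool = False) -> List[Tuple[int, str]]:
    """Return (line_number, issue) pairs for every signature matching a line.

    Like a grep-based scanner, this matches text only: line 2 is flagged
    because the comment mentions eval(, while the dynamic call on line 6
    is never reported because no signature describes it.  Skipping
    comment-only lines removes the first kind of false positive cheaply.
    """
    compiled = {name: re.compile(pattern) for name, pattern in db.items()}
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if skip_comments and COMMENT_LINE.match(line):
            continue
        for name, rx in compiled.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for lineno, issue in scan(SAMPLE_PHP, CUSTOM_DB, skip_comments=True):
        print(f"line {lineno}: {issue}")
```

Adding a signature to CUSTOM_DB is all it takes to catch the line-6 pattern, which is exactly the customization advantage described above; the cost is that every signature is only as precise as its regex.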

Code Warrior (Only Linux)

For: C, C#, PHP, Java, Ruby, ASP, JavaScript
Setup: Download it and compile it using “make”.
How to use: Open the application and select the source code.
Link: https://github.com/CoolerVoid/codewarrior
Comments: Like RIPS, this scanner is a web application, but it does not need Apache: just run the scanner and the browser will be opened. Then we have to select the source code. In my opinion, and based on the results, this “multi” scanner is the best option. It finds a lot of issues with a low rate of false positives.

Code Warrior — C, C#, PHP, Java, Ruby, ASP, JavaScript


Written by

Maxpower

Pentester & Developer — Red LinkAR