The information in the automated detection sections on this wiki may be
- provided by the vendors
- determined by CERT by informally evaluating the analyzer
- determined by CERT by reviewing the vendor documentation
Where possible, we try to reference the exact version of the tool for which the results were obtained. Because these tools evolve continuously, this information can rapidly become dated and obsolete.
8 Comments
Ludwig Schreier
Hello,
I wonder if it would be helpful to add Eclipse IDE's integrated Code Analysis "Codan" to the list? The intention of the checker might be slightly different (API, integration of checkers), but it still comes with a default (small) list of recommendations (Coding Style, Potential Programming Problems, Security Vulnerabilities, Syntax and Semantic Errors).
http://wiki.eclipse.org/CDT/designs/StaticAnalysis
https://drive.google.com/file/d/1UNayw6WbckeiBLb2psf0xsyGmFf9dApwoB2BbaipU0-8c-fu3bxzCz9eSt9Q/view
Kind regards
Ludwig Schreier
Another question.
Is PC-Lint a candidate to include in the list?
Regards
David Svoboda
Ludwig:
Most of the information in these Analyzers pages was entered by the vendors. They did not edit these pages; instead they added their checkers to each rule page for which they have a checker. As such, we would welcome data for Eclipse and PC-Lint if a volunteer were to manually add their mappings.
Note that Eclipse has several SA tools and compilers, such as its native Java compiler (which can be used as a SA tool).
Yozo TODA
I noticed SonarQube and Polyspace are not included in this list, because those tool pages have no "analyzer" label, I think.
Was the label just forgotten, or is this intentional?
Will Snavely
Thank you for the note. This should be fixed now.
Brad Murray
The Analyzer sections would be even more useful if they included some indication of the coverage the rule set provides, especially if broken down by severity. Has anyone already done this work?
David Svoboda
These pages are scraped from the Secure Coding rule pages. Those pages occasionally have additional details about each tool & checker.
Robert Lee
I'd like to see the following analyzers added to the list
IAR C-STAT https://www.iar.com/iar-embedded-workbench/add-ons-and-integrations/c-stat-static-analysis/
Checkmarx https://www.checkmarx.com/