Checking computer code can be a long and tedious process, however, it is absolutely a necessary one to ensure that unforeseen bugs are not introduced or created with existing code. There are literally hundreds of tools for static code review available so it is key that you choose the right one to match your needs and requirements.

Secure Code Analysis

1. One of the better tools, from a security point of view, is Veracode. This tool is built on the SaaS model similar to SalesForce so you will be paying for it based on the number of users, however, because it is a SaaS product, it is also guaranteed to always be up to date with the latest vulnerabilities tracked and included.

2. Another good tool that focuses on security is HP Fortify SCA. Security related issues are presented in a ranked list with the most critical issues at the top. Care must be taken with Fortify however, as it sometimes is a bit too granular, and can present false positives.

Open Source Tools

1. Coverity Scan is an extremely good tool which is definitely one of the better choices for reviewing code written in any of the ‘C’ programming language flavors or Java flavors. It minimizes the false positives seen in other static code checkers and focuses on the “big” problems.

2. RIPS and Clang Static Analyzer are also good open source options, however, they are each a bit more specialized with RIPS focused on PHP and Clang utilizing the clang library.

Static Code Checker

1. An excellent tool that gives you lots of options for static analysis testing is Parasoft. Parasoft offers pattern based, flow based, and multivariate testing to start with; and while it is not open source, it is definitely worth the investment.

2. Another really good tool on the static side has to be CodeSonar. In addition to the static checks mentioned above, it also allows customizable checkpoints and has a module to detect security vulnerabilities as well. If you can only purchase one tool, this should be the one you are looking at.

Hopefully, this article will help you make your decision, but the key thing to keep in mind is that each of these tools are built for specific needs and requirements. You need to determine what your goal is and then pick the correct one for your needs. Take advantage of the trials on offer before making a final decision.

https://www.checkmarx.com/technology/static-code-analysis-sca/