[Java-project] Static code analyzer.

JIM BIRD jimbird at shaw.ca
Fri Oct 30 18:20:31 EDT 2009


FindBugs has only primitive security checks. I am not aware of any other open source solutions. Options for commercial static analysis tools include:
- Fortify: www.fortify.com
- IBM (now including technology from the Ounce Labs acquisition): the product portfolio is often being reorganized, so IBM's static analysis tools are somewhere under the Rational brand, or you can find the Ounce Labs technology directly at www.ouncelabs.com
- Coverity Prevent: www.coverity.com
- Klocwork - offers an inexpensive tool for individual Java developers, Solo: www.klocwork.com

----- Original Message -----
From: John Towell <jtowell at agiletechgroup.com>
Date: Friday, October 30, 2009 2:57 pm
Subject: [Java-project] Static code analyzer.
To: java-project at lists.owasp.org

> I was wondering if anyone knew of an up to date tool to analyze static Java
> code for security concerns. We are looking for something similar to:
> 
> http://suif.stanford.edu/~livshits/work/lapse/
> 
> Although this project seems to have been abandoned; the last time it was
> touched looks to be 2006. We would be interested in a defined ruleset for
> Checkstyle/PMD/FindBugs as an alternative. I have looked at those tools and
> cannot find anything related to security. Let me know if you have any
> information in this area.
> 
> Thanks,
> 
> -John Towell
> 
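As an added illustration of the kind of security rule the thread is asking about (this is not code from either poster, from FindBugs, PMD or LAPSE), the following stand-alone checker uses the JDK's own parser API (com.sun.source.*, available in any JDK 17+ with the jdk.compiler module) to flag calls to executeQuery/executeUpdate/execute/exec whose first argument is built by string concatenation, the classic SQL/OS-command injection sink. The class name SinkConcatChecker, the sink list, and the embedded sample source are assumptions made for this example; matching is by method name only, with no type resolution, so it is a starting point rather than a replacement for a real taint analysis.

```java
import com.sun.source.tree.*;
import com.sun.source.util.JavacTask;
import com.sun.source.util.SourcePositions;
import com.sun.source.util.TreeScanner;
import com.sun.source.util.Trees;

import javax.tools.JavaCompiler;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.ToolProvider;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Hypothetical minimal checker: flags SQL/OS-command sinks whose first argument is a '+' concatenation. */
public class SinkConcatChecker {

    // Assumed sink names; matched by simple name only (no type resolution), so expect some false positives.
    private static final Set<String> SINKS = Set.of("executeQuery", "executeUpdate", "execute", "exec");

    /** One finding: source line plus the offending call, pretty-printed. */
    public record Finding(long line, String call) {}

    /** Parses (does not compile) the given source text and returns every sink call fed by concatenation. */
    public static List<Finding> check(String className, String source) throws Exception {
        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
        JavaFileObject file = new SimpleJavaFileObject(
                URI.create("string:///" + className + ".java"), JavaFileObject.Kind.SOURCE) {
            @Override public CharSequence getCharContent(boolean ignoreEncodingErrors) { return source; }
        };
        // Null file manager / diagnostics / options: the compiler supplies its defaults.
        JavacTask task = (JavacTask) compiler.getTask(null, null, null, null, null, List.of(file));
        SourcePositions positions = Trees.instance(task).getSourcePositions();
        List<Finding> findings = new ArrayList<>();

        for (CompilationUnitTree unit : task.parse()) {
            new TreeScanner<Void, Void>() {
                @Override
                public Void visitMethodInvocation(MethodInvocationTree node, Void p) {
                    String name = calledName(node.getMethodSelect());
                    if (SINKS.contains(name) && !node.getArguments().isEmpty()
                            && isConcatenation(node.getArguments().get(0))) {
                        long pos = positions.getStartPosition(unit, node);
                        findings.add(new Finding(unit.getLineMap().getLineNumber(pos), node.toString()));
                    }
                    return super.visitMethodInvocation(node, p); // keep scanning nested calls
                }
            }.scan(unit, null);
        }
        return findings;
    }

    /** Simple name of the invoked method: handles both 'st.executeQuery(...)' and 'executeQuery(...)'. */
    private static String calledName(ExpressionTree select) {
        if (select instanceof MemberSelectTree ms) return ms.getIdentifier().toString();
        if (select instanceof IdentifierTree id) return id.getName().toString();
        return "";
    }

    /** True if the expression is a '+' binary tree, looking through parentheses. */
    private static boolean isConcatenation(ExpressionTree expr) {
        if (expr instanceof ParenthesizedTree pt) return isConcatenation(pt.getExpression());
        return expr.getKind() == Tree.Kind.PLUS;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one concatenated query (flagged) and one parameterised query (not flagged).
        String sample = """
            import java.sql.*;
            class Dao {
              ResultSet find(Connection c, String user) throws SQLException {
                Statement st = c.createStatement();
                ResultSet bad = st.executeQuery("SELECT * FROM users WHERE name = '" + user + "'");
                PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
                ps.setString(1, user);
                return ps.executeQuery();
              }
            }
            """;
        for (Finding f : check("Dao", sample)) {
            System.out.println("line " + f.line() + ": sink fed by concatenation: " + f.call());
        }
    }
}
```

Run it with `java SinkConcatChecker.java` on JDK 17 or later; it reports the concatenated executeQuery on line 5 of the sample and stays silent on the PreparedStatement path. To turn this into something closer to a PMD or FindBugs rule you would resolve the receiver's type (via the Trees/Elements API after task.analyze()) so that only java.sql.Statement and java.lang.Runtime sinks match, and follow local variables back to see whether the concatenated value reached the sink indirectly.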