What tools do you use for static code analysis? [closed]

笑着哭i submitted on 2019-12-04 07:31:45

Question


This question on Cyclomatic Complexity made me think more about static code analysis. Analyzing code complexity and consistency is occasionally useful, and I'd like to start doing it more. What tools do you recommend (per language) for such analysis? Wikipedia has a large list of tools, but which ones have people tried before?

Edit: As David points out, this is not a completely unasked question when it comes to C/UNIX based tools.


Answer 1:


I have been setting up a Hudson continuous integration (CI) build system for my Objective-C iPhone projects (iOS apps), and have compiled a varied list of tools that can be used to analyze my projects during a build:

  • Clang static analyzer: free, up-to-date stand-alone tool that catches more issues than the version of Clang included with Xcode 4. Active project. -- visit http://clang-analyzer.llvm.org

  • Doxygen: free documentation generation tool that also generates class dependency diagrams. Active project. -- visit http://www.doxygen.nl

  • HFCCA (header-free cyclomatic complexity analyzer): free Python script to calculate code complexity, but without header files and pre-processors. Supports output in XML format for Hudson/Jenkins builds. Active project. -- visit http://code.google.com/p/headerfile-free-cyclomatic-complexity-analyzer

  • CLOC (count lines of code): free tool to count files, lines of code, comments, and blank lines. Supports diffing, so you can see the differences between builds. Active project. -- visit http://cloc.sourceforge.net

  • SLOCcount (source lines of code count): a free tool to count lines of code and estimate the costs and time associated with a project. Does not appear to be active. -- visit http://sourceforge.net/projects/sloccount and http://www.dwheeler.com/sloccount

  • AnalysisTool: free code analysis tool that measures code complexity and also generates dependency diagrams. Not active. Does not seem to work with Xcode 4, but I would love to get it working. -- visit http://www.karppinen.fi/analysistool
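As an added example (not code from the original post, and not the code of HFCCA or any other tool listed above), here is a minimal cyclomatic-complexity calculator for Python source built on the standard-library `ast` module. It shows the kind of control-flow counting that complexity tools do: every function starts at 1, and each construct that opens an extra independent path adds one. The sample source is constructed, and the exact set of decision points counted is an assumption of this example; real tools differ in detail.

```python
import ast
from typing import Dict, List, Tuple

# Constructed sample source (not from any real project); the comments mark the
# decision points the calculator is expected to count.
SAMPLE_SOURCE = '''
def trivial(x):
    return x + 1

def branchy(values, threshold):
    total = 0
    for v in values:              # +1 (loop)
        if v > threshold:         # +1 (if)
            total += v
        elif v < 0 and v != -1:   # +1 (elif) +1 (and)
            total -= v
    try:
        return total / len(values)
    except ZeroDivisionError:     # +1 (except handler)
        return 0
'''


class _DecisionCounter(ast.NodeVisitor):
    """Counts the decision points inside one function body.

    Complexity starts at 1 (the straight-line path) and grows by one for
    each construct that creates an additional independent path.
    """

    def __init__(self) -> None:
        self.complexity = 1

    def _branch(self, node: ast.AST) -> None:
        self.complexity += 1
        self.generic_visit(node)

    # if/elif (an elif is an If node nested in orelse), ternaries, loops and
    # except clauses each add one path.
    visit_If = visit_IfExp = visit_For = visit_AsyncFor = _branch
    visit_While = visit_ExceptHandler = _branch

    def visit_BoolOp(self, node: ast.BoolOp) -> None:
        # `a and b and c` can short-circuit at n-1 points.
        self.complexity += len(node.values) - 1
        self.generic_visit(node)

    def visit_comprehension(self, node: ast.comprehension) -> None:
        # Each `for` clause is a loop and each `if` filter is a branch.
        self.complexity += 1 + len(node.ifs)
        self.generic_visit(node)

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        # A nested def gets its own score; do not fold it into the parent.
        return None

    visit_AsyncFunctionDef = visit_FunctionDef


def function_complexities(source: str) -> Dict[str, int]:
    """Return {function name: cyclomatic complexity} for every def in `source`."""
    tree = ast.parse(source)
    results: Dict[str, int] = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            counter = _DecisionCounter()
            # generic_visit visits only the children, so the nested-def guard
            # above does not stop us from scoring this function's own body.
            counter.generic_visit(node)
            results[node.name] = counter.complexity
    return results


def over_threshold(source: str, limit: int = 10) -> List[Tuple[str, int]]:
    """Functions whose complexity exceeds `limit`, worst first.

    A CI job such as the Hudson setup described above can fail the build
    when this list is non-empty.
    """
    hits = [(n, c) for n, c in function_complexities(source).items() if c > limit]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in sorted(function_complexities(SAMPLE_SOURCE).items()):
        print(f"{name:10s} complexity={score}")
    print("over limit 5:", over_threshold(SAMPLE_SOURCE, limit=5))
```

Run it on a file's contents instead of `SAMPLE_SOURCE` to score a real module; the threshold in `over_threshold` is the knob a build gate would tune.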




Answer 2:


For C and Objective-C, you can also use the LLVM/Clang Static Analyzer.

It's Open Source and under active development.




Answer 3:


For .Net we use NDepend. It is a great tool and can be integrated to the build (we use CCNet).

http://www.ndepend.com/

HTH.




Answer 4:


For C++, I use CppCheck. It seems to work fine.




Answer 5:


I use the PMD plugin for Eclipse a lot. It's pretty nice, and very configurable. CheckStyle is also good, if you're looking for more of a style enforcer.




Answer 6:


Checkstyle, Findbugs, and PMD all work pretty well in Java. I'm currently pretty happy with PMD running in NetBeans. It has a fairly simple GUI for managing what rules you want to run. It's also very easy to run the checker on one file, an entire package, or an entire project.




Answer 7:


Also see the question Choosing a static code analysis tool if you're looking for C/UNIX based tools.




Answer 8:


Obviously, the answer depends on the programming languages. UNO is good for C programs.

@Thomas Owens: I think you meant Splint.




Answer 9:


Lint is the only one I have used at a previous position. It wasn't bad; most of the things it suggested were good catches, some didn't make much sense. As long as you don't have a process in place to ensure that there are no lint errors or warnings, then it is useful to perhaps catch some otherwise hidden bugs.




Answer 10:


We use Coverity Prevent at Palm for C and C++ code analysis, and it's done a great job of uncovering some hidden bugs in our code. It also finds a lot of not-likely-to-be-hit problems, but it's easy to mark those as "will not fix" or "not a problem" in the code database that the tool generates. It is expensive, but the company occasionally does runs on open source projects and provides reports to the maintainers. They have a whitepaper about our use of the product on their site if you want to read more about our experience.




Answer 11:


My admins are really cheap, so I can only use really cheap tools:

  1) CCCC (C / C++ Code Counter): various results related to number of lines (vs. lines of comments, cyclomatic complexity, information flow, ...)
  2) Simian: fastest code duplication finder I ever tried.
  3) LOC Metrix: not very useful, but can help to make a point.




Answer 12:


We use Programming Research's QAC for our C code. Works OK.

Recently we have been talking about checking out some of the more advanced and static/dynamic code analyzers like Coverity's Prevent or the analysis tool by GrammaTech.

They claim to not only do static analysis but also find runtime errors etc. One major selling point is supposed to be fewer false positives.




Answer 13:


The only time I've ever used one of those tools is Split (C programming language). I thought it was helpful, but I was by no means a power user and I think I barely scratched the surface of what it could do.




Answer 14:


I've used quite a few open-source and commercial static analysis tools across many languages and I find that the overall discussion fits under the umbrella of a concept known as technical debt (which this article goes into detail about).

However for a quick answer, here are my favorites per language:

  • Java: Google CodePro Analytix & Checkstyle
  • .NET: FxCop & StyleCop
  • C/C++: McCabe IQ


Source: https://stackoverflow.com/questions/20788/what-tools-do-you-use-for-static-code-analysis
