Welcome! If you saw my talk at PNSQC, here is the promised list of static analysis tools. Actually, a list of lists.
- Wikipedia has a great list, organized by language.
- Software TestingFAQs also has a large list, some of the entries are dated.
- If you write in C, this is your list of static analysis tools.
- The government is here to help; your search for static analysis tools.
My paper and talk described how our team introduced static analysis in a mature codebase. Our initial experience matched earlier attempts, where the tools identified thousands of issues. We had a hard time accepting those results, since the software was successful in the marketplace. Though not bug free, our customers were actually using the code and were satisfied with the quality. The paper describes how we effectively incorporated static analysis in our development workflow. Instead of worrying about the mountain of old issues, we designed the static analysis process to monitor the new code, to make sure we were not introducing more harm.
After a few months of seeing the value in keeping new code clean (and the value of the issues identified through static analysis), the team decided to spend the time to analyze the older issues. Now, the backlog is zero. If this sounds interesting, check out my paper and presentation on the PNSQC site.
Another team at Intuit, where I work, also used static analysis very effectively, in a very old (and large) code base. The code management practices is documented in Dr. Dobb’s.
This post shows a list of static analysis tools, and the paper describes the process to incorporate a tool in your workflow. In the future, I plan to break down the process in this blog instead of linking to the PDF of the paper.
Please leave a comment if you have any tools to add to the list.