SonarQube is an open source quality management platform, dedicated to continuously analyze and measure source code quality, from the portfolio to the method. Static code analysis is available in the "Community Edition" (free / open source) for:
- - SonarQube is the most popular Web-based, Windows, Mac & Linux alternative to Cppcheck.
- - SonarQube is the most popular Open Source & free alternative to Cppcheck.
PVS-Studio is a static analyzer that detects errors in source code of C, C++ and C# applications. The PVS-Studio tool is intended for developers of contemporary applications and it integrates into the Visual Studio 2005/2008/2010/2012/2013 environment.
- - PVS-Studio is the most popular commercial alternative to Cppcheck.
Coverity Scan Static Analysis allows to find and fix defects in your Java, C/C++ or C# open source project for free.
Flawfinder examines C/C++ source code and reports possible security weaknesses ("flaws'') sorted by risk level. It's very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public.
Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done...Discontinued
Last version 3.1.2 is from August 2007.
EDoC++ is a C++ source analysis tool designed to identify problems associated with the use of exceptions in C++ code. Additionally EDoC++ can be used to generate detailed documentation
Apache Yetus is a collection of libraries and tools that enable contribution and release processes for software projects. Portions are used by a wide variety of Apache projects, including Apache Hadoop and Apache HBase.
Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time. Precise rules look like the code you’re searching; no more traversing abstract syntax trees or...
VCG is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. It has a few features that should hopefully make it useful to anyone conducting code security reviews, particularly where time is at a premium: