Outils d'utilisateurs
code_scanners
Différences
Cette page vous donne les différences entre la révision choisie et la version actuelle de la page.
|
code_scanners [2019/10/11 06:43] M0N5T3R |
code_scanners [2023/11/10 10:50] (Version actuelle) M0N5T3R |
||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| - | 🛠 sonarqube https://www.sonarqube.org/ | + | FIXME **Le PAD pour proposer une amélioration à cette page :** https://pad.zenk-security.com/p/merci |
| - | 🛠 VisualCodeGrepper (VCG) - https://sourceforge.net/projects/visualcodegrepp/ | ||
| - | 🛠 Checkmarx https://www.checkmarx.com/ | + | ====== Code scanners ====== |
| - | 🛠 [AppChecker](https://npo-echelon.ru/en/solutions/appchecker.php) - static analysis tool for finding bugs, weaknesses and vulnerabilities in source code | + | 🛠 Semgrep - Semgrep accelerates your security journey by swiftly scanning code and package dependencies for known issues, software vulnerabilities, and detected secrets with unparalleled efficiency. |
| + | https://github.com/semgrep/semgrep | ||
| - | 🛠 [Code insight](https://github.com/console-helpers/code-insight) - A tool for analysing other project code bases. | + | 🛠 CodeQL - CodeQL is the analysis engine used by developers to automate security checks. C , C++, java, python .. https://codeql.github.com/ |
| - | 🛠 [Churn-PHP](https://github.com/bmitch/churn-php.git) - Discover files in need of refactoring. | ||
| - | 🛠 [Eir](https://github.com/Lixody/Eir) - A static vulnerability analysis tool written in C#. | + | 🛠ApplicationInspector - |
| + | Application Inspector is different from traditional static analysis tools in that it doesn't attempt to identify "good" or "bad" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection including features that impact security such as the use of cryptography and more. This can be extremely helpful in reducing the time needed to determine what Open Source or other components do by examining the source directly rather than trusting to limited documentation or recommendations. | ||
| + | The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and can scan projects with mixed language files. | ||
| + | https://github.com/microsoft/ApplicationInspector | ||
| - | 🛠 [Exakat](http://www.exakat.io/) - Smart static analysis. | + | 🛠 grep rough audit - source code auditing tool - The following databases are included: |
| + | actionscript, android, asp, c, dotnet, exec, fruit, ios, java, js, perl, php, python, rough, ruby, secrets, spsqli, sql, strings, xss, https://github.com/wireghoul/graudit | ||
| - | 🛠 [jscpd](https://github.com/kucherenko/jscpd) - Copy/paste detector for programming source code. | ||
| - | 🛠 [Mondrian](https://github.com/Trismegiste/Mondrian) - A code analysis tool using Graph Theory. | + | 🛠 VisualCodeGrepper (VCG) - https://sourceforge.net/projects/visualcodegrepp/ |
| - | 🛠 [noverify](https://github.com/VKCOM/noverify) - Pretty fast linter (code static analysis utility) for PHP. | ||
| - | 🛠 [Pfff](https://github.com/facebook/pfff) - Tools for code analysis, visualizations, or style-preserving source transformation. | + | |
| - | 🛠 [PHP Analysis](https://github.com/cwi-swat/php-analysis) - A library for analysing and modifying PHP Source Code in Rascal (PHP AiR). | + | 🛠 [Application Inspector](https://www.ptsecurity.com/ww-en/products/ai/) :copyright: - Commercial Static Code Analysis which generates exploits to verify vulnerabilities. Supports: Java (including JSP and JSF), C#, VB.Net, ASP.NET, Php, JavaScript, Objective-C, Swift, C\C++, SQL (PL/SQL. T-SQL. MySQL), HTML5 |
| - | 🛠 [PHParch](https://github.com/j6s/phparch.git) - PHPArch is a work in progress architectural testing library for PHP projects. | + | 🛠 [AppScan Source](https://www.hcltechsw.com/wps/portal/products/appscan/home) :copyright: - Commercial Static Code Analysis. Supports: Microsoft .NET Framework (C#, ASP.NET, VB.NET), ASP (JavaScript/VBScript), C/C++, COBOL, ColdFusion, JavaScript, JavaServer Pages (JSP), Java™ (including support for Android APIs), Perl, PHP, PL/SQL, T-SQL, Visual Basic 6 |
| - | + | 🛠 [APPscreener](https://appscreener.us) :copyright: - Static code analysis for binary and source code - Java/Scala, PHP, Javascript, C#, PL/SQL, Python, T-SQL, C/C++, ObjectiveC/Swift, Visual Basic 6.0, Ruby, Delphi, ABAP, HTML5 and Solidity | |
| - | 🛠 [PHP Assumption](https://github.com/rskuipers/php-assumptions.git) - Finds <a href="http://rskuipers.com/entry/from-assumptions-to-assertions">weak assumptions</a> in the code, suggest to turn them into stronger validations. | + | |
| + | 🛠 [ArchUnit](https://www.archunit.org/) - Unit test your Java or Kotlin architecture | ||
| + | |||
| + | 🛠 [Axivion Bauhaus Suite](https://www.axivion.com/en/products-services-9#products_bauhaussuite) :copyright: - Tracks down error-prone code locations, style violations, cloned or dead code, cyclic dependencies and more for C/C++, C#/.NET, Java and Ada 83/Ada 95 | ||
| + | |||
| + | 🛠 [Checkmarx CxSAST](https://www.checkmarx.com/products/static-application-security-testing/) :copyright: - Commercial Static Code Analysis which doesn't require pre-compilation. Supports: Android (Java), Apex and VisualForce, ASP, C#, C/C++, Go, Groovy, HTML5, Java, JavaScript, Node.js, Objective C, Perl, PhoneGap, PHP, Python, Ruby, Scala, Swift, VB.NET, VB6, VBScript | ||
| + | |||
| + | 🛠 [coala](https://coala.io/) - Language independent framework for creating code analysis - supports [over 60 languages](https://coala.io/languages) by default | ||
| + | |||
| + | 🛠 [Cobra](https://github.com/WhaleShark-Team/cobra) :A static code analysis system that automates the detecting vulnerabilities and security issue Supports C, C++,php. | ||
| - | 🛠 [PhpCodeAnalyzer](https://github.com/wapmorgan/PhpCodeAnalyzer.git) - Finds usage of non-built-in extensions. | + | 🛠 [codeburner](https://github.com/groupon/codeburner) - Provides a unified interface to sort and act on the issues it finds |
| + | 🛠 [CodeFactor](https://codefactor.io) :copyright: - Static Code Analysis for C#, C, C++, CoffeeScript, CSS, Groovy, GO, JAVA, JavaScript, Less, Python, Ruby, Scala, SCSS, TypeScript. | ||
| - | 🛠 [PHPCodeFixer](https://github.com/wapmorgan/PhpCodeFixer) - Finds usage of deprecated functions, variables and ini directives. | + | 🛠 [CodeIt.Right](https://submain.com/products/codeit.right.aspx) :copyright: - CodeIt.Right™ provides a fast, automated way to ensure that your source code adheres to (your) predefined design and style guidelines as well as best coding practices. Supported languages: C#, VB.NET. |
| - | 🛠 [php7mar](https://github.com/Alexia/php7mar) - PHP 7 Migration Assistant Report. | + | 🛠 [CodeScene](https://empear.com/) :copyright: - CodeScene prioritizes technical debt, finds social patterns and identifies hidden risks in your code. |
| - | 🛠 [phpcallgraph](http://phpcallgraph.sourceforge.net/) - Generate static call graphs. Such a graph visualizes the call dependencies among methods or functions of an application.. | + | 🛠 [cqc](https://github.com/xcatliu/cqc) - Check your code quality for js, jsx, vue, css, less, scss, sass and styl files. |
| - | 🛠 [PHPCPD](https://github.com/sebastianbergmann/phpcpd) - Spots copy/pasted code, and help enforcing DRY rule. | + | 🛠 [Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) :copyright: - Synopsys Coverity supports 20 languages and over 70 frameworks including Ruby on rails, Scala, PHP, Python, JavaScript, TypeScript, Java, Fortran, C, C++, C#, VB.NET. |
| - | 🛠 [Phan](https://github.com/etsy/phan) - The static analyzer by Rasmus, PHP Creator. | + | 🛠 [DeepSource](https://deepsource.io/) :copyright: - In-depth static analysis to monitor source code quality and security. Supports Python and Go and can detect 600+ types of issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integration with GitHub. |
| - | 🛠 [Phinder](https://github.com/sider/phinder.git) - PHP code piece finder | + | 🛠 [Depends](https://github.com/multilang-depends/depends) - Analyses the comprehensive dependencies of code elements for Java, C/C++, Ruby. |
| - | 🛠 [Phortress](https://github.com/lowjoel/phortress) - A PHP static code analyser for potential vulnerabilities. | + | 🛠 [DevSkim](https://github.com/microsoft/devskim) - Regex-based static analysis tool for Visual Studio, VS Code, and Sublime Text - C/C++, C#, PHP, ASP, Python, Ruby, Java, and others. |
| + | 🛠 [Fortify](https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview) :copyright: A commercial static analysis platform that supports the scanning of C/C++, C#, VB.NET, VB6, ABAP/BSP, ActionScript, Apex, ASP.NET, Classic ASP, VB Script, Cobol, ColdFusion, HTML, Java, JS, JSP, MXML/Flex, Objective-C, PHP, PL/SQL, T-SQL, Python (2.6, 2.7), Ruby (1.9.3), Swift, Scala, VB, and XML. | ||
| - | 🛠 [PHP Code Static Analysis](https://github.com/joaaoleite/code-static-analysis) - PHP Code static analysis program made in nodeJS. | + | 🛠 [Goodcheck](https://github.com/sideci/goodcheck) - Regexp based customizable linter |
| - | 🛠 [PHP Inspection](https://plugins.jetbrains.com/plugin/7622?pr=idea) - Static analysis plugin for PHPStorm. | + | 🛠 [graudit](https://github.com/wireghoul/graudit) - Grep rough audit - source code auditing tool - C/C++, PHP, ASP, C#, Java, Perl, Python, Ruby |
| - | 🛠 [PHP Integrator](https://github.com/php-integrator) - Indexes PHP code and performs static analysis for Atom editor. | + | 🛠 [Hound CI](https://houndci.com/) - Comments on style violations in GitHub pull requests. Supports Coffeescript, Go, HAML, JavaScript, Ruby, SCSS and Swift. |
| - | 🛠 [Phlint](https://gitlab.com/phlint/phlint) - Phlint is a tool with an aim to help maintain quality of php code by analyzing code and pointing out potential code issues. | + | 🛠 [imhotep](https://github.com/justinabrahms/imhotep) - Comment on commits coming into your repository and check for syntactic errors and general lint warnings. |
| - | 🛠 [PHP lint](http://php.net/manual/en/features.commandline.options.php) - PHP itself, able to detect syntax error from command line. | + | 🛠 [Infer](https://github.com/facebook/infer) - A static analyzer for Java, C and Objective-C |
| - | 🛠 [PHPlint](http://www.icosaedro.it/phplint/) - A validator and documentator for PHP 5 programs. | + | 🛠 [Klocwork](http://www.klocwork.com/products-services/klocwork) :copyright: - Quality and Security Static analysis for C/C++, Java and C# |
| - | 🛠 [PHP-Parallel-Lint](https://github.com/JakubOnderka/PHP-Parallel-Lint) - A parallel php linting tool for PHP 5.3.3 or newer | + | 🛠 [Kiuwan](https://www.kiuwan.com/code-security-sast/) :copyright: - Identify and remediate cyber threats in a blazingly fast, collaborative environment, with seamless integration in your SDLC. Python, C\C++, Java, C#, PHP and more |
| - | 🛠 [PHP Magic Number Detector](https://github.com/povils/phpmnd) - PHP Magic Number Detector | + | 🛠 [oclint](https://github.com/oclint/oclint) - A static source code analysis tool to improve quality and reduce defects for C, C++ and Objective-C |
| - | 🛠 [PHP-malware-finder](https://github.com/nbs-system/php-malware-finder) - Detect potentially malicious PHP files | + | 🛠 [pfff](https://github.com/facebook/pfff) - Facebook's tools for code analysis, visualizations, or style-preserving source transformation for many languages |
| - | 🛠 [PHP Mess Detector](http://phpmd.org/) - Look for several potential problems within source code. | + | 🛠 [PMD](https://pmd.github.io/) - A source code analyzer for Java, Javascript, PLSQL, XML, XSL and others |
| - | 🛠 [PHP Reaper](https://github.com/emanuil/php-reaper.git) - Scan ADOdb code for SQL Injections. | + | 🛠 [Pronto](https://github.com/prontolabs/pronto) - Quick automated code review of your changes. Supports more than 40 runners for various languages, including Clang, Elixir, JavaSCript, PHP, Ruby and more |
| - | 🛠 [PHP SA](https://github.com/ovr/phpsa) - A development tool aimed at bringing complex analysis for PHP applications and libraries. | + | 🛠 [pre-commit](https://github.com/pre-commit/pre-commit) - A framework for managing and maintaining multi-language pre-commit hooks. |
| - | 🛠 [PHP Stan](https://github.com/phpstan/phpstan) - Focuses on finding errors in code without actually running it. | + | 🛠 [PT.PM](https://github.com/PositiveTechnologies/PT.PM) - An engine for searching patterns in the source code, based on Unified AST or UST. At present time C#, Java, PHP, PL/SQL, T-SQL, and JavaScript are supported. Patterns can be described within the code or using a DSL. |
| - | 🛠 [PHP Unlocker](http://emanuilslavov.com/php-unlocker/) - Detect potential, unintended DB table locks for PHP applications using ADOdb. Uses static analysis methods. | + | 🛠 [PVS-Studio](https://www.viva64.com/en/pvs-studio/) :copyright: - a ([conditionally free](https://www.viva64.com/en/b/0614/) for FOSS and individual developers) static analysis of C, C++, C# and Java code. For advertising purposes [you can propose a large FOSS project for analysis by PVS employees](https://github.com/viva64/pvs-studio-check-list). Supports CWE mapping, MISRA and CERT coding standards. |
| + | 🛠 [Reviewdog](https://github.com/haya14busa/reviewdog) - A tool for posting review comments from any linter in any code hosting service. | ||
| - | 🛠 [PHP testability](https://github.com/edsonmedina/php_testability) - Analyses and produces a report with testability issues of a php codebase. | + | 🛠 [Security Code Scan](https://security-code-scan.github.io/) - Security code analyzer for C# and VB.NET. Detects various security vulnerability patterns: SQLi, XSS, CSRF, XXE, Open Redirect, etc. |
| + | 🛠 [Semmle QL and LGTM](https://semmle.com/) :copyright: - Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repo: [LGTM.com](https://LGTM.com). | ||
| - | 🛠 [PHP vuln hunter](https://github.com/OneSourceCat/phpvulhunter) - Scan PHP vulnerabilities automatically using static analysis methods. | + | 🛠 [shipshape](https://github.com/google/shipshape) - Static program analysis platform that allows custom analyzers to plug in through a common interface |
| - | 🛠 [Progpilot](https://github.com/designsecurity/progpilot) - A static analysis tool for security purposes. | + | 🛠 [SonarQube](http://www.sonarqube.org/) - SonarQube is an open platform to manage code quality. |
| - | 🛠 [Psalm](https://getpsalm.org/) - A static analysis tool for finding errors in PHP applications. | + | 🛠 [STOKE](https://github.com/StanfordPL/stoke) - a programming-language agnostic stochastic optimizer for the x86_64 instruction set. It uses random search to explore the extremely high-dimensional space of all possible program transformations |
| - | 🛠 [psecio:parse](https://github.com/psecio/parse.git) - Parse : A PHP Security Scanner. | + | 🛠 [Synopsys](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) :copyright: - A commercial static analysis platform that allows for scanning of multiple languages (C/C++, Android, C#, Java, JS, PHP, Python, Node.JS, Ruby, Fortran, and Swift) |
| + | 🛠 [TscanCode](https://github.com/Tencent/TscanCode) - A fast and accurate static analysis solution for C/C++, C#, Lua codes provided by Tencent. Using GPLv3 license. | ||
| - | 🛠 [Side Channel Analyzer](https://github.com/olivo/side-channel-analyzer) - Search for side-channel vulnerable code. | + | 🛠 [Undebt](https://github.com/Yelp/undebt) - Language-independent tool for massive, automatic, programmable refactoring based on simple pattern definitions |
| - | 🛠 [TaintPHP](https://github.com/olivo/TaintPHP.git) - Static Taint Analyzer. | + | 🛠 [Veracode](http://www.veracode.com/products/static-analysis-sast/static-code-analysis) :copyright: - Find flaws in binaries and bytecode without requiring source. Support all major programming languages: Java, .NET, JavaScript, Swift, Objective-C, C, C++ and more. |
| - | 🛠 [Taint'em All](http://taint.spro.ink/) - A taint analysis tool for the PHP language, it makes use of Static Taint Analysis + Symbolic Execution. | + | 🛠 [WALA](http://wala.sourceforge.net/wiki/index.php/Main_Page) - static analysis capabilities for Java bytecode and related languages and for JavaScript |
| - | 🛠 [Tuli](https://github.com/ircmaxell/Tuli) - A static analysis engine. | + | 🛠 [WhiteHat Application Security Platform](https://www.whitehatsec.com/products/static-application-security-testing/) :copyright: - WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations) supporting WhiteHat Top 40 and OWASP Top 10. Language support for: Java, C#(.NET), ASP.NET, PHP, JavaScript, Node.js, Objective-C, Android, HTML5, TypeScript. |
| - | 🛠 [Unused-scanner](https://github.com/Insolita/unused-scanner.git) - Detect unused composer dependencies | + | 🛠 [Wotan](https://github.com/fimbullinter/wotan) - Pluggable TypeScript and JavaScript linter |
| - | 🛠 [WAP](https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection) - Tool to detect and correct input validation vulnerabilities in PHP (4.0 or higher) web applications and predicts false positives. | + | 🛠 [XCode](https://developer.apple.com/xcode/) :copyright: - XCode provides a pretty decent UI for [Clang's](http://clang-analyzer.llvm.org/xcode.html) static code analyzer (C/C++, Obj-C) |
| - | 🛠 [PHP VarDump Check](https://github.com/JakubOnderka/PHP-Var-Dump-Check) - PHP console application for finding forgotten variable dump. | ||
| - | 🛠 [17eyes](https://github.com/17eyes/17eyes) - PHP static analyzer written in Haskell. | ||
code_scanners.1570769026.txt.gz · Dernière modification: 2019/10/11 06:43 par M0N5T3R
Outils de la Page
Sauf mention contraire, le contenu de ce wiki est placé sous la licence suivante : CC Attribution-Share Alike 3.0 Unported
