jakstab/comctldef at master · jkinder/jakstab · GitHub - Latest commit

Jakstab github free. tpetersonkth/AlternatingControlFlowReconstruction



In principle, briefly: the "malloc" on line 6 creates a Heap region, and the abstract value of data is this Heap region with offset 0. This information is added to the current AbsEnv and propagated onward. After the "free" on line 17, the numeric part of data's abstract value stays unchanged, while its Heap region becomes a new region with the same value but in an invalid state; the current.

Fix Insight ©️ — A free IDE Plugin for static code analysis. A Pro edition includes a command line tool for automation purposes. Pascal Analyzer ©️ — A static code analysis tool with numerous reports. A free Lite version is available with limited reporting. Pascal Expert ©️ — IDE plugin for code analysis. Includes a subset of.

 

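Jakstab github free. Getting static analysis "precisely" right | Keen's automated static vulnerability detection tool for binary files is officially open source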



   

What is Static Analysis? Static program analysis is the analysis of computer software that is performed without actually executing programs — Wikipedia

The most important thing I have done as a programmer in recent years is to aggressively pursue static code analysis.

All other tools are Open Source. The icon links to the discussion issue. It uses random search to explore the extremely high-dimensional space of all possible program transformations. Awk gawk --lint — Warns about constructs that are dubious or nonportable to other awk implementations.

It is sound for floating-point computations, very fast, and exceptionally precise. Jenkins and Eclipse plugins are available. CBMC — Bounded model-checker for C programs, user-defined assertions, standard assertions, several coverage metric analyses.

You get more than 50 Qt related compiler warnings, ranging from unneeded memory allocations to misusage of API, including fix-its for automatic refactoring. CMetrics — Measures size and complexity for C files. CPAchecker — A tool for configurable software verification of C programs. The name CPAchecker was chosen to reflect that the tool is based on the CPA concepts and is used for checking software programs.

Frama-C — A sound and extensible static analyzer for C code. .NET Analyzers — An organization for the development of analyzers (diagnostics and code fixes) using the .NET Compiler Platform. Infer# — InferSharp (also referred to as Infer#) is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null pointer dereferences and resource leaks.

Analyzers —. Clojure clj-kondo — A linter for Clojure code that sparks joy. It informs you about potential errors while you are typing. CoffeeScript coffeelint — A style checker that helps keep CoffeeScript code clean and consistent.

Crystal ameba — A static code analysis tool for Crystal. Reports code metrics, checks for anti-patterns and provides additional rules for Dart analyzer.

Like pedantic but stricter Linter for dart — Style linter for Dart. A Pro edition includes a command line tool for automation purposes. A free Lite version is available with limited reporting.

Includes a subset of Pascal Analyzer reporting capabilities and is available for Delphi versions and later. Dlang D-scanner — D-Scanner is a tool for analyzing D source code. Elixir credo — A static code analysis tool with a focus on code consistency and teaching. Dialyzer is a static analysis tool that identifies software discrepancies, such as definite type errors, code that has become dead or unreachable because of programming error, and unnecessary tests, in single Erlang modules or entire sets of applications.

The file and line number of a discrepancy is reported along with an indication of what the discrepancy is about. Dialyzer bases its analysis on the concept of success typings, which allows for sound warnings (no false positives). Go aligncheck — Find inefficiently packed structs. This tool analyzes fmt. Use golangci-lint for new projects. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe.

Reviewdog — A tool for posting review comments from any linter in any code hosting service. Drop-in replacement of golint. It allows you to analyze and transform source code with an intuitive DSL similar to sed, but for code. Groovy CodeNarc — A static analysis tool for Groovy source code, enabling monitoring and enforcement of many coding standards and best practices. Haskell brittany — Haskell source code formatter HLint — HLint is a tool for suggesting possible improvements to Haskell code.

Liquid Haskell — Liquid Haskell is a refinement type checker for Haskell programs. Stan — Stan is a command-line tool for analysing Haskell projects and outputting discovered vulnerabilities in a helpful way with possible solutions for detected problems. Weeder — A tool for detecting dead exports or package imports in Haskell code.

Haxe Haxe Checkstyle — A static analysis tool to help developers write Haxe code that adheres to a coding standard. Java Checker Framework — Pluggable type-checking for Java. Doop provides a large variety of analyses and also the surrounding scaffolding to run an analysis end-to-end (fact generation, processing, statistics, etc.). Error-prone — Catch common Java mistakes as compile-time errors. JBMC — Bounded model-checker for Java (bytecode), verifies user-defined assertions, standard assertions, several coverage metric analyses.

NullAway — Type-based null-pointer checker with low build-time overhead; an Error Prone plugin. Soot — A framework for analyzing and transforming Java and Android applications. Spoon — Spoon is a metaprogramming library to analyze and transform Java source code incl Java 9, 10, 11, 12, 13, Can be integrated in Maven and Gradle.

A tool for static analysis to look for bugs in Java code. Violations Lib — Java library for parsing report files from static code analysis. Used by a bunch of Jenkins, Maven and Gradle plugins. Closure Compiler — A compiler tool to increase efficiency, reduce size, and provide code warnings in JavaScript files. It can also automatically fix many common errors. It features a UI with various dashboards about an application's security status. Polymer-analyzer — A static analysis framework for Web Components.

TypL — With TypL, you just write completely standard JS, and the tool figures out your types via powerful inferencing. Enforces strict and readable code. VeriFast — A tool for modular formal verification of correctness properties of single-threaded and multithreaded C and Java programs annotated with preconditions and postconditions written in separation logic. To express rich specifications, the programmer can define inductive datatypes, primitive recursive pure functions over these datatypes, and abstract separation logic predicates.

PHP churn-php — Helps discover good candidates for refactoring. Enlightn — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains automated checks. GrumPHP — Checks code on every commit. It is a wrapper around PHPStan. Parse — A Static Security Scanner. PHP Assumptions — Checks for weak assumptions.

Analysis of code quality and coding style as well as overview of code architecture and its complexity. PhpDeprecationDetector — Analyzer of PHP code to search issues with deprecated functionality in newer interpreter versions. It finds removed objects (functions, variables, constants and ini-directives), deprecated functions functionality, and usage of forbidden names or tricks e.

PhpMetrics — Calculates and visualizes various code quality metrics. Progpilot — A static analysis tool for security purposes. Psalm — Static analysis tool for finding type errors in PHP applications. Tuli — A static analysis engine. It can be integrated with SonarQube. Perl Perl::Critic — Critique Perl source code for best-practices.

Python bandit — A tool to find common security issues in Python code. Black — The uncompromising Python code formatter. Bowler — Safe code refactoring for modern Python.

Bowler is a refactoring tool for manipulating Python at the syntax tree level. It enables safe, large scale code modifications while guaranteeing that the resulting code compiles and runs. It provides both a simple command line interface and a fluent API in Python for generating complex code modifications in code.

As a linter, it is a wrapper around pep8, pydocstyle, flake8, and pylint. Dlint — A tool for ensuring Python code is secure. It comes with a bunch of pre-defined handlers which warn you about improvements and possible bugs.

Besides these handlers, you can write your own or use community ones. It can be extended to add additional rules and perform checks specific to particular functions. It adds automatic reviews to your pull requests.

It additionally includes pyreverse (a UML diagram generator) and symilar (a similarities checker). Pysa — A tool based on Facebook's pyre-check to identify potential security issues in Python code identified with taint analysis.

It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. Ruby brakeman — A static analysis security vulnerability scanner for Ruby on Rails applications. It supports Sinatra, Padrino and Ruby on Rails frameworks. The higher the score, the more pain the code is in. Fukuzatsu — A tool for measuring code complexity in Ruby class files.

Its analysis generates scores based on cyclomatic complexity algorithms with no added "opinions". RuboCop — A Ruby static code analyzer, based on the community Ruby style guide. Rubrowser — Ruby classes interactive dependency graph generator. Sorbet — A fast, powerful type checker designed for Ruby. The translator or transpiler produces unsafe Rust code that closely mirrors the input C code.

It either prints out an "unused crates" line listing the crates, or it prints out a line saying that no crates were unused. It can be used either as a command line tool, a Rust crate, or a GitHub action for CI. It checks for valid license information, duplicate crates, security vulnerabilities, and more. This is a wrapper around a more verbose compiler command. Dylint makes it easy for developers to maintain their own personal lint collections.

MIRAI — An abstract interpreter operating on Rust's mid-level intermediate language, and providing warnings based on taint analysis. Prusti — A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable! It is capable of analyzing single Rust packages as well as all the packages on crates.

Rust Language Server — Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings. This works by embedding data about the dependency tree Cargo. RustViz — RustViz is a tool that generates visualizations from simple Rust programs to assist users in better understanding the Rust Lifetime and Borrowing mechanism. It generates SVG files with graphical indicators that integrate with mdbook to render visualizations of data-flow in Rust programs.

Prevents unexpected downtime caused by database migrations and encourages best practices around Postgres schemas and SQL. Scalastyle — Scalastyle examines your Scala code and indicates potential problems with it.

WartRemover — A flexible Scala code linting tool. Shell bashate — Code style enforcement for bash programs. The output format aims to follow pycodestyle pep8 default output format. Swift SwiftFormat — A library and command-line formatting tool for reformatting Swift code. SwiftLint — A tool to enforce Swift style and conventions. Tcl Frink — A Tcl formatting and static check program can prettify the program, minimise, obfuscate or just sanity check it.

Nagelfar — A static syntax checker for Tcl. The goal is to eliminate duplicative type declarations. With Zod, you declare a validator once and Zod will automatically infer the static TypeScript type. It is easy to compose simpler types into complex data structures. Performs lint code-quality checks. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs ShiftLeft Scan — Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies.

Other Angular Angular ESLint — Linter for Angular projects Ansible kics — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code.

Supports Azure via ARM. Binaries angr — Binary code analysis tool that also supports symbolic execution. The tool is compatible with all architectures. Loading address: binbloom can parse a raw binary firmware and determine its loading address.

Endianness: binbloom can use heuristics to determine the endianness of a firmware. BinSkim — A binary static analysis tool that provides security and correctness results for Windows portable executables. Bloaty McBloatface will show you a size profile of the binary so you can understand what's taking up space inside. Bloaty performs a deep analysis of the binary. It will even disassemble the binary looking for references to anonymous data.

F cargo-bloat — Find out what takes most of the space in your executable. Jakstab — Jakstab is an Abstract Interpretation-based, integrated disassembly and static analysis framework for designing analyses on executables and recovering reliable control flow graphs. Break down and analyze document files. Manalyze — A static analyzer, which checks portable executables for malicious content. It translates "lifts" executable binaries from native machine code to LLVM bitcode, which is very useful for performing program analysis methods.

Twiggy — Analyzes a binary's call graph to profile code size. The goal is to slim down wasm binary size. VMware chap — chap analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It is sufficiently reliable that it can be used in automation to catch leaks before they are committed.

As an interactive tool, it helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.

Supports own configurations to make style sheets beautiful and consistent. CSSLint — Does basic syntax checking and finds problematic patterns or signs of inefficiency.

Config Files dotenv-linter — Linting dotenv files like a charm. The main goal is to prevent misconfiguration and automate flaw detection.

Configuration Management ansible-lint — Checks playbooks for practices and behaviour that could potentially be improved. It is meant to be used for linting and testing pull requests. It automatically detects charts changed against the target branch. It is a non invasive tool that is run externally. Clusterlint does not alter the resource configurations. You define a list of rules that you would like to validate against your resources and kube-lint will evaluate those rules against them.

Puppet Lint — Check that your Puppet manifests conform to the style guide. Containers anchore — Discover, analyze, and certify container images. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification. chart-testing — ct is the tool for testing Helm charts.

Haskell Dockerfile Linter — A smarter Dockerfile linter that helps you build best practice Docker images. KubeLinter — KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Built on an open source stack, Sysdig provides Docker image scanning and created Falco, the open standard for runtime threat detection for containers, Kubernetes and cloud. It has some container image support, although is not a container specific tool.

Provides an online version. Code Climate — The open and extensible static analysis platform, for everyone. Increase velocity and reduce technical debt through quality code review by expert engineers backed by best-in-class automation. Standalone version of jsonlint. Kubernetes chart-testing — ct is the tool for testing Helm charts.

Laravel Enlightn — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Markdown markdownlint — Node. Mobile Android Lint — Run static analysis on Android projects. FlowDroid — Static taint analysis tool for Android applications. It can be used for reverse engineering, binary analysis and vulnerability mining. It allows app owners and developers to secure each new version of a mobile app by integrating Oversecured into the development process.

An APK optimized by Redex should be smaller and faster. Nix deadnix — Scan Nix files for dead code unused variable bindings statix — Lints and suggestions for the Nix programming language. Packages lintian — Static analysis tool for Debian packages. Puppet metadata-json-lint — Tool to check the validity of Puppet metadata.

Rails dawnscanner — A static analysis security scanner for ruby written web applications. Gitleaks — A SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Demonstrates remote code execution by presenting possible exploits.

The tool comes with over default searches that identify SQL injection, cross-site scripting XSS , insecure remote and local file includes, hard-coded passwords, etc.

Tsunami Security Scanner — A general purpose network security scanner with an extensible plugin system for detecting high severity RCE-like vulnerabilities with high confidence. Custom detectors for finding vulnerabilities e. Smart Contracts mythril — A symbolic execution framework with batteries included, can be used to find and exploit vulnerabilities in smart contracts automatically. It can be integrated with toolchains like Remix or VSCode or called from the command-line. Its goal is to provide a linting utility for Solidity code.

Support LibVCS4j — A Java library that allows existing tools to analyse the evolution of software systems by providing a common API for different version control systems and issue trackers. Template-Languages ember-template-lint — Linter for Ember or Handlebars templates.

Terraform kics — Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Translation dennis — A set of utilities for working with PO files to ease development and improve quality. Vetur — Vue tooling for VS Code, powered by vls vue language server. Vetur only has a "whole document formatter" and cannot format arbitrary ranges.

Webassembly Twiggy — Analyzes a binary's call graph to profile code size. It finds many errors that a simple spell checker cannot detect. Misspelled Words In Context — A spell-checker that groups possible misspellings and shows them in their contexts. License To the extent possible under law, Matthias Endler has waived all copyright and related or neighboring rights to this work. Title image Designed by Freepik.


