Automated Code Analysis



Automated code analysis is when code reviews other code. It can also be called static analysis, as most programs which do this check the source code without actually running the program (which is where the term static comes from).

Static vs. Dynamic

Static analysis involves checking a program's source code for issues without actually running the code.

Dynamic analysis consists of code checks that involve running the code (which has to be compiled first for non-interpreted languages).

Code Analysis Program Review

Clang Static Analyser

Supported Languages: C, C++, Objective-C
Static/Dynamic: Static
License, Pricing: BSD, Free


Cppcheck

Supported Languages: C, C++
Static/Dynamic: Static
License, Pricing: BSD

The results from Cppcheck can seem a little sparse when compared to other static analysis tools.


Flawfinder

Supported Languages: C, C++
Static/Dynamic: Static
License, Pricing: GPL v2 (or greater)

Flawfinder is written in Python and designed to run on Linux. The author still responds to bugs and feature requests, even though there was an 8-year hiatus (2006-2014). It is very easy to use; simply type:

flawfinder path/to/source/code


Frama-C

Supported Languages: C, C++
Static/Dynamic: Static
License, Pricing: Open-source, free

Frama-C is built in a modular, plug-in-centric way. It is designed so that plug-ins are easy to write and easy to install, and so that the output of one can easily be the input of another (plug-in chaining).

Frama-C supports deductive verification, in which it validates functions against the rules written in the comments above the function. These rules are written in the ANSI/ISO specification language.

PC Lint

Supported Languages: C, C++
Static/Dynamic: Static
License, Pricing: Proprietary, US$385 for a single user license as of September 2015.

PC Lint uses knowledge of certain well-known C/C++ library functions to improve its error-checking capabilities. Many C/C++ library functions have pre- and post-conditions which must be met (e.g. the fopen() arguments are never null, assert() never returns, etc.). Where possible, PC Lint will check that these are satisfied.


Geoffrey Hunter

Dude making stuff.

This work is licensed under a Creative Commons Attribution 4.0 International License.

