14 projects
CodeQL
CodeQL is a semantic code analysis engine that helps developers and security researchers discover vulnerabilities across codebases. It treats code as data, allowing users to write queries to analyze codebases and find security weaknesses, bugs, and quality issues.
2,355
535
$88M
PMD
PMD is a static code analyzer that scans source code in various programming languages to detect potential bugs, dead code, suboptimal code, overcomplicated expressions, and security vulnerabilities. It supports multiple languages including Java, JavaScript, Salesforce.com Apex, PLSQL, Apache Velocity, XML, and XSL.
1,824
347
$18M
Error Prone
Error Prone is a static analysis tool that catches common programming mistakes in Java code at compile time. It integrates with the Java compiler to identify and prevent bugs that would otherwise manifest at runtime, helping developers write more reliable code.
1,457
339
$12M
Cppcheck
Cppcheck is a static analysis tool for C/C++ code that detects bugs, undefined behavior, and dangerous coding patterns. It performs analysis without actually executing the code, focusing on detecting memory leaks, buffer overflows, uninitialized variables, and other common programming errors.
1,116
153
$13M
Checker Framework
The Checker Framework is a pluggable type-checking system for Java that helps developers prevent bugs by detecting and verifying type constraints at compile time. It extends Java's type system to enable more precise compile-time verification of properties like null pointer safety, regex validity, and concurrency correctness.
642
137
$11M
Joern
Joern is a platform for code analysis that combines source code querying with graph database capabilities. It enables security researchers and developers to analyze source code for vulnerabilities and patterns by converting code into code property graphs that can be queried using a specialized query language.
502
85
$38M
Dialyxir
Dialyxir is a mix task that provides a simplified way to run Dialyzer in Elixir projects. It handles the Persistent Lookup Table (PLT) management and provides clearer error messages, making static analysis more accessible for Elixir developers.
480
204
$161K
FlowDroid
FlowDroid is a static taint analysis tool for Android applications that performs precise data flow tracking through both Android's lifecycle and Java's callbacks. It analyzes how sensitive data can flow through an app from sources to sinks, helping identify potential security vulnerabilities and privacy leaks.
406
52
$5.6M
ESBMC
The efficient SMT-based context-bounded model checker (ESBMC).
287
34
$27M
Ultimate
The Ultimate program analysis framework.
215
16
$343M
CPAchecker
CPAchecker is an open-source software verification tool that analyzes C programs through configurable program analysis. It implements a framework for different verification approaches like predicate abstraction, bounded model checking, and k-induction, enabling automatic verification of safety properties in source code.
173
3
$54M
JSpecify
JSpecify is a project that aims to standardize and improve Java nullness annotations, providing a specification and tooling for null-safety analysis in Java code. It defines a common vocabulary and semantics for expressing nullness contracts in Java programs.
132
54
$374K
jQAssistant
jQAssistant is a quality assurance tool that performs static code analysis by scanning Java applications and creating a Neo4j graph database of their structure. It enables users to write custom rules and queries to validate architecture and design, detect anti-patterns, and ensure compliance with coding standards.
123
22
$2.4M
Escope
Escope is a JavaScript scope analyzer that provides detailed information about variable scoping and references within ECMAScript code. It performs static analysis to determine variable declarations, references, and their relationships within different scopes.
102
51
$314K