Is there a Findbugs and / or PMD equivalent for C/C++?

Question

I was recently asked about alternatives to Coverity Prevent for a code base that includes both C/C++ and Java. Obviously, on the Java side, the free tools available include Findbugs (compiled code analysis) and PMD (static code analysis). They are very powerful, especially when you start investigating integration with IDEs (which, again, are free).

However, things are dicey when you start moving into the C/C++ realm with the various compilers, architectures, etc.

I have proposed a variety of tools for the Java side, including both Findbugs and PMD. What I am looking for is the best option for the C/C++ side when considered using the following metrics:

1. Price: free is better but can be beaten by better value. However, pricing models that charge per line of code are horrifying.
2. Feature set: how does this tool make my life better? In what ways does it detect my mistakes before I check them in, before we ship the code, etc.?
3. Usability: can I use the tool at my desk? Can I share the reports and / or findings? Can I integrate the tool with Fogbugz (which we use in my group)? Can I integrate the tool into CruiseControl (or the equivalent)?

The ultimate tool would be something that is as useful and usable as a combination of Findbugs and PMD with identical feature set, all for zero dollars per seat.

Answer 1

The two that come to mind are Splint for C and Cppcheck for C++.

If you want to look for more options, this function of these tools is "static code analysis". That might help you find more tools for C and/or C++. Also, you might be interested in the answer to the question "What open source C++ static analysis tools are available?"

Answer 2

C++ is a complicated enough language that the tooling for it (such as refactoring or static analysis tools) just isn't as good as Java or C#.

Gimpel Software's PC-lint is the closest thing to a standard bug-checking tool for C++ that I know of. It's commercial with a reasonable pricing model. I don't know how well it integrates with other tools.

The Clang open source project should eventually be able to do much of what you want (and looks really cool), but it's still in development.

Answer 3

PC-Lint is the way to go. Unlike most of the other tools, it has full inter-function and inter-module value tracking and supports all the hairy edges of template compilation/parsing as well. I bought a personal copy for myself about 9 years ago, just because it's so cheap. I ended up using it a lot in open source projects. PC-Lint doesn't license based on LOC, it doesn't phone home, and there's no license server. It's very much on the honor system and very no-nonsense. Over the 9 years, I have found some issues in it (and those have been few and far between), but they have almost always been fixed in a few weeks.

Open-source wise, there is SMatch, based on Coverity's meta-compilation analysis techniques, which the wine project uses quite heavily to great effect. PMD's cpd (copy paste detector) sub-tool works on C++, and is really fast. For cyclomatic complexity, there's pmccabe which is easily installable via apt-get (on Linux; on Windows, I compile the source under cygwin).

PC-Lint does require some configuration to get it working well, a day or two at the most. The other tools don't work as deeply, so you can just hit the ground running with a command like "find . -name .c | xargs pmccabe | sort -n | tail -n 20"

Answer 4

I've used Klocwork and Rational Software Analyzer in the past, and they both work well, though both are commercial/non-free.

Answer 5

I use flawfinder.py which scans for 160 dangerous functions in C/C++. http://www.dwheeler.com/flawfinder/

If you want a ruby port based on flawfinder then you can use vulnxpose.rb. https://github.com/nanotechz9l/Source-code-analyzer

Both of these tools scans C/C++ source code files for known vulnerabilities including buffer overflows, race conditions, weak crypto, chroot jail configs ... & more).

Rick