BugScan probably competes with the @Stake tool, and works on object code: http://www.hbgary.com/index.asp?G1=2&G2=1
Coverity's tool is absolutely *outstanding* on C code. They plan to have C++ support soon.
http://coverity.com/main.html
The Fortify tools (http://fortifysoftware.com) look good, from what I've seen in a demo.
And there's a new release of Flawfinder that just came out. It has documentation on how to integrate with vim and emacs, and has features to suppress more false positives. http://www.dwheeler.com/flawfinder/
- Jared
Kenneth R. van Wyk wrote:
Greetings all,
FYI, it looks like we're at the beginning of a new wave of software security tools. There's a few commercial products beginning to hit the market that take static src code scanning to a new level. See the link below for a LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer tool in addition to Fortify's Source Code Analysis suite. These appear to pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave off.
Anyone here willing/able to share some _user_ level experiences with any of these tools? It'll be interesting to hear how they hold up in real software development environments.
http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1
Cheers,
Ken van Wyk
