Is there a Findbugs and / or PMD equivalent for C/C++?
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, published under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/1433632/
Asked by Bob Cross
I was recently asked about alternatives to Coverity Prevent for a code base that includes both C/C++ and Java. Obviously, on the Java side, the free tools available include Findbugs (compiled code analysis) and PMD (static code analysis). They are very powerful, especially when you start investigating integration with IDEs (which, again, are free).
However, things are dicey when you start moving into the C/C++ realm with the various compilers, architectures, etc.
I have proposed a variety of tools for the Java side, including both Findbugs and PMD. What I am looking for is the best option for the C/C++ side when considered using the following metrics:
- Price: free is better but can be beaten by better value. However, pricing models that charge per line of code are horrifying.
- Feature set: how does this tool make my life better? In what ways does it detect my mistakes before I check them in, before we ship the code, etc.?
- Usability: can I use the tool at my desk? Can I share the reports and / or findings? Can I integrate the tool with Fogbugz (which we use in my group)? Can I integrate the tool into CruiseControl (or the equivalent)?
The ultimate tool would be something that is as useful and usable as a combination of Findbugs and PMD with identical feature set, all for zero dollars per seat.
Accepted answer by Thomas Owens
The two that come to mind are Splint for C and Cppcheck for C++.
If you want to look for more options, this function of these tools is "static code analysis". That might help you find more tools for C and/or C++. Also, you might be interested in the answer to the question "What open source C++ static analysis tools are available?"
Answered by Josh Kelley
C++ is a complicated enough language that the tooling for it (such as refactoring or static analysis tools) just isn't as good as Java or C#.
Gimpel Software's PC-lint is the closest thing to a standard bug-checking tool for C++ that I know of. It's commercial with a reasonable pricing model. I don't know how well it integrates with other tools.
The Clang open source project should eventually be able to do much of what you want (and looks really cool), but it's still in development.
Answered by Matt Hargett
PC-Lint is the way to go. Unlike most of the other tools, it has full inter-function and inter-module value tracking and supports all the hairy edges of template compilation/parsing as well. I bought a personal copy for myself about 9 years ago, just because it's so cheap. I ended up using it a lot in open source projects. PC-Lint doesn't license based on LOC, it doesn't phone home, and there's no license server. It's very much on the honor system and very no-nonsense. Over the 9 years, I have found some issues in it (and those have been few and far between), but they have almost always been fixed in a few weeks.
Open-source wise, there is SMatch, based on Coverity's meta-compilation analysis techniques, which the wine project uses quite heavily to great effect. PMD's cpd (copy paste detector) sub-tool works on C++, and is really fast. For cyclomatic complexity, there's pmccabe which is easily installable via apt-get (on Linux; on Windows, I compile the source under cygwin).
PC-Lint does require some configuration to get it working well, a day or two at the most. The other tools don't work as deeply, so you can just hit the ground running with a command like "find . -name '*.c' | xargs pmccabe | sort -n | tail -n 20"
Answered by nanotechz9l
I use flawfinder.py which scans for 160 dangerous functions in C/C++. http://www.dwheeler.com/flawfinder/
If you want a ruby port based on flawfinder then you can use vulnxpose.rb. https://github.com/nanotechz9l/Source-code-analyzer
Both of these tools scan C/C++ source code files for known vulnerabilities (including buffer overflows, race conditions, weak crypto, chroot jail configs ... and more).
Rick
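Two of the answers above describe what these tools do mechanically: nanotechz9l's flawfinder scans source text for a list of dangerous library calls, and Matt Hargett's pmccabe ranks functions by cyclomatic complexity. The Python below is an added example, not code from this page's authors or from the flawfinder or pmccabe projects, showing a minimal version of both checks run over a constructed C file. The risk table, the decision-point list and the function-definition regex are this example's own simplifying assumptions; the comment-and-string blanking step is there because a purely lexical scanner reports anything that looks like a call and knows nothing about data flow, which is the gap PC-Lint's value tracking (and Coverity) are sold to close.

```python
"""Toy static checks modelled on two tools named in the answers above:
a flawfinder-style lexical scan for risky library calls and a
pmccabe-style cyclomatic-complexity count per C function.
Added example; not code from flawfinder, pmccabe or this page's authors."""
import re
from dataclasses import dataclass

# Assumed risk table: a tiny subset of the calls a real tool knows.
# Levels follow the spirit of flawfinder's 0-5 scale but are this
# example's own choices, not the tool's database.
DANGEROUS_CALLS = {
    "gets":    (5, "no bounds check at all; use fgets with a size"),
    "strcpy":  (4, "unbounded copy; use snprintf or a bounded copy"),
    "strcat":  (4, "unbounded concatenation; use a bounded append"),
    "sprintf": (4, "unbounded formatted write; use snprintf"),
    "system":  (4, "runs a shell; avoid it or validate the command string"),
    "strncpy": (1, "may leave the result unterminated; add a NUL"),
}

# Branch points that each add one path (pmccabe counts roughly these).
DECISION_POINTS = re.compile(r"\b(?:if|for|while|case|catch)\b|&&|\|\||\?")
# Crude C function-definition matcher: "<specifiers> name(params) {".
FUNC_DEF = re.compile(r"^[ \t]*(?:[\w*]+[ \t]+)+\*?(\w+)\s*\([^;{}]*\)\s*\{", re.M)
C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof", "else"}
# Line comments, block comments, string literals and char literals.
LEXEMES = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and literals, keeping every newline so line
    numbers stay valid; text inside them must never produce a finding."""
    return LEXEMES.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


@dataclass
class Finding:
    line: int
    function: str
    level: int
    advice: str


def find_dangerous_calls(src: str) -> list[Finding]:
    """Report calls to DANGEROUS_CALLS, highest risk first, then by line."""
    code = strip_comments_and_strings(src)
    names = "|".join(sorted(DANGEROUS_CALLS, key=len, reverse=True))
    call_re = re.compile(rf"\b({names})\s*\(")
    findings = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        for m in call_re.finditer(line):
            level, advice = DANGEROUS_CALLS[m.group(1)]
            findings.append(Finding(lineno, m.group(1), level, advice))
    return sorted(findings, key=lambda f: (-f.level, f.line))


def cyclomatic_complexity(src: str) -> dict[str, int]:
    """Return {function name: 1 + number of decision points in its body}."""
    code = strip_comments_and_strings(src)
    result = {}
    for m in FUNC_DEF.finditer(code):
        name = m.group(1)
        if name in C_KEYWORDS:
            continue
        start, depth, i = m.end(), 1, m.end()   # m.end() is just past "{"
        while i < len(code) and depth:          # find the matching "}"
            depth += {"{": 1, "}": -1}.get(code[i], 0)
            i += 1
        result[name] = 1 + len(DECISION_POINTS.findall(code[start:i - 1]))
    return result


# Constructed input: a small C file; the comment and the string literal
# mention strcpy but must not be flagged.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(buf, src) in a comment must not be reported */
static void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded copy into a fixed buffer */
    puts("strcpy() in a string literal is not a call either");
    puts(buf);
}

int classify(int x, int y) {
    if (x > 0 && y > 0) {
        return 1;
    } else if (x < 0 || y < 0) {
        return -1;
    }
    for (int i = 0; i < x; i++) {
        if (i == y) return 2;
    }
    return x ? 3 : 0;
}

void run(const char *cmd) {
    char line[64];
    gets(line);
    strncpy(line, cmd, sizeof line);
    system(line);
}
"""

if __name__ == "__main__":
    for f in find_dangerous_calls(SAMPLE_C):
        print(f"line {f.line}: {f.function}() level {f.level}: {f.advice}")
    for name, cc in cyclomatic_complexity(SAMPLE_C).items():
        print(f"{name}: cyclomatic complexity {cc}")
```

On the constructed file this reports gets (level 5), strcpy and system (level 4) and strncpy (level 1), and gives classify a complexity of 8 against 1 for the other two functions. The strncpy hit is the kind of low-level noise that makes a day or two of tuning worthwhile before wiring such a tool into a build server: every "finding" is a textual match, and deciding which ones matter needs either configuration or the deeper value tracking the commercial tools offer.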
Answered by Harold L
I've used Klocwork and Rational Software Analyzer in the past, and they both work well, though both are commercial/non-free.