Static code analysis (in security tooling usually called SAST, static application security testing; the abbreviation SCA is more often used for software composition analysis) is the examination of source code, bytecode or binaries without executing the program, in order to evaluate the level of security an application provides. It can be done manually (code review) or with automated analysis tools, and the two complement each other.
Static analysis tools are widely used on PHP code to find vulnerabilities that attackers could abuse before the code reaches production. PHP applications such as WordPress, Magento and Drupal, along with the plugins, themes and panel-based web applications built on them, accumulate injection flaws and other vulnerabilities when their source code is not audited on a regular basis.
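The following is an added example, not part of the original article and not the engine of any tool listed on this page: a toy taint-tracking analyser that shows the source-to-sink reasoning PHP security analysers such as RIPS (or Psalm's taint mode) perform with far more precision. Data read from a superglobal is a source; calls such as mysqli_query, echo and system are sinks; intval or htmlspecialchars clear the taint. The PHP sample, the sink table and the sanitizer list are constructed for the demo.

```python
"""Toy taint-tracking static analyser for a few PHP constructs.

Added example; it is not part of the original article and not the engine of
any tool named on the page.  It shows the source-to-sink reasoning that PHP
security analysers such as RIPS (or Psalm's taint mode) perform with far
more precision.  The PHP sample is constructed for the demo."""
import re
from typing import List, Set, Tuple

# Untrusted inputs (sources) and dangerous calls (sinks) recognised by the toy.
SOURCES = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\[")
SINKS = {
    "mysqli_query": "SQL injection",
    "echo": "Cross-site scripting",
    "system": "Command injection",
}
# Calls whose result is treated as clean; the whole call is erased before
# taint is checked.  Nested parentheses are not handled (toy limitation).
SANITIZED = re.compile(
    r"\b(?:intval|htmlspecialchars|escapeshellarg|mysqli_real_escape_string)\([^()]*\)")

ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")         # $var = expr;
CALL = re.compile(r"^\s*(?:\$\w+\s*=\s*)?(\w+)\s*(.*);\s*$")  # [$var =] name args;
VAR = re.compile(r"\$\w+")


def is_tainted(expr: str, tainted: Set[str]) -> bool:
    """True if the expression reads a source or a tainted variable outside a sanitizer."""
    rest = SANITIZED.sub("", expr)
    if SOURCES.search(rest):
        return True
    return any(v in tainted for v in VAR.findall(rest))


def analyze(php: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, vulnerability class) for every sink fed tainted data."""
    tainted: Set[str] = set()
    findings = []
    for no, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            # Propagate taint through assignment; a clean reassignment clears it.
            if is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
        c = CALL.match(line)
        if c and c.group(1) in SINKS and is_tainted(c.group(2), tainted):
            findings.append((no, c.group(1), SINKS[c.group(1)]))
    return findings


# Constructed sample: three vulnerable sinks and two correctly sanitised ones.
SAMPLE = """<?php
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;
$rows = mysqli_query($db, $sql);
$name = $_POST['name'];
echo "Hello " . $name;
echo "Hello " . htmlspecialchars($name);
$uid = intval($_GET['id']);
mysqli_query($db, "SELECT * FROM users WHERE id = " . $uid);
system("ping " . $_GET['host']);
"""

if __name__ == "__main__":
    for line, sink, kind in analyze(SAMPLE):
        print(f"line {line}: {kind} via {sink}()")
```

Running it reports lines 4, 6 and 10 and stays silent on the sanitised lines 7 and 9. Real analysers do the same thing over a proper parse tree, across function calls and files, and with per-sink sanitizer rules (htmlspecialchars neutralises XSS but not SQL injection, which this toy ignores).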
Visual Expert
Visual Expert is a unique static code analysis tool for SQL Server, Oracle, and PowerBuilder code.
The Visual Expert toolbox offers 200+ features to reduce maintenance effort and avoid regressions when making modifications, including:
- Code Review
- CRUD Matrix
- E/R Diagrams synchronized with code view.
- Code Performance Analysis
- Code exploration
- Impact analysis
- Source Code Documentation
- Code Comparison
Clang Static Analyzer
This is an open-source tool that analyzes C, C++ and Objective-C code. It is built on the Clang/LLVM libraries, so the analyzer is a reusable component that several clients (the scan-build wrapper, Xcode, CI integrations) can drive.
Website Link: Clang Static Analyzer
CppDepend
A very easy-to-use tool compared with other static analysis tools. As the name suggests, it analyzes C/C++ code. It supports various code quality metrics, lets you monitor trends over time, has an add-in for Visual Studio, allows custom queries over the code model, and comes with good diagnostics.
Website Link: CppDepend
Klocwork
Apart from finding syntax and semantic errors, this tool also detects security vulnerabilities in the code. It integrates with common IDEs such as Eclipse, Visual Studio and IntelliJ IDEA. It can run alongside development, checking code line by line as it is written, and offers a way to address defects immediately.
Website Link: Klocwork
Cppcheck
Another free static analysis tool for C/C++. Its strength is integration with other development tools such as Eclipse, Jenkins, CLion, Visual Studio and many more. Its installer can be found at sourceforge.net.
Website Link: Cppcheck
Helix QAC
Helix QAC is a static analysis tool for C and C++ code from Perforce (formerly PRQA). It comes with a single installer and supports platforms such as Windows 7, Linux (RHEL 5) and Solaris 10. It gives very clear diagnostics, which helps in identifying the root cause and fixing defects quickly.
Website Link: Helix QAC
Goanna
A security-focused static analysis tool for C/C++ that integrates with Microsoft Visual Studio, Eclipse, Texas Instruments Code Composer and many other IDEs. It can be run like a compiler, so it can analyze individual files as well as whole projects. It also has good error reporting.
Website Link: Goanna
Polyspace
Polyspace Bug Finder finds defects in C/C++ code. It integrates with Eclipse and checks compliance with coding standards such as MISRA C, MISRA C++ and JSF++.
Website Link: Polyspace
Sourcemeter
A tool for analyzing C/C++, Java, C#, RPG and Python code. It also integrates with free static checkers such as Cppcheck, PMD and FindBugs. The basic version is free but has fewer features; decide based on your needs whether the free version is sufficient.
Website Link: Sourcemeter
ConQAT
A tool for clone (duplicate code) detection that supports multiple languages, integrates with other static analysis tools, and provides a dashboard showing the issues found and other quality metrics.
Website Link: ConQAT
Raxis
Raxis is a manual code review service rather than an automated tool. Its pitch is that a human reviewer avoids the false positives automated scanners often produce, which otherwise cost time and effort to triage.
Raxis scopes an amount of time that suits your company's code and assigns a security-focused former developer to analyze it for both general security and business-logic vulnerabilities, a class of flaw that automated tools are poor at finding.
Raxis communicates throughout so that your input is used in the review, and provides a report detailing each finding with screenshots and remediation advice. A high-level summary for management and a debriefing call are also included.
Website Link: Raxis Information Security
SonarQube
SonarQube is a household name in code quality and code security, aimed at helping developers write cleaner and safer code.
It ships thousands of automated static code analysis rules covering more than 25 programming languages and integrates directly with DevOps platforms so that analysis runs as part of the development workflow.
SonarQube fits with your existing tools and raises an alert when the quality or security of your codebase is at risk, for example by failing a quality gate in CI.
Website Link: SonarQube
PVS-Studio
PVS-Studio is a tool for detecting bugs and security weaknesses in the source code of programs written in C, C++, C# and Java. It works on Windows, Linux and macOS.
It can be integrated into Visual Studio, IntelliJ IDEA and other widespread IDEs, and the results of the analysis can be imported into SonarQube.
Website Link: PVS-Studio
reshift
Reshift is a SaaS-based platform that helps software development teams identify more vulnerabilities, faster, in their own code before it is deployed to production.
It aims to reduce the cost and time of finding and fixing vulnerabilities, to identify the potential risk of data breaches, and to help software companies meet compliance and regulatory requirements.
Website Link: Reshift
Embold
Embold is a software analytics platform that supports developers and teams in building higher-quality software in less time by speeding up code reviews.
It automatically prioritizes hotspots in the code and provides clear visualizations. Its multi-vector diagnostic technology analyzes software from several angles, including software design, and lets users manage and improve software quality transparently.
You can run Embold in the cloud, or, for IntelliJ IDEA users, download a free plugin directly in the IDE.
Website Link: Embold
SmartBear Collaborator
SmartBear Collaborator is a peer code review tool (not an automated analyzer) suitable for remote as well as co-located teams. It can be used to review various artifacts such as designs, requirements, documentation, user stories, test plans and source code.
It integrates with GitHub, GitLab, Bitbucket, Jira, Eclipse, Visual Studio and others. As proof of review it offers electronic signatures, and it provides detailed reports. The tool can be used by businesses of any size.
Collaborator has many more features, such as tracking and managing defects, customizing review templates, and collaborating on software artifacts and documents. It can be tried for free, and pricing starts at $554 per year for a 5-user pack.
Website Link: SmartBear Collaborator
CodeScene Behavioral Code Analysis
CodeScene prioritizes technical debt and code quality issues based on how the organization actually works with the code (its version-control history), so the results are limited to information that is relevant, actionable and translates directly into business value.
CodeScene also goes beyond traditional tools by measuring the organizational and people side of your system, detecting coordination bottlenecks in the software architecture, off-boarding risks and knowledge gaps.
Finally, CodeScene integrates into your CI/CD pipeline as an extra reviewer that predicts delivery risks and offers context-aware quality gates to supervise the health of your code.
Website Link: CodeScene
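Several tools above (SonarQube, CodeScene) sell "quality gates" that fail a build on new findings, and two entries (Raxis, RIPS) stress false-positive noise. The following added example, which is not code from the article or from any of those vendors, shows the mechanics of such a gate over SARIF, the interchange format most modern analysers can emit: findings are fingerprinted, accepted or known-false-positive ones are suppressed through a baseline, and the build fails only on new findings that are errors or meet a severity threshold. The SARIF document, rule names and threshold are constructed for the demo.

```python
"""CI quality gate over SARIF output from a static analyser.

Added example; it is not code from the article or from SonarQube/CodeScene.
The SARIF document, rule names and severity threshold are constructed for
the demo; real tools emit the same structure."""
import hashlib
import json
from typing import Dict, List, Set


def _loc(uri: str, line: int) -> dict:
    """Build a SARIF location object for a file and line."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed SARIF 2.1.0 report: one blocking, one medium and one style finding.
SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "demo-analyser", "rules": [
            {"id": "php.sqli", "properties": {"security-severity": "9.8"}},
            {"id": "php.xss", "properties": {"security-severity": "6.1"}},
            {"id": "style.unused-var", "properties": {"security-severity": "0.0"}},
        ]}},
        "results": [
            {"ruleId": "php.sqli", "level": "error",
             "message": {"text": "Tainted data reaches mysqli_query"},
             "locations": [_loc("src/user.php", 4)]},
            {"ruleId": "php.xss", "level": "warning",
             "message": {"text": "Unescaped output"},
             "locations": [_loc("src/user.php", 6)]},
            {"ruleId": "style.unused-var", "level": "note",
             "message": {"text": "Variable $tmp is never used"},
             "locations": [_loc("src/util.php", 12)]},
        ],
    }],
})


def fingerprint(rule: str, uri: str, line: int) -> str:
    """Stable id for a finding, used to baseline accepted or false-positive results.
    (Tools that emit partialFingerprints can be used instead of this.)"""
    return hashlib.sha256(f"{rule}|{uri}|{line}".encode()).hexdigest()[:16]


def load_findings(sarif_text: str) -> List[Dict]:
    """Flatten SARIF results, attaching the rule's security-severity score."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc["runs"]:
        rules = run["tool"]["driver"].get("rules", [])
        severity = {r["id"]: float(r.get("properties", {}).get("security-severity", 0.0))
                    for r in rules}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            uri, line = loc["artifactLocation"]["uri"], loc["region"]["startLine"]
            findings.append({
                "rule": res["ruleId"], "level": res.get("level", "warning"),
                "severity": severity.get(res["ruleId"], 0.0),
                "file": uri, "line": line, "text": res["message"]["text"],
                "fingerprint": fingerprint(res["ruleId"], uri, line),
            })
    return findings


def gate(findings: List[Dict], baseline: Set[str], min_severity: float = 7.0) -> Dict:
    """Fail on findings not in the baseline that are errors or at least min_severity."""
    new = [f for f in findings if f["fingerprint"] not in baseline]
    blocking = [f for f in new if f["level"] == "error" or f["severity"] >= min_severity]
    return {"passed": not blocking, "blocking": blocking,
            "new": len(new), "suppressed": len(findings) - len(new)}


if __name__ == "__main__":
    found = load_findings(SARIF)
    verdict = gate(found, baseline=set())   # baseline would normally be read from a file
    for f in verdict["blocking"]:
        print(f'{f["file"]}:{f["line"]} {f["rule"]} ({f["severity"]}) {f["text"]}')
    raise SystemExit(0 if verdict["passed"] else 1)
```

With an empty baseline only the SQL injection finding blocks; after a reviewer records its fingerprint in the baseline file the gate passes, while the XSS warning is still reported for follow-up. Keeping the baseline in version control makes every suppression reviewable, which is the practical answer to the false-positive noise the manual-review vendors above complain about.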
RIPS Technologies
RIPS performs language-specific security analysis (it originated as a PHP analyser) and targets complex vulnerabilities nested deep in the source code that generic tools tend to miss.
It supports major frameworks, SDLC integration and relevant industry standards, and can be deployed as self-hosted software or used as software-as-a-service. The vendor emphasises accuracy and low false-positive noise, though as with any analyser some triage should be expected. RIPS is aimed at Java and PHP applications.
Website Link: RIPS Technologies
Veracode
Veracode is a SaaS-based static analysis tool whose focus is security rather than general code quality.
It analyzes compiled binaries and bytecode rather than source, so it can cover third-party and legacy components for which no source is available and does not require you to upload source code; this does not, however, guarantee complete coverage of every execution path. It is a good choice for teams that want security findings early in development.
Website Link: Veracode
Fortify Static Code Analyzer
Fortify, originally from HP and now sold by Micro Focus (part of OpenText), helps developers write secure code. Development and security teams can use it together to find and fix security-related issues. While scanning the code, it ranks the issues found so that the most critical ones are fixed first.
Website Link: Micro Focus Fortify Static Code Analyzer
Parasoft
Parasoft is one of the strongest suites for static analysis testing. It differs from the other tools in supporting several analysis techniques in one product: pattern-based, flow-based, third-party analysis, and metrics and multivariate analysis.
Beyond identifying defects, it also provides features for preventing them, such as enforcing coding standards as code is written.
Website Link: Parasoft
Honourable Mentions
- PHPStan is the most commonly used of the PHP tools and also one of the youngest; it has been rapidly adopted since its release in 2016. It discovers bugs in your code without running it.
- Psalm was also released in 2016 and has grown in popularity a little more slowly. It claims more features out of the box and focuses on type-related bugs.
- Scrutinizer is the most popular commercial option in use by open-source projects and has been around longer than its open-source counterparts. It is free for open-source projects but is only available as a hosted solution.
- Phan isn’t used by many of the projects I reviewed but is popular and well supported. It was created at Etsy and appears to be the primary tool used by Wikipedia’s MediaWiki project. Its advertised upside is a focus on minimizing false positives, which makes it easy to adopt but means it may catch fewer issues than the other options.
- PHP Mess Detector: an older static analysis tool that offers somewhat different functionality. Besides identifying potential bugs it can also help identify generally poor code. It is very mature and may be more useful for targeted project analysis.
- SonarQube: covered above; its Community Edition is good at detecting bugs and vulnerabilities and at improving code quality generally. SonarSource also provides an IDE extension, SonarLint, which complements the CI offering.
- PhpStorm code inspections: the inspection tools built into PhpStorm are impressive and can identify many potential issues without any additional tooling.
- PHP Inspections (EA Extended): a plugin for IntelliJ/PhpStorm that supplements the inspections built into PhpStorm.
Conclusion
Knowing all the threats that are out there is good, but knowing about them isn’t enough; you must also be able to find them in your own code. The tools above, from free checkers such as Cppcheck and PHPStan to commercial suites and manual review services, are where to start.