When talking about C++, DevOps, DevSecOps, Agile, speed, and the shift left approach (there’s a lot of talking), it seems that the landscape of static code analysis tools is one that should not be overlooked.
There is no denying that Static Code Analysis has many benefits as far as automation, security and speed go (so long, manual reviewing). And with the code inflation trend, tending to huge codebases (C++, people, C++) requires appropriate attention.
With all that said, some claim that static code analysis is not (yet) part of the hype. Despite the fact there are many (many) Static Code Analysis tools out there, some of which are dedicated solely to C++, there are plenty of devs that treat it as a ‘nice to have’, a luxury, instead of a must. Of course, it doesn’t help that running full static code analysis on the entire code base could be quite time-consuming, which is incentive enough to avoid doing it.
However, more and more devs are starting to realize that static code analysis has the potential to contribute to product quality, security and even time to market. The numbers don’t lie; this market is definitely growing. According to MarketWatch, while in 2019 the global Static Code Analysis Software market size was USD 643.2 million, it is estimated to reach USD 1739.4 million by the end of 2026. Quite an impressive growth curve that justifies examining the top C++ Static code analysis tools available… So, let’s jump right in.
1. Klocwork (Perforce)
Klocwork by Perforce is a leader among C++ static code analysis tools, and there is a reason for that: it specializes in large codebases, which is a big plus. It has more than 1K checkers and lets you create custom checkers. It accounts for both false positives and false negatives (which some tools fail to do), and it is one of the few tools that provide differential analysis, meaning it focuses on new and changed code to give you the shortest possible analysis times. And… it’s not just another static analysis tool – it’s also a SAST (static application security testing) tool, so the security aspect is pretty much covered. Additionally, it integrates with many IDEs and CI/CD tools. Finally, we can’t just ignore the fact that it has an amazing integration with Incredibuild to accelerate the execution of its analysis.
2. Cppcheck
Cppcheck is a popular, open-source, free, cross-platform static code analysis tool dedicated to C and C++. It is known for being easy to use, and its simplicity is one of its pros: you can get started without any adjustments or modifications, which is why it’s often recommended for beginners. It also has a reputation for reporting a relatively small number of false positives, or at least that’s the tool’s aspiration.
3. CppDepend (CoderGears)
CppDepend is a commercial static code analysis tool for C++. It can complement other static code analysis tools quite easily, as it focuses on analyzing and visualizing the code base architecture (for example, whether it is layered correctly, dependencies-wise) rather than on revealing errors. Speaking of dependencies, its Dependency Graph feature is something to write home about, and so are its trend monitoring capabilities (what has changed between builds). Like Klocwork, it also allows you to write custom rules.
4. Parasoft C/C++test
Parasoft C/C++test is a popular commercial set of testing tools for C/C++ targeting enterprise and embedded applications (industries that are often required to adopt static code analysis for security reasons). It includes a static code analysis tool as well as dynamic code analysis, unit testing, code coverage, runtime analysis, and other functions. As far as static code analysis goes, this tool differs from others in that it offers a rich set of techniques and rules (over 2,500 of them). In addition, Parasoft provides Qualification Kits and functional safety certifications. However, Parasoft’s true value, where it really shines, is being a comprehensive suite of tools that lets you close the loop: analyze the code, prioritize the findings, and manage them (including assigning findings to team members). Most recently, Parasoft announced its support for IAR Systems’ build tools for Linux for Arm, which allows developers to configure fast and scalable CI/CD pipelines on Linux servers.
5. PVS-Studio
PVS-Studio… No list is complete without this commercial tool. Its specialty is detecting bugs that no one suspects: typos and copy-paste mistakes, for example. It can integrate with popular CI tools such as Jenkins, TeamCity, Azure DevOps, and more. In addition, it can integrate with SonarQube, a tool that some confuse with a static code analysis tool (whereas it’s more for detecting code smells). Another amazing thing about PVS-Studio is its documentation – it has more than 700 pages of info. If you’re interested in learning about PVS-Studio integration with Incredibuild, check out this blog post!
6. Coverity (Synopsys)
Coverity static analysis is well known. The solution locates errors and weaknesses as the code is being written, saving a lot of time and hassle. Additionally, it has a free cloud-based service, Coverity Scan, for the benefit of the open-source community. It’s considered very accurate and comprehensive, providing deeper analysis than many other tools, basing its checkers on analysis of over 10 billion lines of code!
7. Polyspace (MathWorks)
Polyspace is a static analysis tool that identifies and fixes, or proves the absence of, potential run-time errors (such as divide-by-zero) and checks if the source code follows code standards like MISRA C, MISRA C++, and JSF++. In addition, it highlights unproven checks that must be reviewed manually. It is commonly used in the embedded software arena (especially in transportation, such as automotive, aerospace, and railway transport, where safety is of the essence).
8. Flawfinder
Flawfinder is a free open-source tool developed by security expert David A. Wheeler. It focuses, not surprisingly, mainly on locating security flaws (hence the name), sorted by risk level (the riskiest first). It is pretty straightforward, simple and fast, which is why a lot of beginners use it.
9. Helix QAC (Perforce)
Helix QAC is yet another excellent code analysis tool by Perforce for C and C++ that is popular amongst “tightly regulated and safety-critical industries” such as automotive. It also automatically enforces coding standards, such as MISRA®, which ensures your code is compliant.
Use It Wisely
Any one of the tools mentioned here is sufficient on its own, but there are those who mix it up and use two or more tools combined. By combining various static code analysis tools they manage to reach optimal detection of faults. After all, that’s the bottom line, isn’t it? However, choosing not to choose has its downside: you might receive conflicting information and an increased number of false positives. Indeed, research shows that at times a single tool performs better than the best combination of tools. I’m not saying that you shouldn’t combine, though. I’m just saying you should test the waters and see what works for you, whether that’s several tools or just one.
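If you do run two tools side by side, the practical problem is the flood of overlapping and conflicting findings. The script below is an added example (not from the original post or any of the vendors above): it parses constructed sample output whose line shapes are assumed to resemble Cppcheck’s gcc-style template and Flawfinder’s report, merges the findings by file and line, and puts locations flagged by more than one tool at the top of the review queue, since independent agreement is a cheap way to separate likely-real defects from single-tool false positives.

```python
import re
from collections import defaultdict

# Constructed sample output from two analyzers run over the same (hypothetical) tree.
# The line shapes mimic cppcheck's "--template=gcc" output and flawfinder's report,
# but both are assumptions made for this example, not captured tool output.
CPPCHECK_OUT = """\
src/parse.cpp:42:5: warning: Buffer is accessed out of bounds: buf [arrayIndexOutOfBounds]
src/parse.cpp:77:9: error: Division by zero. [zerodiv]
src/io.cpp:15:3: style: Variable 'n' is assigned a value that is never used. [unreadVariable]
"""
FLAWFINDER_OUT = """\
src/parse.cpp:42:  [4] (buffer) strcpy: Does not check for buffer overflows (CWE-120).
src/io.cpp:88:  [2] (misc) open: Check when opening files - can an attacker redirect it (CWE-362).
"""

# Both tools start each finding with "<file>:<line>:"; everything after that is the message.
FINDING_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):\s*(?P<msg>.+)$")


def parse_findings(tool: str, text: str) -> list[tuple[str, int, str, str]]:
    """Return (file, line, tool, message) for each output line that looks like a finding."""
    found = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            found.append((m["file"], int(m["line"]), tool, m["msg"]))
    return found


def merge_findings(*tool_outputs: tuple[str, str]) -> dict[tuple[str, int], dict[str, str]]:
    """Group findings from several tools by (file, line) so overlaps become visible."""
    merged: dict[tuple[str, int], dict[str, str]] = defaultdict(dict)
    for tool, text in tool_outputs:
        for file, line, name, msg in parse_findings(tool, text):
            merged[(file, line)][name] = msg
    return dict(merged)


def triage(merged: dict[tuple[str, int], dict[str, str]]) -> list[tuple[str, int]]:
    """Order locations: flagged by the most tools first, then by file and line.
    A spot several analyzers agree on is rarely a false positive, so it is reviewed first."""
    return sorted(merged, key=lambda loc: (-len(merged[loc]), loc))


if __name__ == "__main__":
    merged = merge_findings(("cppcheck", CPPCHECK_OUT), ("flawfinder", FLAWFINDER_OUT))
    for file, line in triage(merged):
        tools = merged[(file, line)]
        print(f"{file}:{line} flagged by {len(tools)} tool(s): {', '.join(sorted(tools))}")
```

Findings that only one tool reports are not discarded; they simply sort below the corroborated ones, so the conflicting-information problem the post describes becomes an ordering decision rather than a reason to skip analysis.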
Also, if you’re thinking about code analysis tools and wondering which tool (or tools) fit you best, don’t forget about the performance issue I discussed above. Static code analysis can, and in many cases does, take a lot of time to process. You see, many developers choose to skip code analysis completely, or not run it frequently enough, because it’s time-consuming and can work against the agility they are aiming for.
Here at Incredibuild we are very well acquainted with static code analysis tool performance (as well as dynamic code analysis). Why? It’s not because we just love static code analysis tools (although we do), or because we’ve used them (although we have); it’s because we can turbocharge them, making them run a whole lot faster. Being in the business of making things faster, we don’t neglect code analysis tools, so the time barrier I discussed above, the one that prevents some devs from entering the world of code analysis tools and restricts others to only running code analysis over the weekend (after all, it can take up to 20 hours to run), is no longer a barrier. The best combo (in my opinion) of static code analysis tools is one that takes Incredibuild into consideration.