Comparison of tested SAST tools

Tools

Flawfinder
- Flawfinder Website
- Languages
  - C/C++
- Pricing
  - Free
- GUI
  - No
- OS
  - Linux, Windows (Cygwin)
- GitLab CI
  - Yes (deprecated)
- Findings
  - Does not detect out-of-bounds array indices

VisualCodeGrepper
- VCG Website
- Languages
  - C/C++, C#, Java, VB, PL/SQL, PHP, COBOL
- Pricing
  - Free
- GUI
  - Yes
- OS
  - Windows
- GitLab CI
  - No
- Findings
  - Does not detect out-of-bounds array indices

Cppcheck
- Cppcheck Website
- Languages
  - C/C++
- Pricing
  - Free
  - Premium available
- GUI
  - Yes
- OS
  - Linux, Windows (requires compiler)
- GitLab CI
  - Yes
  - GitLab repo
- Findings
  - Does detect specific out-of-bounds array indices

Semgrep
- Semgrep Website
- Languages
  - C/C++
- Pricing
  - Free
  - Premium available
- GUI
  - Yes (web app)
  - Only findings are uploaded, not code
- OS
  - Linux, Windows (requires compiler)
- GitLab CI
  - Yes
- Findings
  - Does not detect out-of-bounds array indices

Recommendation
Either use Cppcheck on its own or Cppcheck in combination with Semgrep in the CI pipeline. The CI pipeline naturally also includes a compilation stage after the SAST stage, and the compiler's own warnings can catch further errors that the SAST stage did not report.
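As an added illustration of the recommended layout (not a configuration taken from the page or from either project), the following GitLab CI file runs Cppcheck and Semgrep in a SAST stage ahead of a compile stage; the container images, the `src/` layout and the chosen Cppcheck checks are assumptions.

```yaml
# Added example: SAST stage first, compile stage second.
# Image names, the src/ path and the selected checks are assumptions.
stages:
  - sast
  - build

cppcheck:
  stage: sast
  image: ubuntu:22.04
  before_script:
    - apt-get update && apt-get install -y cppcheck
  script:
    # --error-exitcode=1 fails the job on any reported finding, which is how
    # an out-of-bounds array index reported by Cppcheck blocks the pipeline.
    # --inline-suppr honours "// cppcheck-suppress <id>" comments for reviewed
    # false positives instead of silencing a whole check globally.
    - cppcheck --enable=warning,style,performance --error-exitcode=1 --inline-suppr src/

semgrep:
  stage: sast
  image: semgrep/semgrep
  script:
    # Rules are fetched from the Semgrep registry; --error exits non-zero on findings.
    - semgrep scan --config auto --error src/
  # Semgrep is the complementary scanner here, so do not let it block the build alone.
  allow_failure: true

build:
  stage: build
  image: gcc:13
  script:
    # The compilation stage runs only after the SAST stage; -Werror turns the
    # compiler's own diagnostics into a second, independent gate.
    - gcc -Wall -Wextra -Werror -O2 -o app src/*.c
```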