Clang Static Analyzer

Basic Information
Tool first release date: 2003-12-08
Version release date: 2013-06-17
Software cost: Free
Software license: University of Illinois/NCSA Open Source License
Process Integration
Deployment model: Standalone Server
Analysis inputs: Compilation along with all dependencies
Display results in IDE: Xcode
Can schedule scans
API method to report results in SARIF format
API method to report results in XML/JSON/CSV format
Coverage
Supported programming languages: C, C++, Objective-C
Claimed Weakness Coverage
Claimed Weakness Coverage information hasn't been collected yet for this analyzer.
Weakness Coverage
Claimed CWE coverage notes: TBD
Checker Customization
Can disable checkers
Can customize checker logic
First-class API to create new checkers
Speed & Scalability
Scan duration times courtesy of the
Apache HTTP v2.4.6: 28 min 16 sec
Dovecot v2.2.6: 49 min 20 sec
HTCondor v8.5.7: 2 hr 16 min 44 sec
lighttpd v1.4.45: 10 min 23 sec
MySQL v5.6.13: 2 hr 47 min 38 sec
Nagios v4.0.0: 13 min 34 sec
OpenSSL v1.0.1g: 23 min 1 sec
postgresql v9.3.1: 52 min 29 sec
R v3.3.1: 38 min 52 sec
Suricata v1.4.5: 14 min 37 sec
VLC v2.1.0: 59 min 54 sec
Wireshark v2.2.0: 1 hr 12 min 41 sec
Results Quality
Results Quality information hasn't been collected yet for this analyzer.
NIST SATE V, Juliet v1.2
Total Tests: 122,652
Precision: 0.92
Recall: 0.08
Accuracy: 0.54
F1 Score: 0.15
Discrimination Rate: 0.07
8 of 100 issues found, 1 false positive
If there were 100 issues in a code base, it would report 8 of them and miss the other 92. In addition, it would generate a warning for 1 issue that doesn't really exist.
Reporting
Results suppression even after code changes
Support
Open source project health