SonarSource delivers what is probably the best static code analysis you can find for C. It uses the most advanced techniques (pattern matching, dataflow analysis) to analyze code and find Code Smells, Bugs, and Security Vulnerabilities. As with everything we develop at SonarSource, it was built on the principles of depth, accuracy, and speed.

SonarSource's C analysis has great coverage of well-established quality standards. This capability is available in Eclipse CDT for developers (SonarLint) as well as throughout the development chain for automated code review with self-hosted SonarQube or cloud-based SonarCloud.

Samples of Issues Detected
 
  • Condition always true
  • Memory leak

Supported Compilers, Language Standards and Operating Systems
  • Clang, GCC, MSVC, ARM, QNX compilers
  • Intel compilers for Linux, macOS
  • Compilers based wholly on GCC including Linaro GCC
  • Wind River Diab and GCC
  • IAR compilers for 8051, ARM, AVR32, AVR, Renesas RL78, Renesas RX, Renesas V850, Renesas H8, and Texas Instruments MSP430
  • Texas Instruments compilers on Windows and macOS for ARM, C2000, C6000, C7000, MSP430, PRU
  • C89, C99, C11, C18 standards
  • GNU extensions
  • Microsoft Windows, Linux and macOS for runtime environment
Metrics

SonarSource's C analysis supports all the standard metrics implemented by SonarQube including Cognitive Complexity. Additionally, it supports the import of Microsoft Visual Studio and GCOV Coverage reports along with the import of CPPUnit unit reports.

Custom Rules

SonarSource's C analysis doesn't yet provide the ability to write custom rules.

CWE Compatibility

SonarSource's C analysis is officially registered as CWE Compatible.

