Sunday, August 26, 2007
Secure Coding Practices
Many security practitioners are starting to embrace the notion of Secure Coding practices where they use tools from vendors such as Coverity, Ounce Labs, Fortify Software and others.
The interesting thing is that they treat dead code detection almost as a second-class citizen. Code that no test ever executes is code that nobody has verified in practice, and that is exactly what a coverage tool exposes. Maybe the first action item should be for those vendors to figure out how to put code coverage tools into the same box...
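To make the dead-code point concrete, here is an added example (not code from the original post or from any tool listed on it): a minimal line-coverage tracer built on `sys.settrace`, run over a constructed sample function whose second check can never be reached. The function names, the sample source and the test inputs are all assumptions made for this example; the report it produces, lines that no case executed, is the signal the post says static-analysis vendors should be surfacing next to their findings.

```python
"""Line coverage as a dead-code detector.

Added example, not code from the original post or from any of the tools it
lists: a minimal line-coverage tracer built on sys.settrace, run over a
constructed sample function that contains a branch no input can reach.
Lines that no test executes are the ones to cross-check against a static
analysis report: they ship, but nothing ever exercises them.
"""
import dis
import sys
import types

# Constructed sample (assumption for this example): a length check whose
# second branch is unreachable because the first check already rejects
# every input that could satisfy it. Line numbers are relative to this string.
SAMPLE_SOURCE = """\
def validate_length(data, limit):           # line 1
    if len(data) > limit:                   # line 2
        return False                        # line 3
    if len(data) > limit * 2:               # line 4: dead, already rejected at line 2
        raise ValueError("way too long")    # line 5: never executed
    return True                             # line 6
"""


def load_source(source, filename):
    """Compile and execute a source string; return its code object and namespace."""
    code = compile(source, filename, "exec")
    namespace = {}
    exec(code, namespace)
    return code, namespace


def executable_lines(module_code):
    """Collect the line numbers of every statement inside function bodies.

    Module-level code (the 'def' statements themselves) runs once at load
    time, before tracing starts, so it is excluded. The line holding the
    'def' keyword is excluded as well: newer CPython versions attach a
    RESUME instruction to it, and it is not a body statement.
    """
    lines = set()
    pending = [module_code]
    while pending:
        code = pending.pop()
        pending.extend(c for c in code.co_consts if isinstance(c, types.CodeType))
        if code is module_code:
            continue
        for _offset, lineno in dis.findlinestarts(code):
            if lineno is not None and lineno != code.co_firstlineno:
                lines.add(lineno)
    return lines


def trace_call(filename, func, *args):
    """Call func(*args) under a line tracer restricted to frames from filename."""
    executed = set()

    def tracer(frame, event, _arg):
        if frame.f_code.co_filename != filename:
            return None  # not the sample code: leave this frame untraced
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(None)
    return result, executed


def find_untested_lines(source, cases, filename="<sample>"):
    """Run each (function name, args) case; report lines no case executed."""
    module_code, namespace = load_source(source, filename)
    executed, results = set(), []
    for func_name, args in cases:
        result, lines = trace_call(filename, namespace[func_name], *args)
        results.append(result)
        executed |= lines
    untested = sorted(executable_lines(module_code) - executed)
    return results, untested


if __name__ == "__main__":
    cases = [("validate_length", ("abc", 5)), ("validate_length", ("abcdefgh", 5))]
    results, untested = find_untested_lines(SAMPLE_SOURCE, cases)
    print("results:", results)
    print("lines never executed by any case:", untested)
```

Running it reports line 5 as never executed even though both branches of the first check were exercised; a reviewer who sees that line flagged can decide whether it is genuinely dead (remove it) or a gap in the tests (write one).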
Listed below are several tools that can help (assume open source unless marked closed):
For Java:
- http://hansel.sourceforge.net/ Instruments classes in ClassLoader, integrates with JavaUnit
- http://www.jcoverage.com/ Ant task, line and branch coverage
- http://cobertura.sourceforge.net/ Instruments class files, Ant tasks
- http://www.cenqua.com/clover/ Free for use on open source projects, integrates well with common Java IDEs
- NoUnit @ http://nounit.sourceforge.net/ - OpenSource (GNU)
- Quilt @ http://quilt.sourceforge.net/ - OpenSource, JavaUnit, Ant, instrumenting ClassLoader
- Gretel @ http://sourceforge.net/projects/gretel - [old version of Hansel?]
- The "Java Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/JavaTestCoverage.html - ClosedSource, Instruments Source, displays results superimposed on browsable source. US$200 as of 8/1/2004.
- JBlanket (Software Information) @ http://csdl.ics.hawaii.edu/Tools/JBlanket/ - a tool for assessing and improving method coverage of unit test cases. It is integrated with JUnit and Ant.
MutationTesting: (which isn't really CodeCoverage, but it's related)
- Jester @ http://jester.sourceforge.net/ - changes your code, and then runs your tests. (If arbitrary changes to the code don't break the tests, then is your code sufficiently tested?)
for .NET (DotNet):
- Clover.NET @ http://www.cenqua.com/clover.net/ - ClosedSource (but free for use on OpenSource projects), C# and VB.NET, statement, method and branch coverage, from command line, Visual Studio, and NAnt (preliminary mono support)
- NCover @ http://ncover.sourceforge.net/ - OpenSource, path coverage, NUnit, NAnt
- CoverageEye.NET @ http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=881a36c6-6f45-4485-a94e-060130687151 - uses a COM component to leverage the .NET profiling API
- "DevPartner Studio Professional Edition" @ http://www.compuware.com/products/devpartner/1563_ENG_HTML.htm - $$$
- "Perform Code Coverage Analysis with .NET to Ensure Thorough Application Testing", an MSDN article on building "A custom code coverage tool" @ http://msdn.microsoft.com/msdnmag/issues/04/04/CodeCoverageAnalysis/default.aspx
- "C# Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CSharpTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$250 as of 8/1/2004.
C/C++:
- tcov = Sun Unix C profiler. See "tcov(1)" man page. It annotates (mangles) your source code to add instrumentation.
- gcov = GNU C/C++ equivalent of "tcov".
- Dynamic Code Coverage for Sun Solaris @ http://www.dynamic-memory.com/coverageanalysis.php
- "C Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$400 as of 8/1/2004. ANSI, Microsoft Visual6 C, and GNU C dialects all supported.
- "C++ Test Coverage Tool" @ http://www.semanticdesigns.com/Products/TestCoverage/CppTestCoverage.html - ClosedSource. Instruments Source, displays results superimposed on browsable source. US$500 as of 8/1/2004. ANSI and Microsoft Visual6 C++ dialects both supported.