Reference: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Essentially, Yasca is an open-source plugin framework for static code analysis. It integrates popular multi-language static analysis tools such as FindBugs, PMD, JLint, RATS and cppcheck, and because the plugins themselves are so varied it can analyze Java, C++ and other languages.
Download yasca-2.1.zip and the plugin archives from http://sourceforge.net/projects/yasca/files/.
Unzip yasca-2.1.zip into D:\tools\yasca-2.1 and unzip each plugin into that same directory. A more detailed directory layout is described in D:\tools\yasca-2.1\install.txt.
Run the sample that ships with Yasca, producing a level-1 report for the non-PHP files:
D:\tools\yasca-2.1>yasca -i php -l 1 resources/test/
Yasca 2.1 - http://www.yasca.org/ - Michael V. Scovetta
Commercial support is now available for Yasca. Contact scovetta@users.sourceforge.net for more information.
Initializing components...
Using Static Analyzers located at [d:\tools\yasca-2.1\]
Starting scan. This may take a few minutes to complete...
Forking external process (antiC)...
External process completed...
Plugin "ClamAV" not installed. Download it at yasca.org.
Plugin "cppcheck" not installed. Download it at yasca.org.
Forking external process (FindBugs)...
External process completed...
Forking external process (FxCop)...
[E_WARNING] [ D:\tools\yasca-2.1\plugins\FxCop.php:68 ] DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1
FxCop did not return a valid XML document. Ignoring.
Plugin "javascriptlint" not installed. Download it at yasca.org.
Forking external process (JLint)...
External process completed...
Forking external process (PMD) for ./plugins/default/pmd/yasca-rules.xml...
External process completed...
Forking external process (PMD) for ./plugins/default/pmd/yasca.xml...
External process completed...
Forking external process (RATS)...
[E_WARNING] [ D:\tools\yasca-2.1\plugins\Rats.php:51 ] DOMDocument::loadXML(): Empty string supplied as input
RATS did not return a valid XML document. Ignoring.
Creating report...
Results have been written to C:\DOCUME~1\JIANZH~1.LIA\LOCALS~1\Temp\Yasca-Report-20091108110623.html
From the output above you can see that JLint, PMD and RATS were used to analyze the code. Unfortunately RATS hit an exception on Windows.
Looking at the results, the scan detected SQL Injection, Cross-Site Scripting, Code Quality: Functions and Authentication findings, which are the most valuable recommendations.
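Because a plugin that is not installed, or whose output Yasca discards (FxCop and RATS above), silently contributes nothing to the report, it is worth checking the scan log for which analyzers actually ran. The script below is an added example, not part of Yasca or of the original post; it parses the status lines from the log shown above (embedded here as a constructed sample) and classifies each analyzer.

```python
import re

# Constructed sample: the status lines from the scan log above.
SAMPLE_LOG = """\
Initializing components...
Forking external process (antiC)...
External process completed...
Plugin "ClamAV" not installed. Download it at yasca.org.
Plugin "cppcheck" not installed. Download it at yasca.org.
Forking external process (FindBugs)...
External process completed...
Forking external process (FxCop)...
[E_WARNING] [ D:\\tools\\yasca-2.1\\plugins\\FxCop.php:68 ] DOMDocument::loadXML(): Start tag expected
FxCop did not return a valid XML document. Ignoring.
Plugin "javascriptlint" not installed. Download it at yasca.org.
Forking external process (JLint)...
External process completed...
Forking external process (PMD) for ./plugins/default/pmd/yasca-rules.xml...
External process completed...
Forking external process (RATS)...
[E_WARNING] [ D:\\tools\\yasca-2.1\\plugins\\Rats.php:51 ] DOMDocument::loadXML(): Empty string supplied as input
RATS did not return a valid XML document. Ignoring.
Creating report...
"""

FORK_RE = re.compile(r'^Forking external process \((\w+)\)')
MISSING_RE = re.compile(r'^Plugin "([^"]+)" not installed')
IGNORED_RE = re.compile(r'^(\w+) did not return a valid XML document')

def analyzer_status(log_text):
    """Map each analyzer named in a Yasca log to 'ok', 'ignored' or 'missing'.

    'ok' means the plugin was forked and its output was kept; 'ignored' means
    the wrapper rejected its output, so none of its findings reach the report;
    'missing' means the plugin is not installed at all.
    """
    status = {}
    for line in log_text.splitlines():
        if m := FORK_RE.match(line):
            status.setdefault(m.group(1), 'ok')   # PMD forks twice; keep first
        elif m := MISSING_RE.match(line):
            status[m.group(1)] = 'missing'
        elif m := IGNORED_RE.match(line):
            status[m.group(1)] = 'ignored'
    return status

def effective_analyzers(log_text):
    """Analyzers whose findings actually made it into the report."""
    return sorted(a for a, s in analyzer_status(log_text).items() if s == 'ok')

if __name__ == '__main__':
    for name, s in sorted(analyzer_status(SAMPLE_LOG).items()):
        print(f'{name:15} {s}')
```

On a real run, pipe Yasca's console output to a file and pass its contents to `analyzer_status` to confirm the report covers the languages you expected.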