Can static code analysis be compared with anti-malware software?

Question

1.00/5 (1 vote)

See more:

Is static code analysis comparable to anti-malware software, as both only find already known vulnerabilities or malware and the rest is supposed to be found by some voodoo heuristics?

What I have tried:

I have only thought about it so far.

Posted 16-Jan-22 5:10am

Atalanttore

Updated 16-Jan-22 6:45am

Add a Solution

2 solutions

Solution 2

There are analyzers for code security too, see: code-security-analyzers[^]
But the term "Static Analyzer" usually refers to code analysis tools for measuring code quality like these: best-open-source-c-static-analysis-tools[^]

Posted 16-Jan-22 6:45am

RickZeeland

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2022-01-16T05:26:00

They do totally different things: anti-malware looks for signatures (sometimes using pattern analysis rather than fixed strings) of malicious activity.

Static code analysis is to do with checking that source code meets defined rules and guidelines (such as "all DB access must use parameterised queries" or "all methods must have a single point of exit").

They really aren't comparable.