Static code analysis is the analysis of computer software that is
performed without actually executing programs built from that software (analysis
performed on executing programs is known as dynamic analysis). In most cases the
analysis is performed on some version of the source code; in the remaining cases it
is performed on some form of the object code. The term is usually applied to the analysis
performed by an automated tool, with human analysis being called program
understanding or program comprehension.
The sophistication of the analysis performed by tools varies from those that
only consider the behavior of individual statements and declarations, to those
that include the complete source code of a program in their analysis. Uses of
the information obtained from the analysis vary from highlighting possible
coding errors (e.g., the lint tool) to formal methods that mathematically prove
properties about a given program (e.g., its behavior matches that of its
specification).
Some people consider software metrics and reverse engineering to be forms of
static analysis.
A growing commercial use of static analysis is in the verification of
properties of software used in safety-critical computer systems and locating
potentially vulnerable code.
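To make the distinction between statement-level and whole-program analysis concrete, and to show what "locating potentially vulnerable code" looks like in practice, here is a small added example of a static analyzer written for this page; it is not code from the original text or from any existing tool. It parses a program into a syntax tree with Python's `ast` module and never executes it. The names `Analyzer`, `analyze`, `SAMPLE`, `SINKS` and `SOURCES` are hypothetical, the sample program is constructed, and the two rules are deliberately simple: a statement-level rule that looks at a single call in isolation, and a whole-program rule that tracks assignments across the module so it can tell whether a call's argument was derived from user input.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample program. It is only parsed, never executed: the analyzer
# reasons about the syntax tree, which is what makes this static analysis.
SAMPLE = '''
import os
cmd = input("command? ")
os.system(cmd)              # untrusted input reaches a shell
os.system("ls -l")          # constant argument, not flagged
x = eval("1 + 1")           # constant argument, not flagged
full = "echo " + cmd        # taint propagates through the assignment
os.system(full)             # flagged by the whole-program rule
y = eval(build_expr())      # unknown non-constant argument, lower severity
'''


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Hypothetical rule tables: calls that should only receive constant or trusted
# arguments, and calls whose result is considered attacker-controlled.
SINKS = {"eval", "exec", "os.system"}
SOURCES = {"input"}


def call_name(node: ast.Call) -> Optional[str]:
    """'eval' for eval(...), 'os.system' for os.system(...), else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


class Analyzer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: Set[str] = set()      # names holding user-derived data
        self.findings: List[Finding] = []

    def _value_is_tainted(self, value: ast.AST) -> bool:
        # An expression is tainted if it calls a source or mentions a tainted name.
        for sub in ast.walk(value):
            if isinstance(sub, ast.Call) and call_name(sub) in SOURCES:
                return True
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        # Whole-program rule: remember which names were assigned tainted values,
        # so later statements can be judged in the context of earlier ones.
        if self._value_is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name in SINKS:
            for arg in node.args:
                if self._value_is_tainted(arg):
                    self.findings.append(Finding(
                        node.lineno, "tainted-call",
                        f"{name}() receives data derived from user input"))
                elif not isinstance(arg, ast.Constant):
                    # Statement-level rule: judges this one call in isolation.
                    self.findings.append(Finding(
                        node.lineno, "dynamic-arg",
                        f"{name}() called with a non-constant argument"))
        self.generic_visit(node)


def analyze(source: str) -> List[Finding]:
    """Parse `source` and return findings in source order; nothing is executed."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Run against `SAMPLE`, the analyzer reports lines 4 and 8 under the whole-program rule and line 9 under the statement-level rule, while the constant-argument calls on lines 5 and 6 are left alone. The statement-level rule is cheap but cannot tell `os.system(full)` apart from `os.system(trusted_config)`; the assignment-tracking rule can, which is the trade-off the text describes between analyses that consider individual statements and those that take the whole program into account. A production tool would add inter-procedural flow, sanitizer recognition and many more sources and sinks, but the structure is the same.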