
Best 5 Static Analysis Tools for Delphi

 

From a bird's eye view, all analysis tools may appear the same. So it's easy to feel overwhelmed when searching for the best static code analysis tool to add to your workflow. 

 

Even expert engineers and architects often ask themselves the most popular question at this stage: "How do I choose a tool that fits my needs and grows with my organization?"

 

In this article, we'll compare 5 of the best static analysis tools for Delphi. 

 

First, we explore a set of static code analyzer properties that you should factor in when making decisions. We then cover a comparison of the best tools that meet these criteria. Lastly, we outline actionable steps you can follow to help you make the right decision for your project.

 

Properties to Look Out for in a Delphi Static Code Analyzer

 

The properties of a Delphi diagnostic tool can be classified into different categories, depending on how you view each property and what value it offers to your project. To keep things simple, we'll classify them into these two:

  • High-level properties: These include basic information or questionnaire-type data that can be found on a tool's website or GitHub page, or inquired about during a consultation call with the corresponding personnel. 
  • Low-level properties: These are properties that require testing or running benchmarks to get valuable insights. In other words, properties you can't take at face value, you'd want to see for yourself.

 

Let's dive deeper into these categories.

 

High-level Properties

 

Deployment Options: In what ways can the tool be set up and run? Does it run on-prem or in the cloud? Considering these options is critical as they impact your operational costs, security, and overall bottom line. 

 

While deploying on your premises gives complete control and privacy, you're responsible for maintenance, management, security, and basically all that's necessary to keep everything running.

 

Conversely, if you prefer the cloud, the tool vendor is responsible for all aspects of maintenance, security, updates, and infrastructure. However, you must strictly vet the vendor's security and data handling policies and ensure they comply with your privacy and regulatory requirements.

 

Ultimately, it’s good practice to analyze existing workflows and ensure the deployment choice aligns with current and long-term goals.

 

 

Integration Capabilities: Google, via Communications of the ACM, cited "Not integrated in the developer's workflow" as a key reason why engineers ignore or don't use static analysis tools. 

 

As a developer, if you have to refer to a different system for a code analysis report and then come back to your development environment to identify the class or code line that matters, the process can quickly become tedious and unsustainable. 

 

You want your static code analysis tool to run where you work. For Delphi teams, this is typically in the IDE or from the command line, depending on your workflow. That said, a review of your existing pipeline will present a better picture of your requirements. 

 

 

Standards and Compliance: It's important that your Delphi static code analysis tool implements the standards and compliance that you require. There are various standards out there, a lot of which are specific to particular aspects of static code analysis, such as Common Weakness Enumeration (CWE), which is for security. 

 

The right tool not only indicates support, but it also provides reports showing exactly how it implements standards, simplifies compliance, and helps achieve your goal.

 

 

Coverage: Your static analyzer should be able to detect the issues or weaknesses that matter to you. For example, if you're interested in security vulnerabilities, you want to prioritize tools that offer Static Application Security Testing (SAST).

 

The best Delphi static code analysis tools can detect issues related to code quality (including structure and logic), performance, and security. However, just because a tool lists a range of weaknesses and standards it can detect doesn't mean it detects them well.

 

Low-level Properties

 

Result Quality: Results are only useful if they lead to the overall objective (for example, improved code quality and enhanced security). So, the first thing you want to consider at this stage is: can you trust the information the tool provides? 

 

A tool that floods you with false positives defeats the purpose of static code analysis: developer time is spent identifying and dismissing spurious findings rather than fixing actual vulnerabilities.

 

Also, you may require a GUI or a Web UI, particularly for teams, management, or stakeholders who aren't working with code. You want to be able to quickly view results and understand what they mean.

 

Ease of Use: The first thought most people have about ease of use is how easy the tool is to set up and learn. For a Delphi static code analysis tool, it goes beyond that: it's about how easily and quickly you can get from point A to point B, where A is the initial setup and integration and B is your overall objective.

 

Remember, static code analysis is supposed to make things easier, not complicate them. Ultimately, your tool should be easy to use for your developers and the people who manage your code. 

 

Other low-level capabilities to consider include scalability and support quality.

 

Static Analysis Tool Comparison

 

If you prefer a quick overview of each tool's strengths and weaknesses, below is a comparison table of the top static code analysis tools for Delphi:

 

Comparison table: Static Analysis Tools for Delphi

DerScanner
  • Best for: Detecting common and hidden security vulnerabilities and code quality issues
  • IDE integration: Can be used interactively within Delphi
  • Workflow integration: Integrates with any workflow, from version control systems to CI/CD pipelines
  • Standards and compliance: Supports popular compliance standards like OWASP Top 10 and CWE Top 25, and industry-specific standards like PCI DSS and HIPAA
  • Ease of setup: Easy to set up and use. It also provides comprehensive and easy-to-understand documentation that makes onboarding seamless.
  • Reporting: Provides detailed information about findings and actionable recommendations to fix errors.

Pascal Analyzer
  • Best for: Identifying potential errors and anomalies in Delphi code
  • IDE integration: Can open the source code in Delphi by double-clicking an error entry
  • Workflow integration: Provides a command-line tool for integration into the build process
  • Standards and compliance: Checks for Delphi coding conventions and guidelines
  • Ease of setup: Easy to set up with detailed documentation and online resources
  • Reporting: Generates over 53 reports.

FixInsight
  • Best for: Identifying Delphi code issues in real time
  • IDE integration: It's a plugin for the Delphi IDE
  • Workflow integration: Offers a command-line tool in the Pro version
  • Standards and compliance: Checks for coding convention compliance
  • Ease of setup: Easy to set up as it integrates seamlessly with the Delphi IDE
  • Reporting: Generates a list of warnings about potential errors

Pascal Expert
  • Best for: On-the-fly Delphi code analysis
  • IDE integration: It's a Delphi IDE plugin
  • Workflow integration: Only runs in the Delphi IDE
  • Standards and compliance: Checks for Delphi coding conventions and guidelines
  • Ease of setup: Easy to set up in Delphi
  • Reporting: Generates the following report types: alerts, reductions, optimizations, and convention violations.

SonarDelphi
  • Best for: Automated code quality and security reviews
  • IDE integration: Can be used in Delphi via the DelphiLint plugin
  • Workflow integration: Integrates with existing workflows
  • Standards and compliance: Checks against industry standards such as CWE Top 25, PCI DSS, STIG, CASA and OWASP
  • Ease of setup: Setup can get complex as it requires tedious manual configuration
  • Reporting: Generates an overview of the project's code quality and security.

 

The next section is a detailed review of each tool.

 

1. DerScanner

DerScanner is one of the best Delphi static analysis tools for detecting security vulnerabilities and code quality issues in Delphi. It is essentially a Static Application Security Testing (SAST) framework that makes it easy for small and enterprise organizations to identify vulnerabilities, such as code injection, early in the Software Development Lifecycle (SDLC).

 

DerScanner offers both on-premise and cloud options, and unlike other cloud vendors with forced cloud deployments and code privacy concerns, its cloud version provides on-premise level code privacy.

 

The tool is easy to use. Developers can analyze code using DerScanner within Delphi or invoke it from the command line in Continuous Integration (CI) environments. It also supports integration with almost any workflow. For example, you can employ DerScanner's SonarQube integration plugin to leverage both solutions. 

 

To ensure high-quality results, DerScanner offers AI-powered tools (DerTriage and DerCodeFix) that cut through the noise and automatically fix issues for you. DerTriage is an AI-driven triage solution that helps you prioritize vulnerabilities based on real-world context, reducing false positives by up to 90%. This level of precision enables developers to only focus on fixing high-impact issues, significantly accelerating time-to-remediation. 

 

DerCodeFix goes beyond detection to instant remediation. It generates production-ready code that automates fixes, providing detailed information behind each solution. This tool eliminates inefficiencies and boosts remediation quality while enhancing developer knowledge with best practices in the flow of work. With these AI tools, DerScanner cuts time-to-remediation from hours to seconds. 

 

If you prefer a more hands-on approach, DerScanner also features a Detailed Results section where you can assess more information about all the vulnerabilities found in your analysis. For each finding, you'll get the exact code line responsible for the error and actionable recommendations to help you address it.

 

Regarding standards and compliance, DerScanner is a MITRE-certified, CWE-compatible solution that supports industry-specific standards, including PCI DSS and HIPAA. DerScanner automatically maps all the findings in your analysis against all the security standards it supports.

 

Pros:

  • Enhanced result quality using AI-powered features to reduce false positives, enabling you to focus on actual vulnerabilities.
  • Improved developer efficiency with streamlined processes and actionable recommendations that help you fix reported vulnerabilities and keep them from recurring.
  • Scalability, as DerScanner handles both small and large code bases.
  • Enhanced application security through comprehensive vulnerability and code quality checks.
  • Uniquely supports source code, binaries, and executables, making it a great option for analyzing legacy code.
  • Supports customization of rules and checks.

Cons:

  • Occasional false positives.

 

2. Pascal Analyzer

Pascal Analyzer is a static source code analysis tool for identifying potential errors and anomalies in Delphi code. While it's primarily a standalone Windows program, it also offers a command-line tool, which you can integrate into your build process.

 

The tool supports Delphi versions back to Delphi 1 and even Borland Pascal (BP7), which makes it a good option for analyzing legacy code. The static analysis performed by Pascal Analyzer provides comprehensive reporting that can help you document your source code and improve Delphi code quality. The tool currently generates over 53 reports, some of which contain sub-sections. Depending on your preference settings, you can double-click an error entry and jump to the corresponding source line in Delphi.

 

Pascal Analyzer is easy to use and also checks your code against coding guidelines.

 

Pros:

  • Improved application quality and reliability through comprehensive static source code analysis.
  • Extensive reporting by combining standalone results and command-line automation.
  • Responsive support, with most reviewers recording responses in under one business day.

Cons:

  • Can generate false positives.
  • The free trial version includes limited reports.

 

3. FixInsight

FixInsight is a static code analysis plugin that helps you identify code issues in real-time. It's easy to set up as it integrates seamlessly with Delphi and outputs warnings in the IDE's message window. FixInsight also provides a command-line tool (FixInsightCL.exe) for use in the build process or continuous integration.

 

The tool produces a list of warnings about potential issues, including nil dereferences and identical expressions, and lets you fix them in place. Just like the built-in compiler messages, double-clicking an error entry takes you to the exact line of code. FixInsight also checks for compliance with Delphi coding conventions.

 

Pros:

  • Improved codebase consistency and readability by ensuring developers adhere to Delphi coding conventions.
  • Easy to set up with its seamless integration with the Delphi IDE.

Cons:

  • Integration with build processes and continuous integration environments is only available in the Pro version.
  • Can generate false positives.

 

4. Pascal Expert

Pascal Expert is a subset of Pascal Analyzer packaged as a Delphi IDE plugin that runs static analysis on the current project. It aims to give you a better understanding of your code, improve code quality, and maintain consistency.

 

Since it runs within the IDE, it is easy to set up, and developers can identify and fix issues immediately. However, being a subset of the main tool also means that it performs only a fraction of Pascal Analyzer's checks and yields fewer reports.

 

Pros:

  • Configuration support that allows developers to exclude source files or mark specific items to be excluded from analysis.
  • Integrates with the Delphi IDE for faster analysis and early error detection.
  • Responsive support, with most reviewers recording responses in under one business day.
  • Improves Delphi code quality and maintains consistency.

Cons:

  • Generates fewer reports compared to the Pascal Analyzer.
  • Can produce false positives.

 

5. SonarDelphi

SonarDelphi is an open-source, community-driven plugin that adds Delphi language support to SonarQube, another open-source static code analysis tool for detecting coding issues and improving code quality and security. 

 

Essentially, SonarDelphi provides Delphi teams with access to SonarQube's features and functionalities, such as automated code quality and security reviews and actionable code intelligence. It achieves this by adding more than 120 Delphi-specific rules to SonarQube to identify issues, such as name casing inconsistencies, uninitialized variables, redundant casts, platform-dependent casts, etc. 
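As an added illustration (not code from the post or from any of the tools it reviews), here is a constructed Delphi program containing three of the defect kinds FixInsight and SonarDelphi are described as flagging: an uninitialized variable, a nil dereference, and an identical-expression condition, each beside its corrected form. The type and routine names are my own; no specific rule identifiers of either tool are claimed.

```delphi
program AnalyzerPatterns;
{$APPTYPE CONSOLE}
// Constructed example, not code from any tool on this page. Each Bad* routine
// holds one pattern from the lists above; the Good* routine beside it is the fix.
type
  TCustomer = class
    Name: string;
  end;
function BadUninitialized(const Values: array of Integer): Integer;
var
  Sum, I: Integer;
begin
  // Sum is read before it is assigned: the result is whatever was on the stack.
  for I := Low(Values) to High(Values) do
    Sum := Sum + Values[I];
  Result := Sum;
end;
function GoodUninitialized(const Values: array of Integer): Integer;
var
  I: Integer;
begin
  Result := 0;
  for I := Low(Values) to High(Values) do
    Result := Result + Values[I];
end;
function BadNilDeref(ACustomer: TCustomer): string;
begin
  // The nil branch still reads ACustomer.Name: a guaranteed access violation.
  if ACustomer = nil then
    Result := 'missing: ' + ACustomer.Name
  else
    Result := ACustomer.Name;
end;
function GoodNilDeref(ACustomer: TCustomer): string;
begin
  if ACustomer = nil then
    Result := '<missing>'
  else
    Result := ACustomer.Name;
end;
function BadIdenticalExpr(LowBound, HighBound, Value: Integer): Boolean;
begin
  // Copy-paste slip: both operands test LowBound; HighBound is never checked.
  Result := (Value >= LowBound) and (Value >= LowBound);
end;
function GoodIdenticalExpr(LowBound, HighBound, Value: Integer): Boolean;
begin
  Result := (Value >= LowBound) and (Value <= HighBound);
end;
begin
  Writeln(GoodUninitialized([1, 2, 3]), ' ', GoodNilDeref(nil), ' ',
    GoodIdenticalExpr(1, 10, 5));
end.
```

Pointing either analyzer at this file is a cheap way to check the Result Quality and Coverage properties discussed earlier: a useful tool reports the three Bad* routines and stays quiet on the Good* ones.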

 

SonarDelphi has been adopted by SonarQube, so it can integrate with SonarQube dashboards. It can also be integrated into existing workflows and used in the Delphi IDE via the DelphiLint plugin. 

 

Pros:

  • Multiple integration options with support for any existing workflow and the DelphiLint plugin for IDE integration.
  • Easy implementation of custom rules, as developers can create custom rules using the SonarQube UI templates.
  • Free and open-source software.

Cons:

  • Setting up a SonarDelphi project can get complex and may require manual configuration and maintenance.
  • SonarDelphi can also produce false positives.
  • Depending on your project size, configuring SonarQube can be resource-intensive.

 

How to Choose the Best Static Analysis Tools for Delphi

 

The following steps will guide you toward making the right decision for your organization.

 

1. Define your static analysis goals and objectives: The first step is to define a clear goal. What are you looking to achieve with static code analysis? Are you trying to reduce technical debt? Enhance application security? Maintain a faster time to market without sacrificing code quality and security? 

 

Whatever the goal is, define it. 

 

2. Generate a list of criteria each tool must meet to satisfy your needs: The properties discussed in this article are a good starting point. However, add your own criteria based on the goal you defined.

 

3. Compile a list of Delphi static analyzers that align with your goals: Next, you want to compile a list of tools that seem like strong contenders. If the tools in the list above meet the criteria, include them in your list. The objective here is to create a list you can filter through.

 

4. Bonus: Look for a partner: A vendor who becomes a partner shares in your journey and enables you to scale as your business timeframe allows. When choosing a partner, look for a vendor with a proven track record of helping similar businesses achieve your predefined goals (both short-term and long-term).

 

Conclusion

The best static code analysis tools for Delphi are those that meet both short and long-term business needs. It's critical that you have a clear understanding of your organization's overall goal and keep that top of mind during your research. The only clear metric of success is how closely the result aligns with the predefined goal.

 

If ensuring secure application deployment and production is a critical objective, DerScanner's SAST not only reveals hidden vulnerabilities but also provides actionable remediation advice to fix them. It is the most advanced tool on this list. That said, for Delphi code health checks and maintaining consistent code, FixInsight or Pascal Analyzer could do the job.

 

 
