The Parfait Static Code Analysis Framework -- Lessons Learnt

The Parfait static code analyser was conceived at Sun Labs, now Oracle Labs, in 2007. At the time, the project focused on the detection of defects in C/C++ code. Over the next five years, Parfait matured to include detection of vulnerabilities (not just defects) in C/C++ and JavaTM while meeting the performance and precision standards expected of a commercial tool: Parfait can analyse 39 of the most common defects in the C language over an operating system codebase of 11 million lines of C code in 1.5 hours with a false positive rate of 10%. Today, Parfait is maintained by Oracle as an internal product and is used by thousands of developers at Oracle worldwide.