The Parfait Static Code Analysis Framework -- Lessons Learnt
May 2016

The Parfait static code analyser was conceived at Sun Labs, now Oracle Labs, in 2007. At the time, the project focused on the detection of defects in C/C++ code. Over the next five years, Parfait matured to include detection of vulnerabilities (not just defects) in C/C++ and Java™ while meeting the performance and precision standards expected of a commercial tool: Parfait can analyse 39 of the most common defects in the C language over an operating system codebase of 11 million lines of C code in 1.5 hours with a false positive rate of 10%. Today, Parfait is maintained by Oracle as an internal product and is used by thousands of developers at Oracle worldwide.

Authors: Cristina Cifuentes, Nathan Keynes, Kevin Gough, Diane Corney, Manuel Valdiviezo Basauri

Venue: Designing Code Analysis Frameworks (DECAF) workshop, co-located with ISSTA

