Source Code Security Analysis Tool Test Plan



Hsiao-Ming M. Koo, Romain Gaucher, Charline Cleraux, Jenise Reyes Rodriguez


This document provides a set of metrics, including test suites and methods, to determine how well a particular source code security analysis tool conforms to the requirements specified in Source Code Security Analysis Tool Functional Specification Version 1.0 [SCA]. Each relevant programming language in [SCA] has a corresponding set of test suites. The test suites are intended to be used by tool developers and tool users alike to increase their level of confidence in product quality. Each test suite consists of test cases designed to evaluate a tool against various requirements of [SCA], including mandatory features and optional features. Each test case contains a test description, the weakness contained in the test case, the expected result, and the test code. Detailed information for each test case, such as start parameters, procedures for executing a test file, and the test file itself, can be retrieved from the SAMATE Reference Dataset (SRD). As this document evolves, new versions will be posted to the web site at
Special Publication (NIST SP) - 500-270


Source code security analysis tool, test plan, test methodology, test suite


Koo, H., Gaucher, R., Cleraux, C. and Reyes, J. (2011), Source Code Security Analysis Tool Test Plan, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed May 29, 2024)



Created October 4, 2011, Updated February 19, 2017