List of tools for static code analysis

Below are some notable tools for static code analysis.

[edit] Historical products

Splint — an open source evolved version of Lint.
Flawfinder — a open source programming tool that examines C or C++ source code looking for security weaknesses.
FindBugs — an open-source static bytecode analyzer for Java (based on Jakarta BCEL), either stand alone or as an Eclipse plug-in.
PMD (software) — a static ruleset based Java source code analyzer that identifies potential problems.
JavaChecker -- an open-source Java source code analyzer, based on TermWare technology, which provide set of predefined rules and framework for building own checker use pattern matching or abstract interptretation.

Axivion Bauhaus Suite - a tool for C, C++, Java and Ada code that comprises various analyses such as architecture checking, interface analyses, and clone detection.
Coverity — a commercial product, analyzes C, C++ and Java code.
Klocwork — provides security vulnerability and defect detection as well as architectural and build-over-build trend analysis for C, C++ and Java
Fortify Software — helps developers identify software security vulnerabilities in ASP.NET, C/C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML and other languages.
FxCop - static analysis for Microsoft .NET programs based on IL. Standalone and integrated in some Microsoft Visual Studio editions. From Microsoft.
LDRA Testbed — a commercial product.
Swat4j — a model based, goal oriented source code auditing tool for Java. Comes as an Eclipse plug-in.
Understand — a commercial product, analyzes C,C++, Java, Ada, Fortran, Jovial, Delphi — reverse engineering of source, code navigation, and metrics tool.

Tools that use a formal methods approach to static analysis (e.g., using program assertions):

ESC/Java and ESC/Java2 — based on Java Modeling Language, an enriched version of Java.
SPARK Toolset including the SPARK Examiner — based on the SPARK programming language, a subset of Ada.

This list is incomplete; you can help by expanding it.