Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/207652/
How do commercial Java static analysis tools compare with the free ones?
Asked by Alex Varju
I'm familiar with a handful of the free static analysis tools available for Java, such as FindBugs and PMD. What I'd like to know is how the commercial products such as Klocwork and Coverity stack up against these. What are their strengths and weaknesses?
Answered by Alex Varju
We use a suite of open source and commercial static analysis tools. The different tools find different kinds of bugs and some are tuned for lower false positive rates, at the expense of possibly missing some real problems.
In my experience, Findbugs does a good job of finding real problems, especially if you focus on Correctness errors as their team suggests. Recently the developers of Findbugs have added some basic security vulnerability checks as well. Coverity has a low false positive rate especially if you don't turn on their experimental checkers, and Coverity Prevent includes a good tracking database for trend/cluster analysis. I am not convinced yet that their threading checkers (static or dynamic) work - at least they haven't found anything interesting for us. Klocwork Developer for Java returns higher false positives, but we find they have the strongest security checking of these tools. So it depends on whether your priority is quality checking (Findbugs, Coverity) or security vulnerability analysis (Klocwork, or Fortify). Some of our developers also use PMD to support source code reviews, as it helps with general code cleanup.
A recent project conducted with NIST called "SATE: Static Analysis Tool Exposition" reviewed a wide variety of different tools and their underlying approaches. https://samate.nist.gov/index.php/SATE.html and other references to this project such as at OWASP. The general finding is that different tools have different strengths and weaknesses, so use more than one if you want to do a thorough job.
Answered by Julien Hoarau
I'll suggest you to try SONAR, an open source software quality management tool, dedicated to continuously analyze and measure source code quality. This software takes the results from code analysis tools, consolidates those results and gives you access to a user-friendly interface.
Answered by VonC
The one feature you will most certainly find in a commercial static analysis tool (and that you will not find easily in a freeware analysis tool, at least in 2008, at the time of the OP) is
Reporting: Measures software quality trends over time
As explained in this question about code metrics, any static code analysis in itself is not always meaningful, because you could have:
- too many "defects" to fix
- too many categories of defect reported
You need the ability to do some triage, and you need to check if a particular defect is occurring less and less over time or not, in order to help you prioritize what to fix.
This is especially true on legacy projects with thousands of classes: you do not fix defects on many files just like that, without having a good reason. That reason can be deduced from the good reporting and trend analysis you will not find with freeware tools.
Update: from 2012 (4 years later), Sonar (now, in 2018, named "SonarQube") has "Historical Information" (aka "Time Machine") in its 4.x and 5.x series.
Note those project dashboards were dropped in SonarQube 6.1 (Sept. 2016): see this thread.
Those dashboards would need to be re-created manually through a custom page.
SonarQube 6.5 restores a bit of those dashboards with the Activity page, which gets (several predefined and one customisable) charts to display the evolution of a project.
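Two of the answers above make points that are easier to see in code: Alex Varju's that different tools find different things (so findings from several tools should be consolidated), and VonC's that a single report is not meaningful without trend analysis and triage across builds. The script below is an added example that is not part of any answer and not the code of any tool named on this page. It parses two small, constructed report fragments per tool, shaped like simplified PMD (`<pmd><file><violation>`) and FindBugs (`<BugCollection><BugInstance><SourceLine>`) XML reports with only the attributes used here, merges them into one finding list, shows which locations both tools flag, and computes the per-category change between a baseline build and the current one so that growing categories can be triaged first. File names, line numbers and the specific findings are all constructed.

```python
"""Consolidate findings from two analyzers and trend them across two builds.

Added example: the XML fragments below are constructed for this demonstration
and follow a simplified shape of PMD's and FindBugs' XML reports (only the
attributes used here are included)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed PMD report for the baseline build (assumption: simplified PMD format)
PMD_BASELINE = """<pmd>
  <file name="src/Account.java">
    <violation beginline="42" rule="EmptyCatchBlock" ruleset="Error Prone" priority="3">Avoid empty catch blocks</violation>
    <violation beginline="80" rule="UnusedPrivateField" ruleset="Best Practices" priority="3">Unused private field</violation>
  </file>
</pmd>"""

# Constructed PMD report for the current build: the empty catch block was fixed,
# and a new Best Practices finding appeared in Login.java
PMD_CURRENT = """<pmd>
  <file name="src/Account.java">
    <violation beginline="80" rule="UnusedPrivateField" ruleset="Best Practices" priority="3">Unused private field</violation>
  </file>
  <file name="src/Login.java">
    <violation beginline="17" rule="AvoidPrintStackTrace" ruleset="Best Practices" priority="3">Avoid printStackTrace()</violation>
  </file>
</pmd>"""

# Constructed FindBugs reports (assumption: simplified BugCollection format)
FB_BASELINE = """<BugCollection>
  <BugInstance type="NP_NULL_ON_SOME_PATH" category="CORRECTNESS" priority="1">
    <SourceLine sourcepath="src/Account.java" start="42"/>
  </BugInstance>
</BugCollection>"""

# Current build: the null dereference is still there and a SECURITY finding is new
FB_CURRENT = """<BugCollection>
  <BugInstance type="NP_NULL_ON_SOME_PATH" category="CORRECTNESS" priority="1">
    <SourceLine sourcepath="src/Account.java" start="42"/>
  </BugInstance>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" category="SECURITY" priority="1">
    <SourceLine sourcepath="src/Login.java" start="31"/>
  </BugInstance>
</BugCollection>"""


def parse_pmd(xml_text):
    """Normalise a PMD report into (tool, path, line, category, rule) tuples."""
    findings = []
    for file_el in ET.fromstring(xml_text).findall("file"):
        for v in file_el.findall("violation"):
            findings.append(("pmd", file_el.get("name"), int(v.get("beginline")),
                             v.get("ruleset"), v.get("rule")))
    return findings


def parse_findbugs(xml_text):
    """Normalise a FindBugs report into the same tuple shape."""
    findings = []
    for bug in ET.fromstring(xml_text).findall("BugInstance"):
        loc = bug.find("SourceLine")
        findings.append(("findbugs", loc.get("sourcepath"), int(loc.get("start")),
                         bug.get("category"), bug.get("type")))
    return findings


def all_findings(pmd_xml, findbugs_xml):
    """Merge both tools' findings for one build into a single list."""
    return parse_pmd(pmd_xml) + parse_findbugs(findbugs_xml)


def multi_tool_locations(findings):
    """Locations flagged by more than one tool: strong candidates to review first."""
    tools_at = {}
    for tool, path, line, _, _ in findings:
        tools_at.setdefault((path, line), set()).add(tool)
    return [loc for loc, tools in tools_at.items() if len(tools) > 1]


def category_counts(findings):
    """Number of findings per category (PMD ruleset or FindBugs category)."""
    return Counter(category for _, _, _, category, _ in findings)


def trend(baseline, current):
    """Per-category change between two builds; negative means the category is shrinking."""
    before, after = category_counts(baseline), category_counts(current)
    return {c: after[c] - before[c] for c in set(before) | set(after)}


def regressions(baseline, current):
    """Categories that grew since the baseline: the ones to triage first."""
    return sorted(c for c, delta in trend(baseline, current).items() if delta > 0)


if __name__ == "__main__":
    base = all_findings(PMD_BASELINE, FB_BASELINE)
    cur = all_findings(PMD_CURRENT, FB_CURRENT)
    print("flagged by both tools (baseline):", multi_tool_locations(base))
    for category, delta in sorted(trend(base, cur).items()):
        print(f"{category:15s} {delta:+d}")
    print("regressions to triage:", regressions(base, cur))
```

Keying on (file, line) is a deliberately coarse way to spot overlap between tools; it is enough to show that both tools reported something at `Account.java:42` in the baseline, while the per-category deltas show "Error Prone" shrinking and "SECURITY" appearing, which is the kind of trend a team would want to react to before bulk-fixing anything.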
Answered by VonC
I have not had direct experience with Findbugs or PMD but have met plenty of people who have compared them with Klocwork and Coverity.
My general take on the feedback has been:
Findbugs and PMD are more "tool-ish". The type of thing you'd run on your desktop. It finds a wide range of potential problems but tends to be noisy, meaning false positives and "I don't care" varieties. It does find some good stuff. I've heard mixed feedback on its long term use. Some feel that the ROI on a free tool is infinite however there is a true cost to false positives.
Not surprisingly, Klocwork and Coverity, which cost money, tend to be more solution oriented, can also scale better to work with teams, have a more efficient, easier to use UI and tend to be less noisy. It seems their analysis is doing deeper inspection and therefore coming up with better results if you did a side by side comparison. When adopting a tool across a team, you'll have various levels of enthusiasm for using a tool and the noise factor is a big issue that prevents widespread adoption. Of course there are things like having support to back you up, etc.
In general, because Findbugs and PMD are free, you see that as a first option. Many companies see value and choose Coverity or Klocwork for a longer term solution, although I see them also running Findbugs and PMD. They tend to find different things and so if your goal is to find and fix as much as possible, it's good to have a combination of both.
Disclosure: I work for Code Integrity Solutions (codeintegritysolutions.com) which is a partner of Coverity.
Answered by anjanb
Here's a list of commercial analysis tools: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#Java_2
Coverity has several tools:
- http://www.coverity.com/html/coverity-readiness-manager-java.html: this should be on par with findbugs and PMD but with better presentation
- Prevent: http://www.coverity.com/html/prevent-for-java.html: low FALSE POSITIVES.
- Thread analyzer: http://www.coverity.com/html/coverity-thread-analyzer-java.html: this is what is absent in most open source tools.