Coverity for Java static analysis

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/173763/

Date: 2020-10-29 11:17:09  Source: igfitidea


java, static-analysis, coverity-prevent

Asked by auramo

I'd like to get comments from people who have used or evaluated Coverity for statically analysing Java-code. I know it's popular in C/C++ world, but is it worth spending the money for Java analysis or am I better off with PMD, Findbugs and other Open Source tools?


Answered by auramo

If you aren't using anything today, I would start off with Findbugs and PMD. They are easy to install and use. Concentrate on reviewing and fixing correctness errors with Findbugs first - they recommend starting with High and Medium severity correctness errors as the checkers have very low false positives and you will get a good return on your time. Get developers to use PMD to cleanup the code, and the Findbugs plugin in Eclipse to review new code. Working incrementally will get the developers to understand and buy-in to the usefulness of these tools.


Coverity's Java checkers are still weak compared to their C/C++ checkers. We use Findbugs, PMD, Coverity and Klocwork because they all have different strengths and we are paranoid. If you aren't paranoid, you could stick with open source tools and get a lot of value. Or if you need security checking: then Klocwork or especially Fortify should do a more thorough job for you.


Answered by Chris Arguin

I'll chip in with a somewhat relevant answer. I've used Klocwork for both Java and C code. Klocwork is a close competitor of Coverity... cost-wise they are about the same (look carefully, Klocwork looks cheaper until you actually buy what you need), and feature-wise they fight back and forth.


For C/C++, it's great. For Java.... well, it helped find a lot of resource leaks ( #$@^#ing Java developers seem to forget that resources like file handles aren't garbage collected ), but it doesn't seem to find many "critical" bugs. It's probably because the language itself does help protect against some of the more basic but hard to find errors ( array overflows, pointer corruption, etc ).


Get Coverity in to run a demo, they are more than happy to. See what sort of things they find.

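Added example, not code from the question or from any of the answers above: a small Java class that shows the file-handle leak Chris Arguin describes (the kind of finding Klocwork and FindBugs both report, FindBugs under its OS_OPEN_STREAM pattern), beside the pre-Java 7 try/finally fix and the Java 7+ try-with-resources fix. It also includes one correctness-category bug of the sort auramo recommends fixing first with FindBugs (string comparison with ==, reported as ES_COMPARING_STRINGS_WITH_EQ) next to its fix. The class name, method names and the temporary input file are assumptions constructed for this demonstration.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

/*
 * Added example (not from the question or answers). Shows two bug classes
 * that Java static analyzers report: a file-handle leak and a reference
 * comparison of Strings. Names and the temp-file input are assumptions.
 */
public class StaticAnalysisFindingsDemo {

    // LEAK: if readLine() throws, close() is never reached and the
    // underlying file descriptor stays open. The garbage collector does
    // not release descriptors promptly; under load this exhausts them.
    static String firstLineLeaky(Path file) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(file.toFile()));
        String line = in.readLine();   // an exception here skips close()
        in.close();                    // only executed on the happy path
        return line;
    }

    // FIX (pre-Java 7 style): close in finally so every exit path,
    // including the exception path, releases the handle.
    static String firstLineFinally(Path file) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(file.toFile()));
        try {
            return in.readLine();
        } finally {
            in.close();
        }
    }

    // FIX (Java 7+): try-with-resources closes the reader even when an
    // exception propagates, and attaches any close() exception to the
    // primary one as a suppressed exception instead of masking it.
    static String firstLineTwr(Path file) throws IOException {
        try (BufferedReader in = Files.newBufferedReader(file)) {
            return in.readLine();
        }
    }

    // CORRECTNESS BUG: == compares references, so a String with the same
    // content that is not the interned literal is rejected. An attacker
    // never sees this, but an authorization check written this way is
    // silently wrong for any value read from a request or a database.
    static boolean isAdminBuggy(String role) {
        return role == "admin";
    }

    // FIX: content comparison; calling equals on the literal is null-safe.
    static boolean isAdminFixed(String role) {
        return "admin".equals(role);
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a temporary file with two lines.
        Path tmp = Files.createTempFile("findings-demo", ".txt");
        try {
            Files.write(tmp, Arrays.asList("first", "second"));
            System.out.println(firstLineLeaky(tmp));    // first
            System.out.println(firstLineFinally(tmp));  // first
            System.out.println(firstLineTwr(tmp));      // first
        } finally {
            Files.deleteIfExists(tmp);
        }

        // new String(...) forces a distinct object with equal content.
        String fromRequest = new String("admin");
        System.out.println(isAdminBuggy(fromRequest));  // false
        System.out.println(isAdminFixed(fromRequest));  // true
        System.out.println(isAdminFixed(null));         // false, no NPE
    }
}
```

Running the leaky method once on a regular file rarely fails, which is exactly why the leak survives code review: the analyzer reports the exception path that testing never exercises. The string comparison is the opposite case, a bug that is deterministic and cheap to fix, which is why the high and medium severity correctness findings are the right place to start.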

Answered by Flash Sheridan

I'll add a limited me-too to the preceding answers, somewhat restricted by the Coverity NDA I'm bound by. Coverity Prevent has an impressive public track record for finding bugs in open source C/C++ code, but their Java product is a lot newer. (Coverity has a press release on my former employer, so I can say that it did help find and fix lots of bugs in our C/C++ code, more than I'd found in all my previous career in bug hunting.) FindBugs does an impressive job on Java code, and you can't beat the price. But the big point has already been made: try out both of them on your real code before you buy. There's no substitute for reality, and the conventional wisdom in static analysis is that there's surprisingly little overlap in what the tools discover.


Answered by MaratB

As others have said, the best way to decide is to try all these tools out.


Coverity recently announced a hosted static-analysis-as-a-service product called Code Spotter (https://code-spotter.com/), currently in beta. It's using the same analysis engine as the Coverity enterprise product, but it is wrapped in a different (simplified) user interface. Since this is a hosted service, it is very easy to play with it to get a sense of the Coverity analysis capabilities.


At the time of this writing, Code Spotter is Java-only, but other Coverity supported languages should be coming soon.
