LAPSE stands for Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications.
This is the web page for FindBugs, a program which looks for bugs in Java code.
PMD scans Java source code and looks for potential problems like: Possible bugs - empty try/catch/finally/switch statements; Dead code - unused local variables, parameters and private methods; Suboptimal code - wasteful String/StringBuffer usage; Overcom
(SWAAT) is a free static web application source code auditing tool.
Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools.
yet another static analysis tool for security
mediocre article comparing static analysis tools on a rather superficial level