Thursday, October 25, 2018

Static Application Security Testing (SAST) / Source code analysis / Static code analysis

  • SAST

Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code to help find security flaws.
Some tools are starting to move into the IDE. For the types of problems that can be detected during development itself, this is a powerful point in the life cycle at which to employ such tools, because the developer gets immediate feedback on issues they may be introducing while they are still writing the code.

Strengths
    Scales well -- can be run on lots of software, and can be run repeatedly (as with nightly builds or continuous integration)
    Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
    Output is good for developers -- highlights the precise source files, line numbers, and even subsections of lines that are affected

Weaknesses
    Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. However, tools of this type are getting better.
    High numbers of false positives.
    Frequently can't find configuration issues, since they are not represented in the code.
    Difficult to 'prove' that an identified security issue is an actual vulnerability.
    Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.
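The strengths and weaknesses above are easiest to see on a toy checker. The following is an added example, not code from OWASP or from any tool listed on this page: it walks Python source with the standard `ast` module and flags calls to a hypothetical DB-API style `cursor.execute(...)` whose first argument is assembled at runtime (concatenation, `%` formatting, `.format()` or an f-string). Findings carry file, line and column, the developer-friendly output the text describes. The last `execute` in the constructed sample shows the false-positive weakness: a query glued together from string literals only is reported by the naive rule, because a purely syntactic check does not know whether the pieces are attacker-controlled; the `suppress_literal_only` switch is one cheap precision improvement.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    col: int
    rule: str
    snippet: str


# Hypothetical sink: DB-API style cursor methods (assumption for this example).
SINK_METHODS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x  or  "...%s" % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...{}".format(x)
    return False


def _only_string_literals(node: ast.AST) -> bool:
    """True when a concatenation tree contains nothing but string constants."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _only_string_literals(node.left) and _only_string_literals(node.right)
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    def __init__(self, filename: str, source: str, suppress_literal_only: bool):
        self.filename = filename
        self.lines = source.splitlines()
        self.suppress_literal_only = suppress_literal_only
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS and node.args:
            query = node.args[0]
            literal_only = self.suppress_literal_only and _only_string_literals(query)
            if _is_dynamic_string(query) and not literal_only:
                self.findings.append(Finding(
                    file=self.filename,
                    line=node.lineno,
                    col=node.col_offset,
                    rule="sql-query-built-at-runtime",
                    snippet=self.lines[node.lineno - 1].strip(),
                ))
        self.generic_visit(node)


def scan_source(filename: str, source: str, suppress_literal_only: bool = False) -> list[Finding]:
    """Parse one file and return findings in source order."""
    tree = ast.parse(source, filename=filename)
    visitor = SqlSinkVisitor(filename, source, suppress_literal_only)
    visitor.visit(tree)
    return visitor.findings


# Constructed sample input for the checker (not real project code).
SAMPLE = '''\
import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # concatenated input
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))       # parameterised: not reported
    cur.execute(f"SELECT * FROM logs WHERE actor = '{name}'")        # f-string input
    cur.execute("SELECT id, name " + "FROM users")                   # literal-only: false positive
    return cur.fetchall()
'''

if __name__ == "__main__":
    for mode in (False, True):
        print(f"suppress_literal_only={mode}")
        for f in scan_source("sample.py", SAMPLE, suppress_literal_only=mode):
            print(f"  {f.file}:{f.line}:{f.col}: {f.rule}: {f.snippet}")
```

Run as a script, the naive pass reports lines 5, 7 and 8 of the sample and the refined pass reports only 5 and 7. Real tools replace the literal-only heuristic with data-flow (taint) tracking from sources such as request parameters to sinks, which is what lets them say with higher confidence that an input actually reaches the query.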

Important Selection Criteria
    How accurate is it? False positive / false negative rates?
    Does the tool have an OWASP Benchmark score?

Open Source or Free Tools Of This Type
...

https://www.owasp.org/index.php/Source_Code_Analysis_Tools

  • static application security testing (SAST)
WhiteHat Sentinel Source is our static application security testing (SAST) product. It is used for scanning source code of the most commonly-used programming languages, identifying vulnerabilities, and providing actionable vulnerability reports, as well as offering Software Composition Analysis and ready-to-implement code fixes for certain vulnerabilities. Scanning of binary files for certain languages is also available. WhiteHat offers three tiers of Static Application Security Testing (SAST) products to help secure all stages of the DevOpsSec lifecycle.
https://www.whitehatsec.com/products/static-application-security-testing


  • The OWASP SonarQube project aims to provide open source SAST using the existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and it's actively used by many developers and companies.

This project aims to add more security functionality to SonarQube and use it as a SAST tool.
https://www.owasp.org/index.php/OWASP_SonarQube_Project
  • SonarQube

SonarQube provides the capability not only to show the health of an application but also to highlight newly introduced issues.

https://www.sonarqube.org/

  • OWASP Orizon is a source code security scanner designed to spot vulnerabilities in J2EE web applications, Android code and, generally speaking, any source code written in Java.

https://www.owasp.org/index.php/Category:OWASP_Orizon_Project


  • The OWASP Lapse Project is LAPSE+: The Security Scanner for Java EE Applications. OWASP LAPSE Project is an initiative to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications.

https://www.owasp.org/index.php/OWASP_LAPSE_Project


  • OWASP WAP - Web Application Protection Project

WAP is a tool that detects and corrects input validation vulnerabilities in web applications written in PHP and predicts false positives. It combines static source code analysis with data mining to detect the vulnerabilities and to predict which reports are false positives.
https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection


  • The O2 platform represents a new paradigm for how to perform, document and distribute web application security reviews. O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.

https://www.owasp.org/index.php/OWASP_O2_Platform


  • Coverity Scan Static Analysis
Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free.
https://scan.coverity.com/

  • OWASP Dependency-Check

Dependency-Check is a utility that identifies project dependencies and checks whether they have any known, publicly disclosed vulnerabilities.
Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js and Python, and there is limited support for C/C++ build systems (autoconf and cmake).
The tool can be part of a solution to OWASP Top 10 2017 A9 - Using Components with Known Vulnerabilities, previously known as OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.
https://www.owasp.org/index.php/OWASP_Dependency_Check
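Dependency-Check and other Software Composition Analysis tools work differently from the code scanners above: instead of reading the code, they inventory what the project depends on and match each pinned version against published advisories. The following is an added illustration of that matching step, not Dependency-Check's own code or data format: it reads a constructed, pinned requirements-style manifest of fictional packages, compares each version against a constructed advisory list (affected range `[introduced, fixed)`, with `fixed=None` meaning no fixed release yet) and reports the matches. Advisory identifiers of the form `ADV-EXAMPLE-nnnn` are placeholders, not real CVE numbers.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One advisory: versions in [introduced, fixed) are affected (constructed format)."""
    id: str
    package: str
    introduced: str
    fixed: Optional[str]      # None: no fixed release published yet
    summary: str


def parse_version(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); keeps only the leading digits of each component and pads to 3."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> dict:
    """Read a pinned 'name==version' manifest into {lowercase name: version}; '#' starts a comment."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][A-Za-z0-9.\-]*)", line)
        if m is None:
            raise ValueError(f"unsupported requirement line (only exact pins handled): {raw!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when the pinned version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def check_dependencies(deps: dict, advisories: list) -> list:
    """Return (package, pinned version, advisory id, fixed version) for every match."""
    hits = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned is not None and is_affected(pinned, adv):
            hits.append((adv.package, pinned, adv.id, adv.fixed))
    return sorted(hits, key=lambda h: (h[0], h[2]))


# Constructed sample manifest (fictional package names).
REQUIREMENTS = """\
# constructed sample manifest
netclient==2.18.0
yamlish==5.4.1
webframe-lite==1.1.2   # pinned
"""

# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "netclient", "2.0.0", "2.20.0", "constructed: header injection"),
    Advisory("ADV-EXAMPLE-0002", "yamlish", "0.0.0", "5.4.0", "constructed: unsafe document load"),
    Advisory("ADV-EXAMPLE-0003", "webframe-lite", "1.0.0", None, "constructed: no fix published"),
]

if __name__ == "__main__":
    for package, pinned, adv_id, fixed in check_dependencies(parse_requirements(REQUIREMENTS), ADVISORIES):
        remedy = f"upgrade to >= {fixed}" if fixed else "no fixed release yet"
        print(f"{package}=={pinned}: {adv_id} ({remedy})")
```

Run as a script, this reports `netclient` (pinned inside the affected range) and `webframe-lite` (affected with no fix yet), and stays silent on `yamlish`, whose pin is already at or above the fixed version. Two caveats carry over to the real tools: version parsing here is deliberately simplistic, and matching by name alone is where false positives and negatives creep in, which is why Dependency-Check puts effort into identifying the exact component behind each file rather than trusting the manifest name.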

1 comment:

  1. Thank you so much for this nice information. Hope so many people will get aware of this and useful as well. And please keep update like this.