I'm often asked what static code tools I like for Java. First, I've been nearly full-time in Ruby and Rails for a year now, so I may be out of date, but here's what I like.
Findbugs
Findbugs is the absolute best tool for static code analysis. But best is a nebulous and somewhat relative term. I prefer something with a very low noise-to-signal ratio, and Findbugs has that. Other tools (like PMD, see below) report a lot more information. So much, in fact, that real issues can get lost in the clutter.
Here's a quote for you... I've never run Findbugs on a production codebase and not found at least one legitimate bug. A real, not theoretical, issue.
Findbugs is free (open source even!) and the rule set can be edited with an XML file. They have an online (Java Web Start) version, Eclipse plugins, and more. It's an all-around great tool.
PMD
I don't like PMD as much because it has so much information in the reports. The good tends to get lost in the false hits. However, after you've gotten your product in good enough shape that Findbugs runs cleanly, then PMD is your next step. You'll have to work a bit harder to find the good results, but it's worth the effort.
CPD
A real gem in the PMD toolbox is the invaluable Copy/Paste Detector (CPD). This tool will scan your entire codebase and point out every place where someone has lifted a bit of code.
The problem with copied code is that when you fix a bug in one spot, the fix is rarely copied around to all the pasted code. When you spot duplicate code with CPD, take a long hard look and see if you can't pull that code into a utility class. This won't catch everything that violates the DRY principle, but it's a good start.
UPDATE:
Tom Copeland sent me some extra CPD information. CPD also has a web-based launcher here so you can try out CPD without having to install the entire PMD suite. He also mentioned the PMD Applied book and said that chapter 5 goes into great detail on CPD.
Thanks Tom!
Code Coverage
You should be running a good code coverage tool to see what code your automated tests hit (or your manual tests for that matter). There are several great tools available, but I'm partial to Cobertura. It's a solid tool with great, easy-to-read reports. There are several other great tools available (Emma and Clover come to mind).
I'm not religious about my code coverage numbers... I don't think you need to set a code coverage number and make it a goal. I'm more concerned with using code coverage as a guide to direct my efforts.
Another tool inside Cobertura that you can use to direct those efforts is the Cyclomatic Complexity number. I've found it to have a direct correlation to code with bugs. The more complicated the code is, the more likely it is to have problems.
Continuous Integration
How often and from where should you be running these tools? Every time you touch the code, of course. You don't want out-of-date reports, do you? :)
Read Martin Fowler's classic article Continuous Integration, then go download the binary release of Cruise Control. The latest release has a nice Dashboard (see Jeffrey Fredrick's blog entry about the 2.7 release).
I like to roll my static code tools into an Ant task and then run them from within Cruise Control. I publish the reports as part of the project's artifacts. This ensures things are always up to date, as well as providing a historical reference point I can revisit.
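As an added illustration (not the author's own build file), here is a minimal Ant `build.xml` that runs Findbugs and CPD and writes XML reports into one directory that a CI server can publish as artifacts. The install paths, directory layout and target names are assumptions; the task class names are the ones shipped with Findbugs and PMD.

```xml
<!-- Added example: hypothetical build.xml; paths, properties and target names are assumptions. -->
<project name="static-analysis" default="analysis" basedir=".">
  <!-- Assumed install locations and project layout; adjust to your environment. -->
  <property name="findbugs.home" value="/opt/findbugs"/>
  <property name="pmd.lib"       value="/opt/pmd/lib"/>
  <property name="src.dir"       value="src"/>
  <property name="classes.dir"   value="build/classes"/>
  <property name="reports.dir"   value="build/reports"/>

  <taskdef name="findbugs"
           classname="edu.umd.cs.findbugs.anttask.FindBugsTask"
           classpath="${findbugs.home}/lib/findbugs-ant.jar"/>
  <taskdef name="cpd" classname="net.sourceforge.pmd.cpd.CPDTask">
    <classpath><fileset dir="${pmd.lib}" includes="*.jar"/></classpath>
  </taskdef>

  <!-- Findbugs analyses bytecode, so compile first; debug info gives it line numbers. -->
  <target name="compile">
    <mkdir dir="${classes.dir}"/>
    <mkdir dir="${reports.dir}"/>
    <javac srcdir="${src.dir}" destdir="${classes.dir}"
           debug="true" includeantruntime="false"/>
  </target>

  <target name="findbugs" depends="compile">
    <findbugs home="${findbugs.home}" output="xml"
              outputFile="${reports.dir}/findbugs.xml" jvmargs="-Xmx512m">
      <sourcePath path="${src.dir}"/>
      <class location="${classes.dir}"/>
    </findbugs>
  </target>

  <!-- CPD works on source; minimumTokenCount sets how long a duplicate must be to report. -->
  <target name="cpd" depends="compile">
    <cpd minimumTokenCount="100" format="xml"
         outputFile="${reports.dir}/cpd.xml">
      <fileset dir="${src.dir}" includes="**/*.java"/>
    </cpd>
  </target>

  <!-- The single target the CI server invokes on every build. -->
  <target name="analysis" depends="findbugs,cpd"/>
</project>
```

Pointing the CI build at the `analysis` target and publishing `build/reports` keeps every report tied to the revision that produced it.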
There are other popular CI tools available to you as well. These days Bamboo and Hudson are becoming more popular. This CI product matrix is a little out of date, but a good starting point if you want the lay of the land.
Agitar
I've pointed you at a lot of open source tools... let me point you at one really big commercial offering. Agitar covers most of what I've listed above, and a lot more, including automated test generation. (Never let those automated tests replace a culture of great hand-crafted tests... use them to supplement, not replace.) Some companies just feel the need to have a commercial product in place. If you work there, check out the Agitar suite.
How Much?
If you put too many analysis tools and reports on a single page, developers tend to ignore them all. Pick one or two at first. This blog entry is a nice write-up of one of my favorite strategies.
I hope this gives you a few options to check out. Just be sure not to overload the "customer" with too much information at one time. Start small and branch out.
Enjoy!
ps. Did I miss a tool or category? Drop me a line!