https://www.owasp.org/images/b/b7/OWASP_Top_10_2017_%E4%B8%AD%E6%96%87%E7%89%88v1.1.pdf
VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code.
https://sourceforge.net/projects/visualcodegrepp/?source=typ_redirect
Source Code Analysis Tools
https://www.owasp.org/index.php/Source_Code_Analysis_Tools