Adding to why static analysis tools are not used:

1. The false positives sometimes lead to ugly workarounds needed to quiet the message.

2. There's no standard, meaning different SA tools produce very different results, often contradictory.

A better approach is to improve the language. For example, the `(a < b < c)` is tripped by many static analyzers. In D, the grammar was changed so `a < b < c` is not valid. And the C/C++ committees should really deprecate `l` as a valid integer literal suffix :-)
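The `a < b < c` case mentioned above, as an added example that is not part of the original comments: what C evaluates for that expression next to what was almost certainly meant, plus a toy scanner for the pattern. The function names and the scanner are constructed for illustration; it works on a single expression string and is not a C parser (it ignores string literals, comments and C++ templates).

```c
#include <stdio.h>
#include <string.h>

/* What C evaluates for `a < b < c`: the first comparison yields 0 or 1,
   and that int is then compared with c. */
static int c_chained(int a, int b, int c) { return (a < b) < c; }

/* What the author of `a < b < c` almost always meant. */
static int in_order(int a, int b, int c) { return a < b && b < c; }

/* Returns 1 if expr holds two relational operators (<, >, <=, >=) at the
   same parenthesis depth with no lower-precedence operator between them. */
static int has_chained_relational(const char *s) {
    int seen[32] = {0};   /* seen[d]: a relational operator is pending at depth d */
    int d = 0;
    for (size_t i = 0; s[i]; i++) {
        char ch = s[i], nx = s[i + 1];
        if (ch == '(') {
            if (d < 31) d++;
            seen[d] = 0;
        } else if (ch == ')') {
            if (d > 0) d--;
        } else if (ch == '-' && nx == '>') {
            i++;                              /* member access, not a comparison */
        } else if ((ch == '<' || ch == '>') && nx == ch) {
            i++;                              /* shift operator */
            if (s[i + 1] == '=') i++;         /* <<= or >>= */
        } else if (ch == '<' || ch == '>') {
            if (nx == '=') i++;               /* <= or >= */
            if (seen[d]) return 1;            /* second relational in a row */
            seen[d] = 1;
        } else if (strchr("&|^?:,;=", ch)) {
            seen[d] = 0;                      /* ==, !=, &&, ||, ... bind looser */
        }
    }
    return 0;
}

int main(void) {
    printf("3 < 2 < 1 as C sees it: %d, as intended: %d\n",
           c_chained(3, 2, 1), in_order(3, 2, 1));
    printf("flagged: %d\n", has_chained_relational("if (lo < x < hi)"));
    return 0;
}
```
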

Regarding 1., not just ugly workarounds, remember how Debian broke their OpenSSL PRNG for several years to silence warnings from analysis tools [1] – read the impact section and shiver if you had not heard of this one before. There are real-world risks associated with spurious warnings.

[1]: https://github.com/g0tmi1k/debian-ssh