I have been using PMD and FindBugs for my application, but Fortify managed to detect some of the security vulnerabilities in my application. I am wondering if there is other open-source software that does a similar job to Fortify?
If your focus is on security, you could benefit from additional security rules. Find Security Bugs is a set of detectors for FindBugs.
Disclaimer: I'm the author of the tool mentioned.
Here is an exhaustive list of static analyzers maintained by NIST: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html