@chrisstoecker Let me guess: The number of found "vulnerabilities" by this tool correlates with the lack of use of static code analysis and the number of disabled/ignored compiler warnings.

And I don't see any reason yet to assume that this tool exceeds the performance of already existing static code analysis tools like SonarQube, PMD or Findbugs/Spotbugs.