I'm looking for some C/C++ code analysis tools. Preferably for a Win32 platform, as our software is Win32/MFC. The tool should look for security issues like format string vulnerabilities and check code complexity, anything else would be a welcome bonus.

The tool should be free as in "management doesn't want to pay a single dollar" (or euro in our case).

There seems to be a ton of tools out there. FlawFinder looked nice, but has no Windows port and I'll look into RATS tomorrow. Do you use such tools and what have you experienced using them? Does anyone have recommendations?
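As an added illustration of what these analyzers actually look for (this is example code written for this thread, not code from Flawfinder, RATS or the poster's project), here is a toy C checker for the classic format-string finding: a printf-family call whose format argument is not a string literal. The function table, the per-line approach and the sample source lines are all constructed here and deliberately simple; real tools work the same way but with far more patterns and better tokenizing.

```c
/* Toy static checker for the "non-literal format string" pattern that
 * tools like Flawfinder and RATS report. Illustration only: it scans one
 * line at a time, knows nothing about the preprocessor or types, and so
 * will produce false positives (e.g. a format held in a const char *
 * that really is constant). The point is to show the check, not to be
 * a replacement for a real analyzer. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Function name and the 0-based position of its format argument. */
struct fmt_func { const char *name; int fmt_index; };

static const struct fmt_func FMT_FUNCS[] = {
    { "printf",   0 },
    { "fprintf",  1 },
    { "sprintf",  1 },
    { "snprintf", 2 },
    { "syslog",   1 },
};

static const char *skip_ws(const char *p) {
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Return the start of argument `index` of the call whose '(' is at `open`,
 * or NULL if the call has fewer arguments. Commas inside nested
 * parentheses and inside string literals are not argument separators. */
static const char *nth_argument(const char *open, int index) {
    const char *p = open + 1, *start = p;
    int depth = 0, in_str = 0, arg = 0;
    for (; *p; p++) {
        if (in_str) {
            if (*p == '\\' && p[1]) p++;          /* skip escaped character */
            else if (*p == '"') in_str = 0;
            continue;
        }
        if (*p == '"') in_str = 1;
        else if (*p == '(') depth++;
        else if (*p == ')') { if (depth == 0) break; depth--; }
        else if (*p == ',' && depth == 0) {
            if (arg == index) return start;
            arg++;
            start = p + 1;
        }
    }
    return (arg == index && p > start) ? start : NULL;
}

/* Return 1 if `line` calls a printf-family function with a format argument
 * that is not a string literal, otherwise 0. */
int flags_format_string(const char *line) {
    size_t i;
    for (i = 0; i < sizeof FMT_FUNCS / sizeof FMT_FUNCS[0]; i++) {
        const char *name = FMT_FUNCS[i].name;
        size_t len = strlen(name);
        const char *hit = line;
        while ((hit = strstr(hit, name)) != NULL) {
            /* Whole identifier only: "vfprintf" or "my_printf" must not match. */
            int left_ok = (hit == line) ||
                          !(isalnum((unsigned char)hit[-1]) || hit[-1] == '_');
            const char *after = skip_ws(hit + len);
            const char *arg;
            hit += len;
            if (!left_ok || *after != '(') continue;
            arg = nth_argument(after, FMT_FUNCS[i].fmt_index);
            if (arg == NULL) continue;
            arg = skip_ws(arg);
            if (*arg == '\0' || *arg == ')') continue;   /* empty argument list */
            if (*arg != '"') return 1;                   /* non-literal format */
        }
    }
    return 0;
}

/* Count how many of the given source lines the checker flags. */
int count_findings(const char *const *lines, int n) {
    int hits = 0, i;
    for (i = 0; i < n; i++) hits += flags_format_string(lines[i]);
    return hits;
}

/* Constructed sample source lines, not taken from any real project. */
static const char *const SAMPLE[] = {
    "    printf(\"%s\\n\", username);",          /* literal format: fine     */
    "    printf(username);",                     /* user data as format: hit */
    "    fprintf(stderr, msg);",                 /* hit                      */
    "    snprintf(buf, sizeof buf, \"%d\", n);", /* fine                     */
    "    snprintf(buf, sizeof buf, fmt, n);",    /* hit                      */
    "    vprintf(fmt, ap);",                     /* not in the table: ignored */
    "    my_printf(fmt);",                       /* different identifier     */
};

int main(void) {
    int i, n = (int)(sizeof SAMPLE / sizeof SAMPLE[0]);
    for (i = 0; i < n; i++)
        if (flags_format_string(SAMPLE[i]))
            printf("line %d: non-literal format string:%s\n", i + 1, SAMPLE[i]);
    printf("%d finding(s)\n", count_findings(SAMPLE, n));
    return 0;
}
```

Running it reports lines 2, 3 and 5 of the constructed sample. The fix the tools expect in each flagged case is the same: pass the data through a constant format (`printf("%s", username);`) rather than as the format itself.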