SonarQube Community Edition comes with rules dedicated to the security domain, mainly for Java, C# and PHP. I'll let you check the Vulnerability and Security Hotspots rules for each language directly on https://rules.sonarsource.com/java/type/Vulnerability.
We don't yet provide a nice display of our coverage of OWASP Top 10, CERT, SANS Top 25, but by using the Tags available on each rule you can find what you are looking for. For example, here are the rules for Java related to OWASP Top 10.
SQ Developer Edition comes with a more advanced engine dedicated to the security domain, and in particular it implements 6 rules for Java and C# (PHP should come later this year):
S3649: SQL queries should not be vulnerable to injection attacks
S2076: OS commands should not be vulnerable to injection attacks
S2091: XPath expressions should not be vulnerable to injection attacks
S2078: LDAP queries should not be vulnerable to injection attacks
S2631: Regular expressions should not be vulnerable to Denial of Service attacks
S2083: I/O function calls should not be vulnerable to path injection attacks
SonarCloud has the features of the SQ Developer Edition, so you can try it for free on your open source projects.