Tokenization is the act of breaking source text into language elements such as operators, variable names, numbers, etc. Parsing reads sequences of tokens and build Abstract Syntax Trees, which is a particular program representation. Tokenization and parsing are necessary for static analysis, but hardly interesting, in the same way that ante-to-the-pot is necessary to playing poker but not the interesting part of the game in any way.

If you are building a static analyzer (you imply you expect to work on one implemented in C or C++), you will need fundamental knowledge of compiling (parsing not so much unless you are building a parser for the language to be statically analyzed), but certainly about program representations (ASTs, triples, control and data flow graphs, …), type and property inference, and limits on analysis accuracy (the cause of conservative analyses.
The program representations are fundamental because these are the data structures that most static analysers really process; its simply too hard to wring useful facts directly from program text. These concepts can be used to implement static analysis capabilities in any programming language to implement analysis type tools; there’s nothing special in implementing them in C or C++.

Run, don’t walk, to your nearest compiler class for the first part of this. If you don’t have it, you won’t be able to do anything effective in tool building. The second part you will more likely find in a graduate computer science class.

If you get past that basic knowledge issue, you will either decide to implement an analysis tool from scratch, or build on existing analysis tool infrastructure. Few people decide to build one from scratch; it takes a huge amount of work (years or decades) to build robust parsers, flow analyzers, etc. needed as foundations for any particular static analysis. Mostly people try to use some existing infrastructure.

There’s a huge list of candidates at: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

If you insist on processing C or C++ and building your own custom sophisticated analysis, you really, really need a tool that can handle real C and C++ code. There are IMHO a limited number of good candidates:

• GCC (and various graft ons such as Starynkevitch’s MELT, about which I know little)
• Clang (pretty spectacular toolset)
• DMS (and its C and C++ front ends) [my company’s tool]
• Open64 compiler infrastructure
• Rose compiler infrastructure (based on EDG’s industry-wide front end)

Each one of these are big systems and require a big investment to understand and begin to use. Don’t underrate the learning curve.

There are lots of other tools out there that sort of process C and C++, but “sort of” is pretty useless for static analysis purposes.

If you intend to simply use a static analysis tool, you can avoid learning most of the parsing and program representation questions; instead you’ll need to learn as much as you can about the specific analysis tool you intend to use. You’ll still be a lot better off with the compiler background above because you will understand what the tool does, why it does it, and why it produces the kinds of answers that it does (usually it produces answers that are unsatisfying in a lot of ways due to the conservative limits on analysis accuracy).

Lastly, you should be clear that you understand the difference between static analysis and dynamic analysis [using data collected at runtime to determine program properties]. Most end users couldn’t care less how you get information about their code, and each analysis approach has its strength and weaknesses.