Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

C static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C code

Tags

"memset" should not be used to delete sensitive data
Vulnerability
POSIX functions should not be called with arguments that trigger buffer overflows
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
Function-like macros should not be invoked without all of their arguments
Bug
The address of an automatic object should not be assigned to another object that may persist after the first object has ceased to exist
Bug
"pthread_mutex_t" should be unlocked in the reverse order they were locked
Bug
"pthread_mutex_t" should be properly initialized and destroyed
Bug
"pthread_mutex_t" should not be consecutively locked or unlocked twice
Bug
Functions with "noreturn" attribute should not return
Bug
"memcmp" should only be called with pointers to trivially copyable types with no padding
Bug
Stack allocated memory and non-owned memory should not be freed
Bug
Closed resources should not be accessed
Bug
Dynamically allocated memory should be released
Bug
Freed memory should not be used
Bug
Memory locations should not be released more than once
Bug
Memory access should be explicitly bounded to prevent buffer overflows
Bug
Printf-style format strings should not lead to unexpected behavior at runtime
Bug
Recursion should not be infinite
Bug
Resources should be closed
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
"goto" should jump to labels declared later in the same function
Code Smell
Only standard forms of the "defined" directive should be used
Code Smell
Switch labels should not be nested inside non-switch blocks
Code Smell
The right-hand operands of && and || should not contain side effects
Code Smell
Digraphs should not be used
Code Smell
Trigraphs should not be used
Code Smell
"case" ranges should cover multiple values
Code Smell
Array indices should be placed between brackets
Code Smell
Redundant pointer operator sequences should be removed
Code Smell
Non-reentrant POSIX functions should be replaced with their reentrant versions
Code Smell
"goto" statements should not be used to jump into blocks
Code Smell
Keywords introduced in later specifications should not be used as identifiers
Code Smell
Switch cases should end with an unconditional "break" statement
Code Smell
"switch" statements should not contain non-case labels
Code Smell
Control should not be transferred into a complex logic block using a "goto" or a "switch" statement
Code Smell
Accessing files should not introduce TOCTOU vulnerabilities
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Insecure functions should not be used
Vulnerability
"scanf()" and "fscanf()" format strings should specify a field width for the "%s" string placeholder
Vulnerability
Function exit paths should have appropriate return values
Bug
"volatile" should not be used to qualify objects for which the meaning is not defined
Bug
Relational and subtraction operators should not be used with pointers to different arrays
Bug
Arguments evaluation order should not be relied on
Bug
Parameter values should be appropriate
Bug
Zero should not be a possible denominator
Bug
Line-splicing should not be used in "//" comments
Bug
Pointers should not be cast to integral types
Bug
"sprintf" should not be used
Security Hotspot
Changing working directories without verifying the success is security-sensitive
Security Hotspot
Using "tmpnam", "tmpnam_s" or "tmpnam_r" is security-sensitive
Security Hotspot
Changing directories improperly when using "chroot" is security-sensitive
Security Hotspot
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
"#undef" should be used with caution
Code Smell
Function names should be used either as a call with a parameter list or with the "&" operator
Code Smell
Functions should not be defined with a variable number of arguments
Code Smell
A cast shall not remove any const or volatile qualification from the type of a pointer or reference
Code Smell
Object and function types should be explicitly stated in their declarations and definitions
Code Smell
Functions should be declared explicitly
Code Smell
Appropriate arguments should be passed to UNIX/POSIX functions
Code Smell
Appropriate arguments should be passed to stream functions
Code Smell
Blocking functions should not be called inside critical sections
Code Smell
Return value of "setuid" family of functions should always be checked
Code Smell
Size of variable length arrays should be positive
Code Smell
Argument of "printf" should be a format string
Code Smell
"mktemp" family of functions templates should have at least six trailing "X"s
Code Smell
Logical operators should not be confused with bitwise operators
Code Smell
Header guards should be followed by according "#define" macro
Code Smell
"default" clauses should be first or last
Code Smell
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Cognitive Complexity of functions should not be too high
Code Smell
Control characters should not be used in literals
Code Smell
"restrict" should not be used
Code Smell
"static" should not be used for the size of an array parameter
Code Smell
The sign of an unsigned variable should not be tested
Code Smell
Pre-defined macros should not be defined, redefined or undefined
Code Smell
Control flow statements "if", "for", "while", "switch" and "try" should not be nested too deeply
Code Smell
Methods should not be empty
Code Smell
Account validity should be verified when authenticating users with PAM
Vulnerability
Lines starting with "#" should contain valid preprocessing directives
Bug
"#include" directives should be followed by either <filename> or "filename" sequences
Bug
Non-standard characters should not occur in header file names in "#include" directives
Bug
Non-empty statements should change control flow or have at least one side-effect
Bug
Unary minus should not be applied to an unsigned expression
Bug
Objects with integer type should not be converted to objects with pointer type
Bug
Variables should be initialized before use
Bug
String literals with different prefixes should not be concatenated
Bug
Only escape sequences defined in the ISO C standard should be used
Bug
"#pragma pack" should be used correctly
Bug
Enums should be consistent with the bit fields they initialize
Bug
User-defined types should not be passed as variadic arguments
Bug
Array values should not be replaced unconditionally
Bug
Integral operations should not overflow
Bug
"case" ranges should not be empty
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Declaration specifiers should not be redundant
Bug
"sizeof" should not be called on pointers
Bug
Unary prefix operators should not be repeated
Bug
"=+" should not be used instead of "+="
Bug
Values of different "enum" types should not be compared
Bug
Conditionally executed code should be reachable
Bug
Null pointers should not be dereferenced
Bug
Single-bit named bit fields should not be of a signed type
Bug
Values should not be uselessly incremented
Bug
"sizeof(sizeof(...))" should not be used
Bug
Related "if/else if" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Setting capabilities is security-sensitive
Security Hotspot
Using "strncpy" or "wcsncpy" is security-sensitive
Security Hotspot
Using "strncat" or "wcsncat" is security-sensitive
Security Hotspot
Using "strcat" or "wcscat" is security-sensitive
Security Hotspot
Using "strlen" or "wcslen" is security-sensitive
Security Hotspot
Using "strcpy" or "wcscpy" is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
#include directives in a file should only be preceded by other preprocessor directives or comments
Code Smell
Loops should not have more than one "break" or "goto" statement
Code Smell
Unused type declarations should be removed
Code Smell
Comma operator should not be used
Code Smell
"bool" expressions should not be used as operands to built-in operators other than =, &&, ||, !, ==, !=, unary &, and the conditional operator
Code Smell
"enum" members other than the first one should not be explicitly initialized unless all members are explicitly initialized
Code Smell
If a function has internal linkage then all re-declarations shall include the static storage class specifer
Code Smell
Functions should not be declared at block scope
Code Smell
Bit fields should be declared with appropriate types
Code Smell
Size of bit fields should not exceed the size of their types
Code Smell
GNU attributes should be used correctly
Code Smell
Unevaluated operands should not have side effects
Code Smell
Size argument of memory functions should be consistent
Code Smell
Implicit casts should not lower precision
Code Smell
Appropriate size arguments should be passed to "strncat" and "strlcpy"
Code Smell
Keywords shall not be used as macros identifiers
Code Smell
Dereferenced null pointers should not be bound to references
Code Smell
"else" statements should be clearly matched with an "if"
Code Smell
Include directives should not rely on non-portable search strategy
Code Smell
"#include" paths should be portable
Code Smell
"#import" should not be used
Code Smell
Atomic types should be used instead of "volatile" types
Code Smell
"switch" statements should cover all cases
Code Smell
Methods returns should not be invariant
Code Smell
Printf-style format strings should be used correctly
Code Smell
Conditional operators should not be nested
Code Smell
Multiline blocks should be enclosed in curly braces
Code Smell
Increment should not be used to set boolean variables to 'true'
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Parameters should be passed in the correct order
Code Smell
Obsolete POSIX functions should not be used
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
Structures should not have too many fields
Code Smell
"switch" statements should not have too many "case" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Deprecated K&R syntax should not be used for function definition
Code Smell
Unused function parameters should be removed
Code Smell
Unused functions and methods should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated attributes should include explanations
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
Variables should not be shadowed
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Functions should not have too many parameters
Code Smell
Collapsible "if" statements should be merged
Code Smell
Unused labels should be removed
Code Smell
The "sizeof" and "alignof" operator should not be used with operands of a "void" type
Bug
"nonnull" pointers should not be set to null
Bug
"for" loop counters should not have essentially floating type
Bug
Line continuation characters '\' should not be followed by trailing whitespace
Bug
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Pointer and reference parameters should be "const" if the corresponding object is not modified
Code Smell
The three expressions of a "for" statement should only be concerned with loop control
Code Smell
Literal suffix "L" for long integers shall be upper case
Code Smell
Multicharacter literals should not be used
Code Smell
Loop variables should be declared in the minimal possible scope
Code Smell
Macros should not be used as replacement to "typdef" and "using"
Code Smell
"^" should not be confused with exponentiation
Code Smell
Pointer and reference local variables should be "const" if the corresponding object is not modified
Code Smell
Format strings should comply with ISO standards
Code Smell
Functions which do not return should be declared as "noreturn"
Code Smell
Macros should not be redefined
Code Smell
"#include_next" should not be used
Code Smell
String literals should not be concatenated implicitly
Code Smell
Types and variables should be declared in separate statements
Code Smell
Jump statements should not be redundant
Code Smell
Empty "case" clauses that fall through to the "default" should be omitted
Code Smell
Forward declarations should not be redundant
Code Smell
Declarations should not be empty
Code Smell
Redundant casts should not be used
Code Smell
Code annotated as deprecated should not be used
Code Smell
"#pragma warning (default: ...)" should not be used
Code Smell
Init-declarator-lists and member-declarator-lists should consist of single init-declarators and member-declarators respectively
Code Smell
Unused local variables should be removed
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
Nested code blocks should not be used
Code Smell
Empty statements should be removed
Code Smell
"/*" and "//" should not be used within comments
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
Reserved identifiers and functions in the C standard library should not be defined or declared
Code Smell
Bit fields should not be used
Code Smell
Track lack of copyright and license headers
Code Smell
Octal values should not be used
Code Smell
"abort", "exit", "getenv" and "system" from <stdlib.h> should not be used
Bug
"atof", "atoi" and "atol" from <stdlib.h> should not be used
Bug
"<signal.h>" should not be used
Bug
Dynamic heap memory allocation should not be used
Bug
"<time.h>" should not be used
Code Smell
"<stdio.h>" should not be used in production code
Code Smell
"offsetof" macro should not be used
Code Smell
"errno" should not be used
Code Smell
"setjmp" and "longjmp" should not be used
Code Smell
Function-like macros should not be used
Code Smell
Macros should not be #define'd or #undef'd within a block
Code Smell
Unions should not be used
Code Smell
Object declarations should contain no more than 2 levels of pointer indirection
Code Smell
Functions without parameters should be declared with parameter type "void"
Code Smell
Recursion should not be used
Code Smell
Constants of unsigned type should have a "U" suffix
Code Smell
Octal and hexadecimal escape sequences should be terminated
Code Smell
Flexible array members should not be declared
Code Smell
Preprocessor directives should not be indented
Code Smell
"switch" statements should not be nested
Code Smell
Cyclomatic Complexity of functions should not be too high
Code Smell
"switch" statements should have "default" clauses
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
"typedef" should be used for function pointers
Code Smell
Control structures should use curly braces
Code Smell
Expressions should not be too complex
Code Smell
Macros used in preprocessor directives should be defined before use
Bug
The number of arguments passed to a function should match the number of parameters
Bug
Evaluation of the operand to the sizeof operator shall not contain side effects
Bug
Bitwise operators should not be applied to signed operands
Bug
Boolean operations should not have numeric operands, and vice versa
Bug
Pointer conversions should be restricted to a safe subset
Bug
Function pointers should not be converted to any other type
Bug
Results of ~ and << operations on operands of underlying types unsigned char and unsigned short should immediately be cast to the operand's underlying type
Bug
The "<stdlib.h>" functions "bsearch" and "qsort" should not be used
Bug
Floating point numbers should not be tested for equality
Bug
There shall be at most one occurrence of the # or ## operators in a single macro definition
Code Smell
Parameters in a function prototype should be named
Code Smell
"goto" statement should not be used
Code Smell
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
"enum" values should not be used as operands to built-in operators other than [ ], =, ==, !=, unary &, and the relational operators <, <=, >, >=
Code Smell
Operands of "&&" and "||" should be primary (C) or postfix (C++) expressions
Code Smell
Limited dependence should be placed on operator precedence
Code Smell
The value of a complex expression should only be cast to a type that is narrower and of the same signedness as the underlying type of the expression
Code Smell
Braces should be used to indicate and match the structure in the non-zero initialization of arrays and structures
Code Smell
Array declarations should include an explicit size specification
Code Smell
"typedef" names should be unique identifiers
Code Smell
Identifiers should not be longer than 31 characters
Code Smell
All uses of the #pragma directive should be documented
Code Smell
Assembly language should be encapsulated and isolated
Code Smell
Functions that are not used in a project should be removed
Code Smell
Track parsing failures
Code Smell
Files should not be too complex
Code Smell
The ternary operator should not be used
Code Smell
Functions/methods should not have too many lines
Code Smell
Track uses of "NOSONAR" comments
Code Smell
"for" loop stop conditions should be invariant
Code Smell
Statements should be on separate lines
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Functions should not contain too many return statements
Code Smell
Magic numbers should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Function parameters' initial values should not be ignored
Bug
Preprocessor operators "#" and "##" should not be used
Code Smell
Structure and union types should be complete at the end of a translation unit
Code Smell
Switch statement conditions should not have essentially boolean type
Code Smell
"continue" should not be used
Code Smell
Tests of non-Boolean values against zero should be explicit
Code Smell
Signed and unsigned types should not be mixed in expressions
Code Smell
typedefs that indicate size and signedness should be used in place of the basic types
Code Smell
Appropriate char types should be used for character and integer values
Code Smell
Source code should only use /* ... */ style comments
Code Smell
GNU extensions should not be used
Code Smell
Methods should not return constants
Code Smell
Label names should comply with a naming convention
Code Smell
Enumeration values should comply with a naming convention
Code Smell
Enumeration names should comply with a naming convention
Code Smell
Comment styles "//" and "/* ... */" should not be mixed within a file
Code Smell
"union" names should comply with a naming convention
Code Smell
Constants should come first in equality tests
Code Smell
Type specifiers should be listed in a standard order
Code Smell
Track "TODO" and "FIXME" comments that do not contain a reference to a person
Code Smell
The prefix increment/decrement form should be used
Code Smell
"struct" names should comply with a naming convention
Code Smell
File names should comply with a naming convention
Code Smell
Macro names should comply with a naming convention
Code Smell
Comments should not be located at the end of lines of code
Code Smell
break statements should not be used except for switch cases
Code Smell
Local variable and function parameter names should comply with a naming convention
Code Smell
Field names should comply with a naming convention
Code Smell
Lines should not end with trailing whitespaces
Code Smell
Files should contain an empty newline at the end
Code Smell
Tabulation characters should not be used
Code Smell
A function should have a single point of exit at the end of the function
Code Smell
Function names should comply with a naming convention
Code Smell
Track comments matching a regular expression
Code Smell
Track instances of the "#error" preprocessor directive being reached
Code Smell

Encryption algorithms should be used with secure mode and padding scheme

Vulnerability

CriticalSonarSource default severity
click to learn more

cwe
privacy
cert

Why is this an issue?

Encryption algorithms should use secure modes and padding schemes where appropriate to guarantee data confidentiality and integrity.

For block cipher encryption algorithms (like AES):
- The ECB (Electronic Codebook) cipher mode doesn’t provide serious message confidentiality: under a given key any given plaintext block always gets encrypted to the same ciphertext block. This mode should never be used.
- The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality. This cipher mode is also vulnerable to padding oracle attacks when used with padding. Using CBC along with Message Authentication Code can provide data integrity and should prevent such attacks. In practice the implementation has many pitfalls and it’s recommended to avoid CBC with padding completely.
- The GCM (Galois Counter Mode) mode which works internally with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality. Other similar modes are CCM, CWC, EAX, IAPM and OCB.
For RSA encryption algorithm, the recommended padding scheme is OAEP.

Noncompliant code example

botan

#include <botan/cipher_mode.h>
#include <botan/pubkey.h>
#include <botan/rsa.h>

// Example for a symmetric cipher: AES
Botan::Cipher_Mode::create("AES-256/ECB", Botan::ENCRYPTION);       // Noncompliant
Botan::Cipher_Mode::create("AES-256/CBC/PKCS7", Botan::ENCRYPTION); // Noncompliant

// Example for a asymmetric cipher: RSA
std::unique_ptr<Botan::RandomNumberGenerator> rng(new Botan::AutoSeeded_RNG);
Botan::RSA_PrivateKey rsaKey(*rng.get(), 2048);

Botan::PK_Encryptor_EME(rsaKey, *rng.get(), "PKCS1v15"); // Noncompliant

crypto++

#include <cryptopp/aes.h>
#include <cryptopp/modes.h>
#include <cryptopp/rsa.h>

// Example for a symmetric cipher: AES
CryptoPP::ECB_Mode<CryptoPP::AES>::Encryption(); // Noncompliant
CryptoPP::CBC_Mode<CryptoPP::AES>::Encryption(); // Noncompliant

// Example for a asymmetric cipher: RSA
CryptoPP::RSAES<CryptoPP::PKCS1v15>::Encryptor(); // Noncompliant

OpenSSL

#include <openssl/evp.h>
#include <openssl/rsa.h>

// Example for a symmetric cipher: AES
EVP_aes_128_ecb(); // Noncompliant
EVP_aes_128_cbc(); // Noncompliant

// Example for a asymmetric cipher: RSA
RSA_public_decrypt(flen, from, to, key, RSA_PKCS1_PADDING); // Noncompliant
RSA_public_decrypt(flen, from, to, key, RSA_SSLV23_PADDING); // Noncompliant
RSA_public_decrypt(flen, from, to, key, RSA_NO_PADDING); // Noncompliant

Compliant solution

botan

#include <botan/cipher_mode.h>
#include <botan/pubkey.h>
#include <botan/rsa.h>

// AES symmetric cipher is recommended to be used with GCM mode
Botan::Cipher_Mode::create("AES-256/GCM", Botan::ENCRYPTION);  // Compliant

// RSA asymmetric cipher is recommended to be used with OAEP padding
std::unique_ptr<Botan::RandomNumberGenerator> rng(new Botan::AutoSeeded_RNG);
Botan::RSA_PrivateKey rsaKey(*rng.get(), 2048);

Botan::PK_Encryptor_EME(rsaKey, *rng.get(), "OAEP"); // Compliant

crypto++

#include <cryptopp/gcm.h>

// AES symmetric cipher is recommended to be used with GCM mode
CryptoPP::GCM<CryptoPP::AES>::Encryption(); // Compliant

// RSA asymmetric cipher is recommended to be used with OAEP padding
CryptoPP::RSAES<CryptoPP::OAEP<CryptoPP::SHA1>>::Encryptor(); // Compliant

OpenSSL

#include <openssl/evp.h>

// AES symmetric cipher is recommended to be used with GCM mode
EVP_aes_128_gcm() // Compliant

// RSA asymmetric cipher is recommended be used with OAEP padding
RSA_public_decrypt(flen, from, to, key, RSA_PKCS1_OAEP_PADDING); // Compliant

Resources

OWASP Top 10 2021 Category A2 - Cryptographic Failures
OWASP Top 10 2017 Category A6 - Security Misconfiguration
MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
SANS Top 25 - Porous Defenses

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted