SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
C

C static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C code

  • All rules 315
  • Vulnerability13
  • Bug76
  • Security Hotspot19
  • Code Smell207

  • Quick Fix 19
 
Tags
    Impact
      Clean code attribute
        1. Accessing files should not introduce TOCTOU vulnerabilities

           Vulnerability
        2. Account validity should be verified when authenticating users with PAM

           Vulnerability
        3. "memset" should not be used to delete sensitive data

           Vulnerability
        4. POSIX functions should not be called with arguments that trigger buffer overflows

           Vulnerability
        5. Cipher algorithms should be robust

           Vulnerability
        6. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        7. Server hostnames should be verified during SSL/TLS connections

           Vulnerability
        8. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        9. Cryptographic keys should be robust

           Vulnerability
        10. Weak SSL/TLS protocols should not be used

           Vulnerability
        11. XML parsers should not be vulnerable to XXE attacks

           Vulnerability
        12. Insecure functions should not be used

           Vulnerability
        13. "scanf()" and "fscanf()" format strings should specify a field width for the "%s" string placeholder

           Vulnerability

        Accessing files should not introduce TOCTOU vulnerabilities

        intentionality - logical
        security
        Vulnerability
        • cwe
        • cert

        When an application manipulates files, "Time-Of-Check to Time-Of-Use" can occur when a file-checking operation is disconnected from the actual operation it is bound to.

        For example, such a vulnerability occurs when a file existence check is performed strictly before a file creation operation.

        Why is this an issue?

        How can I fix it?

        More Info

        Race conditions can happen when file operations and their associated pre-checks are disconnected. Indeed, while the application assumes that the checked file property will not change before performing the operation, there is a chance that changes are applied to the file.

        Especially, a concurrent process, which an attacker can control, could modify a file right after a check is performed and before the actual use. This file can be deleted, created, altered, or see its permissions changed depending on the use case.

        What is the potential impact?

        The impact of a successfully exploited race condition is dependent on the business logic of the vulnerable application. The consequences will vary depending on what check is performed and how the file is used.

        In general, attackers use such attacks to escalate privileges, execute arbitrary code, or perform a denial of service.

        Arbitrary code execution

        Executable or script file integrity and authenticity checks can be bypassed when exploiting a TOCTOU vulnerability. In such a scenario, attackers would change an executable file content between when its integrity is checked and when the application executes it.

        This attack would allow attackers to trick the application into executing malicious, arbitrary code. They would then be granted the same privilege levels as the application itself, which can be particularly severe when it runs with administration privileges.

        Privileges escalation

        When the attacker is a local user on the same server as the running application, the same attack is possible with extended probability. In such a case, attackers can exploit the reading and writing to configuration files, the creation of local network resources, or the use of temporary files to achieve the same code execution purpose.

        However, in that case, the attack is only meaningful when the application is running with high or otherwise interesting privileges. Attackers exploiting a TOCTOU vulnerability that way would achieve horizontal or vertical privilege escalation.

        Denial of service

        When the application expects some file properties to be set at the operation time, it will often face unexpected errors when those properties have actually changed. This might be the case when writing to a file where newly set permissions forbid that operation or when reading from a deleted file.

        When such errors are faced, the application might unexpectedly stop, which can affect its availability. Depending on the application and hosting architectures, the interruption can be temporary or permanent, partial or complete.

          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use