SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
C#

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

  • All rules 494
  • Vulnerability47
  • Bug88
  • Security Hotspot24
  • Code Smell335

  • Quick Fix 61
 
Tags
    Impact
      Clean code attribute
        1. Parameter names should match base declaration and other partial definitions

           Code Smell
        2. "goto" statement should not be used

           Code Smell
        3. Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression

           Code Smell
        4. Literal suffixes should be upper case

           Code Smell
        5. XSLT Transformations should not be vulnerable to injection attacks

           Vulnerability
        6. Locks should be released within the same method

           Bug
        7. A write lock should not be released when a read lock has been acquired and vice versa

           Bug
        8. First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty

           Code Smell
        9. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        10. Content Security Policies should be restrictive

           Vulnerability
        11. Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type

           Code Smell
        12. ModelState.IsValid should be called in controller actions

           Code Smell
        13. Awaitable method should be used

           Code Smell
        14. REST API actions should be annotated with an HTTP verb attribute

           Code Smell
        15. Value type property used as input in a controller action should be nullable, required or annotated with the JsonRequiredAttribute to avoid under-posting.

           Code Smell
        16. You should pool HTTP connections with HttpClientFactory

           Code Smell
        17. API Controllers should derive from ControllerBase instead of Controller

           Code Smell
        18. Controllers should not have mixed responsibilities

           Code Smell
        19. A Route attribute should be added to the controller when a route template is specified at the action level

           Code Smell
        20. Use model binding instead of reading raw request data

           Code Smell
        21. ASP.NET controller actions should not have a route template starting with "/"

           Code Smell
        22. Backslash should be avoided in route templates

           Bug
        23. Parameters with SupplyParameterFromQuery attribute should be used only in routable components

           Code Smell
        24. Using lambda expressions in loops should be avoided in Blazor markup section

           Code Smell
        25. Component parameter type should match the route parameter type constraint

           Bug
        26. [JSInvokable] attribute should only be used on public methods

           Bug
        27. Blazor query parameter type should be supported

           Bug
        28. JWT secret keys should not be disclosed

           Vulnerability
        29. Stack traces should not be disclosed

           Vulnerability
        30. Loop boundaries should not be vulnerable to injection attacks

           Vulnerability
        31. Use PascalCase for named placeholders

           Code Smell
        32. Message template placeholders should be unique

           Bug
        33. "Trace.WriteLineIf" should not be used with "TraceSwitch" levels

           Code Smell
        34. Log message template should be syntactically correct

           Bug
        35. Log message template placeholders should be in the right order

           Code Smell
        36. Generic logger injection should match enclosing type

           Code Smell
        37. "Trace.Write" and "Trace.WriteLine" should not be used

           Code Smell
        38. Logger field or property name should comply with a naming convention

           Code Smell
        39. Logging arguments should be passed to the correct parameter

           Code Smell
        40. Logging in a catch clause should pass the caught exception as a parameter.

           Code Smell
        41. The code block contains too many logging calls

           Code Smell
        42. Connection strings should not be vulnerable to injections attacks

           Vulnerability
        43. Using unsafe code blocks is security-sensitive

           Security Hotspot
        44. Memory allocations should not be vulnerable to Denial of Service attacks

           Vulnerability
        45. "string.Create" should be used instead of "FormattableString"

           Code Smell
        46. "Contains" should be used instead of "Any" for simple equality checks

           Code Smell
        47. "First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods

           Code Smell
        48. The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods

           Code Smell
        49. "StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"

           Code Smell
        50. "Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods

           Code Smell
        51. Prefer indexing instead of "Enumerable" methods on types implementing "IList"

           Code Smell
        52. The collection should be filtered before sorting by using "Where" before "OrderBy"

           Code Smell
        53. Collection-specific "Exists" method should be used instead of the "Any" extension

           Code Smell
        54. The collection-specific "TrueForAll" method should be used instead of the "All" extension

           Code Smell
        55. "Find" method should be used instead of the "FirstOrDefault" extension

           Code Smell
        56. Use the "UnixEpoch" field instead of creating "DateTime" instances that point to the beginning of the Unix epoch

           Code Smell
        57. Don't hardcode the format when turning dates and times to strings

           Code Smell
        58. Use a format provider when parsing date and time

           Code Smell
        59. Use "TimeZoneInfo.FindSystemTimeZoneById" without converting the timezones with "TimezoneConverter"

           Code Smell
        60. Use "DateTimeOffset" instead of "DateTime"

           Code Smell
        61. Use UTC when recording DateTime instants

           Code Smell
        62. Always set the "DateTimeKind" when creating new "DateTime" instances

           Code Smell
        63. Avoid using "DateTime.Now" for benchmarking or timing operations

           Code Smell
        64. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        65. Environment variables should not be defined from untrusted input

           Vulnerability
        66. "ExcludeFromCodeCoverage" attributes should include a justification

           Code Smell
        67. Blocks should not be synchronized on local variables

           Bug
        68. Not specifying a timeout for regular expressions is security-sensitive

           Security Hotspot
        69. Interfaces for durable entities should satisfy the restrictions

           Code Smell
        70. Azure Functions should log all failures

           Code Smell
        71. Calls to "async" methods should not be blocking in Azure Functions

           Code Smell
        72. Azure Functions should use Structured Error Handling

           Code Smell
        73. Client instances should not be recreated on each Azure Function invocation

           Code Smell
        74. Azure Functions should be stateless

           Code Smell
        75. Hard-coded secrets are security-sensitive

           Security Hotspot
        76. XML operations should not be vulnerable to injection attacks

           Vulnerability
        77. XML signatures should be validated securely

           Vulnerability
        78. Use a testable date/time provider

           Code Smell
        79. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        80. Applications should not create session cookies from untrusted input

           Vulnerability
        81. Reflection should not be vulnerable to injection attacks

           Vulnerability
        82. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        83. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        84. Regular expressions should be syntactically valid

           Bug
        85. Types allowed to be deserialized should be restricted

           Vulnerability
        86. Deserializing objects without performing data validation is security-sensitive

           Security Hotspot
        87. Disabling ASP.NET "Request Validation" feature is security-sensitive

           Security Hotspot
        88. Allowing requests with excessive content length is security-sensitive

           Security Hotspot
        89. JWT should be signed and verified with strong cipher algorithms

           Vulnerability
        90. Cipher algorithms should be robust

           Vulnerability
        91. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        92. Insecure temporary file creation methods should not be used

           Vulnerability
        93. Using publicly writable directories is security-sensitive

           Security Hotspot
        94. Passwords should not be stored in plaintext or with a fast hashing algorithm

           Vulnerability
        95. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        96. Using clear-text protocols is security-sensitive

           Security Hotspot
        97. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        98. HTTP request redirections should not be open to forging attacks

           Vulnerability
        99. Logging should not be vulnerable to injection attacks

           Vulnerability
        100. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        101. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        102. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        103. Having a permissive Cross-Origin Resource Sharing policy is security-sensitive

           Security Hotspot
        104. Expanding archive files without controlling resource consumption is security-sensitive

           Security Hotspot
        105. "ValueTask" should be consumed correctly

           Code Smell
        106. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        107. Configuring loggers is security-sensitive

           Security Hotspot
        108. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        109. Comments should not be empty

           Code Smell
        110. Start index should be used instead of calling Substring

           Code Smell
        111. Non-async "Task/Task<T>" methods should not return null

           Bug
        112. Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"

           Bug
        113. "new Guid()" should not be used

           Code Smell
        114. "DebuggerDisplayAttribute" strings should reference existing members

           Code Smell
        115. "default" clauses should be first or last

           Code Smell
        116. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        117. Disabling CSRF protections is security-sensitive

           Security Hotspot
        118. Unread "private" fields should be removed

           Code Smell
        119. Calls to "async" methods should not be blocking

           Code Smell
        120. Parameter validation in "async"/"await" methods should be wrapped

           Code Smell
        121. Parameter validation in yielding methods should be wrapped

           Code Smell
        122. LDAP connections should be authenticated

           Vulnerability
        123. "PartCreationPolicyAttribute" should be used with "ExportAttribute"

           Bug
        124. Cryptographic keys should be robust

           Vulnerability
        125. Weak SSL/TLS protocols should not be used

           Vulnerability
        126. Secure random number generators should not output predictable values

           Vulnerability
        127. "Shared" parts should not be created with "new"

           Bug
        128. Getters and setters should access the expected fields

           Bug
        129. Methods should be named according to their synchronicities

           Code Smell
        130. "ConstructorArgument" parameters should exist in constructors

           Bug
        131. Extensions should be in separate namespaces

           Code Smell
        132. Extension methods should not extend "object"

           Code Smell
        133. Events should have proper arguments

           Code Smell
        134. "P/Invoke" methods should not be visible

           Code Smell
        135. Serialization constructors should be secured

           Vulnerability
        136. Members should not have conflicting transparency annotations

           Vulnerability
        137. Windows Forms entry points should be marked with STAThread

           Bug
        138. Null checks should not be combined with "is" operator checks

           Code Smell
        139. Native methods should be wrapped

           Code Smell
        140. Classes should implement their "ExportAttribute" interfaces

           Bug
        141. Empty collections should not be accessed or iterated

           Bug
        142. Methods should not have identical implementations

           Code Smell
        143. Collection elements should not be replaced unconditionally

           Bug
        144. Method overloads should be grouped together

           Code Smell
        145. Non-flags enums should not be marked with "FlagsAttribute"

           Code Smell
        146. Operator overloads should have named alternatives

           Code Smell
        147. "params" should be used instead of "varargs"

           Code Smell
        148. Non-abstract attributes should be sealed

           Code Smell
        149. Property names should not match get methods

           Code Smell
        150. Overloads with a "StringComparison" parameter should be used

           Code Smell
        151. Locales should be set for data types

           Code Smell
        152. Overloads with a "CultureInfo" or an "IFormatProvider" parameter should be used

           Code Smell
        153. Literals should not be passed as localized parameters

           Code Smell
        154. Types should not extend outdated base types

           Code Smell
        155. Operators should be overloaded consistently

           Code Smell
        156. Properties should be preferred

           Code Smell
        157. Generics should be used when appropriate

           Code Smell
        158. Type names should not match namespaces

           Code Smell
        159. Strings should be normalized to uppercase

           Code Smell
        160. Interface methods should be callable by derived types

           Code Smell
        161. Searching OS commands in PATH is security-sensitive

           Security Hotspot
        162. Classes implementing "IEquatable<T>" should be sealed

           Code Smell
        163. Exceptions should provide standard constructors

           Code Smell
        164. Assemblies should be marked with "NeutralResourcesLanguageAttribute"

           Code Smell
        165. Child class fields should not differ from parent class fields only by capitalization

           Code Smell
        166. Interfaces should not be empty

           Code Smell
        167. Enumerations should have "Int32" storage

           Code Smell
        168. Base class methods should not be hidden

           Code Smell
        169. All type parameters should be used in the parameter list to enable type inference

           Code Smell
        170. Method signatures should not contain nested generic types

           Code Smell
        171. Enumeration members should not be named "Reserved"

           Code Smell
        172. Inherited member visibility should not be decreased

           Code Smell
        173. "System.Uri" arguments should be used instead of strings

           Code Smell
        174. Collection properties should be readonly

           Code Smell
        175. Disposable types should declare finalizers

           Code Smell
        176. Pointers to unmanaged memory should not be visible

           Code Smell
        177. Threads should not lock on objects with weak identity

           Code Smell
        178. String URI overloads should call "System.Uri" overloads

           Code Smell
        179. URI properties should not be strings

           Code Smell
        180. URI return values should not be strings

           Code Smell
        181. URI Parameters should not be strings

           Code Smell
        182. Custom attributes should be marked with "System.AttributeUsageAttribute"

           Code Smell
        183. Assemblies should explicitly specify COM visibility

           Code Smell
        184. Assemblies should be marked as CLS compliant

           Code Smell
        185. Exceptions should not be created without being thrown

           Bug
        186. Collection sizes and array length comparisons should make sense

           Bug
        187. A conditionally executed single line should be denoted by indentation

           Code Smell
        188. Conditionals should start on new lines

           Code Smell
        189. "GC.SuppressFinalize" should not be called

           Code Smell
        190. Multidimensional arrays should not be used

           Code Smell
        191. Objects should not be disposed more than once

           Code Smell
        192. "static" fields should be initialized inline

           Code Smell
        193. "static readonly" constants should be "const" instead

           Code Smell
        194. "Generic.List" instances should not be part of public APIs

           Code Smell
        195. Calculations should not overflow

           Bug
        196. Number patterns should be regular

           Code Smell
        197. Parameter names used into ArgumentException constructors should match an existing one

           Code Smell
        198. Serialization event handlers should be implemented correctly

           Bug
        199. Deserialization methods should be provided for "OptionalField" members

           Bug
        200. "ISerializable" should be implemented correctly

           Code Smell
        201. All branches in a conditional structure should not have exactly the same implementation

           Bug
        202. Collections should implement the generic interface

           Code Smell
        203. Generic event handlers should be used

           Code Smell
        204. Event Handlers should have the correct signature

           Code Smell
        205. Assemblies should have version information

           Code Smell
        206. Types should be defined in named namespaces

           Bug
        207. "Assembly.GetExecutingAssembly" should not be called

           Code Smell
        208. Arguments of public methods should be validated against null

           Code Smell
        209. Value types should implement "IEquatable<T>"

           Code Smell
        210. Classes that provide "Equals(<T>)" should implement "IEquatable<T>"

           Code Smell
        211. "Thread.Resume" and "Thread.Suspend" should not be used

           Bug
        212. Mutable, non-private fields should not be "readonly"

           Bug
        213. "Assembly.Load" should be used

           Code Smell
        214. "CoSetProxyBlanket" and "CoInitializeSecurity" should not be used

           Vulnerability
        215. "IDisposable" should be implemented correctly

           Code Smell
        216. Finalizers should not be empty

           Code Smell
        217. Arrays should not be created for params parameters

           Code Smell
        218. Exceptions should not be thrown from unexpected methods

           Code Smell
        219. Strings or integral types should be used for indexers

           Code Smell
        220. "operator==" should not be overloaded on reference types

           Code Smell
        221. "out" and "ref" parameters should not be used

           Code Smell
        222. Parameter names should not duplicate the names of their methods

           Code Smell
        223. Exception types should be "public"

           Code Smell
        224. "SafeHandle.DangerousGetHandle" should not be called

           Bug
        225. Cognitive Complexity of methods should not be too high

           Code Smell
        226. Track use of "NotImplementedException"

           Code Smell
        227. Empty nullable value should not be accessed

           Bug
        228. Database queries should not be vulnerable to injection attacks

           Vulnerability
        229. Jump statements should not be redundant

           Code Smell
        230. Nullable type comparison should not be redundant

           Bug
        231. Member initializer values should not be redundant

           Code Smell
        232. Methods with "Pure" attribute should return a value

           Bug
        233. "params" should not be introduced on overrides

           Code Smell
        234. One-way "OperationContract" methods should have "void" return type

           Bug
        235. "ServiceContract" and "OperationContract" attributes should be used together

           Code Smell
        236. Empty "default" clauses should be removed

           Code Smell
        237. Optional parameters should be passed to "base" calls

           Bug
        238. Type inheritance should not be recursive

           Bug
        239. Unassigned members should be removed

           Code Smell
        240. Empty "case" clauses that fall through to the "default" should be omitted

           Code Smell
        241. Composite format strings should be used correctly

           Code Smell
        242. "string.ToCharArray()" and "ReadOnlySpan<T>.ToArray()" should not be called redundantly

           Bug
        243. Classes should not have only "private" constructors

           Bug
        244. "[DefaultValue]" should not be used when "[DefaultParameterValue]" is meant

           Code Smell
        245. Parameters with "[DefaultParameterValue]" attributes should also be marked "[Optional]"

           Code Smell
        246. Right operands of shift operators should be integers

           Bug
        247. "[Optional]" should not be used on "ref" or "out" parameters

           Code Smell
        248. Exceptions should not be explicitly rethrown

           Code Smell
        249. Interfaces should not simply inherit from base interfaces with colliding members

           Code Smell
        250. Type should not be examined on "System.Type" instances

           Code Smell
        251. "abstract" classes should not have "public" constructors

           Code Smell
        252. Redundant property names should be omitted in anonymous classes

           Code Smell
        253. Variables should not be checked against the values they're about to be assigned

           Code Smell
        254. Test method signatures should be correct

           Code Smell
        255. "[ExpectedException]" should not be used

           Code Smell
        256. Method overloads with default parameter values should not overlap

           Code Smell
        257. Loggers should be named for their enclosing types

           Code Smell
        258. Assertion arguments should be passed in the correct order

           Code Smell
        259. Methods should not return constants

           Code Smell
        260. "private" methods called only by inner classes should be moved to those classes

           Code Smell
        261. "base.Equals" should not be used to check for reference equality in "Equals" if "base" is not "object"

           Bug
        262. Attribute, EventArgs, and Exception type names should end with the type being extended

           Code Smell
        263. "this" should not be exposed from constructors

           Code Smell
        264. Date and time should not be used as a type for primary keys

           Bug
        265. Ternary operators should not be nested

           Code Smell
        266. Unchanged variables should be marked as "const"

           Code Smell
        267. Expressions used in "Debug.Assert" should not produce side effects

           Bug
        268. Caller information parameters should come at the end of the parameter list

           Bug
        269. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        270. Cipher Block Chaining IVs should be unpredictable

           Vulnerability
        271. Loops should be simplified with "LINQ" expressions

           Code Smell
        272. Non-flags enums should not be used in bitwise operations

           Code Smell
        273. Events should be invoked

           Code Smell
        274. Static fields should appear in the order they must be initialized

           Bug
        275. "params" should be used on overrides

           Code Smell
        276. Namespaces should not be empty

           Code Smell
        277. Non-derived "private" classes and records should be "sealed"

           Code Smell
        278. Declarations and initializations should be as concise as possible

           Code Smell
        279. "string.IsNullOrEmpty" should be used

           Code Smell
        280. Default parameter values should not be passed as arguments

           Code Smell
        281. Constructor and destructor declarations should not be redundant

           Code Smell
        282. Implementations should be provided for "partial" methods

           Code Smell
        283. Classes directly extending "object" should not call "base" in "GetHashCode" or "Equals"

           Bug
        284. Duplicate casts should not be made

           Code Smell
        285. Generic type parameters should be co/contravariant when possible

           Code Smell
        286. Anonymous delegates should not be used to unsubscribe from Events

           Bug
        287. Method parameters should be declared with base types

           Code Smell
        288. Methods should not return values that are never used

           Code Smell
        289. The simplest possible condition syntax should be used

           Code Smell
        290. "value" contextual keyword should be used

           Code Smell
        291. Caller information arguments should not be provided explicitly

           Code Smell
        292. Redundant parentheses should not be used

           Code Smell
        293. "GC.SuppressFinalize" should not be invoked for types without destructors

           Code Smell
        294. Method calls should not resolve ambiguously to overloads with "params"

           Code Smell
        295. Inner class members should not shadow outer class "static" or type members

           Code Smell
        296. "Explicit" conversions of "foreach" loops should not be used

           Code Smell
        297. "ConfigureAwait(false)" should be used

           Code Smell
        298. "interface" instances should not be cast to concrete types

           Code Smell
        299. Delegates should not be subtracted

           Bug
        300. Multiple "OrderBy" calls should not be used

           Code Smell
        301. "async" methods should not return "void"

           Bug
        302. "StringBuilder" data should be used

           Code Smell
        303. "is" should not be used with "this"

           Code Smell
        304. Types should not have members with visibility set higher than the type's visibility

           Code Smell
        305. Members should not be initialized to default values

           Code Smell
        306. Reflection should not be used to increase accessibility of classes, methods, or fields

           Code Smell
        307. Static fields should not be updated in constructors

           Code Smell
        308. "ThreadStatic" should not be used on non-static fields

           Bug
        309. "IDisposables" created in a "using" statement should not be returned

           Bug
        310. "ThreadStatic" fields should not be initialized

           Bug
        311. "Object.ReferenceEquals" should not be used for value types

           Bug
        312. LINQ expressions should be simplified

           Code Smell
        313. Assertions should be complete

           Code Smell
        314. Generic parameters not constrained to reference types should not be compared to "null"

           Bug
        315. Methods named "Dispose" should implement "IDisposable.Dispose"

           Code Smell
        316. Classes should "Dispose" of members from the classes' own "Dispose" methods

           Bug
        317. Property assignments should not be made for "readonly" fields not constrained to reference types

           Bug
        318. Fields that are only assigned in the constructor should be "readonly"

           Code Smell
        319. Classes with "IDisposable" members should implement "IDisposable"

           Bug
        320. "IDisposables" should be disposed

           Bug
        321. "Thread.Sleep" should not be used in tests

           Code Smell
        322. SQL keywords should be delimited by whitespace

           Bug
        323. Doubled prefix operators "!!" and "~~" should not be used

           Bug
        324. Sequential tests should not check the same condition

           Code Smell
        325. Non-existent operators like "=+" should not be used

           Bug
        326. XML parsers should not be vulnerable to XXE attacks

           Vulnerability
        327. Static fields should not be used in generic types

           Code Smell
        328. "catch" clauses should do more than rethrow

           Code Smell
        329. Literal boolean values should not be used in assertions

           Code Smell
        330. Tests should include assertions

           Code Smell
        331. Instance members should not write to "static" fields

           Code Smell
        332. "IndexOf" checks should not be for positive numbers

           Code Smell
        333. "NaN" should not be used in comparisons

           Bug
        334. Multiline blocks should be enclosed in curly braces

           Code Smell
        335. The length returned from a stream read should be checked

           Bug
        336. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        337. Logging templates should be constant

           Code Smell
        338. Setting loose file permissions is security-sensitive

           Security Hotspot
        339. Boolean expressions should not be gratuitous

           Code Smell
        340. Conditionally executed code should be reachable

           Bug
        341. Shared resources should not be used for locking

           Bug
        342. Generic exceptions should not be ignored

           Code Smell
        343. Whitespace and control characters in string literals should be explicit

           Code Smell
        344. Blocks should be synchronized on read-only fields

           Bug
        345. Unnecessary bit operations should not be performed

           Code Smell
        346. Types and methods should not have too many generic parameters

           Code Smell
        347. Child class fields should not shadow parent class fields

           Code Smell
        348. Mutable fields should not be "public static"

           Code Smell
        349. Write-only properties should not be used

           Code Smell
        350. Exceptions should not be thrown from property getters

           Code Smell
        351. Public methods should not have multidimensional array parameters

           Code Smell
        352. Properties should not make collection or array copies

           Code Smell
        353. Optional parameters should not be used

           Code Smell
        354. Fields should be private

           Code Smell
        355. Flags enumerations zero-value members should be named "None"

           Code Smell
        356. Flags enumerations should explicitly initialize all their members

           Bug
        357. Enumeration type names should not have "Flags" or "Enum" suffixes

           Code Smell
        358. Enumeration types should comply with a naming convention

           Code Smell
        359. Public constant members should not be used

           Code Smell
        360. Redundant modifiers should not be used

           Code Smell
        361. Array covariance should not be used

           Code Smell
        362. "GetHashCode" should not reference mutable fields

           Bug
        363. "try" statements with identical "catch" and/or "finally" blocks should be merged

           Code Smell
        364. Unused type parameters should be removed

           Code Smell
        365. Methods and properties that don't access instance data should be static

           Code Smell
        366. "async" and "await" should not be used as identifiers

           Code Smell
        367. "nameof" should be used

           Code Smell
        368. Trivial properties should be auto-implemented

           Code Smell
        369. Overflow checking should not be disabled for "Enumerable.Sum"

           Code Smell
        370. Field-like events should not be virtual

           Code Smell
        371. Composite format strings should not lead to unexpected behavior at runtime

           Bug
        372. Null pointers should not be dereferenced

           Bug
        373. Using non-standard cryptographic algorithms is security-sensitive

           Security Hotspot
        374. For-loop conditions should be true at least once

           Bug
        375. A "for" loop update clause should move the counter in the right direction

           Bug
        376. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        377. Arguments should be passed in the same order as the method parameters

           Code Smell
        378. "ToString()" method should not return null

           Bug
        379. Non-constant static fields should not be visible

           Code Smell
        380. Locks should be released on all paths

           Bug
        381. "Exception" should not be caught

           Code Smell
        382. Runtime type checking should be simplified

           Code Smell
        383. Methods without side effects should not have their return values ignored

           Bug
        384. Unnecessary mathematical comparisons should not be made

           Code Smell
        385. Modulus results should not be checked for direct equality

           Code Smell
        386. Loops and recursions should not be infinite

           Bug
        387. Test classes should contain at least one test case

           Code Smell
        388. Results of integer division should not be assigned to floating point variables

           Bug
        389. Integral numbers should not be shifted by zero or more than their number of bits-1

           Bug
        390. Short-circuit logic should be used in boolean contexts

           Code Smell
        391. Classes named like "Exception" should extend "Exception" or a subclass

           Code Smell
        392. "sealed" classes should not have "protected" members

           Code Smell
        393. Underscores should be used to make large numbers readable

           Code Smell
        394. Exceptions should be either logged or rethrown but not both

           Code Smell
        395. Values should not be uselessly incremented

           Bug
        396. A secure password should be used when connecting to a database

           Vulnerability
        397. Collections should not be passed as arguments to their own methods

           Bug
        398. Classes should not be empty

           Code Smell
        399. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        400. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        401. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        402. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        403. Formatting SQL queries is security-sensitive

           Security Hotspot
        404. OS commands should not be vulnerable to command injection attacks

           Vulnerability
        405. Hard-coded credentials are security-sensitive

           Security Hotspot
        406. Password hashing functions should use an unpredictable salt

           Vulnerability
        407. "for" loop increment clauses should modify the loops' counters

           Code Smell
        408. Invalid casts should be avoided

           Code Smell
        409. Boolean checks should not be inverted

           Code Smell
        410. Inheritance list should not be redundant

           Code Smell
        411. Redundant casts should not be used

           Code Smell
        412. Two branches in a conditional structure should not have exactly the same implementation

           Code Smell
        413. Related "if/else if" statements should not have the same condition

           Bug
        414. "ToString()" calls should not be redundant

           Code Smell
        415. Unused assignments should be removed

           Code Smell
        416. Objects should not be created to be dropped immediately without being used

           Bug
        417. "switch" statements should not be nested

           Code Smell
        418. Identical expressions should not be used on both sides of operators

           Bug
        419. Loops with at most one iteration should be refactored

           Bug
        420. Constructors should only call non-overridable methods

           Code Smell
        421. "==" should not be used when "Equals" is overridden

           Code Smell
        422. NullReferenceException should not be caught

           Code Smell
        423. An abstract class should have both abstract and concrete methods

           Code Smell
        424. Multiple variables should not be declared on the same line

           Code Smell
        425. Variables should not be self-assigned

           Bug
        426. Strings should not be concatenated using '+' in a loop

           Code Smell
        427. Tests should not be ignored

           Code Smell
        428. Methods and properties should not be too complex

           Code Smell
        429. Unused local variables should be removed

           Code Smell
        430. "switch" statements with many "case" clauses should have only one statement

           Code Smell
        431. Track lack of copyright and license headers

           Code Smell
        432. Private fields only used as local variables in methods should become local variables

           Code Smell
        433. Culture should be specified for "string" operations

           Code Smell
        434. Functions should not have too many lines of code

           Code Smell
        435. Control flow statements "if", "switch", "for", "foreach", "while", "do" and "try" should not be nested too deeply

           Code Smell
        436. Using hardcoded IP addresses is security-sensitive

           Security Hotspot
        437. Logger fields should be "private static readonly"

           Code Smell
        438. "switch/Select" statements should contain a "default/Case Else" clauses

           Code Smell
        439. Track uses of in-source issue suppressions

           Code Smell
        440. "switch" statements should have at least 3 "case" clauses

           Code Smell
        441. "for" loop stop conditions should be invariant

           Code Smell
        442. A "while" loop should be used instead of a "for" loop

           Code Smell
        443. "if ... else if" constructs should end with "else" clauses

           Code Smell
        444. Sections of code should not be commented out

           Code Smell
        445. Floating point numbers should not be tested for equality

           Bug
        446. break statements should not be used except for switch cases

           Code Smell
        447. Method parameters, caught exceptions and foreach variables' initial values should not be ignored

           Bug
        448. Statements should be on separate lines

           Code Smell
        449. "GC.Collect" should not be called

           Code Smell
        450. "Equals" and the comparison operators should be overridden when implementing "IComparable"

           Code Smell
        451. Control structures should use curly braces

           Code Smell
        452. "Equals(Object)" and "GetHashCode()" should be overridden in pairs

           Bug
        453. Classes should not be coupled to too many other classes

           Code Smell
        454. Nested code blocks should not be used

           Code Smell
        455. String literals should not be duplicated

           Code Smell
        456. Methods should not be empty

           Code Smell
        457. Overriding members should do more than simply call the same member in the base class

           Code Smell
        458. Unused method parameters should be removed

           Code Smell
        459. Empty arrays and collections should be returned instead of null

           Code Smell
        460. Exceptions should not be thrown in finally blocks

           Code Smell
        461. "Any()" should be used to test for emptiness

           Code Smell
        462. "switch case" clauses should not have too many lines of code

           Code Smell
        463. Exit methods should not be called

           Code Smell
        464. Unused private types or members should be removed

           Code Smell
        465. Track uses of "TODO" tags

           Code Smell
        466. Track uses of "FIXME" tags

           Code Smell
        467. Deprecated code should be removed

           Code Smell
        468. Files should end with a newline

           Code Smell
        469. Unnecessary "using" should be removed

           Code Smell
        470. Boolean literals should not be redundant

           Code Smell
        471. "Obsolete" attributes should include explanations

           Code Smell
        472. Assignments should not be made from within sub-expressions

           Code Smell
        473. General or reserved exceptions should never be thrown

           Code Smell
        474. Utility classes should not have public constructors

           Code Smell
        475. Local variables should not shadow class fields or properties

           Code Smell
        476. Empty statements should be removed

           Code Smell
        477. Redundant pairs of parentheses should be removed

           Code Smell
        478. A close curly brace should be located at the beginning of a line

           Code Smell
        479. Fields should not have public accessibility

           Code Smell
        480. Inheritance tree of classes should not be too deep

           Code Smell
        481. Magic numbers should not be used

           Code Smell
        482. Nested blocks of code should not be left empty

           Code Smell
        483. URIs should not be hardcoded

           Code Smell
        484. Methods should not have too many parameters

           Code Smell
        485. Expressions should not be too complex

           Code Smell
        486. Mergeable "if" statements should be combined

           Code Smell
        487. Standard outputs should not be used directly to log anything

           Code Smell
        488. Tabulation characters should not be used

           Code Smell
        489. Finalizers should not throw exceptions

           Bug
        490. Files should not have too many lines of code

           Code Smell
        491. Lines should not be too long

           Code Smell
        492. Types should be named in PascalCase

           Code Smell
        493. Method overrides should not change parameter defaults

           Code Smell
        494. Methods and properties should be named in PascalCase

           Code Smell

        OS commands should not be vulnerable to command injection attacks

        intentionality - complete
        security
        Vulnerability
        • cwe
        • injection

        Why is this an issue?

        How can I fix it?

        More Info

        OS command injections occur when applications build command lines from untrusted data before executing them with a system shell.
        In that case, an attacker can tamper with the command line construction and force the execution of unexpected commands. This can lead to the compromise of the underlying operating system.

        What is the potential impact?

        An attacker exploiting an OS command injection vulnerability will be able to execute arbitrary commands on the underlying operating system.

        The impact depends on the access control measures taken on the target system OS. In the worst-case scenario, the process runs with root privileges, and therefore any OS commands or programs may be affected.

        Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.

        Denial of service and data leaks

        In this scenario, the attack aims to disrupt the organization’s activities and profit from data leaks.

        An attacker could, for example:

        • download the internal server’s data, most likely to sell it
        • modify data, send malware
        • stop services or exhaust resources (with fork bombs for example)

        This threat is particularly insidious if the attacked organization does not maintain a disaster recovery plan (DRP).

        Root privilege escalation and pivot

        In this scenario, the attacker can do everything described in the previous section. The difference is that the attacker also manages to elevate their privileges to an administrative level and attacks other servers.

        Here, the impact depends on how much the target company focuses on its Defense In Depth. For example, the entire infrastructure can be compromised by a combination of OS injections and misconfiguration of:

        • Docker or Kubernetes clusters
        • cloud services
        • network firewalls and routing
        • OS access control
          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use