Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Filtered: 17 rules found

symbolic-execution

Impact

Clean code attribute

Null pointers should not be dereferenced

intentionality - logical

reliability

Bug

Why is this an issue?

How can I fix it?

More Info

Accessing a null value will always throw a NullReferenceException most likely causing an abrupt program termination.

Such termination might expose sensitive information that a malicious third party could exploit to, for instance, bypass security measures.

Exceptions

In the following cases, the rule does not raise:

Extensions Methods

Calls to extension methods can still operate on null values.

using System;
using System.Text.RegularExpressions;

public static class Program
{
    public static string RemoveVowels(this string value)
    {
        if (value == null)
        {
            return null;
        }
        return Regex.Replace(value, "[aeoui]*","", RegexOptions.IgnoreCase);
    }

    public static void Main()
    {
        Console.WriteLine(((string?)null).RemoveVowels());  // Compliant: 'RemoveVowels' is an extension method
    }
}

Unreachable code

Unreachable code is not executed, thus null values will never be accessed.

public void Method()
{
    object o = null;
    if (false)
    {
        o.ToString();    // Compliant: code is unreachable
    }
}

Validated value by analysis attributes

Nullable analysis attributes enable the developer to annotate methods with information about the null-state of its arguments. Thus, potential null values validated by one of the following attributes will not raise:

It is important to note those attributes are only available starting .NET Core 3. As a workaround, it is possible to define those attributes manually in a custom class:

using System;

public sealed class NotNullAttribute : Attribute { } // The alternative name 'ValidatedNotNullAttribute' is also supported

public static class Guard
{
    public static void NotNull<T>([NotNull] T value, string name) where T : class
    {
        if (value == null)
        {
            throw new ArgumentNullException(name);
        }
    }
}

public static class Utils
{
    public static string Normalize(string value)
    {
        Guard.NotNull(value, nameof(value)); // Will throw if value is null
        return value.ToUpper(); // Compliant: value is known to be not null here.
    }
}

Validated value by Debug.Assert

A value validated with Debug.Assert to not be null is safe to access.

using System.Diagnostics;

public void Method(object myObject)
{
    Debug.Assert(myObject != null);
    myObject.ToString(); // Compliant: 'myObject' is known to be not null here.
}

Validated value by IDE-specific attributes

Like with null-analysis-attribute, potential null values validated by one of the following IDE-specific attributes will not raise

Visual Studio

ValidatedNotNullAttribute (The attribute is interpreted the same as the NotNullAttribute)

JetBrains Rider

NotNullAttribute

TerminatesProgramAttribute

using System;
using JetBrains.Annotations;

public class Utils
{
    [TerminatesProgram]
    public void TerminateProgram()
    {
        Environment.FailFast("A catastrophic failure has occurred.")
    }

    public void TerminatesProgramIsRespected()
    {
        object myObject = null;
        TerminateProgram();
        myObject.ToString(); // Compliant: unreachable
    }
}

Null forgiving operator

Expression marked with the null forgiving operator

public void Method()
{
    object o = null;
    o!.ToString();    // Compliant: the null forgiving operator suppresses the nullable warning
}

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted