Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Tags

Impact

Clean code attribute

Locks should be released within the same method
Bug
A write lock should not be released when a read lock has been acquired and vice versa
Bug
Backslash should be avoided in route templates
Bug
Component parameter type should match the route parameter type constraint
Bug
[JSInvokable] attribute should only be used on public methods
Bug
Blazor query parameter type should be supported
Bug
Message template placeholders should be unique
Bug
Log message template should be syntactically correct
Bug
Blocks should not be synchronized on local variables
Bug
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"Shared" parts should not be created with "new"
Bug
Getters and setters should access the expected fields
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Classes should implement their "ExportAttribute" interfaces
Bug
Empty collections should not be accessed or iterated
Bug
Collection elements should not be replaced unconditionally
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
"Thread.Resume" and "Thread.Suspend" should not be used
Bug
Mutable, non-private fields should not be "readonly"
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Empty nullable value should not be accessed
Bug
Nullable type comparison should not be redundant
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Type inheritance should not be recursive
Bug
"string.ToCharArray()" and "ReadOnlySpan<T>.ToArray()" should not be called redundantly
Bug
Classes should not have only "private" constructors
Bug
Right operands of shift operators should be integers
Bug
"base.Equals" should not be used to check for reference equality in "Equals" if "base" is not "object"
Bug
Date and time should not be used as a type for primary keys
Bug
Expressions used in "Debug.Assert" should not produce side effects
Bug
Caller information parameters should come at the end of the parameter list
Bug
Static fields should appear in the order they must be initialized
Bug
Classes directly extending "object" should not call "base" in "GetHashCode" or "Equals"
Bug
Anonymous delegates should not be used to unsubscribe from Events
Bug
Delegates should not be subtracted
Bug
"async" methods should not return "void"
Bug
"ThreadStatic" should not be used on non-static fields
Bug
"IDisposables" created in a "using" statement should not be returned
Bug
"ThreadStatic" fields should not be initialized
Bug
"Object.ReferenceEquals" should not be used for value types
Bug
Generic parameters not constrained to reference types should not be compared to "null"
Bug
Classes should "Dispose" of members from the classes' own "Dispose" methods
Bug
Property assignments should not be made for "readonly" fields not constrained to reference types
Bug
Classes with "IDisposable" members should implement "IDisposable"
Bug
"IDisposables" should be disposed
Bug
SQL keywords should be delimited by whitespace
Bug
Doubled prefix operators "!!" and "~~" should not be used
Bug
Non-existent operators like "=+" should not be used
Bug
"NaN" should not be used in comparisons
Bug
The length returned from a stream read should be checked
Bug
Conditionally executed code should be reachable
Bug
Shared resources should not be used for locking
Bug
Blocks should be synchronized on read-only fields
Bug
Flags enumerations should explicitly initialize all their members
Bug
"GetHashCode" should not reference mutable fields
Bug
Composite format strings should not lead to unexpected behavior at runtime
Bug
Null pointers should not be dereferenced
Bug
For-loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
"ToString()" method should not return null
Bug
Locks should be released on all paths
Bug
Methods without side effects should not have their return values ignored
Bug
Loops and recursions should not be infinite
Bug
Results of integer division should not be assigned to floating point variables
Bug
Integral numbers should not be shifted by zero or more than their number of bits-1
Bug
Values should not be uselessly incremented
Bug
Collections should not be passed as arguments to their own methods
Bug
Related "if/else if" statements should not have the same condition
Bug
Objects should not be created to be dropped immediately without being used
Bug
Identical expressions should not be used on both sides of operators
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Floating point numbers should not be tested for equality
Bug
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
"Equals(Object)" and "GetHashCode()" should be overridden in pairs
Bug
Finalizers should not throw exceptions
Bug

Null pointers should not be dereferenced

intentionality - logical

reliability

Bug

cwe
symbolic-execution

Why is this an issue?

How can I fix it?

More Info

Accessing a null value will always throw a NullReferenceException most likely causing an abrupt program termination.

Such termination might expose sensitive information that a malicious third party could exploit to, for instance, bypass security measures.

Exceptions

In the following cases, the rule does not raise:

Extensions Methods

Calls to extension methods can still operate on null values.

using System;
using System.Text.RegularExpressions;

public static class Program
{
    public static string RemoveVowels(this string value)
    {
        if (value == null)
        {
            return null;
        }
        return Regex.Replace(value, "[aeoui]*","", RegexOptions.IgnoreCase);
    }

    public static void Main()
    {
        Console.WriteLine(((string?)null).RemoveVowels());  // Compliant: 'RemoveVowels' is an extension method
    }
}

Unreachable code

Unreachable code is not executed, thus null values will never be accessed.

public void Method()
{
    object o = null;
    if (false)
    {
        o.ToString();    // Compliant: code is unreachable
    }
}

Validated value by analysis attributes

Nullable analysis attributes enable the developer to annotate methods with information about the null-state of its arguments. Thus, potential null values validated by one of the following attributes will not raise:

NotNullAttribute
NotNullWhenAttribute
DoesNotReturnAttribute
DoesNotReturnIfAttribute

It is important to note those attributes are only available starting .NET Core 3. As a workaround, it is possible to define those attributes manually in a custom class:

using System;

public sealed class NotNullAttribute : Attribute { } // The alternative name 'ValidatedNotNullAttribute' is also supported

public static class Guard
{
    public static void NotNull<T>([NotNull] T value, string name) where T : class
    {
        if (value == null)
        {
            throw new ArgumentNullException(name);
        }
    }
}

public static class Utils
{
    public static string Normalize(string value)
    {
        Guard.NotNull(value, nameof(value)); // Will throw if value is null
        return value.ToUpper(); // Compliant: value is known to be not null here.
    }
}

Validated value by Debug.Assert

A value validated with Debug.Assert to not be null is safe to access.

using System.Diagnostics;

public void Method(object myObject)
{
    Debug.Assert(myObject != null);
    myObject.ToString(); // Compliant: 'myObject' is known to be not null here.
}

Validated value by IDE-specific attributes

Like with null-analysis-attribute, potential null values validated by one of the following IDE-specific attributes will not raise

Visual Studio

ValidatedNotNullAttribute (The attribute is interpreted the same as the NotNullAttribute)

JetBrains Rider

NotNullAttribute

TerminatesProgramAttribute

using System;
using JetBrains.Annotations;

public class Utils
{
    [TerminatesProgram]
    public void TerminateProgram()
    {
        Environment.FailFast("A catastrophic failure has occurred.")
    }

    public void TerminatesProgramIsRespected()
    {
        object myObject = null;
        TerminateProgram();
        myObject.ToString(); // Compliant: unreachable
    }
}

Null forgiving operator

Expression marked with the null forgiving operator

public void Method()
{
    object o = null;
    o!.ToString();    // Compliant: the null forgiving operator suppresses the nullable warning
}

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted