SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Dart

Dart static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your DART code

  • All rules 126
  • Vulnerability4
  • Bug15
  • Security Hotspot8
  • Code Smell99
 
Tags
    Impact
      Clean code attribute
        1. Pubspec urls should be secure

           Vulnerability
        2. Cipher algorithms should be robust

           Vulnerability
        3. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        4. Server certificates should be verified during SSL/TLS connections

           Vulnerability

        Pubspec urls should be secure

        intentionality - complete
        security
        Vulnerability
        • cwe

        Why is this an issue?

        How can I fix it?

        More Info

        Transport Layer Security (TLS) provides a secure channel between systems communicating over the internet by encrypting the data sent between them. TLS can be used with http and git URI schemes to build secure https and git+https channels respectively.

        These secure protocols are essential for the confidentiality and the integrity of the communication performed when supply chain operations are performed, such as dart pub get, flutter pub get, dart pub upgrade, etc.

        In the pubspec.yaml file, which is a file used by several Dart/Flutter commands, there’s a possibility to specify URIs in various attributes: homepage, repository, issue_tracker, dependency repositories, etc.

        It is important that secure schemes are used in all these URIs. The protocol used in the https scheme provide an additional layer of security by encrypting the transferred data and verifying the server’s identity.

        It is generally recommended not to use http or git URIs that will be used by Dart/Flutter commands to gather external data during any stage of the application build.

        What is the potential impact

        Man-in-the-middle (MitM) attacks

        An attacker can intercept the communication between the client and server, allowing them to modify the data being transmitted.

        Supply chain attacks

        Without the verification provided by HTTPS certificates, attackers could redirect package requests to malicious servers that mimic legitimate package repositories.

        For example, an attacker could inject malicious code into a Dart package being downloaded, which could compromise the security of the application being built.

        This can cause further security breaches inside the organization, but will also affect clients if the malicious code gets added to any products, as a part of a production dependency or as code generated by a tampered development dependency.

        Distributing code that (unintentionally) contains backdoors or malware can lead to widespread security vulnerabilities, reputational damage, and potential legal liabilities.

        Credetials exposure

        Sensitive information, such as API keys or user credentials used to interact with the remote repository of Dart/Flutter packages, could be exposed during transmission. This could lead to unauthorized access to the application or its data.

          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          10.8

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use