SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Go

Go static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your GO code

  • All rules 70
  • Vulnerability20
  • Bug7
  • Security Hotspot14
  • Code Smell29
 
Tags
    Impact
      Clean code attribute
        1. Credentials should not be hard-coded

           Vulnerability
        2. Hard-coded secrets are security-sensitive

           Security Hotspot
        3. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        4. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        5. JWT should be signed and verified with strong cipher algorithms

           Vulnerability
        6. Cipher algorithms should be robust

           Vulnerability
        7. Encryption algorithms should be used with secure mode and padding scheme

           Vulnerability
        8. Server hostnames should be verified during SSL/TLS connections

           Vulnerability
        9. Insecure temporary file creation methods should not be used

           Vulnerability
        10. Using publicly writable directories is security-sensitive

           Security Hotspot
        11. Passwords should not be stored in plaintext or with a fast hashing algorithm

           Vulnerability
        12. Using clear-text protocols is security-sensitive

           Security Hotspot
        13. HTTP request redirections should not be open to forging attacks

           Vulnerability
        14. Logging should not be vulnerable to injection attacks

           Vulnerability
        15. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        16. Server certificates should be verified during SSL/TLS connections

           Vulnerability
        17. Using weak hashing algorithms is security-sensitive

           Security Hotspot
        18. Multi-line comments should not be empty

           Code Smell
        19. Delivering code in production with debug features activated is security-sensitive

           Security Hotspot
        20. Cryptographic keys should be robust

           Vulnerability
        21. Weak SSL/TLS protocols should not be used

           Vulnerability
        22. Functions should not have identical implementations

           Code Smell
        23. Searching OS commands in PATH is security-sensitive

           Security Hotspot
        24. All branches in a conditional structure should not have exactly the same implementation

           Bug
        25. Cognitive Complexity of functions should not be too high

           Code Smell
        26. Database queries should not be vulnerable to injection attacks

           Vulnerability
        27. Creating cookies without the "HttpOnly" flag is security-sensitive

           Security Hotspot
        28. Cipher Block Chaining IVs should be unpredictable

           Vulnerability
        29. Non-existent operators like "=+" should not be used

           Bug
        30. Setting loose POSIX file permissions is security-sensitive

           Security Hotspot
        31. Go parser failure

           Code Smell
        32. Using pseudorandom number generators (PRNGs) is security-sensitive

           Security Hotspot
        33. Creating cookies without the "secure" flag is security-sensitive

           Security Hotspot
        34. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        35. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        36. Formatting SQL queries is security-sensitive

           Security Hotspot
        37. OS commands should not be vulnerable to command injection attacks

           Vulnerability
        38. Hard-coded credentials are security-sensitive

           Security Hotspot
        39. Password hashing functions should use an unpredictable salt

           Vulnerability
        40. Boolean checks should not be inverted

           Code Smell
        41. Two branches in a conditional structure should not have exactly the same implementation

           Code Smell
        42. Related "if/else if" statements should not have the same condition

           Bug
        43. "switch" statements should not be nested

           Code Smell
        44. Identical expressions should not be used on both sides of a binary operator

           Bug
        45. All code should be reachable

           Bug
        46. Variables should not be self-assigned

           Bug
        47. "switch" statements should not have too many "case" clauses

           Code Smell
        48. Track lack of copyright and license headers

           Code Smell
        49. Functions and methods should not have too many lines

           Code Smell
        50. Control flow statements "if", "for" and "switch" should not be nested too deeply

           Code Smell
        51. Octal values should not be used

           Code Smell
        52. Using hardcoded IP addresses is security-sensitive

           Security Hotspot
        53. "switch" statements should have "default" clauses

           Code Smell
        54. "if ... else if" constructs should end with "else" clauses

           Code Smell
        55. Statements should be on separate lines

           Code Smell
        56. String literals should not be duplicated

           Code Smell
        57. Functions should not be empty

           Code Smell
        58. Local variable and function parameter names should comply with a naming convention

           Code Smell
        59. "switch case" clauses should not have too many lines

           Code Smell
        60. Useless "if(true) {...}" and "if(false){...}" blocks should be removed

           Bug
        61. Track uses of "TODO" tags

           Code Smell
        62. Track uses of "FIXME" tags

           Code Smell
        63. Boolean literals should not be redundant

           Code Smell
        64. Redundant pairs of parentheses should be removed

           Code Smell
        65. Nested blocks of code should not be left empty

           Code Smell
        66. Functions should not have too many parameters

           Code Smell
        67. Expressions should not be too complex

           Code Smell
        68. Files should not have too many lines of code

           Code Smell
        69. Lines should not be too long

           Code Smell
        70. Function names should comply with a naming convention

           Code Smell

        Using hardcoded IP addresses is security-sensitive

        responsibility - trustworthy
        security
        Security Hotspot

          Hardcoding IP addresses is security-sensitive. It has led in the past to the following vulnerabilities:

          • CVE-2006-5901
          • CVE-2005-3725

          Today’s services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery, and deployment:

          • The developers will have to do a rapid fix every time this happens, instead of having an operation team change a configuration file.
          • It misleads to use the same address in every environment (dev, sys, qa, prod).

          Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which will increase an attack’s impact.

          Ask Yourself Whether

          The disclosed IP address is sensitive, e.g.:

          • Can give information to an attacker about the network topology.
          • It’s a personal (assigned to an identifiable person) IP address.

          There is a risk if you answered yes to any of these questions.

          Recommended Secure Coding Practices

          Don’t hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having to rebuild the software.

          Sensitive Code Example

          var (
            ip   = "192.168.12.42"
            port = 3333
          )
          
          SocketClient(ip, port)
          

          Compliant Solution

          config, err := ReadConfig("properties.ini")
          
          ip := config["ip"]
          port := config["ip"]
          
          SocketClient(ip, port)
          

          Exceptions

          No issue is reported for the following cases because they are not considered sensitive:

          • Loopback addresses 127.0.0.0/8 in CIDR notation (from 127.0.0.0 to 127.255.255.255)
          • Broadcast address 255.255.255.255
          • Non-routable address 0.0.0.0
          • Strings of the form 2.5.<number>.<number> as they often match Object Identifiers (OID)
          • Addresses in the ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, reserved for documentation purposes by RFC 5737
          • Addresses in the range 2001:db8::/32, reserved for documentation purposes by RFC 3849

          See

          • OWASP - Top 10 2021 Category A1 - Broken Access Control
          • OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
            Available In:
          • SonarQube IdeCatch issues on the fly,
            in your IDE
          • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
          • SonarQube Community BuildAnalyze code in your
            on-premise CI
            Available Since
            9.1
          • SonarQube ServerAnalyze code in your
            on-premise CI
            Developer Edition
            Available Since
            9.1

          © 2008-2025 SonarSource SA. All rights reserved.

          Privacy Policy | Cookie Policy | Terms of Use