Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Go static code analysis

Unique rules to find Bugs, Security Hotspots, and Code Smells in your GO code

Tags

Impact

Clean code attribute

Credentials should not be hard-coded
Vulnerability
Hard-coded secrets are security-sensitive
Security Hotspot
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Using publicly writable directories is security-sensitive
Security Hotspot
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Multi-line comments should not be empty
Code Smell
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Functions should not have identical implementations
Code Smell
Searching OS commands in PATH is security-sensitive
Security Hotspot
All branches in a conditional structure should not have exactly the same implementation
Bug
Cognitive Complexity of functions should not be too high
Code Smell
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Non-existent operators like "=+" should not be used
Bug
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Go parser failure
Code Smell
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
Boolean checks should not be inverted
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
"switch" statements should not be nested
Code Smell
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Variables should not be self-assigned
Bug
"switch" statements should not have too many "case" clauses
Code Smell
Track lack of copyright and license headers
Code Smell
Functions and methods should not have too many lines
Code Smell
Control flow statements "if", "for" and "switch" should not be nested too deeply
Code Smell
Octal values should not be used
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"switch" statements should have "default" clauses
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Statements should be on separate lines
Code Smell
String literals should not be duplicated
Code Smell
Functions should not be empty
Code Smell
Local variable and function parameter names should comply with a naming convention
Code Smell
"switch case" clauses should not have too many lines
Code Smell
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Boolean literals should not be redundant
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Functions should not have too many parameters
Code Smell
Expressions should not be too complex
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Function names should comply with a naming convention
Code Smell

Passwords should not be stored in plaintext or with a fast hashing algorithm

responsibility - trustworthy

security

Vulnerability

cwe
spring

The improper storage of passwords poses a significant security risk to software applications. This vulnerability arises when passwords are stored in plaintext or with a fast hashing algorithm. To exploit this vulnerability, an attacker typically requires access to the stored passwords.

Why is this an issue?

How can I fix it?

More Info

Attackers who would get access to the stored passwords could reuse them without further attacks or with little additional effort.
Obtaining the plaintext passwords, they could then gain unauthorized access to user accounts, potentially leading to various malicious activities.

What is the potential impact?

Plaintext or weakly hashed password storage poses a significant security risk to software applications.

Unauthorized Access

When passwords are stored in plaintext or with weak hashing algorithms, an attacker who gains access to the password database can easily retrieve and use the passwords to gain unauthorized access to user accounts. This can lead to various malicious activities, such as unauthorized data access, identity theft, or even financial fraud.

Credential Reuse

Many users tend to reuse passwords across multiple platforms. If an attacker obtains plaintext or weakly hashed passwords, they can potentially use these credentials to gain unauthorized access to other accounts held by the same user. This can have far-reaching consequences, as sensitive personal information or critical systems may be compromised.

Regulatory Compliance

Many industries and jurisdictions have specific regulations and standards to protect user data and ensure its confidentiality. Storing passwords in plaintext or with weak hashing algorithms can lead to non-compliance with these regulations, potentially resulting in legal consequences, financial penalties, and damage to the reputation of the software application and its developers.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted