Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

PL/SQL static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PL/SQL code

Tags

Inserts should include values for non-null columns
Bug
Variables should be declared only once in a scope
Bug
Size should be specified for string variables
Bug
Predefined exceptions should not be overridden
Bug
"NOT NULL" variables should be initialized
Bug
"NCHAR" and "NVARCHAR2" size should not be specified in bytes
Bug
"END LOOP" should be followed by a semicolon
Bug
Constraints should not be applied to types that cannot be constrained
Bug
Improper constraint forms should not be used
Bug
Scale should not be specified for float types
Bug
Constant declarations should contain initialization assignments
Bug
"RAISE_APPLICATION_ERROR" should only be used with error codes from -20,000 to -20,999
Bug
"FETCH ... BULK COLLECT INTO" should not be used without a "LIMIT" clause
Bug
Anchored types should not be constrained
Bug
"DELETE" and "UPDATE" statements should contain "WHERE" clauses
Bug
"FORALL" statements should use the "SAVE EXCEPTIONS" clause
Bug
Pipelined functions should have at least one "PIPE ROW" statement and not return an expression (PLS-00633)
Bug
GOTO should not be used to jump backwards
Code Smell
Quoted identifiers should not be used
Code Smell
Loop start and end labels should match
Code Smell
Block start and end labels should match
Code Smell
Cipher algorithms should be robust
Vulnerability
"COMMIT" should not be used inside a loop
Bug
Individual "WHERE" clause conditions should not be unconditionally true or false
Bug
Nullable subqueries should not be used in "NOT IN" conditions
Bug
"COMMIT" and "ROLLBACK" should not be called from non-autonomous transaction triggers
Bug
Positional and named arguments should not be mixed in invocations
Bug
Functions should end with "RETURN" statements
Bug
Collections should not be iterated in "FOR" loops
Bug
Using weak hashing algorithms is security-sensitive
Security Hotspot
Dynamically executing code is security-sensitive
Security Hotspot
SQL "JOIN" conditions should involve all joined tables
Code Smell
"SELECT" statements used as argument of "EXISTS" statements should be selective
Code Smell
"LIKE" clauses should not be used without wildcards
Code Smell
Weak "REF CURSOR" types should not be used
Code Smell
Whitespace and control characters in string literals should be explicit
Code Smell
Blocks containing "EXECUTE IMMEDIATE" should trap all exceptions
Code Smell
"EXCEPTION_INIT -20,NNN" calls should be centralized
Code Smell
"CREATE OR REPLACE" should be used instead of "CREATE"
Code Smell
Block labels should appear on the same lines as "END"
Code Smell
"LOOP ... END LOOP;" constructs should be avoided
Code Smell
"IF" statements should not be nested too deeply
Code Smell
"CASE" statements should end with "ELSE" clauses
Code Smell
String literals should not be duplicated
Code Smell
Constant names should comply with a naming convention
Code Smell
Output parameters should be assigned
Bug
"ROWNUM" should not be used at the same query level as "ORDER BY"
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Strings should only be moved to variables or columns which are large enough to hold them
Bug
"WHERE" clause conditions should not be contradictory
Bug
Unary prefix operators should not be repeated
Bug
DML events clauses should not include multiple "OF" clauses
Bug
"PACKAGE BODY" initialization sections should not contain "RETURN" statements
Bug
"NULL" should not be compared directly
Bug
"MLSLABEL" should not be used
Bug
"VARCHAR2" and "NVARCHAR2" should be used
Bug
Related "IF/ELSIF" statements and "WHEN" clauses in a "CASE" should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Loops with at most one iteration should be refactored
Bug
Variables and columns should not be self-assigned
Bug
"IF" statement conditions should not evaluate unconditionally to "TRUE" or to "FALSE"
Bug
The "result_cache" hint should be avoided
Bug
"GOTO" statements should not be used
Code Smell
"TO_NUMBER" should be used with a format model
Code Smell
Labels should not be reused in inner scopes
Code Smell
"FUNCTIONS" should not have "OUT" parameters
Code Smell
Variables should be nullable
Code Smell
"VARCHAR2" should be used
Code Smell
Native SQL joins should be used
Code Smell
"FORALL" should be used
Code Smell
"FETCH ... BULK COLLECT INTO" should be used
Code Smell
Column aliases should be defined using "AS"
Code Smell
Procedures and functions should be encapsulated in packages
Code Smell
Procedures should have parameters
Code Smell
"EXECUTE IMMEDIATE" should be used instead of DBMS_SQL procedure calls
Code Smell
"NATURAL JOIN" queries should not be used
Code Smell
"END" statements of labeled loops should be labeled
Code Smell
In labeled loops "EXIT" should exit the label
Code Smell
"EXIT WHEN" should be used rather than "IF ... THEN EXIT; END IF;"
Code Smell
"FOR" loop end conditions should not be hard-coded
Code Smell
Large item lists should not be used with "IN" clauses
Code Smell
"GOTO" should not be used within loops
Code Smell
"FULL OUTER JOINS" should be used with caution
Code Smell
"CASE" should be used rather than "DECODE"
Code Smell
"CROSS JOIN" queries should not be used
Code Smell
"END" statements of labeled blocks should be labeled
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
"LIKE" clauses should not start with wildcard characters
Code Smell
Column names should be used in a SQL "ORDER BY" clause
Code Smell
Procedures and functions should be documented
Code Smell
SQL statements should not join too many tables
Code Smell
Function and procedure names should comply with a naming convention
Code Smell
Columns to be read with a "SELECT" statement should be clearly defined
Code Smell
"CASE" structures should not have too many "WHEN" clauses
Code Smell
Deprecated LONG and LONG RAW datatypes should no longer be used
Code Smell
Sections of code should not be commented out
Code Smell
Unused procedure and function parameters should be removed
Code Smell
SQL EXISTS subqueries should not be used
Code Smell
Track uses of "FIXME" tags
Code Smell
Variables should not be shadowed
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Functions and procedures should not have too many parameters
Code Smell
Collapsible "if" statements should be merged
Code Smell
Unused labels should be removed
Code Smell
Compound triggers should define at least two triggers
Code Smell
"EXIT" should not be used in loops
Code Smell
Jump statements should not be redundant
Code Smell
"EXCEPTION WHEN ... THEN" clauses should do more than "RAISE"
Code Smell
Single line comments should start with "--"
Code Smell
An "ORDER BY" direction should be specified explicitly
Code Smell
Oracle's join operator (+) should not be used
Code Smell
"cursor%NOTFOUND" should be used instead of "NOT cursor%FOUND"
Code Smell
Object attributes should comply with a naming convention
Code Smell
Record fields should comply with a naming convention
Code Smell
Cursors should follow a naming convention
Code Smell
Types should follow a naming convention
Code Smell
Cursor parameters should follow a naming convention
Code Smell
Exceptions should follow a naming convention
Code Smell
Exceptions should not be ignored
Code Smell
Variables should not be initialized with "NULL"
Code Smell
Boolean checks should not be inverted
Code Smell
Unused local variables should be removed
Code Smell
Package names should comply with a naming convention
Code Smell
Variables should comply with a naming convention
Code Smell
Return of boolean expressions should not be wrapped into an "if-then-else" statement
Code Smell
Boolean literals should not be redundant
Code Smell
Comments should not be nested
Code Smell
"DBMS_UTILITY.FORMAT_ERROR_STACK" and "FORMAT_ERROR_BACKTRACE" should be used together
Code Smell
Procedures should not contain "RETURN" statements
Code Smell
Track uses of "TODO" tags
Code Smell
Neither DES (Data Encryption Standard) nor DESede (3DES) should be used
Vulnerability
"SYNCHRONIZE" should not be used
Bug
Global public variables should not be defined
Code Smell
A primary key should be specified during table creation
Code Smell
Track lack of copyright and license headers
Code Smell
SHA-1 and Message-Digest hash algorithms should not be used in secure contexts
Vulnerability
Sensitive "SYS" owned functions should not be used
Vulnerability
"FORMS_DDL('COMMIT')" and "FORMS_DDL('ROLLBACK')" should not be used
Bug
"DBMS_OUTPUT.PUT_LINE" should not be used
Code Smell
"WHEN OTHERS" should not be the only exception handler
Code Smell
"INSERT" statements should explicitly list the columns to be set
Code Smell
"%TYPE" and "%ROWTYPE" should not be used in package specification
Code Smell
Functions and procedures should not be too complex
Code Smell
"IF ... ELSEIF" constructs should end with "ELSE" clauses
Code Smell
"WHEN OTHERS" clauses should be used for exception handling
Code Smell
Features deprecated in Oracle 18 should not be used
Code Smell
"CREATE_TIMER" should not be used
Code Smell
"TO_DATE" and "TO_TIMESTAMP" should be used with a datetime format model
Code Smell
Features deprecated in Oracle 12 should not be used
Code Smell
Tables should be aliased
Code Smell
"SIMPLE_INTEGER" should be used instead of "PLS_INTEGER"
Code Smell
Queries should not "SELECT" too many columns
Code Smell
"ROWID" and "UROWID" data types should not be used
Code Smell
"RETURN" should not be used from within a loop
Code Smell
"NUMBER" variables should be declared with precision
Code Smell
Nested subqueries should be avoided
Code Smell
Nested loops should be labeled
Code Smell
Nested blocks should be labeled
Code Smell
"RESULT_CACHE" should not be used
Code Smell
Columns should be aliased
Code Smell
Track parsing failures
Code Smell
Files should not be too complex
Code Smell
Function and procedure parameters should comply with a naming convention
Code Smell
Magic literals should not be used
Code Smell
"UNION" should be used with caution
Code Smell
"GROUP BY" should not be used in SQL "SELECT" statements
Code Smell
Track breaches of an XPath rule
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Track comments matching a regular expression
Code Smell
Statements should be on separate lines
Code Smell
"WHEN" clauses should not have too many lines
Code Smell
Magic numbers should not be used
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Explicitly opened cursors should be closed
Bug
Identifiers should be written in lower case
Code Smell
"PLS_INTEGER" types should be used
Code Smell
Reserved words should be written in upper case
Code Smell
Parameter "IN" mode should be specified explicitly
Code Smell
Lines in a multiline comment should start with "*"
Code Smell
CASE should be used for sequences of simple tests
Code Smell
SQL tables should be joined with the "JOIN" keyword
Code Smell
Constraint names should comply with a naming convention
Code Smell
Reserved words should be written in lower case
Code Smell
Comments should not be located at the end of lines of code
Code Smell
Lines should not end with trailing whitespaces
Code Smell
The "RELIES_ON" clause should not be used
Code Smell

Cipher algorithms should be robust

Vulnerability

CriticalSonarSource default severity
click to learn more

cwe
privacy

Why is this an issue?

Strong cipher algorithms are cryptographic systems resistant to cryptanalysis, they are not vulnerable to well-known attacks like brute force attacks for example.

A general recommendation is to only use cipher algorithms intensively tested and promoted by the cryptographic community.

More specifically for block cipher, it’s not recommended to use algorithm with a block size inferior than 128 bits.

Noncompliant code example

PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES
                           + DBMS_CRYPTO.CHAIN_CBC
                           + DBMS_CRYPTO.PAD_PKCS5;

Compliant solution

PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                           + DBMS_CRYPTO.CHAIN_CBC
                           + DBMS_CRYPTO.PAD_PKCS5;

Resources

OWASP Top 10 2021 Category A2 - Cryptographic Failures
OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
SANS Top 25 - Porous Defenses

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted