Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

T-SQL static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your T-SQL code

Tags

Impact

Clean code attribute

"DELETE" and "UPDATE" statements should contain "WHERE" clauses
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
The number of variables in a FETCH statement should match the number of columns in the cursor
Bug
"CASE" input expressions should be invariant
Bug
Nullable subqueries should not be used in "NOT IN" conditions
Bug
Using weak hashing algorithms is security-sensitive
Security Hotspot
Dynamically executing code is security-sensitive
Security Hotspot
"ANSI_WARNINGS" and "ARITHABORT" options should not be set to OFF
Code Smell
"SELECT" statements used as argument of "EXISTS" statements should be selective
Code Smell
Size should be specified for "varchar" variables and parameters
Code Smell
Conditionally executed code should be denoted by either indentation or BEGIN...END block
Code Smell
Conditionals should start on new lines
Code Smell
"INSERT" statements should explicitly list the columns to be set
Code Smell
Output parameters should be assigned
Bug
Queries that use "TOP" should have an "ORDER BY"
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
"WHERE" clause conditions should not be contradictory
Bug
Unary prefix operators should not be repeated
Bug
"NULL" should not be compared directly
Bug
Related "IF"/"ELSE IF" statements and "WHEN" clauses in a "CASE" should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
All code should be reachable
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
"GOTO" statements should not be used
Code Smell
Deprecated system tables and views should not be used
Code Smell
"ANSI_NULLS", "ANSI_PADDING" and "CONCAT_NULL_YIELDS_NULL" should not be configured
Code Smell
"@@IDENTITY" should not be used
Code Smell
"COALESCE", "IIF", and "CASE" input expressions should not contain subqueries
Code Smell
"CHECK" or "NOCHECK" should be specified explicitly when constraints are activated
Code Smell
Deprecated features should not be used
Code Smell
Ternary operators should not be nested
Code Smell
Multiline blocks should be enclosed in BEGIN...END blocks
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
"LIKE" clauses should not start with wildcard characters
Code Smell
Column names should be used in an "ORDER BY" clause
Code Smell
Queries should not join too many tables
Code Smell
Function and procedure names should comply with a naming convention
Code Smell
Columns to be read with a "SELECT" statement should be clearly defined
Code Smell
"CASE" expressions should not have too many "WHEN" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Unused procedure and function parameters should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Functions and procedures should not have too many parameters
Code Smell
Mergeable "if" statements should be combined
Code Smell
Unused labels should be removed
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Column references should not have more than two-parts
Code Smell
Triggers should not "PRINT", "SELECT", or "FETCH"
Code Smell
"LIKE" clauses should not be used without wildcards
Code Smell
Jump statements should not be redundant
Code Smell
"CATCH" clauses should do more than rethrow
Code Smell
Boolean checks should not be inverted
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Unused local variables should be removed
Code Smell
Local variable and parameter names should comply with a naming convention
Code Smell
Empty statements should be removed
Code Smell
Track uses of "TODO" tags
Code Smell
A primary key should be specified during table creation
Code Smell
Track lack of copyright and license headers
Code Smell
SHA-1 and Message-Digest hash algorithms should not be used in secure contexts
Vulnerability
"NOCOUNT" should be activated on "PROCEDURE" and "TRIGGER" definitions
Code Smell
Control flow statements "IF", "WHILE" and "TRY" should not be nested too deeply
Code Smell
"CASE" expressions should end with "ELSE" clauses
Code Smell
"IF ... ELSEIF" constructs should end with "ELSE" clauses
Code Smell
Control structures should use BEGIN...END blocks
Code Smell
String literals should not be duplicated
Code Smell
Expressions should not be too complex
Code Smell
"WHERE" clauses should not contain redundant conditions
Bug
Track lack of SQL Server session configuration
Code Smell
Duplicate values should not be passed as arguments
Code Smell
Track parsing failures
Code Smell
Functions and stored procedure should not have too many lines of code
Code Smell
Track uses of "NOSONAR" comments
Code Smell
Statements should be on separate lines
Code Smell
"WHEN" clauses should not have too many lines of code
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Reserved keywords should not be used as identifiers or object names
Code Smell
Non-standard comparison operators should not be used
Code Smell
Tabulation characters should not be used
Code Smell

Nullable subqueries should not be used in "NOT IN" conditions

intentionality - complete

reliability

Bug

CriticalSonarSource default severity
click to learn more

Why is this an issue?

A WHERE clause condition that uses NOT IN with a subquery will have unexpected results if that subquery returns NULL. On the other hand, NOT EXISTS subqueries work reliably under the same conditions.

This rule raises an issue when NOT IN is used with a subquery. This rule doesn’t check if the selected column is a nullable column because the rules engine has no information about the table definition. It’s up to the developer to review manually if the column is nullable.

Noncompliant code example

SELECT *
FROM my_table
WHERE my_column NOT IN (SELECT nullable_column FROM another_table)  -- Noncompliant; "nullable_column" may contain 'NULL' value and the whole SELECT query will return nothing

Compliant solution

SELECT *
FROM my_table
WHERE NOT EXISTS (SELECT 1 FROM another_table WHERE nullable_column = my_table.my_column)

SELECT *
FROM my_table
WHERE my_column NOT IN (SELECT nullable_column FROM another_table WHERE nullable_column IS NOT NULL)

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted