Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

VB.NET static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your VB.NET code

Tags

Impact

Clean code attribute

Classes should implement their "ExportAttribute" interfaces
Bug
"Thread.Resume" and "Thread.Suspend" should not be used
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Type inheritance should not be recursive
Bug
Finalize method should not throw exceptions
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Unnecessary bit operations should not be performed
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Password hashing functions should use an unpredictable salt
Vulnerability
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"Shared" parts should not be created with "new"
Bug
Property procedures should access the expected fields
Bug
Right operands of shift operators should be integers
Bug
Shared resources should not be used for locking
Bug
Locks should be released on all paths
Bug
Using publicly writable directories is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Parameter names should match base declaration
Code Smell
"Option Explicit" should be enabled
Code Smell
Threads should not lock on objects with weak identity
Code Smell
Assemblies should have version information
Code Smell
Exception types should be "Public"
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
Properties should not make collection or array copies
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
"Do" loops should not be used without a "While" or "Until" condition
Code Smell
The "&" operator should be used to concatenate strings
Code Smell
Methods should not be empty
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Types allowed to be deserialized should be restricted
Vulnerability
Locks should be released within the same method
Bug
A write lock should not be released when a read lock has been acquired and vice versa
Bug
Backslash should be avoided in route templates
Bug
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Map values should not be replaced unconditionally
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
Empty nullable value should not be accessed
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Classes should not have only "private" constructors
Bug
'Not' boolean operator should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
Conditionally executed code should be reachable
Bug
Null pointers should not be dereferenced
Bug
"ToString()" method should not return Nothing
Bug
Related "If/ElseIf" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
"GoTo" statements should not be used
Code Smell
First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty
Code Smell
ASP.NET controller actions should not have a route template starting with "/"
Code Smell
Use a format provider when parsing date and time
Code Smell
Use "TimeZoneInfo.FindSystemTimeZoneById" without converting the timezones with "TimezoneConverter"
Code Smell
Always set the "DateTimeKind" when creating new "DateTime" instances
Code Smell
Avoid using "DateTime.Now" for benchmarking or timing operations
Code Smell
"Option Strict" should be enabled
Code Smell
"Return" statements should be used instead of assigning values to function names
Code Smell
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
Methods should not have identical implementations
Code Smell
Objects should not be disposed more than once
Code Smell
"[ExpectedException]" should not be used
Code Smell
"Exit" statements should not be used
Code Smell
If operators should not be nested
Code Smell
"StringBuilder" data should be used
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
"Thread.Sleep" should not be used in tests
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
"On Error" statements should not be used
Code Smell
"IsNot" should be used instead of "Not ... Is ..."
Code Smell
Indexed properties with more than one parameter should not be used
Code Smell
Arguments should be passed in the same order as the procedure parameters
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Invalid casts should be avoided
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Method parameters should follow a naming convention
Code Smell
Functions and procedures should comply with a naming convention
Code Smell
"Select Case" statement with many "Case" clauses should have only one statement
Code Smell
Unused procedure parameters should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
"Obsolete" attributes should include explanations
Code Smell
General or reserved exceptions should never be thrown
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Procedures should not have too many parameters
Code Smell
Mergeable "if" statements should be combined
Code Smell
Empty collections should not be accessed or iterated
Bug
Date and time should not be used as a type for primary keys
Bug
Flags enumerations should explicitly initialize all their members
Bug
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Use the "UnixEpoch" field instead of creating "DateTime" instances that point to the beginning of the Unix epoch
Code Smell
Comments should not be empty
Code Smell
Null checks should not be combined with "TypeOf Is" operator checks
Code Smell
Method overloads should be grouped together
Code Smell
Arrays should not be created for ParamArray parameters
Code Smell
"Exit Select" statements should not be used redundantly
Code Smell
"catch" clauses should do more than rethrow
Code Smell
"With" statements should be used for a series of calls to the same object
Code Smell
Array literals should be used instead of array creation expressions
Code Smell
Event names should not have "Before" or "After" as a prefix or suffix
Code Smell
Event handlers should comply with a naming convention
Code Smell
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Namespace names should comply with a naming convention
Code Smell
Classes should not be empty
Code Smell
Boolean checks should not be inverted
Code Smell
Strings should not be concatenated using "+" or "&" in a loop
Code Smell
Unused local variables should be removed
Code Smell
Array designators "()" should be on the type, not the variable
Code Smell
String literals should not be duplicated
Code Smell
Local variable names should comply with a naming convention
Code Smell
"Any()" should be used to test for emptiness
Code Smell
Interface names should comply with a naming convention
Code Smell
Boolean literals should not be redundant
Code Smell
URIs should not be hardcoded
Code Smell
Class names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Child class fields should not shadow parent class fields
Code Smell
Track lack of copyright and license headers
Code Smell
"End" statements should not be used
Code Smell
Configuring loggers is security-sensitive
Security Hotspot
Child class fields should not differ from parent class fields only by capitalization
Code Smell
"IIf" should not be used
Code Smell
Signed types should be preferred to unsigned ones
Code Smell
Optional parameters should not be used
Code Smell
Public constant members should not be used
Code Smell
"NameOf" should be used
Code Smell
"Select Case" statements should not be nested
Code Smell
Functions, procedures and properties should not be too complex
Code Smell
Control flow statements "If", "For", "For Each", "Do", "While", "Select" and "Try" should not be nested too deeply
Code Smell
"Select" statements should end with a "Case Else" clause
Code Smell
"If ... ElseIf" constructs should end with "Else" clauses
Code Smell
Expressions should not be too complex
Code Smell
Use "DateTimeOffset" instead of "DateTime"
Code Smell
Use UTC when recording DateTime instants
Code Smell
Use a testable date/time provider
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
Arguments of public methods should be validated against Nothing
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
Fields should be private
Code Smell
Procedures should not have too many lines of code
Code Smell
Statements should be on separate lines
Code Smell
"Select...Case" clauses should not have too many lines of code
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Method parameters and caught exceptions should not be reassigned
Bug
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Don't hardcode the format when turning dates and times to strings
Code Smell
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Extension methods should not extend "Object"
Code Smell
Non-abstract attributes should be sealed
Code Smell
"ByVal" should not be used
Code Smell
Arrays should be initialized using the "... = {}" syntax
Code Smell
Generic type parameter names should comply with a naming convention
Code Smell
Non-private "Shared ReadOnly" fields should comply with a naming convention
Code Smell
Non-private fields should comply with a naming convention
Code Smell
Non-private constants should comply with a naming convention
Code Smell
Properties should comply with a naming convention
Code Smell
"Private" fields should comply with a naming convention
Code Smell
"Private Shared ReadOnly" fields should comply with a naming convention
Code Smell
Private constants should comply with a naming convention
Code Smell
Line continuations should not be used
Code Smell
Events should comply with a naming convention
Code Smell
Enumeration values should comply with a naming convention
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Comments should not be located at the end of lines of code
Code Smell
"Select" statements should have at least 3 "Case" clauses
Code Smell
Generic type parameter names should comply with a naming convention
Code Smell
Tabulation characters should not be used
Code Smell

Setting loose POSIX file permissions is security-sensitive

consistency - conventional

security

Security Hotspot

MajorSonarSource default severity
click to learn more

In Unix, "others" class refers to all users except the owner of the file and the members of the group assigned to this file.

In Windows, "Everyone" group is similar and includes all members of the Authenticated Users group as well as the built-in Guest account, and several other built-in security accounts.

Granting permissions to these groups can lead to unintended access to files.

Ask Yourself Whether

The application is designed to be run on a multi-user environment.
Corresponding files and directories may contain confidential information.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

The most restrictive possible permissions should be assigned to files and directories.

Sensitive Code Example

.Net Framework:

Dim unsafeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Allow)

Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(unsafeAccessRule) ' Sensitive
fileSecurity.SetAccessRule(unsafeAccessRule) ' Sensitive
File.SetAccessControl("fileName", fileSecurity)

.Net / .Net Core

Dim fileInfo = new FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()

fileSecurity.AddAccessRule(new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Allow)) ' Sensitive
fileInfo.SetAccessControl(fileSecurity)

.Net / .Net Core using Mono.Posix.NETStandard

Dim fileSystemEntry = UnixFileSystemInfo.GetFileSystemEntry("path")
fileSystemEntry.FileAccessPermissions = FileAccessPermissions.OtherReadWriteExecute ' Sensitive

Compliant Solution

.Net Framework

Dim safeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)

Dim fileSecurity = File.GetAccessControl("path")
fileSecurity.AddAccessRule(safeAccessRule)
File.SetAccessControl("path", fileSecurity)

.Net / .Net Core

Dim safeAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, AccessControlType.Deny)

Dim fileInfo = new FileInfo("path")
Dim fileSecurity = fileInfo.GetAccessControl()
fileSecurity.SetAccessRule(safeAccessRule)
fileInfo.SetAccessControl(fileSecurity)

.Net / .Net Core using Mono.Posix.NETStandard

Dim fs = UnixFileSystemInfo.GetFileSystemEntry("path")
fs.FileAccessPermissions = FileAccessPermissions.UserExecute

See

OWASP - Top 10 2021 Category A1 - Broken Access Control
OWASP - Top 10 2021 Category A4 - Insecure Design
OWASP - Top 10 2017 Category A5 - Broken Access Control
OWASP File Permission
CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE - CWE-266 - Incorrect Privilege Assignment
STIG Viewer - Application Security and Development: V-222430 - The application must execute without excessive account permissions.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted