Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

VB.NET static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your VB.NET code

Tags

"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Classes should implement their "ExportAttribute" interfaces
Bug
Neither "Thread.Resume" nor "Thread.Suspend" should be used
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Type inheritance should not be recursive
Bug
Finalizers should not throw exceptions
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Silly bit operations should not be performed
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"Shared" parts should not be created with "new"
Bug
Getters and setters should access the expected fields
Bug
Right operands of shift operators should be integers
Bug
Shared resources should not be used for locking
Bug
Locks should be released on all paths
Bug
Using publicly writable directories is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Parameter names should match base declaration
Code Smell
"Option Explicit" should be enabled
Code Smell
Threads should not lock on objects with weak identity
Code Smell
Assemblies should have version information
Code Smell
Exception types should be "Public"
Code Smell
Cognitive Complexity of functions should not be too high
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
Properties should not make collection or array copies
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
"Do" loops should not be used without a "While" or "Until" condition
Code Smell
The "&" operator should be used to concatenate strings
Code Smell
Methods should not be empty
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Map values should not be replaced unconditionally
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
Empty nullable value should not be accessed
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Classes should not have only "private" constructors
Bug
'Not' boolean operator should not be repeated
Bug
"=+" should not be used instead of "+="
Bug
Null pointers should not be dereferenced
Bug
"ToString()" method should not return Nothing
Bug
Related "If/ElseIf" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
"GoTo" statements should not be used
Code Smell
"Option Strict" should be enabled
Code Smell
"Return" statements should be used instead of assigning values to function names
Code Smell
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
Methods should not have identical implementations
Code Smell
"Exit" statements should not be used
Code Smell
If operators should not be nested
Code Smell
"StringBuilder" data should be used
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
"On Error" statements should not be used
Code Smell
"IsNot" should be used instead of "Not ... Is ..."
Code Smell
Indexed properties with more than one parameter should not be used
Code Smell
Parameters should be passed in the correct order
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Method parameters should follow a naming convention
Code Smell
Functions and procedures should comply with a naming convention
Code Smell
"Select Case" statements should not have too many "Case" clauses
Code Smell
Unused procedure parameters should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
"Obsolete" attributes should include explanations
Code Smell
General exceptions should never be thrown
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Procedures should not have too many parameters
Code Smell
Collapsible "if" statements should be merged
Code Smell
Flags enumerations should explicitly initialize all their members
Bug
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Comments should not be empty
Code Smell
Null checks should not be used with "TypeOf Is"
Code Smell
Method overloads should be grouped together
Code Smell
Arrays should not be created for ParamArray parameters
Code Smell
VB.Net: "Exit Select" statements should not be used redundantly
Code Smell
"catch" clauses should do more than rethrow
Code Smell
"With" statements should be used for a series of calls to the same object
Code Smell
Array literals should be used instead of array creation expressions
Code Smell
Event names should not have "Before" or "After" as a prefix or suffix
Code Smell
Event handlers should comply with a naming convention
Code Smell
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Namespace names should comply with a naming convention
Code Smell
Classes should not be empty
Code Smell
Boolean checks should not be inverted
Code Smell
Strings should not be concatenated using "+" or "&" in a loop
Code Smell
Unused local variables should be removed
Code Smell
Array designators "()" should be on the type, not the variable
Code Smell
Local variable names should comply with a naming convention
Code Smell
"Any()" should be used to test for emptiness
Code Smell
Interface names should comply with a naming convention
Code Smell
Boolean literals should not be redundant
Code Smell
URIs should not be hardcoded
Code Smell
Class names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
Track lack of copyright and license headers
Code Smell
"End" statements should not be used
Code Smell
Reading the Standard Input is security-sensitive
Security Hotspot
Using command line arguments is security-sensitive
Security Hotspot
Using Sockets is security-sensitive
Security Hotspot
Encrypting data is security-sensitive
Security Hotspot
Using regular expressions is security-sensitive
Security Hotspot
Child class fields should not differ from parent class fields only by capitalization
Code Smell
"IIf" should not be used
Code Smell
Signed types should be preferred to unsigned ones
Code Smell
Optional parameters should not be used
Code Smell
Public constant members should not be used
Code Smell
"NameOf" should be used
Code Smell
"Select Case" statements should not be nested
Code Smell
Functions, procedures and properties should not be too complex
Code Smell
Control flow statements "If", "For", "For Each", "Do", "While", "Select" and "Try" should not be nested too deeply
Code Smell
"Select" statements should end with a "Case Else" clause
Code Smell
"If ... ElseIf" constructs should end with "Else" clauses
Code Smell
Expressions should not be too complex
Code Smell
Use a testable date/time provider
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
Arguments of public methods should be validated against Nothing
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
"[ExpectedException]" should not be used
Code Smell
Fields should be private
Code Smell
Procedures should not have too many lines of code
Code Smell
Statements should be on separate lines
Code Smell
"Select...Case" clauses should not have too many lines of code
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Method parameters and caught exceptions should not be reassigned
Bug
Controlling permissions is security-sensitive
Security Hotspot
Writing cookies is security-sensitive
Security Hotspot
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Extension methods should not extend "Object"
Code Smell
Non-abstract attributes should be sealed
Code Smell
"ByVal" should not be used
Code Smell
Arrays should be initialized using the "... = {}" syntax
Code Smell
Generic type parameter names should comply with a naming convention
Code Smell
Non-private "Shared ReadOnly" fields should comply with a naming convention
Code Smell
Non-private fields should comply with a naming convention
Code Smell
Non-private constants should comply with a naming convention
Code Smell
Properties should comply with a naming convention
Code Smell
"Private" fields should comply with a naming convention
Code Smell
"Private Shared ReadOnly" fields should comply with a naming convention
Code Smell
Private constants should comply with a naming convention
Code Smell
Line continuations should not be used
Code Smell
Indexed properties should be named "Item"
Code Smell
Events should comply with a naming convention
Code Smell
Enumeration values should comply with a naming convention
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Comments should not be located at the end of lines of code
Code Smell
"Select" statements should have at least 3 "Case" clauses
Code Smell
String literals should not be duplicated
Code Smell
Tabulation characters should not be used
Code Smell

Using regular expressions is security-sensitive

Security Hotspot

CriticalSonarSource default severity
click to learn more

Using regular expressions is security-sensitive. It has led in the past to the following vulnerabilities:

CVE-2017-16021
CVE-2018-13863

Evaluating regular expressions against input strings is potentially an extremely CPU-intensive task. Specially crafted regular expressions such as (a+)+s will take several seconds to evaluate the input string aaaaaaaaaaaaaaaaaaaaaaaaaaaaabs. The problem is that with every additional a character added to the input, the time required to evaluate the regex doubles. However, the equivalent regular expression, a+s (without grouping) is efficiently evaluated in milliseconds and scales linearly with the input size.

Evaluating such regular expressions opens the door to Regular expression Denial of Service (ReDoS) attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users.

This rule flags any execution of a hardcoded regular expression which has at least 3 characters and at least two instances of any of the following characters: *+{.

Example: (a+)*

Ask Yourself Whether

the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression.
your regular expression engine performance decrease with specially crafted inputs and regular expressions.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for vulnerability reports mentioning the one engine you’re are using.

If the regular expression is vulnerable to ReDos attacks, mitigate the risk by using a "match timeout" to limit the time spent running the regular expression.

Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won’t detect this kind of injection.

Sensitive Code Example

Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Runtime.Serialization
Imports System.Text.RegularExpressions
Imports System.Web

Namespace N
    Public Class RegularExpression
        Private Sub Foo(ByVal pattern As String, ByVal options As RegexOptions, ByVal matchTimeout As TimeSpan,
                        ByVal input As String, ByVal replacement As String, ByVal evaluator As MatchEvaluator)
            ' All the following instantiations are Sensitive. Validate the regular expression and matched input.
            Dim r As Regex = New System.Text.RegularExpressions.Regex("(a+)+b")
            r = New System.Text.RegularExpressions.Regex("(a+)+b", options)
            r = New System.Text.RegularExpressions.Regex("(a+)+b", options, matchTimeout)

            ' All the following static methods are Sensitive.
            System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b")
            System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b", options)
            System.Text.RegularExpressions.Regex.IsMatch(input, "(a+)+b", options, matchTimeout)

            System.Text.RegularExpressions.Regex.Match(input, "(a+)+b")
            System.Text.RegularExpressions.Regex.Match(input, "(a+)+b", options)
            System.Text.RegularExpressions.Regex.Match(input, "(a+)+b", options, matchTimeout)

            System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b")
            System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b", options)
            System.Text.RegularExpressions.Regex.Matches(input, "(a+)+b", options, matchTimeout)

            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator)
            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator, options)
            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", evaluator, options, matchTimeout)
            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement)
            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement, options)
            System.Text.RegularExpressions.Regex.Replace(input, "(a+)+b", replacement, options, matchTimeout)

            System.Text.RegularExpressions.Regex.Split(input, "(a+)+b")
            System.Text.RegularExpressions.Regex.Split(input, "(a+)+b", options)
            System.Text.RegularExpressions.Regex.Split(input, "(a+)+b", options, matchTimeout)
        End Sub
    End Class
End Namespace

Exceptions

Some corner-case regular expressions will not raise an issue even though they might be vulnerable. For example: (a|aa)+, (a|a?)+.

It is a good idea to test your regular expression if it has the same pattern on both side of a "|".

See

OWASP Top 10 2017 Category A1 - Injection
MITRE, CWE-624 - Executable Regular Expression Error
OWASP Regular expression Denial of Service - ReDoS

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted