This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

Security-related rules

The SonarQube quality model is applied to an automated code review and analysis based on four types of rules.

The four rule types included in the SonarQube quality model are:

  • Reliability (bug)

  • Maintainability (code smell)

  • Security (vulnerability)

  • Security Hotspot

Security-related rules include Security rules and Security Hotspot rules. They are divided into two types: security-injection and security-configuration rules.

Security is a lively world where new types of attacks and vulnerabilities appear very often, so we welcome any suggestions for new security rules. You can read the Adding coding rules page to see how to develop a new rule or propose a new one on our Community forum.

Security-injection rules

Security-injection rules are used to detect injection vulnerabilities. An injection vulnerability (also known as injection flaw or taint vulnerability) occurs when the inputs handled by your application are controlled by a user (potentially an attacker) and not validated or sanitized. When this occurs, the flow from sources (user-controlled inputs) to sinks (sensitive functions) will be presented. Common types include SQL Injection, Deserialization, and Command Injection vulnerabilities.

To show the flow of tainted issues, SonarQube Server uses well-known taint analysis technology on source code which allows, for example, the detection of:

  • Security-injection rules are supported only by SonarQube Server and Cloud. SonarQube for IDE pulls the injection vulnerabilities raised by these products during a project analysis.

  • With SonarQube Server’s Security engine custom configuration, it’s possible to extend the taint analysis of security-injection rules by configuring new sources, sanitizers, validators and sinks within the homemade frameworks that you use.

Security-configuration rules

The security-configuration rules are used to raise a security issue when:

  • A sensitive function is called with a wrong parameter (invalid cryptographic algorithm or TLS version).

  • A check (for example, a check_permissions() kind of function) is not done or is not in the correct order. This problem is likely to appear often when the program is executed.

Examples:

    • CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag

    • CWE-297: Improper Validation of Certificate with Host Mismatch

    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Differences between security issues (vulnerabilities) and hotspots

Security hotspots have been introduced for security protections that have no direct impact on the overall application’s security. With hotspots, we want to help developers understand information security risks, threats, impacts, root causes of security issues, and the choice of relevant software protections. In short, we really want to educate developers and help them develop secure, ethical, and privacy-friendly applications.

For more information about hotspots and vulnerabilities, see the Managing Security Hotspots page.

Security standards covered

Our security rules are classified according to well-established security standards such as:

OWASP Top 10 security standards covered by Sonar for version 2021

Category

Python

JS/TS

Java

C#

C/C++

PHP

Kotlin

A01:Broken Access Control

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A02: Cryptographic Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A03: Injection

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A04: Insecure Design

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A05: Security Misconfiguration

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A06: Vulnerable and Outdated Components

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A07: Identification and Authentication Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A08: Software and Data Integrity Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A09: Security Logging and Monitoring Failures

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

A10: Server-Side Request Forgery

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard

Java

Kotlin

Dart

Swift

M1: Improper Credential Usage

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

M2: Inadequate Supply Chain Security

Checkmark icon

Checkmark icon

Checkmark icon

M3: Insecure Authentication/Authorization

Checkmark icon

Checkmark icon

M4: Insufficient Input/Output Validation

Checkmark icon

Checkmark icon

M5: Insecure Communication

Checkmark icon

Checkmark icon

Checkmark icon

M6: Inadequate Privacy Controls

Checkmark icon

Checkmark icon

M7: Insufficient Binary Protections

Checkmark icon

M8: Security Misconfiguration

Checkmark icon

Checkmark icon

Checkmark icon

M9: Insecure Data Storage

Checkmark icon

Checkmark icon

Checkmark icon

M10: Insufficient Cryptography

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE Top 25 security standards covered by Sonar for version 2024

Category

Python

JS/TS

Java

C#

C/C++

PHP

Kotlin

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-787 Out-of-bounds Write

Checkmark icon

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-352 Cross-Site Request Forgery (CSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-125 Out-of-bounds Read

Checkmark icon

CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-416 Use After Free

Checkmark icon

CWE-862 Missing Authorization

CWE-434 Unrestricted Upload of File with Dangerous Type

Checkmark icon

CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-20 Improper Input Validation

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-287 Improper Authentication

Checkmark icon

Checkmark icon

CWE-269 Improper Privilege Management

Checkmark icon

Checkmark icon

CWE-502 Deserialization of Untrusted Data

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-863 Incorrect Authorization

CWE-918 Server-Side Request Forgery (SSRF)

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Checkmark icon

CWE-476 NULL Pointer Dereference

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-798 Use of Hard-coded Credentials

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-190 Integer Overflow or Wraparound

Checkmark icon

Checkmark icon

Checkmark icon

CWE-400 Uncontrolled Resource Consumption

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

Checkmark icon

CWE-306 Missing Authentication for Critical Function

You can search for a rule on rules.sonarsource.com. The standards to which a rule relates will be listed in the See section at the bottom of the rule description. Some detailed examples of Java vulnerabilities are listed here:

Last updated

Was this helpful?