# Security-related rules The four rule types included in the SonarQube quality model are: * Reliability (bug) * Maintainability (code smell) * Security (vulnerability) * Security Hotspot Security-related rules include Security rules and Security Hotspot rules. They are divided into two types: security-injection and security-configuration rules. {% hint style="info" %} Security is a lively world where new types of attacks and vulnerabilities appear very often, so we welcome any suggestions for new security rules. You can read the [Adding coding rules](/sonarqube-server/2025.5/extension-guide/adding-coding-rules.md) page to see how to develop a new rule or propose a new one on our [Community forum](https://community.sonarsource.com/c/suggestions/rules/13). {% endhint %} ## Security-injection rules Security-injection rules are used to detect injection vulnerabilities. An injection vulnerability (also known as injection flaw or taint vulnerability) occurs when the inputs handled by your application are controlled by a user (potentially an attacker) and not validated or sanitized. When this occurs, the flow from sources (user-controlled inputs) to sinks (sensitive functions) will be presented. Common types include SQL Injection, Deserialization, and Command Injection vulnerabilities. To show the flow of tainted issues, SonarQube Server uses well-known taint analysis technology on source code which allows, for example, the detection of: * [CWE-89](https://cwe.mitre.org/data/definitions/89.html): SQL Injection * [CWE-79](https://cwe.mitre.org/data/definitions/79.html): Cross-site Scripting * [CWE-94](https://cwe.mitre.org/data/definitions/94.html): Code Injection {% hint style="info" %} * Security-injection rules are supported only by SonarQube Server and Cloud. SonarQube for IDE pulls the injection vulnerabilities raised by these products during a project analysis. * With SonarQube Server’s Security engine custom configuration, it’s possible to extend the taint analysis of security-injection rules by configuring new sources, sanitizers, validators and sinks within the homemade frameworks that you use. {% endhint %} ## Security-configuration rules The security-configuration rules are used to raise a security issue when: * A sensitive function is called with a wrong parameter (invalid cryptographic algorithm or TLS version). * A check (for example, a check\_permissions() kind of function) is not done or is not in the correct order.\ This problem is likely to appear often when the program is executed. Examples: * [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html): Sensitive Cookie Without ‘HttpOnly’ Flag * [CWE-297](https://cwe.mitre.org/data/definitions/297.html): Improper Validation of Certificate with Host Mismatch * [CWE-327](https://cwe.mitre.org/data/definitions/327.html): Use of a Broken or Risky Cryptographic Algorithm ## Differences between security issues (vulnerabilities) and hotspots Security hotspots have been introduced for security protections that have no direct impact on the overall application’s security. With hotspots, we want to help developers understand information security risks, threats, impacts, root causes of security issues, and the choice of relevant software protections. In short, we really want to educate developers and help them develop secure, ethical, and privacy-friendly applications. For more information about hotspots and vulnerabilities, see the [Managing Security Hotspots](/sonarqube-server/2025.5/user-guide/security-hotspots.md) page. ## Security standards covered Our security rules are classified according to well-established security standards such as: * [OWASP Top 10](https://owasp.org/Top10/) (versions 2021 and 2017)
OWASP Top 10 security standards covered by Sonar for version 2021 | | | | | | | | | | ----------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | | **Category** | **Python** | **JS/TS** | **Java** | **C#** | **C/C++** | **PHP** | **Kotlin** | | A01:Broken Access Control | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A02: Cryptographic Failures | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A03: Injection | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A04: Insecure Design | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A05: Security Misconfiguration | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A06: Vulnerable and Outdated Components | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A07: Identification and Authentication Failures | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | A08: Software and Data Integrity Failures | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | A09: Security Logging and Monitoring Failures | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | A10: Server-Side Request Forgery | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|
* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)
OWASP Mobile Top 10 security standards covered by Sonar for version 2024 | **Standard** | **Java** | **Kotlin** | **Dart** | **Swift** | | ----------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | | M1: Improper Credential Usage | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | M2: Inadequate Supply Chain Security | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M3: Insecure Authentication/Authorization | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M4: Insufficient Input/Output Validation | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| | M5: Insecure Communication | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M6: Inadequate Privacy Controls | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M7: Insufficient Binary Protections |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M8: Security Misconfiguration | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M9: Insecure Data Storage | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | M10: Insufficient Cryptography | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |
* [CWE Top 25](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html) (versions 2024, 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2024 | **Category** | **Python** | **JS/TS** | **Java** | **C#** | **C/C++** | **PHP** | **Kotlin** | | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- | |

CWE-79 Improper Neutralization of Input During
Web Page Generation (‘Cross-site Scripting’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-787 Out-of-bounds Write |


|


|


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| |

CWE-89 Improper Neutralization of Special Elements
used in an SQL Command (‘SQL Injection’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-352 Cross-Site Request Forgery (CSRF) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| |

CWE-22 Improper Limitation of a Pathname to
a Restricted Directory (‘Path Traversal’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-125 Out-of-bounds Read |


|


|


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| |

CWE-78 Improper Neutralization of Special Elements
used in an OS Command (‘OS Command Injection’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-416 Use After Free |


|


|


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| | CWE-862 Missing Authorization |


|


|


|


|


|


|


| |

CWE-434 Unrestricted Upload of File with Dangerous
Type

|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


|


|


|


| |

CWE-94 Improper Control of Generation of Code
(‘Code Injection’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-20 Improper Input Validation | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | |

CWE-77 Improper Neutralization of Special Elements
used in a Command (‘Command Injection’)

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| | CWE-287 Improper Authentication |


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-269 Improper Privilege Management | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


|


|


|


| | CWE-502 Deserialization of Untrusted Data | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | |

CWE-200 Exposure of Sensitive Information to
an Unauthorized Actor

| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-863 Incorrect Authorization |


|


|


|


|


|


|


| | CWE-918 Server-Side Request Forgery (SSRF) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | |

CWE-119 Improper Restriction of Operations
within the Bounds of a Memory Buffer

|


|


|


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| | CWE-476 NULL Pointer Dereference | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| | CWE-798 Use of Hard-coded Credentials | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-190 Integer Overflow or Wraparound |


|


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


|


| | CWE-400 Uncontrolled Resource Consumption | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) |


| ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | ![Checkmark icon](/files/27xvh48B6LorrJqZmJJb) | | CWE-306 Missing Authentication for Critical Function |


|


|


|


|


|


|


|
* [OWASP ASVS 4.0 Level 1, 2, 3](https://owasp.org/www-project-application-security-verification-standard/) * [PCI DSS](https://www.pcisecuritystandards.org/) (versions 4.0 and 3.2.1) * [CASA](https://appdefensealliance.dev/casa) * [STIG](https://public.cyber.mil/stigs/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sonarsource.com/sonarqube-server/2025.5/user-guide/rules/security-related-rules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.