Start Free
Latest | User guide | Understanding rules | Security-related rules

Security-related rules

On this page

The SonarQube quality model is applied to an automated code review and analysis based on the following types of rules: 

  • Reliability (Bug)
  • Maintainability (Code Smell)
  • Security (Vulnerability) 
  • Security Hotspot

Security-related rules include Security rules and Security Hotspot rules. They are divided into two types: security-injection and security-configuration rules.

Security-injection rules

Security-injection rules are used to detect injection vulnerabilities. An injection vulnerability (also known as injection flaw or taint vulnerability) occurs when the inputs handled by your application are controlled by a user (potentially an attacker) and not validated or sanitized. When this occurs, the flow from sources (user-controlled inputs) to sinks (sensitive functions) will be presented. Common types include SQL InjectionDeserialization, and Command Injection vulnerabilities. 

To show the flow of tainted issues, SonarQube Server uses well-known taint analysis technology on source code which allows, for example, the detection of:

Security-configuration rules

The security-configuration rules are used to raise a security issue when:

  • A sensitive function is called with a wrong parameter (invalid cryptographic algorithm or TLS version).
  • A check (for example, a check_permissions() kind of function) is not done or is not in the correct order.
    This problem is likely to appear often when the program is executed.

Examples:

    • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
    • CWE-297: Improper Validation of Certificate with Host Mismatch
    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Differences between security issues (vulnerabilities) and hotspots

Security hotspots have been introduced for security protections that have no direct impact on the overall application's security. With hotspots, we want to help developers understand information security risks, threats, impacts, root causes of security issues, and the choice of relevant software protections. In short, we really want to educate developers and help them develop secure, ethical, and privacy-friendly applications.

For more information about hotspots and vulnerabilities, see the Security hotspots page.

Security standards covered

Our security rules are classified according to well-established security standards such as:

OWASP Top 10 security standards covered by Sonar for version 2021
CategoryPythonJS/TSJavaC#C/C++PHPKotlin
A01:Broken Access Control
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A02: Cryptographic Failures 
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A03: Injection
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
A04: Insecure Design
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A05: Security Misconfiguration
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A06: Vulnerable and Outdated Components
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon


Checkmark icon
A07: Identification and Authentication Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A08: Software and Data Integrity Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon

A09: Security Logging and Monitoring Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon

A10: Server-Side Request Forgery
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon

OWASP Mobile Top 10 security standards covered by Sonar for version 2024
StandardJavaKotlinDartSwift
M1: Improper Credential Usage
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
M2: Inadequate Supply Chain Security
Checkmark icon
Checkmark icon
Checkmark icon

M3: Insecure Authentication/Authorization
Checkmark icon
Checkmark icon


M4: Insufficient Input/Output Validation
Checkmark icon
Checkmark icon


M5: Insecure Communication
Checkmark icon
Checkmark icon
Checkmark icon

M6: Inadequate Privacy Controls
Checkmark icon
Checkmark icon


M7: Insufficient Binary Protections
Checkmark icon


M8: Security Misconfiguration
Checkmark icon
Checkmark icon
Checkmark icon

M9: Insecure Data Storage
Checkmark icon
Checkmark icon
Checkmark icon

M10: Insufficient Cryptography
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
  • CWE Top 25 (versions 2024, 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2024
CategoryPythonJS/TSJavaC#C/C++PHPKotlin
CWE-79 Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-787 Out-of-bounds Write



Checkmark icon


CWE-89 Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-352 Cross-Site Request Forgery (CSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon

CWE-22 Improper Limitation of a Pathname to
a Restricted Directory ('Path Traversal')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-125 Out-of-bounds Read



Checkmark icon


CWE-78 Improper Neutralization of Special Elements
used in an OS Command ('OS Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-416 Use After Free



Checkmark icon


CWE-862 Missing Authorization






CWE-434 Unrestricted Upload of File with Dangerous
Type

Checkmark icon





CWE-94 Improper Control of Generation of Code
('Code Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-20 Improper Input Validation
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-77 Improper Neutralization of Special Elements
used in a Command ('Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon

CWE-287 Improper Authentication

Checkmark icon



Checkmark icon
CWE-269 Improper Privilege Management
Checkmark icon
Checkmark icon





CWE-502 Deserialization of Untrusted Data
Checkmark icon

Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-200 Exposure of Sensitive Information to
an Unauthorized Actor
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
CWE-863 Incorrect Authorization






CWE-918 Server-Side Request Forgery (SSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-119 Improper Restriction of Operations
within the Bounds of a Memory Buffer




Checkmark icon


CWE-476 NULL Pointer Dereference
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon


CWE-798 Use of Hard-coded Credentials
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
CWE-190 Integer Overflow or Wraparound

Checkmark icon
Checkmark icon
Checkmark icon


CWE-400 Uncontrolled Resource Consumption
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
Checkmark icon
CWE-306 Missing Authentication for Critical Function






You can search for a rule on rules.sonarsource.com. The standards to which a rule relates will be listed in the See section at the bottom of the rule description. Some detailed examples of Java vulnerabilities are listed here:


Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License