# Security-related rules The four rule types included in the SonarQube quality model are: * Reliability (bug) * Maintainability (code smell) * Security (vulnerability) * Security Hotspot Security-related rules include Security rules and Security Hotspot rules. They are divided into two types: security-injection and security-configuration rules. {% hint style="info" %} Security is a lively world where new types of attacks and vulnerabilities appear very often, so we welcome any suggestions for new security rules. You can read the [adding-coding-rules](https://docs.sonarsource.com/sonarqube-server/extension-guide/adding-coding-rules "mention") page to see how to develop a new rule or propose a new one on our [Community forum](https://community.sonarsource.com/c/suggestions/rules/13). {% endhint %} ## Security-injection rules Security-injection rules are used to detect injection vulnerabilities. An injection vulnerability (also known as injection flaw or taint vulnerability) occurs when the inputs handled by your application are controlled by a user (potentially an attacker) and not validated or sanitized. When this occurs, the flow from sources (user-controlled inputs) to sinks (sensitive functions) will be presented. Common types include SQL Injection, Deserialization, and Command Injection vulnerabilities. To show the flow of tainted issues, SonarQube Server uses well-known taint analysis technology on source code which allows, for example, the detection of: * [CWE-89](https://cwe.mitre.org/data/definitions/89.html): SQL Injection * [CWE-79](https://cwe.mitre.org/data/definitions/79.html): Cross-site Scripting * [CWE-94](https://cwe.mitre.org/data/definitions/94.html): Code Injection {% hint style="info" %} * Security-injection rules are supported only by SonarQube Server and Cloud. SonarQube for IDE pulls the injection vulnerabilities raised by these products during a project analysis. * With SonarQube Server’s Security engine custom configuration, it’s possible to extend the taint analysis of security-injection rules by configuring new sources, sanitizers, validators and sinks within the homemade frameworks that you use. {% endhint %} ## Security-configuration rules The security-configuration rules are used to raise a security issue when: * A sensitive function is called with a wrong parameter (invalid cryptographic algorithm or TLS version). * A check (for example, a check\_permissions() kind of function) is not done or is not in the correct order.\ This problem is likely to appear often when the program is executed. Examples: * [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html): Sensitive Cookie Without ‘HttpOnly’ Flag * [CWE-297](https://cwe.mitre.org/data/definitions/297.html): Improper Validation of Certificate with Host Mismatch * [CWE-327](https://cwe.mitre.org/data/definitions/327.html): Use of a Broken or Risky Cryptographic Algorithm ## Differences between security issues (vulnerabilities) and hotspots Security hotspots have been introduced for security protections that have no direct impact on the overall application’s security. With hotspots, we want to help developers understand information security risks, threats, impacts, root causes of security issues, and the choice of relevant software protections. In short, we really want to educate developers and help them develop secure, ethical, and privacy-friendly applications. For more information about hotspots and vulnerabilities, see the [security-hotspots](https://docs.sonarsource.com/sonarqube-server/user-guide/security-hotspots "mention") page. ## Security standards covered Our security rules are classified according to well-established security standards such as: * [OWASP Top 10](https://owasp.org/Top10/) (2025, 2021, 2017)

OWASP Top 10 security standards covered by Sonar for version 2025

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin	Go
A01:Broken Access Control
A02: Security Misconfiguration
A03: Software Supply Chain Failures
A04: Cryptographic Failures
A05: Injection
A06: Insecure design
A07: Authentication Failures
A08: Software and Data Integrity Failures
A09: Logging and Alerting Failures
A10: Mishandling of Exceptional Conditions

* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard	Java	Kotlin	Dart	Swift
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

* [CWE Top 25](https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html) (2024, 2023, 2022, and 2021)

CWE Top 25 security standards covered by Sonar for version 2024

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-787 Out-of-bounds Write
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-125 Out-of-bounds Read
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-416 Use After Free
CWE-862 Missing Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-287 Improper Authentication
CWE-269 Improper Privilege Management
CWE-502 Deserialization of Untrusted Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
CWE-918 Server-Side Request Forgery (SSRF)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-476 NULL Pointer Dereference
CWE-798 Use of Hard-coded Credentials
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-306 Missing Authentication for Critical Function

* [CASA](https://appdefensealliance.dev/casa) * [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) (5.0 and 4.0, levels 1, 2, 3) * [OWASP MASVS](https://mas.owasp.org/MASVS/) * [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) (2025) * [PCI DSS](https://www.pcisecuritystandards.org/) (4.0 and 3.2) * [STIG ASD](https://www.cyber.mil/stigs/) (6 and 5)