The following rules are supported for .NET Core projects:

  • BD.API.EQNULL - Make sure implementation of Object.Equals(Object) properly handles null values
  • BD.API.EQREFL - Make sure implementation of Object.Equals(Object) is reflexive
  • BD.CO.ITMOD - Do not modify collection while iterating over it
  • BD.EXCEPT.AN - Avoid ArgumentNullException
  • BD.EXCEPT.NR - Avoid NullReferenceException
  • BD.PB.ARRAY - Avoid accessing arrays out of bounds
  • BD.PB.CC - Avoid conditions that always evaluate to the same value
  • BD.PB.DEREF - Avoid dereferencing before checking for null
  • BD.PB.DISP - Do not use disposed resources
  • BD.PB.EVIPT - Ensure that the invoke parameter type corresponds to the delegate definition
  • BD.PB.FIN - Do not use managed resources in finalizers
  • BD.PB.POVR - Avoid overwriting method parameters before each use
  • BD.PB.SBONE - Ensure proper usage of StringBuilder objects
  • BD.PB.STRNULL - Do not append null value to strings
  • BD.PB.SWITCH - Avoid switch with unreachable branches
  • BD.PB.UGHC - Do not base equality on the equality of hash codes
  • BD.PB.VOVR - Avoid unused values
  • BD.PB.ZERO - Avoid division by zero
  • BD.RES.LEAKS - Ensure resources are deallocated
  • BD.SECURITY.CUSTOM - Prevent security vulnerability (custom rule)
  • BD.SECURITY.SENS - Prevent exposure of sensitive data
  • BD.SECURITY.TDCMD - Protect against command injection
  • BD.SECURITY.TDFNAMES - Protect against file name injection
  • BD.SECURITY.TDINPUT - Exclude unsanitized user input from format strings
  • BD.SECURITY.TDLDAP - Protect against LDAP injection
  • BD.SECURITY.TDLOG - Protect against log forging
  • BD.SECURITY.TDNET - Protect against network resource injection
  • BD.SECURITY.TDRESP - Protect against HTTP response splitting
  • BD.SECURITY.TDSQL - Protect against SQL query injection
  • BD.SECURITY.TDSQLC - Protect against SQL connection injection
  • BD.SECURITY.TDXSS - Protect against XSS vulnerabilities
  • BD.TRS.DIFCS - Variable should be used in context of single critical section
  • BD.TRS.MUTEX - Do not abandon unreleased mutexes
  • BD.TRS.ORDER - Do not acquire locks in different order
  • BRM.HBCM - Avoid hiding methods from base classes
  • BRM.HBCP - Avoid hiding properties from base classes
  • BRM.LINUPPERCASE - Use 'L' instead of 'l' to express 'long' integer constants
  • BRM.SFH - Always provide appropriate file header (copyright information, etc.)
  • BRM.SFT - Use spaces for tabs/indentation
  • CDD.DUPC - Avoid code duplication
  • CDD.DUPM - Avoid method duplication
  • CDD.DUPS - Avoid string literal duplication
  • CDD.DUPT - Avoid type duplication
  • CS.BRM.AIBA - Avoid 'is' before 'as'
  • CS.BRM.BEB - Avoid block statements with empty bodies
  • CS.BRM.CCB - Always enclose if and else bodies with curly braces
  • CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies
  • CS.BRM.ES - Use string.Empty for empty strings
  • CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members
  • CS.BRM.ICB - Always enclose iteration statement bodies with curly braces
  • CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions
  • CS.BRM.IEB - Avoid initialization statements with empty bodies
  • CS.BRM.KFATNC - Keep file and type names consistent
  • CS.BRM.RFINE - Do not use a large if-clause with a small else-clause that returns
  • CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement
  • CS.BRM.UCB - Always enclose using statement body with curly braces
  • CS.BRM.UCO - Use the null-coalescing operator ('??') instead of the conditional operator ('?')
  • CS.CDD.DUPU - Avoid duplicate using statements
  • CS.CMUG.PRU.FSPP - Follow the standard pattern for property accessors
  • CS.EU.VZS - Ensure that each enum has a member with value 0
  • CS.INTER.ITT - String literals should be internationalized
  • CS.MLC - Avoid using very large methods
  • CS.NG.VAR.PNCFV - Follow the proper naming convention for method variables and consts
  • CS.OOM.MI - Keep the Maintainability Index above the specified value
  • CS.PB.ANIL - Avoid non-iterable loops
  • CS.PB.AWC - Avoid assignment within a condition
  • CS.PB.BITBOOL - Do not use bitwise operators on bool operands
  • CS.PB.CCA - Avoid confusing assignments to constructor arguments
  • CS.PB.CEB - Avoid conditional statements with empty bodies
  • CS.PB.CNFA - Check for 'null' when using 'as' operator
  • CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement
  • CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies
  • CS.PB.FPLI - Do not use floating-point variables as loop indices
  • CS.PB.IDNE - Avoid increment and decrement statements which have no effect
  • CS.PB.IEB - Avoid iteration statements with empty bodies
  • CS.PB.IVFLC - Use the initializer variable in the condition of a 'for' loop
  • CS.PB.IVFLI - Use the initializer variable in the 'for' loop iterator section
  • CS.PB.MCO - Review '?:' operator for potential misuse
  • CS.PB.NACC - Avoid inaccessible classes and structs
  • CS.PB.NSIVFLB - Do not modify the 'for' loop initializer variable in the 'for' loop body
  • CS.PB.NSIVFLN - Do not increment or decrement the same variable across multiple nested 'for' loop statements
  • CS.PB.PUO - Avoid using the unary + operator
  • CS.PB.USC.CC - Avoid unreachable code in condition
  • CS.PB.USC.UC - Avoid unreachable code
  • CS.PB.VTNV - Do not compare value types to null
  • CS.PB.WIBS - Avoid wrong indentation of blockless statements
  • CS.PE.VFFP - Verify FileDialog filter pattern
  • CS.PFEL - Use foreach loops instead of for loops
  • CS.PROTC - Prefer readonly to const
  • CS.SC - Cast only simple expressions
  • CS.SEC.AUK - Avoid 'unsafe' keyword
  • CS.SERIAL.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
  • CS.SERIAL.UIS - Use the standard pattern while implementing ISerializable
  • CS.TRS.LCB - Always enclose lock statement body with curly braces
  • CS.TRS.LEB - Avoid lock statements with empty bodies
  • CS.USO - Put using statements in alphabetical order
  • CWE.120.AUK - Avoid 'unsafe' keyword
  • CWE.131.AUK - Avoid 'unsafe' keyword
  • CWE.190.AIWIL - Avoid indexer wraparound in loops
  • CWE.191.AIWIL - Avoid indexer wraparound in loops
  • CWE.209.SENS - Prevent exposure of sensitive data
  • CWE.22.TDFNAMES - Protect against file name injection
  • CWE.250.AUEP - Avoid using elevated privileges
  • CWE.285.TDSQL - Protect against SQL query injection
  • CWE.327.ACCA - Avoid using custom cryptographic algorithms
  • CWE.329.ACCA - Avoid using custom cryptographic algorithms
  • CWE.352.TDRESP - Protect against HTTP response splitting
  • CWE.362.DIFCS - Variable should be used in context of single critical section
  • CWE.369.ZERO - Avoid division by zero
  • CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
  • CWE.396.NCSAE - Avoid the use of 'catch' on 'Exception', 'SystemException' or 'ApplicationException'
  • CWE.397.NTSAE - Avoid the use of 'catch' on 'Exception', 'SystemException' or 'ApplicationException'
  • CWE.401.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing
  • CWE.416.DISP - Do not use disposed resources
  • CWE.416.FIN - Do not use managed resources in finalizers
  • CWE.434.TDFNAMES - Protect against file name injection
  • CWE.476.CNFA - Check for 'null' when using 'as' operator
  • CWE.476.DEREF - Avoid dereferencing before checking for null
  • CWE.476.NR - Avoid NullReferenceException
  • CWE.480.PUO - Avoid using the unary + operator
  • CWE.481.AWC - Avoid assignment within a condition
  • CWE.502.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
  • CWE.502.UIS - Use the standard pattern while implementing ISerializable
  • CWE.546.TODO - Ensure that comments do not contain task tags
  • CWE.554.CUSTOM - Prevent security vulnerability (custom rule)
  • CWE.563.POVR - Avoid overwriting method parameters before each use
  • CWE.563.VOVR - Avoid unused values
  • CWE.570.CC - Avoid conditions that always evaluate to the same value
  • CWE.571.CC - Avoid conditions that always evaluate to the same value
  • CWE.595.REVT - Do not use ReferenceEquals() on value types
  • CWE.601.TDNET - Protect against network resource injection
  • CWE.611.PDTDP - Prevent DTD processing
  • CWE.662.DIFCS - Variable should be used in context of single critical section
  • CWE.676.APDM - Avoid using potentially dangerous methods
  • CWE.77.TDCMD - Protect against command injection
  • CWE.770.LEAKS - Ensure resources are deallocated
  • CWE.776.PDTDP - Prevent DTD processing
  • CWE.78.TDCMD - Protect against command injection
  • CWE.780.UOWR - Use OAEP with RSA algorithm encryption
  • CWE.79.TDRESP - Protect against network resource injection
  • CWE.79.TDXSS - Protect against XSS vulnerabilities
  • CWE.80.TDRESP - Protect against HTTP response splitting
  • CWE.833.ORDER - Do not acquire locks in different order
  • CWE.862.UAA - Use authorization attributes on pages and controllers
  • CWE.88.TDCMD - Protect against command injection
  • CWE.89.TDSQL - Protect against SQL query injection
  • CWE.89.TDSQLC - Protect against SQL connection injection
  • CWE.90.TDLDAP - Protect against LDAP injection
  • CWE.99.TDFNAMES - Protect against file name injection
  • CWE.99.TDNET - Protect against network resource injection
  • EXCEPT.NCSAE - Avoid the use of 'catch' on 'Exception', 'SystemException' or 'ApplicationException'
  • EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
  • IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing
  • IFD.IDDR - Implement IDisposable in types which are using disposable resources
  • INTER.RI - Make sure that all strings from *.resx files are internationalized
  • OPU.CPTEQ - Compare parameter type of Equals(Object) method
  • OPU.REVT - Do not use ReferenceEquals() on value types
  • OWASP2017.A1.TDCMD - Protect against command injection
  • OWASP2017.A1.TDFNAMES - Protect against file name injection
  • OWASP2017.A1.TDLDAP - Protect against LDAP injection
  • OWASP2017.A1.TDNET - Protect against network resource injection
  • OWASP2017.A1.TDSQL - Protect against SQL query injection
  • OWASP2017.A1.TDSQLC - Protect against SQL connection injection
  • OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms
  • OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption
  • OWASP2017.A4.PDTDP - Prevent DTD processing
  • OWASP2017.A5.AUEP - Avoid using elevated privileges
  • OWASP2017.A5.TDFNAMES - Protect against file name injection
  • OWASP2017.A5.TDSQL - Protect against SQL query injection
  • OWASP2017.A5.UAA - Use authorization attributes on pages and controllers
  • OWASP2017.A6.CUSTOM - Prevent security vulnerability (custom rule)
  • OWASP2017.A6.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
  • OWASP2017.A6.NCSAE - Avoid the use of 'catch' on 'Exception', 'SystemException' or 'ApplicationException'
  • OWASP2017.A6.NTSAE - Avoid the use of 'catch' on 'Exception', 'SystemException' or 'ApplicationException'
  • OWASP2017.A6.SENS - Prevent exposure of sensitive data
  • OWASP2017.A7.TDRESP - Protect against HTTP response splitting
  • OWASP2017.A7.TDXSS - Protect against XSS vulnerabilities
  • OWASP2017.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
  • OWASP2017.A8.UIS - Use the standard pattern while implementing ISerializable
  • PB.DNCF - Do not compare floating-point types for equality
  • PB.II.TODO - Ensure that comments do not contain task tags
  • PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty
  • PB.STATICFLD - Do not write to static fields from non-static methods
  • PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks
  • SEC.ACCA - Avoid using custom cryptographic algorithms
  • SEC.ACWNS - There should be no classes without namespace
  • SEC.AIWIL - Avoid indexer wraparound in loops
  • SEC.APDM - Avoid using potentially dangerous methods
  • SEC.AUEP - Avoid using elevated privileges
  • SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown
  • SEC.UOWR - Use OAEP with RSA algorithm encryption
  • SEC.WEB.UAA - Use authorization attributes on pages and controllers
  • SEC.XXE.PDTDP - Prevent DTD processing
  • SERIAL.XML.SOAFAP - Make sure that the type of a serialized field/property is compatible with the type used in XmlElementAttribute
  • VB.BRM.ES - Use string.Empty for empty strings
  • VB.BRM.PNPT - Use preferred names for primitive types
  • VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement