The following rules can be enabled in CQA mode:

  • BRM.CMT.MSC - Members should be commented
  • BRM.CMT.TSC - Types should be commented
  • BRM.HBCM - Avoid hiding methods from base classes
  • BRM.HBCP - Avoid hiding properties from base classes
  • CS.BRM.AIBA - Avoid 'is' before 'as'
  • CS.BRM.BEB - Avoid block statements with empty bodies.
  • CS.BRM.CCB - Always enclose if and else bodies with curly braces
  • CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies.
  • CS.BRM.ES - Use string.Empty for empty strings
  • CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members
  • CS.BRM.ICB - Always enclose iteration statements bodies with curly braces.
  • CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions.
  • CS.BRM.IEB - Avoid initialization statements with empty bodies.
  • CS.BRM.KFATNC - Keep file and type names consistent
  • CS.BRM.SCHR - Avoid using the Strings.Chr() and Strings.ChrW() methods in C# code.
  • CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement
  • CS.BRM.UCB - Always enclose using statement body with curly braces.
  • CS.CDD.DUPU - Avoid duplicate using statements
  • CS.EU.VZS - Ensure that each enum has member with value 0
  • CS.INTER.ITT - String literals should be internationalized
  • CS.NG.VAR.PNCFV - Follow proper naming convention for method variables and consts.
  • CS.PB.ANIL - Avoid non-iterable loops.
  • CS.PB.AWC - Avoid assignment within a condition.
  • CS.PB.BITBOOL - Do not use bitwise operators on bool operands.
  • CS.PB.CCA - Avoid confusing assignments to constructor arguments.
  • CS.PB.CEB - Avoid conditional statements with empty bodies.
  • CS.PB.CNFA - Check for 'null' when using 'as' operator
  • CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement.
  • CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies.
  • CS.PB.FPLI - Do not use floating point variables as loop indices.
  • CS.PB.IDNE - Avoid increment and decrement statements which have no effect
  • CS.PB.IEB - Avoid iteration statements with empty bodies.
  • CS.PB.IVFLC - Use initializer variable in a condition of 'for' loop
  • CS.PB.IVFLI - Use initializer variable in 'for' loop iterator section.
  • CS.PB.MCO - Review '?:' operator for potential misuse.
  • CS.PB.NACC - Avoid inaccessible classes and structs.
  • CS.PB.NSIVFLB - Do not modify 'for' loop initializer variable in 'for' loop body.
  • CS.PB.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
  • CS.PB.PUO - Avoid using the unary + operator
  • CS.PB.USC.CC - Avoid unreachable code in condition
  • CS.PB.USC.UC - Avoid unreachable code
  • CS.PB.VTNV - Do not compare value types to null
  • CS.PB.WIBS - Avoid wrong indentation of blockless statements
  • CS.SEC.AUK - Avoid 'unsafe' keyword.
  • CS.SEC.RSFSS - Do not re-create string from SecureString.
  • CS.SEC.SSFP - Use SecureString instead of String for password.
  • CS.TRS.LCB - Always enclose lock statement body with curly braces.
  • CS.TRS.LEB - Avoid lock statements with empty bodies.
  • CT.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
  • CT.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
  • CWE.120.AUK - Avoid 'unsafe' keyword.
  • CWE.131.AUK - Avoid 'unsafe' keyword.
  • CWE.190.AIWIL - Avoid indexer wraparound in loops.
  • CWE.191.AIWIL - Avoid indexer wraparound in loops.
  • CWE.197.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
  • CWE.250.AUEP - Avoid using elevated privileges.
  • CWE.287.IIPHEU - Do not rely on reverse DNS resolution for security decisions
  • CWE.287.LUAFLA - Lock out the user after failed login attempts
  • CWE.287.UAAMC - Ensure that authorization attributes match the controller
  • CWE.295.DNICV - Do not disable SSL certificate validation
  • CWE.307.LUAFLA - Lock out the user after failed login attempts
  • CWE.316.RSFSS - Do not re-create string from SecureString.
  • CWE.316.SSFP - Use SecureString instead of String for password.
  • CWE.327.ACCA - Avoid using custom cryptographic algorithms.
  • CWE.329.ACCA - Avoid using custom cryptographic algorithms.
  • CWE.350.IIPHEU - Do not rely on reverse DNS resolution for security decisions
  • CWE.352.VAFT - Use anti-forgery attributes on POST methods
  • CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
  • CWE.396.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
  • CWE.397.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
  • CWE.401.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
  • CWE.476.CNFA - Check for 'null' when using 'as' operator
  • CWE.480.PUO - Avoid using the unary + operator
  • CWE.481.AWC - Avoid assignment within a condition.
  • CWE.494.IREC - Do not execute external code without integrity check.
  • CWE.561.UC - Avoid unreachable code
  • CWE.595.REVT - Do not use ReferenceEquals() on value types.
  • CWE.611.PDTDP - Prevent DTD processing
  • CWE.613.ISE - Ensure sufficient session expiration
  • CWE.676.APDM - Avoid using potentially dangerous methods.
  • CWE.681.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
  • CWE.704.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
  • CWE.780.UOWR - Use OAEP with RSA algorithm encryption.
  • CWE.827.PDTDP - Prevent DTD processing
  • CWE.835.IVFLC - Use initializer variable in a condition of 'for' loop
  • CWE.835.IVFLI - Use initializer variable in 'for' loop iterator section.
  • CWE.835.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
  • CWE.838.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
  • CWE.862.UAA - Use authorization attributes on pages and controllers
  • CWE.863.UAAMC - Ensure that authorization attributes match the controller
  • EXCEPT.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
  • EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
  • IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
  • IFD.IDDR - Implement IDisposable in types which are using disposable resources
  • OPU.CPTEQ - Compare parameter type of Equals(Object) method
  • OPU.REVT - Do not use ReferenceEquals() on value types.
  • OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
  • OWASP2017.A2.ISE - Ensure sufficient session expiration
  • OWASP2017.A2.LUAFLA - Lock out the user after failed login attempts
  • OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms.
  • OWASP2017.A3.RSFSS - Do not re-create string from SecureString.
  • OWASP2017.A3.SSFP - Use SecureString instead of String for password.
  • OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption.
  • OWASP2017.A4.PDTDP - Prevent DTD processing
  • OWASP2017.A5.AUEP - Avoid using elevated privileges.
  • OWASP2017.A5.UAA - Use authorization attributes on pages and controllers
  • OWASP2017.A5.UAAMC - Ensure that authorization attributes match the controller
  • OWASP2017.A5.VAFT - Use anti-forgery attributes on POST methods
  • OWASP2017.A6.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
  • OWASP2017.A6.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
  • PB.ACDE - Avoid calling the Application.DoEvents() method
  • PB.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
  • PB.CFF - Verify number of arguments in Composite Formatting feature
  • PB.DNCF - Do not compare floating-point types for equality.
  • PB.EMPTYMETHODS - Avoid empty methods
  • PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty
  • PB.STATICFLD - Do not write to static fields from non-static methods
  • PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks.
  • PCIDSS32.6510.ISE - Ensure sufficient session expiration
  • PCIDSS32.6510.LUAFLA - Lock out the user after failed login attempts
  • PCIDSS32.652.AUK - Avoid 'unsafe' keyword.
  • PCIDSS32.653.ACCA - Avoid using custom cryptographic algorithms.
  • PCIDSS32.653.RSFSS - Do not re-create string from SecureString.
  • PCIDSS32.653.SSFP - Use SecureString instead of String for password.
  • PCIDSS32.653.UOWR - Use OAEP with RSA algorithm encryption.
  • PCIDSS32.654.RSFSS - Do not re-create string from SecureString.
  • PCIDSS32.654.SSFP - Use SecureString instead of String for password.
  • PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
  • PCIDSS32.655.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
  • PCIDSS32.655.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
  • PCIDSS32.658.AUEP - Avoid using elevated privileges.
  • PCIDSS32.658.UAA - Use authorization attributes on pages and controllers
  • PCIDSS32.658.UAAMC - Ensure that authorization attributes match the controller
  • PCIDSS32.659.VAFT - Use anti-forgery attributes on POST methods
  • SEC.ACCA - Avoid using custom cryptographic algorithms.
  • SEC.ACWNS - There should be no classes without namespace.
  • SEC.AIWIL - Avoid indexer wraparound in loops.
  • SEC.APDM - Avoid using potentially dangerous methods.
  • SEC.AUEP - Avoid using elevated privileges.
  • SEC.IREC - Do not execute external code without integrity check.
  • SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
  • SEC.UOWR - Use OAEP with RSA algorithm encryption.
  • SEC.WEB.DNICV - Do not disable SSL certificate validation
  • SEC.WEB.IIPHEU - Do not rely on reverse DNS resolution for security decisions
  • SEC.WEB.ISE - Ensure sufficient session expiration
  • SEC.WEB.LUAFLA - Lock out the user after failed login attempts
  • SEC.WEB.UAA - Use authorization attributes on pages and controllers
  • SEC.WEB.UAAMC - Ensure that authorization attributes match the controller
  • SEC.WEB.VAFT - Use anti-forgery attributes on POST methods
  • SEC.XXE.PDTDP - Prevent DTD processing
  • SERIAL.XML.SOAFAP - Make sure that type of serialized field/property is compatible with type used in XmlElementAttribute
  • VB.BRM.ES - Use string.Empty for empty strings
  • VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement
