The following rules can be enabled in CQA mode:
APSC_DV.001460.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
APSC_DV.001460.UIS - Use the standard pattern while implementing ISerializable
APSC_DV.000160.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.000160.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.000160.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.000170.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.000170.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.000170.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.000460.UAA - Use authorization attributes on pages and controllers
APSC_DV.000500.AUEP - Avoid using elevated privileges.
APSC_DV.000510.ISE - Ensure sufficient session expiration
APSC_DV.000510.UAA - Use authorization attributes on pages and controllers
APSC_DV.000530.LUAFLA - Lock out the user after failed login attempts
APSC_DV.000650.ALSI - Avoid logging sensitive information
APSC_DV.001460.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.001460.ALSI - Avoid logging sensitive information
APSC_DV.001460.AUEP - Avoid using elevated privileges.
APSC_DV.001460.DNICV - Do not disable SSL certificate validation
APSC_DV.001460.IIPHEU - Do not rely on reverse DNS resolution for security decisions
APSC_DV.001460.IREC - Do not execute external code without integrity check.
APSC_DV.001460.ISE - Ensure sufficient session expiration
APSC_DV.001460.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
APSC_DV.001460.LUAFLA - Lock out the user after failed login attempts
APSC_DV.001460.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
APSC_DV.001460.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
APSC_DV.001460.PBRTE - Always specify absolute path to execute commands
APSC_DV.001460.PDTDP - Prevent DTD processing
APSC_DV.001460.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.001460.RSFSS - Do not re-create string from SecureString.
APSC_DV.001460.SDE - Avoid inclusion of sensitive data in exception
APSC_DV.001460.SSFP - Use SecureString instead of String for password.
APSC_DV.001460.UAA - Use authorization attributes on pages and controllers
APSC_DV.001460.UAAMC - Ensure that authorization attributes match the controller
APSC_DV.001460.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.001460.VAFT - Use anti-forgery attributes on POST methods
APSC_DV.001460.VLT - Validate shortcut target paths before use
APSC_DV.001660.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.001860.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.001860.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002000.ISE - Ensure sufficient session expiration
APSC_DV.002010.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002010.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002290.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002290.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002350.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002350.UOWR - Use OAEP with RSA algorithm encryption.
BRM.APNFT - Always provide names for threads
BRM.CMT.MSC - Members should be commented
BRM.CMT.TSC - Types should be commented
BRM.HBCM - Avoid hiding methods from base classes
BRM.HBCP - Avoid hiding properties from base classes
BRM.MLL - Keep line length within predefined parameters
CMUG.MU.AUPM - Avoid unused private methods
CS.BRM.AIBA - Avoid 'is' before 'as'
CS.BRM.BEB - Avoid block statements with empty bodies.
CS.BRM.CCB - Always enclose if and else bodies with curly braces
CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies.
CS.BRM.ES - Use string.Empty for empty strings
CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members
CS.BRM.ICB - Always enclose iteration statements bodies with curly braces.
CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions.
CS.BRM.IEB - Avoid initialization statements with empty bodies.
CS.BRM.KFATNC - Keep file and type names consistent
CS.BRM.SCHR - Avoid using the Strings.Chr() and Strings.ChrW() methods in C# code.
CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement
CS.BRM.UCB - Always enclose using statement body with curly braces.
CS.CDD.DUPU - Avoid duplicate using statements
CS.EU.VZS - Ensure that each enum has member with value 0
CS.INTER.ITT - String literals should be internationalized
CS.NG.VAR.PNCFV - Follow proper naming convention for method variables and consts.
CS.PB.ANIL - Avoid non-iterable loops.
CS.PB.AWC - Avoid assignment within a condition.
CS.PB.BITBOOL - Do not use bitwise operators on bool operands.
CS.PB.CCA - Avoid confusing assignments to constructor arguments.
CS.PB.CEB - Avoid conditional statements with empty bodies.
CS.PB.CNFA - Check for 'null' when using 'as' operator
CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement.
CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies.
CS.PB.FPLI - Do not use floating point variables as loop indices.
CS.PB.IDNE - Avoid increment and decrement statements which have no effect
CS.PB.IEB - Avoid iteration statements with empty bodies.
CS.PB.IVFLC - Use initializer variable in a condition of 'for' loop
CS.PB.IVFLI - Use initializer variable in 'for' loop iterator section.
CS.PB.MCO - Review '?:' operator for potential misuse.
CS.PB.NACC - Avoid inaccessible classes and structs.
CS.PB.NSIVFLB - Do not modify 'for' loop initializer variable in 'for' loop body.
CS.PB.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
CS.PB.PUO - Avoid using the unary + operator
CS.PB.USC.CC - Avoid unreachable code in condition
CS.PB.USC.UC - Avoid unreachable code
CS.PB.VTNV - Do not compare value types to null
CS.PB.WIBS - Avoid wrong indentation of blockless statements
CS.PROTC - Prefer readonly over const
CS.SEC.AUK - Avoid 'unsafe' keyword.
CS.SEC.RSFSS - Do not re-create string from SecureString
CS.SEC.SSFP - Use SecureString instead of String for password.
CS.SERIAL.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields.
CS.SERIAL.UIS - Use the standard pattern while implementing ISerializable.
CS.TRS.LCB - Always enclose lock statement body with curly braces.
CS.TRS.LEB - Avoid lock statements with empty bodies.
CT.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
CT.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
CWE.120.AUK - Avoid 'unsafe' keyword.
CWE.131.AUK - Avoid 'unsafe' keyword.
CWE.1321.SDE - Avoid inclusion of sensitive data in exception
CWE.1386.VLT - Validate shortcut target paths before use
CWE.190.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
CWE.190.AIWIL - Avoid indexer wraparound in loops.
CWE.191.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
CWE.191.AIWIL - Avoid indexer wraparound in loops.
CWE.197.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
CWE.200.SDE - Avoid inclusion of sensitive data in exception
CWE.209.SDE - Avoid inclusion of sensitive data in exception
CWE.250.AUEP - Avoid using elevated privileges.
CWE.269.UAAMC - Ensure that authorization attributes match the controller
CWE.287.IIPHEU - Do not rely on reverse DNS resolution for security decisions
CWE.287.LUAFLA - Lock out the user after failed login attempts
CWE.287.UAAMC - Ensure that authorization attributes match the controller
CWE.295.DNICV - Do not disable SSL certificate validation
CWE.307.LUAFLA - Lock out the user after failed login attempts
CWE.316.RSFSS - Do not re-create string from SecureString.
CWE.316.SSFP - Use SecureString instead of String for password.
CWE.326.RSAKS - Use RSA keys of 2048 bits or longer
CWE.327.ACCA - Avoid using custom cryptographic algorithms.
CWE.329.ACCA - Avoid using custom cryptographic algorithms.
CWE.350.IIPHEU - Do not rely on reverse DNS resolution for security decisions
CWE.352.VAFT - Use anti-forgery attributes on POST methods
CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
CWE.396.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
CWE.397.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
CWE.426.PBRTE - Always specify absolute path to execute commands
CWE.427.DNICV - Do not disable SSL certificate validation
CWE.476.CNFA - Check for 'null' when using 'as' operator
CWE.480.PUO - Avoid using the unary + operator
CWE.481.AWC - Avoid assignment within a condition.
CWE.494.IREC - Do not execute external code without integrity check.
CWE.502.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
CWE.502.UIS - Use the standard pattern while implementing ISerializable
CWE.522.VLT - Validate shortcut target paths before use
CWE.532.ALSI - Avoid logging sensitive information
CWE.561.UC - Avoid unreachable code
CWE.59.VLT - Validate shortcut target paths before use
CWE.595.REVT - Do not use ReferenceEquals() on value types.
CWE.611.PDTDP - Prevent DTD processing
CWE.613.ISE - Ensure sufficient session expiration
CWE.617.ATA - Do not use the Trace.Assert() method in production code
CWE.64.VLT - Validate shortcut target paths before use
CWE.676.APDM - Avoid using potentially dangerous methods.
CWE.681.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
CWE.770.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
CWE.780.UOWR - Use OAEP with RSA algorithm encryption.
CWE.827.PDTDP - Prevent DTD processing
CWE.835.IVFLC - Use initializer variable in a condition of 'for' loop
CWE.835.IVFLI - Use initializer variable in 'for' loop iterator section.
CWE.835.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
CWE.838.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
CWE.862.UAA - Use authorization attributes on pages and controllers
CWE.863.UAAMC - Ensure that authorization attributes match the controller
EXCEPT.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
IFD.IDDR - Implement IDisposable in types which are using disposable resources
OPU.CPNEQ - Compare parameter of Equals(Object) method to null
OPU.CPTEQ - Compare parameter type of Equals(Object) method
OPU.REVT - Do not use ReferenceEquals() on value types.
OWASP_ASVS_403.V1_5_2.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V1_5_2.UIS - Use the standard pattern while implementing ISerializable
OWASP_ASVS_403.V5_5_1.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V5_5_1.UIS - Use the standard pattern while implementing ISerializable
OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
OWASP2017.A2.ISE - Ensure sufficient session expiration
OWASP2017.A2.LUAFLA - Lock out the user after failed login attempts
OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms.
OWASP2017.A3.ALSI - Avoid logging sensitive information
OWASP2017.A3.DNICV - Do not disable SSL certificate validation
OWASP2017.A3.RSFSS - Do not re-create string from SecureString.
OWASP2017.A3.SDE - Avoid inclusion of sensitive data in exception
OWASP2017.A3.SSFP - Use SecureString instead of String for password.
OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2017.A4.PDTDP - Prevent DTD processing
OWASP2017.A5.AUEP - Avoid using elevated privileges.
OWASP2017.A5.UAA - Use authorization attributes on pages and controllers
OWASP2017.A5.UAAMC - Ensure that authorization attributes match the controller
OWASP2017.A5.VAFT - Use anti-forgery attributes on POST methods
OWASP2017.A6.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2017.A6.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2017.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP2017.A8.UIS - Use the standard pattern while implementing ISerializable
OWASP2019.API10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
OWASP2019.API2.LUAFLA - Lock out the user after failed login attempts
OWASP2019.API2.RSFSS - Do not re-create string from SecureString.
OWASP2019.API2.SSFP - Use SecureString instead of String for password.
OWASP2019.API3.ACCA - Avoid using custom cryptographic algorithms.
OWASP2019.API3.ALSI - Avoid logging sensitive information
OWASP2019.API3.ATA - Do not use the Trace.Assert() method in production code
OWASP2019.API3.SDE - Avoid inclusion of sensitive data in exception
OWASP2019.API3.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2019.API4.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
OWASP2019.API5.ISE - Ensure sufficient session expiration
OWASP2019.API5.UAA - Use authorization attributes on pages and controllers
OWASP2019.API5.UAAMC - Ensure that authorization attributes match the controller
OWASP2019.API7.DNICV - Do not disable SSL certificate validation
OWASP2019.API7.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
OWASP2019.API7.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2019.API7.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2019.API8.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
OWASP2019.API8.AUK - Avoid 'unsafe' keyword.
OWASP2019.API8.IREC - Do not execute external code without integrity check.
OWASP2019.API8.PBRTE - Always specify absolute path to execute commands
OWASP2019.API8.PDTDP - Prevent DTD processing
OWASP2021.A1.AUEP - Avoid using elevated privileges.
OWASP2021.A1.DNICV - Do not disable SSL certificate validation
OWASP2021.A1.UAA - Use authorization attributes on pages and controllers
OWASP2021.A1.UAAMC - Ensure that authorization attributes match the controller
OWASP2021.A1.VAFT - Use anti-forgery attributes on POST methods
OWASP2021.A1.VLT - Validate shortcut target paths before use
OWASP2021.A2.ACCA - Avoid using custom cryptographic algorithms.
OWASP2021.A2.RSAKS - Use RSA keys of 2048 bits or longer
OWASP2021.A2.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2021.A4.RSFSS - Do not re-create string from SecureString.
OWASP2021.A4.SDE - Avoid inclusion of sensitive data in exception
OWASP2021.A4.SSFP - Use SecureString instead of String for password.
OWASP2021.A5.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2021.A5.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2021.A5.PDTDP - Prevent DTD processing
OWASP2021.A7.IIPHEU - Do not rely on reverse DNS resolution for security decisions
OWASP2021.A7.ISE - Ensure sufficient session expiration
OWASP2021.A7.LUAFLA - Lock out the user after failed login attempts
OWASP2021.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP2021.A8.IREC - Do not execute external code without integrity check.
OWASP2021.A8.PBRTE - Always specify absolute path to execute commands
OWASP2021.A8.UIS - Use the standard pattern while implementing ISerializable.
OWASP2021.A9.ALSI - Avoid logging sensitive information
OWASP2021.A9.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PB.ACDE - Avoid calling the Application.DoEvents() method
PB.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
PB.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
PB.CFF - Verify number of arguments in Composite Formatting feature
PB.DNCF - Do not compare floating-point types for equality.
PB.EMPTYMETHODS - Avoid empty methods
PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty
PB.STATICFLD - Do not write to static fields from non-static methods
PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks.
PCIDSS32.6510.ISE - Ensure sufficient session expiration
PCIDSS32.6510.LUAFLA - Lock out the user after failed login attempts
PCIDSS32.652.AUK - Avoid 'unsafe' keyword.
PCIDSS32.653.ACCA - Avoid using custom cryptographic algorithms.
PCIDSS32.653.RSFSS - Do not re-create string from SecureString.
PCIDSS32.653.SSFP - Use SecureString instead of String for password.
PCIDSS32.653.UOWR - Use OAEP with RSA algorithm encryption.
PCIDSS32.654.RSFSS - Do not re-create string from SecureString.
PCIDSS32.654.SSFP - Use SecureString instead of String for password.
PCIDSS32.655.ATA - Do not use the Trace.Assert() method in production code
PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PCIDSS32.655.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS32.655.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS32.658.AUEP - Avoid using elevated privileges.
PCIDSS32.658.PBRTE - Always specify absolute path to execute commands
PCIDSS32.658.UAA - Use authorization attributes on pages and controllers
PCIDSS32.658.UAAMC - Ensure that authorization attributes match the controller
PCIDSS32.659.VAFT - Use anti-forgery attributes on POST methods
PCIDSS40.6242.AIWIL - Avoid indexer wraparound in loops.
PCIDSS40.6242.AUK - Avoid 'unsafe' keyword.
PCIDSS40.6243.ACCA - Avoid using custom cryptographic algorithms.
PCIDSS40.6243.RSFSS - Do not re-create string from SecureString.
PCIDSS40.6243.SSFP - Use SecureString instead of String for password.
PCIDSS40.6243.UOWR - Use OAEP with RSA algorithm encryption.
PCIDSS40.6244.ATA - Do not use the Trace.Assert() method in production code
PCIDSS40.6244.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PCIDSS40.6244.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS40.6244.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS40.6244.SDE - Avoid inclusion of sensitive data in exception
PCIDSS40.6245.AUEP - Avoid using elevated privileges.
PCIDSS40.6245.DNICV - Do not disable SSL certificate validation
PCIDSS40.6245.IIPHEU - Do not rely on reverse DNS resolution for security decisions
PCIDSS40.6245.ISE - Ensure sufficient session expiration
PCIDSS40.6245.LUAFLA - Lock out the user after failed login attempts
PCIDSS40.6245.PBRTE - Always specify absolute path to execute commands
PCIDSS40.6245.UAA - Use authorization attributes on pages and controllers
PCIDSS40.6245.UAAMC - Ensure that authorization attributes match the controller
SEC.ACCA - Avoid using custom cryptographic algorithms.
SEC.ACWNS - There should be no classes without namespace.
SEC.AIWIL - Avoid indexer wraparound in loops.
SEC.ALSI - Avoid logging sensitive information
SEC.APDM - Avoid using potentially dangerous methods.
SEC.ATA - Do not use the Trace.Assert() method in production code
SEC.AUEP - Avoid using elevated privileges.
SEC.IREC - Do not execute external code without integrity check.
SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
SEC.PBRTE - Always specify absolute path to execute commands
SEC.RSAKS - Use RSA keys of 2048 bits or longer
SEC.SDE - Avoid inclusion of sensitive data in exception
SEC.UOWR - Use OAEP with RSA algorithm encryption.
SEC.VLT - Validate shortcut target paths before use
SEC.WEB.DNICV - Do not disable SSL certificate validation
SEC.WEB.IIPHEU - Do not rely on reverse DNS resolution for security decisions
SEC.WEB.ISE - Ensure sufficient session expiration
SEC.WEB.LUAFLA - Lock out the user after failed login attempts
SEC.WEB.UAA - Use authorization attributes on pages and controllers
SEC.WEB.UAAMC - Ensure that authorization attributes match the controller
SEC.WEB.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
SEC.WEB.VAFT - Use anti-forgery attributes on POST methods
SEC.XXE.PDTDP - Prevent DTD processing
SERIAL.XML.SOAFAP - Make sure that type of serialized field/property is compatible with type used in XmlElementAttribute
VB.BRM.ES - Use string.Empty for empty strings
VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement
VVSG.11_1_B.ALSI - Avoid logging sensitive information
VVSG.11_3_1_A.UAA - Use authorization attributes on pages and controllers
VVSG.11_3_1_A.UAAMC - Ensure that authorization attributes match the controller
VVSG.11_4_A.AUEP - Avoid using elevated privileges.
VVSG.11_4_A.UAA - Use authorization attributes on pages and controllers
VVSG.11_5_A.ISE - Ensure sufficient session expiration
VVSG.11_5_C.LUAFLA - Lock out the user after failed login attempts
VVSG.13_3_C.RSAKS - Use RSA keys of 2048 bits or longer
VVSG.13_3_C.UOWR - Use OAEP with RSA algorithm encryption.
VVSG.14_2_G.AUPM - Avoid unused private methods
VVSG.14_2_G.NACC - Avoid inaccessible classes and structs.
VVSG.14_2_G.UC - Avoid unreachable code
VVSG.14_2_G.USCCC - Avoid unreachable code in condition
VVSG.2_5_2_A.IREC - Do not execute external code without integrity check.
VVSG.2_5_2_A.VAFT - Use anti-forgery attributes on POST methods
VVSG.2_5_2_A.VLT - Validate shortcut target paths before use
VVSG.2_5_4_C.AUK - Avoid 'unsafe' keyword.
VVSG.2_5_4_F.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
VVSG.2_5_4_F.AIWIL - Avoid indexer wraparound in loops.
VVSG.2_5_4_I.CNFA - Check for 'null' when using 'as' operator
VVSG.2_5_4_J.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
VVSG.3_1_1_C.MSC - Members should be commented
VVSG.3_1_1_C.TSC - Types should be commented
VVSG.5_2_B.ITT - String literals should be internationalized
The following rules can be enabled in CQA mode, but they are not supported when analyzing Visual Basic (.vb) files or when the dottest.rulewizard.enforceold setting is enabled:
APSC_DV.000460.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001250.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
APSC_DV.001250.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001270.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
APSC_DV.001270.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001460.DMSC - Inspect modifications to security settings
APSC_DV.001460.NCNRE - Do not catch 'NullReferenceException''
APSC_DV.001460.SMIII - Seal methods which implement internal interfaces
APSC_DV.001460.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001660.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001810.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001820.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001850.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001860.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001860.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001940.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001950.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001995.INVOKE - Prefer asynchronous calls to synchronized calls.
APSC_DV.001995.LOCKSETGET - Lock both when either set or get is locked for a property.
APSC_DV.002010.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002020.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002030.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002040.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002050.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002290.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002310.DMSC - Inspect modifications to security settings
APSC_DV.002340.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002350.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002360.DMSC - Inspect modifications to security settings
APSC_DV.002440.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002440.ENFL - Ensure all sensitive function invocations are logged
APSC_DV.002450.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002460.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002460.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002470.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002470.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002480.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002520.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002520.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002530.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002530.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002570.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002570.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002590.AUPS - Inspect calls to Process.Start()
APSC_DV.002960.AUPS - Inspect calls to Process.Start()
APSC_DV.003100.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.003140.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
ARRU.DNUNGIF - Do not use non-generic collection for making custom collection class
ARRU.NGLVD - Do not declare local variables of non-generic collections types
BRM.BOOLNEGNAME - Use positive instead of negative terms for naming properies/methods that return a 'boolean'.
BRM.COLLPLURALNAME - Use plural name for a property of type collection/array and avoid collection/array in the name.
BRM.ISPREFIX - Use 'Is...' only for naming methods that return a "boolean"
BRM.LONGNAMES - Avoid class, struct, or interface names which are more than 14 characters long
CLS.ACAC - Provide the same accessibility for the property and its accessors
CLS.CONV - Provide alternate methods for conversion if you provide conversion operators
CLS.ENTY - Make the underlying type of enum an inegral type
CLS.NOOO - Do not use operator overloading if you want to be CLS compliant
CLS.NOPT - Do not use pointer types if you want to be CLS-compliant
CLS.PRMT - Use only CLS-compliant primitive types
CLS.TYPR - Avoid using typed references
CMUG.MU.VALRETURN - Do not use value types for returning values from methods or properties.
CMUG.PRU.DPAV - Declare properties in classes that derive from classes using nHibernate as virtual.
CS.IFD.DNPTHIS - Do not pass a reference to 'this' from inside a destructor or dispose method.
CS.OOM.CAST2CONCRETE - Avoid casts to concrete Collection types
CS.PB.INVOKE - Prefer asynchronous calls to synchronized calls.
CS.SMC - Avoid "switch" statements with many "case" statements
CS.TRS.LOCKSETGET - Lock both when either set or get is locked for a property.
CWE.330.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
CWE.362.LOCKSETGET - Lock both when either set or get is locked for a property.
CWE.395.NCNRE - Do not catch 'NullReferenceException''
CWE.829.DMSC - Inspect modifications to security settings
EXCEPT.NCNRE - Do not catch 'NullReferenceException''
GC.DCGC - Do not explicitly call 'System.GC.Collect()' or 'System.GC.Collect(int)'
GC.RCCB - Reuse calls to 'ClipBounds'
INTER.TOLOWERTOUPPER - Do not use directly ToLower(), ToUpper() string methods.
OOM.LNDM - Avoid a large number of data members per class
OOM.LNMM - Avoid a large number of methods per class
OOM.LNPBD - Avoid a large number of public data members per class
OOM.LNPBM - Avoid a large number of public methods per class
OOM.LNPM - Avoid a large number of parameters per method
OOM.LNPTD - Avoid a large number of protected data members per class
OOM.LNPTM - Avoid a large number of protected methods per class
OOM.LNPVD - Avoid a large number of private data members per class
OOM.LNPVM - Avoid a large number of private methods per class
OOM.MLCI - Avoid too many levels of class inheritance
OPU.NOREFEQUAL - Do not override ReferenceEquals() method
OPU.NOSTATICEQUAL - Do not override static Object.Equals() method
OWASP2017.A6.DMSC - Inspect modifications to security settings
OWASP2017.A6.NCNRE - Do not catch 'NullReferenceException''
OWASP2017.A6.SMIII - Seal methods which implement internal interfaces
OWASP2019.API1.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2019.API10.ENFL - Ensure all sensitive function invocations are logged
OWASP2019.API7.DMSC - Inspect modifications to security settings
OWASP2019.API7.NCNRE - Do not catch 'NullReferenceException''
OWASP2019.API7.SMIII - Seal methods which implement internal interfaces
OWASP2019.API8.AUPS - Inspect calls to Process.Start()
OWASP2021.A2.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2021.A5.NCNRE - Do not catch 'NullReferenceException''
OWASP2021.A5.SMIII - Seal methods which implement internal interfaces
OWASP2021.A8.DMSC - Inspect modifications to security settings
OWASP2023.API1.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2023.API3.DMSC - Inspect modifications to security settings
OWASP2023.API3.NCNRE - Do not catch 'NullReferenceException''
OWASP2023.API3.SMIII - Seal methods which implement internal interfaces
OWASP2023.API6.ENFL - Ensure all sensitive function invocations are logged
OWASP2023.API8.DMSC - Inspect modifications to security settings
OWASP2023.API8.NCNRE - Do not catch 'NullReferenceException''
OWASP2023.API8.SMIII - Seal methods which implement internal interfaces
OWASP_ASVS_403.V12_3_6.DMSC - Inspect modifications to security settings
OWASP_ASVS_403.V1_11_2.LOCKSETGET - Lock both when either set or get is locked for a property.
PB.CONSOLEWRITE - Avoid System.Console 'Write()' or 'WriteLine()' statements
PCIDSS32.655.NCNRE - Do not catch 'NullReferenceException''
PCIDSS40.6244.NCNRE - Do not catch 'NullReferenceException''
SEC.AASV - Inspect calls to access environment variables
SEC.AFNRO - Inspect array fields that are declared as readonly
SEC.ALBM - Inspect calls to late-binding methods
SEC.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
SEC.ASNRF - Inspect static fields that are not readonly and consider making them readonly
SEC.AUIC - Avoid using public inner classes to prevent access from untrusted classes
SEC.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
SEC.AUPS - Inspect calls to Process.Start()
SEC.AUSD - Inspect uses of System.DateTime for security holes
SEC.DMSC - Inspect modifications to security settings
SEC.HPTR - Make pointer type fields private
SEC.MCMF - For security, avoid making your 'Clone()' method " virtual "
SEC.SMIII - Seal methods which implement internal interfaces
SEC.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
SERIAL.GETOBJ - Call WriteObjectdata while implementing ISerializable.GetObjectData.
SPR.ENFL - Ensure all sensitive function invocations are logged
VVSG.2_4_A.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
VVSG.2_4_A.AUIC - Avoid using public inner classes to prevent access from untrusted classes
VVSG.2_4_A.HPTR - Make pointer type fields private
VVSG.2_4_A.SMIII - Seal methods which implement internal interfaces
VVSG.2_5_4_I.HPTR - Make pointer type fields private
VVSG.2_5_4_I.NOPT - Do not use pointer types if you want to be CLS-compliant
VVSG.2_5_B.INVOKE - Prefer asynchronous calls to synchronized calls.
VVSG.5_2_B.TOLOWERTOUPPER - Do not use directly ToLower(), ToUpper() string methods.
