The following rules can be enabled in CQA mode:
APSC_DV.000160.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.000160.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.000160.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.000170.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.000170.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.000170.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.000460.UAA - Use authorization attributes on pages and controllers
APSC_DV.000500.AUEP - Avoid using elevated privileges.
APSC_DV.000510.ISE - Ensure sufficient session expiration
APSC_DV.000510.UAA - Use authorization attributes on pages and controllers
APSC_DV.000530.LUAFLA - Lock out the user after failed login attempts
APSC_DV.000650.ALSI - Avoid logging sensitive information
APSC_DV.001460.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.001460.ALSI - Avoid logging sensitive information
APSC_DV.001460.AUEP - Avoid using elevated privileges.
APSC_DV.001460.DNICV - Do not disable SSL certificate validation
APSC_DV.001460.IIPHEU - Do not rely on reverse DNS resolution for security decisions
APSC_DV.001460.IREC - Do not execute external code without integrity check.
APSC_DV.001460.ISE - Ensure sufficient session expiration
APSC_DV.001460.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
APSC_DV.001460.LUAFLA - Lock out the user after failed login attempts
APSC_DV.001460.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
APSC_DV.001460.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
APSC_DV.001460.PBRTE - Always specify absolute path to execute commands
APSC_DV.001460.PDTDP - Prevent DTD processing
APSC_DV.001460.RSAKS - Use RSA keys of 2048 bits or longer
APSC_DV.001460.RSFSS - Do not re-create string from SecureString.
APSC_DV.001460.SDE - Avoid inclusion of sensitive data in exception
APSC_DV.001460.SSFP - Use SecureString instead of String for password.
APSC_DV.001460.UAA - Use authorization attributes on pages and controllers
APSC_DV.001460.UAAMC - Ensure that authorization attributes match the controller
APSC_DV.001460.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.001460.VAFT - Use anti-forgery attributes on POST methods
APSC_DV.001460.VLT - Validate shortcut target paths before use
APSC_DV.001660.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.001860.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.001860.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002000.ISE - Ensure sufficient session expiration
APSC_DV.002010.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002010.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002290.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002290.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.002350.ACCA - Avoid using custom cryptographic algorithms.
APSC_DV.002350.UOWR - Use OAEP with RSA algorithm encryption.
BRM.APNFT - Always provide names for threads
BRM.CMT.MSC - Members should be commented
BRM.CMT.TSC - Types should be commented
BRM.HBCM - Avoid hiding methods from base classes
BRM.HBCP - Avoid hiding properties from base classes
BRM.MLL - Keep line length within predefined parameters
CMUG.MU.AUPM - Avoid unused private methods
CS.BRM.AIBA - Avoid 'is' before 'as'
CS.BRM.BEB - Avoid block statements with empty bodies.
CS.BRM.CCB - Always enclose if and else bodies with curly braces
CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies.
CS.BRM.ES - Use string.Empty for empty strings
CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members
CS.BRM.ICB - Always enclose iteration statements bodies with curly braces.
CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions.
CS.BRM.IEB - Avoid initialization statements with empty bodies.
CS.BRM.KFATNC - Keep file and type names consistent
CS.BRM.SCHR - Avoid using the Strings.Chr() and Strings.ChrW() methods in C# code.
CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement
CS.BRM.UCB - Always enclose using statement body with curly braces.
CS.CDD.DUPU - Avoid duplicate using statements
CS.EU.VZS - Ensure that each enum has member with value 0
CS.INTER.ITT - String literals should be internationalized
CS.NG.VAR.PNCFV - Follow proper naming convention for method variables and consts.
CS.PB.ANIL - Avoid non-iterable loops.
CS.PB.AWC - Avoid assignment within a condition.
CS.PB.BITBOOL - Do not use bitwise operators on bool operands.
CS.PB.CCA - Avoid confusing assignments to constructor arguments.
CS.PB.CEB - Avoid conditional statements with empty bodies.
CS.PB.CNFA - Check for 'null' when using 'as' operator
CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement.
CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies.
CS.PB.FPLI - Do not use floating point variables as loop indices.
CS.PB.IDNE - Avoid increment and decrement statements which have no effect
CS.PB.IEB - Avoid iteration statements with empty bodies.
CS.PB.IVFLC - Use initializer variable in a condition of 'for' loop
CS.PB.IVFLI - Use initializer variable in 'for' loop iterator section.
CS.PB.MCO - Review '?:' operator for potential misuse.
CS.PB.NACC - Avoid inaccessible classes and structs.
CS.PB.NSIVFLB - Do not modify 'for' loop initializer variable in 'for' loop body.
CS.PB.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
CS.PB.PUO - Avoid using the unary + operator
CS.PB.USC.CC - Avoid unreachable code in condition
CS.PB.USC.UC - Avoid unreachable code
CS.PB.VTNV - Do not compare value types to null
CS.PB.WIBS - Avoid wrong indentation of blockless statements
CS.SEC.AUK - Avoid 'unsafe' keyword.
CS.SEC.RSFSS - Do not re-create string from SecureString.
CS.SEC.SSFP - Use SecureString instead of String for password.
CS.TRS.LCB - Always enclose lock statement body with curly braces.
CS.TRS.LEB - Avoid lock statements with empty bodies.
CT.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
CT.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
CWE.120.AUK - Avoid 'unsafe' keyword.
CWE.131.AUK - Avoid 'unsafe' keyword.
CWE.1321.SDE - Avoid inclusion of sensitive data in exception
CWE.1386.VLT - Validate shortcut target paths before use
CWE.190.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
CWE.190.AIWIL - Avoid indexer wraparound in loops.
CWE.191.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
CWE.191.AIWIL - Avoid indexer wraparound in loops.
CWE.197.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
CWE.200.SDE - Avoid inclusion of sensitive data in exception
CWE.209.SDE - Avoid inclusion of sensitive data in exception
CWE.250.AUEP - Avoid using elevated privileges.
CWE.269.UAAMC - Ensure that authorization attributes match the controller
CWE.287.IIPHEU - Do not rely on reverse DNS resolution for security decisions
CWE.287.LUAFLA - Lock out the user after failed login attempts
CWE.287.UAAMC - Ensure that authorization attributes match the controller
CWE.295.DNICV - Do not disable SSL certificate validation
CWE.307.LUAFLA - Lock out the user after failed login attempts
CWE.316.RSFSS - Do not re-create string from SecureString.
CWE.316.SSFP - Use SecureString instead of String for password.
CWE.326.RSAKS - Use RSA keys of 2048 bits or longer
CWE.327.ACCA - Avoid using custom cryptographic algorithms.
CWE.329.ACCA - Avoid using custom cryptographic algorithms.
CWE.350.IIPHEU - Do not rely on reverse DNS resolution for security decisions
CWE.352.VAFT - Use anti-forgery attributes on POST methods
CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
CWE.396.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
CWE.397.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
CWE.426.PBRTE - Always specify absolute path to execute commands
CWE.427.DNICV - Do not disable SSL certificate validation
CWE.476.CNFA - Check for 'null' when using 'as' operator
CWE.480.PUO - Avoid using the unary + operator
CWE.481.AWC - Avoid assignment within a condition.
CWE.494.IREC - Do not execute external code without integrity check.
CWE.522.VLT - Validate shortcut target paths before use
CWE.532.ALSI - Avoid logging sensitive information
CWE.561.UC - Avoid unreachable code
CWE.59.VLT - Validate shortcut target paths before use
CWE.595.REVT - Do not use ReferenceEquals() on value types.
CWE.611.PDTDP - Prevent DTD processing
CWE.613.ISE - Ensure sufficient session expiration
CWE.617.ATA - Do not use the Trace.Assert() method in production code
CWE.64.VLT - Validate shortcut target paths before use
CWE.676.APDM - Avoid using potentially dangerous methods.
CWE.681.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
CWE.770.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
CWE.780.UOWR - Use OAEP with RSA algorithm encryption.
CWE.827.PDTDP - Prevent DTD processing
CWE.835.IVFLC - Use initializer variable in a condition of 'for' loop
CWE.835.IVFLI - Use initializer variable in 'for' loop iterator section.
CWE.835.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements.
CWE.838.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
CWE.862.UAA - Use authorization attributes on pages and controllers
CWE.863.UAAMC - Ensure that authorization attributes match the controller
EXCEPT.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
IFD.IDDR - Implement IDisposable in types which are using disposable resources
OPU.CPNEQ - Compare parameter of Equals(Object) method to null
OPU.CPTEQ - Compare parameter type of Equals(Object) method
OPU.REVT - Do not use ReferenceEquals() on value types.
OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
OWASP2017.A2.ISE - Ensure sufficient session expiration
OWASP2017.A2.LUAFLA - Lock out the user after failed login attempts
OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms.
OWASP2017.A3.ALSI - Avoid logging sensitive information
OWASP2017.A3.DNICV - Do not disable SSL certificate validation
OWASP2017.A3.RSFSS - Do not re-create string from SecureString.
OWASP2017.A3.SDE - Avoid inclusion of sensitive data in exception
OWASP2017.A3.SSFP - Use SecureString instead of String for password.
OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2017.A4.PDTDP - Prevent DTD processing
OWASP2017.A5.AUEP - Avoid using elevated privileges.
OWASP2017.A5.UAA - Use authorization attributes on pages and controllers
OWASP2017.A5.UAAMC - Ensure that authorization attributes match the controller
OWASP2017.A5.VAFT - Use anti-forgery attributes on POST methods
OWASP2017.A6.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2017.A6.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2019.API10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
OWASP2019.API2.LUAFLA - Lock out the user after failed login attempts
OWASP2019.API2.RSFSS - Do not re-create string from SecureString.
OWASP2019.API2.SSFP - Use SecureString instead of String for password.
OWASP2019.API3.ACCA - Avoid using custom cryptographic algorithms.
OWASP2019.API3.ALSI - Avoid logging sensitive information
OWASP2019.API3.ATA - Do not use the Trace.Assert() method in production code
OWASP2019.API3.SDE - Avoid inclusion of sensitive data in exception
OWASP2019.API3.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2019.API4.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
OWASP2019.API5.ISE - Ensure sufficient session expiration
OWASP2019.API5.UAA - Use authorization attributes on pages and controllers
OWASP2019.API5.UAAMC - Ensure that authorization attributes match the controller
OWASP2019.API7.DNICV - Do not disable SSL certificate validation
OWASP2019.API7.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
OWASP2019.API7.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2019.API7.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2019.API8.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
OWASP2019.API8.AUK - Avoid 'unsafe' keyword.
OWASP2019.API8.IREC - Do not execute external code without integrity check.
OWASP2019.API8.PBRTE - Always specify absolute path to execute commands
OWASP2019.API8.PDTDP - Prevent DTD processing
OWASP2021.A1.AUEP - Avoid using elevated privileges.
OWASP2021.A1.DNICV - Do not disable SSL certificate validation
OWASP2021.A1.UAA - Use authorization attributes on pages and controllers
OWASP2021.A1.UAAMC - Ensure that authorization attributes match the controller
OWASP2021.A1.VAFT - Use anti-forgery attributes on POST methods
OWASP2021.A1.VLT - Validate shortcut target paths before use
OWASP2021.A2.ACCA - Avoid using custom cryptographic algorithms.
OWASP2021.A2.RSAKS - Use RSA keys of 2048 bits or longer
OWASP2021.A2.UOWR - Use OAEP with RSA algorithm encryption.
OWASP2021.A4.RSFSS - Do not re-create string from SecureString.
OWASP2021.A4.SDE - Avoid inclusion of sensitive data in exception
OWASP2021.A4.SSFP - Use SecureString instead of String for password.
OWASP2021.A5.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
OWASP2021.A5.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
OWASP2021.A5.PDTDP - Prevent DTD processing
OWASP2021.A7.IIPHEU - Do not rely on reverse DNS resolution for security decisions
OWASP2021.A7.ISE - Ensure sufficient session expiration
OWASP2021.A7.LUAFLA - Lock out the user after failed login attempts
OWASP2021.A8.IREC - Do not execute external code without integrity check.
OWASP2021.A8.PBRTE - Always specify absolute path to execute commands
OWASP2021.A9.ALSI - Avoid logging sensitive information
OWASP2021.A9.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PB.ACDE - Avoid calling the Application.DoEvents() method
PB.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods
PB.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
PB.CFF - Verify number of arguments in Composite Formatting feature
PB.DNCF - Do not compare floating-point types for equality.
PB.EMPTYMETHODS - Avoid empty methods
PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty
PB.STATICFLD - Do not write to static fields from non-static methods
PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks.
PCIDSS32.6510.ISE - Ensure sufficient session expiration
PCIDSS32.6510.LUAFLA - Lock out the user after failed login attempts
PCIDSS32.652.AUK - Avoid 'unsafe' keyword.
PCIDSS32.653.ACCA - Avoid using custom cryptographic algorithms.
PCIDSS32.653.RSFSS - Do not re-create string from SecureString.
PCIDSS32.653.SSFP - Use SecureString instead of String for password.
PCIDSS32.653.UOWR - Use OAEP with RSA algorithm encryption.
PCIDSS32.654.RSFSS - Do not re-create string from SecureString.
PCIDSS32.654.SSFP - Use SecureString instead of String for password.
PCIDSS32.655.ATA - Do not use the Trace.Assert() method in production code
PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PCIDSS32.655.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS32.655.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS32.658.AUEP - Avoid using elevated privileges.
PCIDSS32.658.PBRTE - Always specify absolute path to execute commands
PCIDSS32.658.UAA - Use authorization attributes on pages and controllers
PCIDSS32.658.UAAMC - Ensure that authorization attributes match the controller
PCIDSS32.659.VAFT - Use anti-forgery attributes on POST methods
PCIDSS40.6242.AIWIL - Avoid indexer wraparound in loops.
PCIDSS40.6242.AUK - Avoid 'unsafe' keyword.
PCIDSS40.6243.ACCA - Avoid using custom cryptographic algorithms.
PCIDSS40.6243.RSFSS - Do not re-create string from SecureString.
PCIDSS40.6243.SSFP - Use SecureString instead of String for password.
PCIDSS40.6243.UOWR - Use OAEP with RSA algorithm encryption.
PCIDSS40.6244.ATA - Do not use the Trace.Assert() method in production code
PCIDSS40.6244.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
PCIDSS40.6244.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS40.6244.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
PCIDSS40.6244.SDE - Avoid inclusion of sensitive data in exception
PCIDSS40.6245.AUEP - Avoid using elevated privileges.
PCIDSS40.6245.DNICV - Do not disable SSL certificate validation
PCIDSS40.6245.IIPHEU - Do not rely on reverse DNS resolution for security decisions
PCIDSS40.6245.ISE - Ensure sufficient session expiration
PCIDSS40.6245.LUAFLA - Lock out the user after failed login attempts
PCIDSS40.6245.PBRTE - Always specify absolute path to execute commands
PCIDSS40.6245.UAA - Use authorization attributes on pages and controllers
PCIDSS40.6245.UAAMC - Ensure that authorization attributes match the controller
SEC.ACCA - Avoid using custom cryptographic algorithms.
SEC.ACWNS - There should be no classes without namespace.
SEC.AIWIL - Avoid indexer wraparound in loops.
SEC.ALSI - Avoid logging sensitive information
SEC.APDM - Avoid using potentially dangerous methods.
SEC.ATA - Do not use the Trace.Assert() method in production code
SEC.AUEP - Avoid using elevated privileges.
SEC.IREC - Do not execute external code without integrity check.
SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
SEC.PBRTE - Always specify absolute path to execute commands
SEC.RSAKS - Use RSA keys of 2048 bits or longer
SEC.SDE - Avoid inclusion of sensitive data in exception
SEC.UOWR - Use OAEP with RSA algorithm encryption.
SEC.VLT - Validate shortcut target paths before use
SEC.WEB.DNICV - Do not disable SSL certificate validation
SEC.WEB.IIPHEU - Do not rely on reverse DNS resolution for security decisions
SEC.WEB.ISE - Ensure sufficient session expiration
SEC.WEB.LUAFLA - Lock out the user after failed login attempts
SEC.WEB.UAA - Use authorization attributes on pages and controllers
SEC.WEB.UAAMC - Ensure that authorization attributes match the controller
SEC.WEB.UHCF - Avoid instantiating the HttpClient class by creating a HttpClient object
SEC.WEB.VAFT - Use anti-forgery attributes on POST methods
SEC.XXE.PDTDP - Prevent DTD processing
SERIAL.XML.SOAFAP - Make sure that type of serialized field/property is compatible with type used in XmlElementAttribute
VB.BRM.ES - Use string.Empty for empty strings
VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement
VVSG.11_1_B.ALSI - Avoid logging sensitive information
VVSG.11_3_1_A.UAA - Use authorization attributes on pages and controllers
VVSG.11_3_1_A.UAAMC - Ensure that authorization attributes match the controller
VVSG.11_4_A.AUEP - Avoid using elevated privileges.
VVSG.11_4_A.UAA - Use authorization attributes on pages and controllers
VVSG.11_5_A.ISE - Ensure sufficient session expiration
VVSG.11_5_C.LUAFLA - Lock out the user after failed login attempts
VVSG.13_3_C.RSAKS - Use RSA keys of 2048 bits or longer
VVSG.13_3_C.UOWR - Use OAEP with RSA algorithm encryption.
VVSG.14_2_G.AUPM - Avoid unused private methods
VVSG.14_2_G.NACC - Avoid inaccessible classes and structs.
VVSG.14_2_G.UC - Avoid unreachable code
VVSG.14_2_G.USCCC - Avoid unreachable code in condition
VVSG.2_5_2_A.IREC - Do not execute external code without integrity check.
VVSG.2_5_2_A.VAFT - Use anti-forgery attributes on POST methods
VVSG.2_5_2_A.VLT - Validate shortcut target paths before use
VVSG.2_5_4_C.AUK - Avoid 'unsafe' keyword.
VVSG.2_5_4_F.AIOAC - Avoid possible integer overflow in assignment and comparison expressions
VVSG.2_5_4_F.AIWIL - Avoid indexer wraparound in loops.
VVSG.2_5_4_I.CNFA - Check for 'null' when using 'as' operator
VVSG.2_5_4_J.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing.
VVSG.3_1_1_C.MSC - Members should be commented
VVSG.3_1_1_C.TSC - Types should be commented
VVSG.5_2_B.ITT - String literals should be internationalized
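Because the list above only names each rule, the following C# sample shows what four of the most widely mapped security rules (RSAKS/UOWR, PDTDP, DNICV and UAA/VAFT) actually look like in code, with the flagged shape beside the form that passes. This is an added example written for this page; it is not Parasoft's own rule documentation or reference code. Everything except the two controller classes uses only the .NET base class library; the controllers assume an ASP.NET Core MVC project reference, and all class and method names here are the author's own.

```csharp
// Added example: the code shape each rule flags, beside the compliant form.
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
using Microsoft.AspNetCore.Authorization;   // assumption: ASP.NET Core MVC is referenced
using Microsoft.AspNetCore.Mvc;

public static class CryptoRules
{
    // RSAKS + UOWR: a 1024-bit key with PKCS#1 v1.5 padding.
    public static byte[] EncryptFlagged(byte[] plaintext)
    {
        using var rsa = RSA.Create(1024);                           // RSAKS: below 2048 bits
        return rsa.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);  // UOWR: not OAEP
    }

    // Compliant: caller supplies a key of at least 2048 bits; OAEP with SHA-256 is used.
    public static byte[] EncryptCompliant(RSA key, byte[] plaintext)
    {
        if (key.KeySize < 2048) throw new ArgumentException("RSA key must be at least 2048 bits");
        return key.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    public static byte[] DecryptCompliant(RSA key, byte[] ciphertext)
        => key.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
}

public static class XmlRules
{
    // PDTDP: parsing DTDs with a resolver lets an external entity pull in local files or URLs.
    public static XmlReader ReaderFlagged(string xml) =>
        XmlReader.Create(new StringReader(xml), new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,      // PDTDP
            XmlResolver = new XmlUrlResolver()
        });

    // Compliant: any DOCTYPE is rejected and no resolver is available.
    public static XmlReader ReaderCompliant(string xml) =>
        XmlReader.Create(new StringReader(xml), new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        });
}

public static class TlsRules
{
    // DNICV: a callback that always returns true accepts any certificate, forged ones included.
    public static HttpClientHandler HandlerFlagged() => new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true  // DNICV
    };

    // Compliant: leave the callback unset so the platform's chain validation runs.
    public static HttpClientHandler HandlerCompliant() => new HttpClientHandler();
}

// UAA + VAFT: no [Authorize] on the controller and no anti-forgery check on the POST action.
public class TransferFlaggedController : Controller
{
    [HttpPost]
    public IActionResult Transfer(decimal amount) => Ok();   // UAA, VAFT
}

// Compliant form of the same controller.
[Authorize]
public class TransferController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Transfer(decimal amount) => Ok();
}

public static class Program
{
    public static void Main()
    {
        using var key = RSA.Create(2048);
        var secret = Encoding.UTF8.GetBytes("constructed sample plaintext");
        var ciphertext = CryptoRules.EncryptCompliant(key, secret);
        Console.WriteLine(Encoding.UTF8.GetString(CryptoRules.DecryptCompliant(key, ciphertext)));

        // Constructed XXE probe: the compliant reader throws XmlException on the DOCTYPE.
        const string probe = "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/hostname\">]><d>&x;</d>";
        try { XmlRules.ReaderCompliant(probe).Read(); }
        catch (XmlException e) { Console.WriteLine("DTD rejected: " + e.Message); }
    }
}
```

The compliant variants are the settings a reviewer should expect to find when a finding for one of these rules is closed: a key size check before RSA encryption, DtdProcessing.Prohibit with a null resolver, no custom certificate callback, and both [Authorize] and [ValidateAntiForgeryToken] on state-changing actions. Note that the handler returned by TlsRules is meant to be wired through a configured HttpClient factory rather than passed to a freshly constructed HttpClient, since direct instantiation is itself flagged by the UHCF rule in the list above.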