
The following rules can be enabled in Live Static Analysis mode:

APSC_DV.001460.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
APSC_DV.001460.UIS - Use the standard pattern while implementing ISerializable
APSC_DV.000160.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.000160.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.000160.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.000170.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.000170.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.000170.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.000460.UAA - Use authorization attributes on pages and controllers 
APSC_DV.000500.AUEP - Avoid using elevated privileges. 
APSC_DV.000510.ISE - Ensure sufficient session expiration 
APSC_DV.000510.UAA - Use authorization attributes on pages and controllers 
APSC_DV.000530.LUAFLA - Lock out the user after failed login attempts 
APSC_DV.000650.ALSI - Avoid logging sensitive information 
APSC_DV.001460.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.001460.ALSI - Avoid logging sensitive information 
APSC_DV.001460.AUEP - Avoid using elevated privileges. 
APSC_DV.001460.DNICV - Do not disable SSL certificate validation 
APSC_DV.001460.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
APSC_DV.001460.IREC - Do not execute external code without integrity check. 
APSC_DV.001460.ISE - Ensure sufficient session expiration 
APSC_DV.001460.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
APSC_DV.001460.LUAFLA - Lock out the user after failed login attempts 
APSC_DV.001460.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
APSC_DV.001460.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
APSC_DV.001460.PBRTE - Always specify absolute path to execute commands 
APSC_DV.001460.PDTDP - Prevent DTD processing 
APSC_DV.001460.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.001460.RSFSS - Do not re-create string from SecureString. 
APSC_DV.001460.SDE - Avoid inclusion of sensitive data in exception 
APSC_DV.001460.SSFP - Use SecureString instead of String for password. 
APSC_DV.001460.UAA - Use authorization attributes on pages and controllers 
APSC_DV.001460.UAAMC - Ensure that authorization attributes match the controller 
APSC_DV.001460.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.001460.VAFT - Use anti-forgery attributes on POST methods 
APSC_DV.001460.VLT - Validate shortcut target paths before use 
APSC_DV.001660.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.001860.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.001860.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.002000.ISE - Ensure sufficient session expiration 
APSC_DV.002010.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002010.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.002290.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002290.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.002350.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002350.UOWR - Use OAEP with RSA algorithm encryption. 
BRM.APNFT - Always provide names for threads 
BRM.CMT.MSC - Members should be commented 
BRM.CMT.TSC - Types should be commented 
BRM.HBCM - Avoid hiding methods from base classes 
BRM.HBCP - Avoid hiding properties from base classes 
BRM.MLL - Keep line length within predefined parameters 
CMUG.MU.AUPM - Avoid unused private methods 
CS.BRM.AIBA - Avoid 'is' before 'as' 
CS.BRM.BEB - Avoid block statements with empty bodies. 
CS.BRM.CCB - Always enclose if and else bodies with curly braces 
CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies. 
CS.BRM.ES - Use string.Empty for empty strings 
CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members 
CS.BRM.ICB - Always enclose iteration statements bodies with curly braces. 
CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions. 
CS.BRM.IEB - Avoid initialization statements with empty bodies. 
CS.BRM.KFATNC - Keep file and type names consistent 
CS.BRM.RFINE - Do not use large if-clause with small else-clause that returns
CS.BRM.SCHR - Avoid using the Strings.Chr() and Strings.ChrW() methods in C# code. 
CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement 
CS.BRM.UCB - Always enclose using statement body with curly braces. 
CS.CDD.DUPU - Avoid duplicate using statements 
CS.CMUG.PRU.FSPP - Follow standard pattern for property accessors.
CS.EU.VZS - Ensure that each enum has member with value 0 
CS.INTER.ITT - String literals should be internationalized 
CS.NG.VAR.PNCFV - Follow proper naming convention for method variables and consts. 
CS.PB.ANIL - Avoid non-iterable loops. 
CS.PB.AWC - Avoid assignment within a condition. 
CS.PB.BITBOOL - Do not use bitwise operators on bool operands. 
CS.PB.CCA - Avoid confusing assignments to constructor arguments. 
CS.PB.CEB - Avoid conditional statements with empty bodies. 
CS.PB.CNFA - Check for 'null' when using 'as' operator 
CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement. 
CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies. 
CS.PB.FPLI - Do not use floating point variables as loop indices. 
CS.PB.IDNE - Avoid increment and decrement statements which have no effect 
CS.PB.IEB - Avoid iteration statements with empty bodies. 
CS.PB.IVFLC - Use initializer variable in a condition of 'for' loop 
CS.PB.IVFLI - Use initializer variable in 'for' loop iterator section. 
CS.PB.MCO - Review '?:' operator for potential misuse. 
CS.PB.NACC - Avoid inaccessible classes and structs. 
CS.PB.NSIVFLB - Do not modify 'for' loop initializer variable in 'for' loop body. 
CS.PB.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements. 
CS.PB.PUO - Avoid using the unary + operator 
CS.PB.USC.CC - Avoid unreachable code in condition 
CS.PB.USC.UC - Avoid unreachable code 
CS.PB.VTNV - Do not compare value types to null 
CS.PB.WIBS - Avoid wrong indentation of blockless statements
CS.PE.VFFP - Verify FileDialog filter pattern.
CS.PFEL - Use foreach loops instead of for loops
CS.PROTC - Prefer readonly over const 
CS.SEC.AUK - Avoid 'unsafe' keyword. 
CS.SEC.RSFSS - Do not re-create string from SecureString
CS.SEC.SSFP - Use SecureString instead of String for password. 
CS.SERIAL.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
CS.SERIAL.SOIS - Do not store non-serializable objects in Session.
CS.SERIAL.UIS - Use the standard pattern while implementing ISerializable. 
CS.TRS.LCB - Always enclose lock statement body with curly braces. 
CS.TRS.LEB - Avoid lock statements with empty bodies. 
CT.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation 
CT.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
CWE.120.AUK - Avoid 'unsafe' keyword. 
CWE.131.AUK - Avoid 'unsafe' keyword. 
CWE.1321.SDE - Avoid inclusion of sensitive data in exception 
CWE.1386.VLT - Validate shortcut target paths before use 
CWE.190.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
CWE.190.AIWIL - Avoid indexer wraparound in loops. 
CWE.191.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
CWE.191.AIWIL - Avoid indexer wraparound in loops. 
CWE.197.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation 
CWE.200.SDE - Avoid inclusion of sensitive data in exception 
CWE.209.SDE - Avoid inclusion of sensitive data in exception 
CWE.250.AUEP - Avoid using elevated privileges. 
CWE.269.UAAMC - Ensure that authorization attributes match the controller 
CWE.287.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
CWE.287.LUAFLA - Lock out the user after failed login attempts 
CWE.287.UAAMC - Ensure that authorization attributes match the controller 
CWE.295.DNICV - Do not disable SSL certificate validation 
CWE.307.LUAFLA - Lock out the user after failed login attempts 
CWE.316.RSFSS - Do not re-create string from SecureString. 
CWE.316.SSFP - Use SecureString instead of String for password. 
CWE.326.RSAKS - Use RSA keys of 2048 bits or longer 
CWE.327.ACCA - Avoid using custom cryptographic algorithms. 
CWE.329.ACCA - Avoid using custom cryptographic algorithms. 
CWE.350.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
CWE.352.VAFT - Use anti-forgery attributes on POST methods 
CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
CWE.396.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
CWE.397.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
CWE.426.PBRTE - Always specify absolute path to execute commands 
CWE.427.DNICV - Do not disable SSL certificate validation 
CWE.476.CNFA - Check for 'null' when using 'as' operator 
CWE.480.PUO - Avoid using the unary + operator 
CWE.481.AWC - Avoid assignment within a condition. 
CWE.494.IREC - Do not execute external code without integrity check. 
CWE.502.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
CWE.502.UIS - Use the standard pattern while implementing ISerializable
CWE.522.VLT - Validate shortcut target paths before use 
CWE.532.ALSI - Avoid logging sensitive information 
CWE.561.UC - Avoid unreachable code 
CWE.59.VLT - Validate shortcut target paths before use 
CWE.595.REVT - Do not use ReferenceEquals() on value types. 
CWE.611.PDTDP - Prevent DTD processing 
CWE.613.ISE - Ensure sufficient session expiration 
CWE.617.ATA - Do not use the Trace.Assert() method in production code 
CWE.64.VLT - Validate shortcut target paths before use 
CWE.676.APDM - Avoid using potentially dangerous methods. 
CWE.681.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
CWE.770.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object 
CWE.780.UOWR - Use OAEP with RSA algorithm encryption. 
CWE.827.PDTDP - Prevent DTD processing 
CWE.835.IVFLC - Use initializer variable in a condition of 'for' loop 
CWE.835.IVFLI - Use initializer variable in 'for' loop iterator section. 
CWE.835.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements. 
CWE.838.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
CWE.862.UAA - Use authorization attributes on pages and controllers 
CWE.863.UAAMC - Ensure that authorization attributes match the controller 
EXCEPT.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing. 
IFD.IDDR - Implement IDisposable in types which are using disposable resources 
OPU.CPNEQ - Compare parameter of Equals(Object) method to null 
OPU.CPTEQ - Compare parameter type of Equals(Object) method 
OPU.REVT - Do not use ReferenceEquals() on value types. 
OWASP_ASVS_403.V1_5_2.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V1_5_2.UIS - Use the standard pattern while implementing ISerializable
OWASP_ASVS_403.V5_5_1.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V5_5_1.UIS - Use the standard pattern while implementing ISerializable
OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
OWASP2017.A2.ISE - Ensure sufficient session expiration 
OWASP2017.A2.LUAFLA - Lock out the user after failed login attempts 
OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2017.A3.ALSI - Avoid logging sensitive information 
OWASP2017.A3.DNICV - Do not disable SSL certificate validation 
OWASP2017.A3.RSFSS - Do not re-create string from SecureString. 
OWASP2017.A3.SDE - Avoid inclusion of sensitive data in exception 
OWASP2017.A3.SSFP - Use SecureString instead of String for password. 
OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2017.A4.PDTDP - Prevent DTD processing 
OWASP2017.A5.AUEP - Avoid using elevated privileges. 
OWASP2017.A5.UAA - Use authorization attributes on pages and controllers 
OWASP2017.A5.UAAMC - Ensure that authorization attributes match the controller 
OWASP2017.A5.VAFT - Use anti-forgery attributes on POST methods 
OWASP2017.A6.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2017.A6.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2017.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP2017.A8.UIS - Use the standard pattern while implementing ISerializable
OWASP2019.API10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
OWASP2019.API2.LUAFLA - Lock out the user after failed login attempts 
OWASP2019.API2.RSFSS - Do not re-create string from SecureString. 
OWASP2019.API2.SSFP - Use SecureString instead of String for password. 
OWASP2019.API3.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2019.API3.ALSI - Avoid logging sensitive information 
OWASP2019.API3.ATA - Do not use the Trace.Assert() method in production code 
OWASP2019.API3.SDE - Avoid inclusion of sensitive data in exception 
OWASP2019.API3.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2019.API4.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object 
OWASP2019.API5.ISE - Ensure sufficient session expiration 
OWASP2019.API5.UAA - Use authorization attributes on pages and controllers 
OWASP2019.API5.UAAMC - Ensure that authorization attributes match the controller 
OWASP2019.API7.DNICV - Do not disable SSL certificate validation 
OWASP2019.API7.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
OWASP2019.API7.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2019.API7.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2019.API8.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
OWASP2019.API8.AUK - Avoid 'unsafe' keyword. 
OWASP2019.API8.IREC - Do not execute external code without integrity check. 
OWASP2019.API8.PBRTE - Always specify absolute path to execute commands 
OWASP2019.API8.PDTDP - Prevent DTD processing 
OWASP2021.A1.AUEP - Avoid using elevated privileges. 
OWASP2021.A1.DNICV - Do not disable SSL certificate validation 
OWASP2021.A1.UAA - Use authorization attributes on pages and controllers 
OWASP2021.A1.UAAMC - Ensure that authorization attributes match the controller 
OWASP2021.A1.VAFT - Use anti-forgery attributes on POST methods 
OWASP2021.A1.VLT - Validate shortcut target paths before use 
OWASP2021.A2.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2021.A2.RSAKS - Use RSA keys of 2048 bits or longer 
OWASP2021.A2.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2021.A4.RSFSS - Do not re-create string from SecureString. 
OWASP2021.A4.SDE - Avoid inclusion of sensitive data in exception 
OWASP2021.A4.SSFP - Use SecureString instead of String for password. 
OWASP2021.A5.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2021.A5.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2021.A5.PDTDP - Prevent DTD processing 
OWASP2021.A7.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
OWASP2021.A7.ISE - Ensure sufficient session expiration 
OWASP2021.A7.LUAFLA - Lock out the user after failed login attempts 
OWASP2021.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP2021.A8.IREC - Do not execute external code without integrity check. 
OWASP2021.A8.PBRTE - Always specify absolute path to execute commands 
OWASP2021.A8.UIS - Use the standard pattern while implementing ISerializable.
OWASP2021.A9.ALSI - Avoid logging sensitive information 
OWASP2021.A9.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PB.ACDE - Avoid calling the Application.DoEvents() method 
PB.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
PB.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
PB.CFF - Verify number of arguments in Composite Formatting feature 
PB.DNCF - Do not compare floating-point types for equality. 
PB.EMPTYMETHODS - Avoid empty methods 
PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty 
PB.STATICFLD - Do not write to static fields from non-static methods 
PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks. 
PCIDSS32.6510.ISE - Ensure sufficient session expiration 
PCIDSS32.6510.LUAFLA - Lock out the user after failed login attempts 
PCIDSS32.652.AUK - Avoid 'unsafe' keyword. 
PCIDSS32.653.ACCA - Avoid using custom cryptographic algorithms. 
PCIDSS32.653.RSFSS - Do not re-create string from SecureString. 
PCIDSS32.653.SSFP - Use SecureString instead of String for password. 
PCIDSS32.653.UOWR - Use OAEP with RSA algorithm encryption. 
PCIDSS32.654.RSFSS - Do not re-create string from SecureString. 
PCIDSS32.654.SSFP - Use SecureString instead of String for password. 
PCIDSS32.655.ATA - Do not use the Trace.Assert() method in production code 
PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PCIDSS32.655.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS32.655.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS32.658.AUEP - Avoid using elevated privileges. 
PCIDSS32.658.PBRTE - Always specify absolute path to execute commands 
PCIDSS32.658.UAA - Use authorization attributes on pages and controllers 
PCIDSS32.658.UAAMC - Ensure that authorization attributes match the controller 
PCIDSS32.659.VAFT - Use anti-forgery attributes on POST methods 
PCIDSS40.6242.AIWIL - Avoid indexer wraparound in loops. 
PCIDSS40.6242.AUK - Avoid 'unsafe' keyword. 
PCIDSS40.6243.ACCA - Avoid using custom cryptographic algorithms. 
PCIDSS40.6243.RSFSS - Do not re-create string from SecureString. 
PCIDSS40.6243.SSFP - Use SecureString instead of String for password. 
PCIDSS40.6243.UOWR - Use OAEP with RSA algorithm encryption. 
PCIDSS40.6244.ATA - Do not use the Trace.Assert() method in production code 
PCIDSS40.6244.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PCIDSS40.6244.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS40.6244.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS40.6244.SDE - Avoid inclusion of sensitive data in exception 
PCIDSS40.6245.AUEP - Avoid using elevated privileges. 
PCIDSS40.6245.DNICV - Do not disable SSL certificate validation 
PCIDSS40.6245.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
PCIDSS40.6245.ISE - Ensure sufficient session expiration 
PCIDSS40.6245.LUAFLA - Lock out the user after failed login attempts 
PCIDSS40.6245.PBRTE - Always specify absolute path to execute commands 
PCIDSS40.6245.UAA - Use authorization attributes on pages and controllers 
PCIDSS40.6245.UAAMC - Ensure that authorization attributes match the controller 
SEC.ACCA - Avoid using custom cryptographic algorithms. 
SEC.ACWNS - There should be no classes without namespace. 
SEC.AIWIL - Avoid indexer wraparound in loops. 
SEC.ALSI - Avoid logging sensitive information 
SEC.APDM - Avoid using potentially dangerous methods. 
SEC.ATA - Do not use the Trace.Assert() method in production code 
SEC.AUEP - Avoid using elevated privileges. 
SEC.IREC - Do not execute external code without integrity check. 
SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
SEC.PBRTE - Always specify absolute path to execute commands 
SEC.RSAKS - Use RSA keys of 2048 bits or longer 
SEC.SDE - Avoid inclusion of sensitive data in exception 
SEC.UOWR - Use OAEP with RSA algorithm encryption. 
SEC.VLT - Validate shortcut target paths before use 
SEC.WEB.DNICV - Do not disable SSL certificate validation 
SEC.WEB.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
SEC.WEB.ISE - Ensure sufficient session expiration 
SEC.WEB.LUAFLA - Lock out the user after failed login attempts 
SEC.WEB.UAA - Use authorization attributes on pages and controllers 
SEC.WEB.UAAMC - Ensure that authorization attributes match the controller 
SEC.WEB.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object 
SEC.WEB.VAFT - Use anti-forgery attributes on POST methods 
SEC.XXE.PDTDP - Prevent DTD processing 
SERIAL.XML.SOAFAP - Make sure that type of serialized field/property is compatible with type used in XmlElementAttribute 
VB.BRM.ES - Use string.Empty for empty strings 
VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement 
VVSG.11_1_B.ALSI - Avoid logging sensitive information 
VVSG.11_3_1_A.UAA - Use authorization attributes on pages and controllers 
VVSG.11_3_1_A.UAAMC - Ensure that authorization attributes match the controller 
VVSG.11_4_A.AUEP - Avoid using elevated privileges. 
VVSG.11_4_A.UAA - Use authorization attributes on pages and controllers 
VVSG.11_5_A.ISE - Ensure sufficient session expiration 
VVSG.11_5_C.LUAFLA - Lock out the user after failed login attempts 
VVSG.13_3_C.RSAKS - Use RSA keys of 2048 bits or longer 
VVSG.13_3_C.UOWR - Use OAEP with RSA algorithm encryption. 
VVSG.14_2_G.AUPM - Avoid unused private methods 
VVSG.14_2_G.NACC - Avoid inaccessible classes and structs. 
VVSG.14_2_G.UC - Avoid unreachable code 
VVSG.14_2_G.USCCC - Avoid unreachable code in condition 
VVSG.2_5_2_A.IREC - Do not execute external code without integrity check. 
VVSG.2_5_2_A.VAFT - Use anti-forgery attributes on POST methods 
VVSG.2_5_2_A.VLT - Validate shortcut target paths before use 
VVSG.2_5_4_C.AUK - Avoid 'unsafe' keyword. 
VVSG.2_5_4_F.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
VVSG.2_5_4_F.AIWIL - Avoid indexer wraparound in loops. 
VVSG.2_5_4_I.CNFA - Check for 'null' when using 'as' operator 
VVSG.2_5_4_J.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing. 
VVSG.3_1_1_C.MSC - Members should be commented 
VVSG.3_1_1_C.TSC - Types should be commented 
VVSG.5_2_B.ITT - String literals should be internationalized
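Several of the rules above (RSAKS, UOWR and PDTDP, under their SEC, CWE, OWASP and APSC_DV prefixes) target the same small set of API calls. The following is an added example, not code from this page or from dotTEST's own documentation, showing the pattern each rule reports beside the compliant form. It assumes .NET 6 or later; the XXE probe document at the end is constructed for the demonstration.

```csharp
// Added example: the call patterns flagged by SEC.RSAKS (key shorter than 2048 bits),
// SEC.UOWR (RSA without OAEP) and SEC.XXE.PDTDP (DTD processing enabled), each next to
// a form the rules accept. Assumes .NET 6+.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

public static class RuleExamples
{
    // Flagged: 1024-bit key (RSAKS) and PKCS#1 v1.5 padding (UOWR).
    public static byte[] EncryptWeak(byte[] plaintext, out RSA key)
    {
        key = RSA.Create(1024);
        return key.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);
    }

    // Compliant: 3072-bit key, OAEP with SHA-256 as the padding scheme.
    public static byte[] EncryptSafe(byte[] plaintext, out RSA key)
    {
        key = RSA.Create(3072);
        return key.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Flagged: parsing DTDs with a network-capable resolver lets an external
    // entity declared in the document be fetched and expanded.
    public static string ReadRootWeak(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        return ReadRoot(xml, settings);
    }

    // Compliant: DTDs rejected, no resolver. A document carrying a DOCTYPE
    // throws XmlException instead of being parsed.
    public static string ReadRootSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        return ReadRoot(xml, settings);
    }

    private static string ReadRoot(string xml, XmlReaderSettings settings)
    {
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        reader.MoveToContent();
        return reader.Name;
    }

    public static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("pan=4111111111111111");
        byte[] ct = EncryptSafe(data, out RSA rsa);
        using (rsa)
        {
            byte[] pt = rsa.Decrypt(ct, RSAEncryptionPadding.OaepSHA256);
            Console.WriteLine("round trip: " + Encoding.UTF8.GetString(pt));
        }

        // Constructed XXE probe: an external entity pointing at a local file.
        const string probe =
            "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/hostname\">]><r>&x;</r>";
        try
        {
            ReadRootSafe(probe);
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The weak members are kept only so the flagged call shape is visible next to the accepted one; a real code base would contain only the Safe variants. Note that DtdProcessing.Prohibit is the XmlReaderSettings default, so the rule in practice reports code that has explicitly switched it to Parse.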


The following rules can be enabled in Live Static Analysis mode, but they are not supported when analyzing Visual Basic (.vb) files or when the dottest.rulewizard.enforceold setting is enabled:

APSC_DV.000460.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001250.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
APSC_DV.001250.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001270.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
APSC_DV.001270.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001460.DMSC - Inspect modifications to security settings    
APSC_DV.001460.NCNRE - Do not catch 'NullReferenceException'
APSC_DV.001460.SMIII - Seal methods which implement internal interfaces    
APSC_DV.001460.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001660.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001810.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001820.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001850.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001860.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.001860.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001940.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001950.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.001995.INVOKE - Prefer asynchronous calls to synchronized calls.
APSC_DV.001995.LOCKSETGET - Lock both when either set or get is locked for a property.
APSC_DV.002010.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002020.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002030.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002040.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002050.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002290.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002310.DMSC - Inspect modifications to security settings    
APSC_DV.002340.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002350.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002360.DMSC - Inspect modifications to security settings    
APSC_DV.002440.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002440.ENFL - Ensure all sensitive function invocations are logged
APSC_DV.002450.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002460.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002460.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002470.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002470.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.002480.AUSD - Inspect uses of System.DateTime for security holes
APSC_DV.002520.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002520.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002530.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002530.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002570.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
APSC_DV.002570.AUIC - Avoid using public inner classes to prevent access from untrusted classes
APSC_DV.002590.AUPS - Inspect calls to Process.Start()
APSC_DV.002960.AUPS - Inspect calls to Process.Start()
APSC_DV.003100.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
APSC_DV.003140.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
ARRU.DNUNGIF - Do not use non-generic collection for making custom collection class
ARRU.NGLVD - Do not declare local variables of non-generic collections types
BRM.BOOLNEGNAME - Use positive instead of negative terms for naming properties/methods that return a 'boolean'.
BRM.COLLPLURALNAME - Use plural name for a property of type collection/array and avoid collection/array in the name.
BRM.ISPREFIX - Use 'Is...' only for naming methods that return a "boolean"
BRM.LONGNAMES - Avoid class, struct, or interface names which are more than 14 characters long
CLS.ACAC - Provide the same accessibility for the property and its accessors
CLS.CONV - Provide alternate methods for conversion if you provide conversion operators
CLS.ENTY - Make the underlying type of enum an integral type
CLS.NOOO - Do not use operator overloading if you want to be CLS compliant 
CLS.NOPT - Do not use pointer types if you want to be CLS-compliant
CLS.PRMT - Use only CLS-compliant primitive types
CLS.TYPR - Avoid using typed references
CMUG.MU.VALRETURN - Do not use value types for returning values from methods or properties.
CMUG.PRU.DPAV - Declare properties in classes that derive from classes using nHibernate as virtual.
CS.IFD.DNPTHIS - Do not pass a reference to 'this' from inside a destructor or dispose method.
CS.OOM.CAST2CONCRETE - Avoid casts to concrete Collection types
CS.PB.INVOKE - Prefer asynchronous calls to synchronized calls.
CS.SMC - Avoid "switch" statements with many "case" statements
CS.TRS.LOCKSETGET - Lock both when either set or get is locked for a property.
CWE.330.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
CWE.362.LOCKSETGET - Lock both when either set or get is locked for a property.
CWE.395.NCNRE - Do not catch 'NullReferenceException'
CWE.829.DMSC - Inspect modifications to security settings
EXCEPT.NCNRE - Do not catch 'NullReferenceException'
GC.DCGC - Do not explicitly call 'System.GC.Collect()' or 'System.GC.Collect(int)'
GC.RCCB - Reuse calls to 'ClipBounds'
INTER.TOLOWERTOUPPER - Do not call the ToLower() and ToUpper() string methods directly.
OOM.LNDM - Avoid a large number of data members per class
OOM.LNMM - Avoid a large number of methods per class
OOM.LNPBD - Avoid a large number of public data members per class
OOM.LNPBM - Avoid a large number of public methods per class
OOM.LNPM - Avoid a large number of parameters per method
OOM.LNPTD - Avoid a large number of protected data members per class
OOM.LNPTM - Avoid a large number of protected methods per class
OOM.LNPVD - Avoid a large number of private data members per class
OOM.LNPVM - Avoid a large number of private methods per class
OOM.MLCI - Avoid too many levels of class inheritance
OPU.NOREFEQUAL - Do not override ReferenceEquals() method
OPU.NOSTATICEQUAL - Do not override static Object.Equals() method
OWASP2017.A6.DMSC - Inspect modifications to security settings    
OWASP2017.A6.NCNRE - Do not catch 'NullReferenceException'
OWASP2017.A6.SMIII - Seal methods which implement internal interfaces
OWASP2019.API1.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2019.API10.ENFL - Ensure all sensitive function invocations are logged
OWASP2019.API7.DMSC - Inspect modifications to security settings    
OWASP2019.API7.NCNRE - Do not catch 'NullReferenceException'
OWASP2019.API7.SMIII - Seal methods which implement internal interfaces    
OWASP2019.API8.AUPS - Inspect calls to Process.Start()
OWASP2021.A2.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2021.A5.NCNRE - Do not catch 'NullReferenceException'
OWASP2021.A5.SMIII - Seal methods which implement internal interfaces
OWASP2021.A8.DMSC - Inspect modifications to security settings
OWASP2023.API1.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
OWASP2023.API3.DMSC - Inspect modifications to security settings    
OWASP2023.API3.NCNRE - Do not catch 'NullReferenceException'
OWASP2023.API3.SMIII - Seal methods which implement internal interfaces    
OWASP2023.API6.ENFL - Ensure all sensitive function invocations are logged
OWASP2023.API8.DMSC - Inspect modifications to security settings    
OWASP2023.API8.NCNRE - Do not catch 'NullReferenceException'
OWASP2023.API8.SMIII - Seal methods which implement internal interfaces    
OWASP_ASVS_403.V12_3_6.DMSC - Inspect modifications to security settings
OWASP_ASVS_403.V1_11_2.LOCKSETGET - Lock both when either set or get is locked for a property.
PB.CONSOLEWRITE - Avoid System.Console 'Write()' or 'WriteLine()' statements
PCIDSS32.655.NCNRE - Do not catch 'NullReferenceException'
PCIDSS40.6244.NCNRE - Do not catch 'NullReferenceException'
SEC.AASV - Inspect calls to access environment variables
SEC.AFNRO - Inspect array fields that are declared as readonly
SEC.ALBM - Inspect calls to late-binding methods
SEC.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
SEC.ASNRF - Inspect static fields that are not readonly and consider making them readonly
SEC.AUIC - Avoid using public inner classes to prevent access from untrusted classes
SEC.AUMS - Inspect uses of Millisecond on System.DateTime for security problems
SEC.AUPS - Inspect calls to Process.Start()
SEC.AUSD - Inspect uses of System.DateTime for security holes
SEC.DMSC - Inspect modifications to security settings
SEC.HPTR - Make pointer type fields private
SEC.MCMF - For security, avoid making your 'Clone()' method 'virtual'
SEC.SMIII - Seal methods which implement internal interfaces
SEC.USSCR - Use System.Security.Cryptography.RandomNumberGenerator instead of System.Random
SERIAL.GETOBJ - Call WriteObjectdata while implementing ISerializable.GetObjectData.
SPR.ENFL - Ensure all sensitive function invocations are logged
VVSG.2_4_A.APTIF - Avoid protected instance fields that could be accessed by untrusted classes
VVSG.2_4_A.AUIC - Avoid using public inner classes to prevent access from untrusted classes
VVSG.2_4_A.HPTR - Make pointer type fields private
VVSG.2_4_A.SMIII - Seal methods which implement internal interfaces
VVSG.2_5_4_I.HPTR - Make pointer type fields private
VVSG.2_5_4_I.NOPT - Do not use pointer types if you want to be CLS-compliant
VVSG.2_5_B.INVOKE - Prefer asynchronous calls to synchronized calls.
VVSG.5_2_B.TOLOWERTOUPPER - Do not call the ToLower() and ToUpper() string methods directly.
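The USSCR rule appears under more mappings than any other in the second list (APSC_DV, CWE.330, OWASP 2019/2021/2023 and SEC). The following is an added example, not code from this page or from dotTEST, showing what the rule catches and why it matters: System.Random is a seeded, deterministic generator, so two instances built from the same seed produce identical byte streams, which is what an attacker reconstructs when such output is used for a token. It assumes .NET 6 or later.

```csharp
// Added example: SEC.USSCR flags System.Random where unpredictability is required;
// RandomNumberGenerator is the CSPRNG the rule asks for. Assumes .NET 6+.
using System;
using System.Security.Cryptography;

public static class TokenExamples
{
    // Flagged by USSCR: a password-reset or session token minted from System.Random.
    public static string WeakToken(int byteCount = 32)
    {
        var rng = new Random();          // seeded from a small, guessable state
        var buf = new byte[byteCount];
        rng.NextBytes(buf);
        return Convert.ToHexString(buf);
    }

    // Compliant: bytes drawn from the platform CSPRNG.
    public static string StrongToken(int byteCount = 32)
    {
        byte[] buf = RandomNumberGenerator.GetBytes(byteCount);
        return Convert.ToHexString(buf);
    }

    // Shows the property that makes System.Random unsuitable: identical seed,
    // identical "random" output. The seed here is a constructed value.
    public static bool SeededStreamsCollide(int seed)
    {
        var a = new byte[16];
        var b = new byte[16];
        new Random(seed).NextBytes(a);
        new Random(seed).NextBytes(b);
        return Convert.ToHexString(a) == Convert.ToHexString(b);
    }

    public static void Main()
    {
        Console.WriteLine("weak:   " + WeakToken());
        Console.WriteLine("strong: " + StrongToken());
        Console.WriteLine("same seed gives same stream: " + SeededStreamsCollide(1337)); // True
    }
}
```

RandomNumberGenerator.GetBytes and Convert.ToHexString are static helpers introduced in .NET 6 and .NET 5 respectively; on older frameworks the equivalent is RandomNumberGenerator.Create() followed by GetBytes on the instance, which the rule also accepts.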