281 Rules
| ID | Name | Severity |
|---|---|---|
| 2616 | Avoid undocumented Forms | medium |
| 2624 | Avoid unreferenced Forms | medium |
| 3550 | Namespace naming convention - case control | medium |
| 3554 | Interface naming convention - case and character set control | medium |
| 3558 | Enumerations naming convention - case and character set control | medium |
| 3560 | Enumeration Items naming convention - case and character set control | medium |
| 3562 | Private Fields naming convention - case and character set control | medium |
| 3564 | Public Fields naming convention - case and character set control | medium |
| 3566 | Methods naming convention - case and character set control | medium |
| 3568 | Events naming convention - case and character set control | medium |
| 3570 | DEPRECATED: Avoid using Keywords as names | medium |
| 3572 | Controls naming convention - prefix, case and character set control | medium |
| 3574 | Properties naming convention - case and character set control | medium |
| 3576 | Avoid declaring public Fields | high |
| 3578 | Avoid large Classes - too many Constructors (.NET) | medium |
| 3580 | Avoid large Classes - too many Methods (.NET) | medium |
| 3586 | Avoid large Methods - too many Lines of Code | medium |
| 3590 | Avoid Interface implementation on Structures | medium |
| 3612 | Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET) | critical |
| 3614 | Avoid using String.Empty for empty string tests | medium |
| 3616 | DELETED: Data Access must be based on Stored Procedure Calls | medium |
| 3626 | Avoid Interfaces with a very low comment/code ratio | medium |
| 3630 | Avoid having Classes implementing too many Interfaces | medium |
| 7194 | DEPRECATED: Avoid large number of String concatenation (.NET) | medium |
| 7198 | Avoid String concatenation in loops (.NET) | medium |
| 7208 | DEPRECATED: Avoid the use of is inside loops | medium |
| 7212 | Avoid instantiations inside loops (.NET) | high |
| 7258 | DataReader must be called using CommandBehavior.CloseConnection enumeration | medium |
| 7260 | User Interface elements must not use directly the database | medium |
| 7262 | Avoid Namespaces with High Efferent Coupling (CE) | medium |
| 7264 | Avoid namespaces with High Afferent Coupling (CA) | medium |
| 7266 | Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods | medium |
| 7268 | Dispose() methods should call GC.SuppressFinalize | medium |
| 7270 | Methods that do not use instance fields\methods should be static (.NET) | medium |
| 7272 | Provide a private default Constructor for utility Classes (.NET) | medium |
| 7294 | Avoid cyclical calls and inheritances between namespaces content | medium |
| 7352 | Avoid calling properties that clone values in loops | medium |
| 7358 | Avoid call to AcceptChanges in a loop | critical |
| 7458 | Avoid large Interfaces - too many Methods (.NET) | medium |
| 7466 | Avoid changing DataSource member before ValueMember/DisplayMember | high |
| 7468 | Disable constraints before merging DataSet | medium |
| 7470 | DEPRECATED: Avoid doing select on Datatable in loop | high |
| 7474 | Avoid Repainting When Updating a ListBox | medium |
| 7740 | Avoid HTTP response splitting | critical |
| 7742 | Avoid SQL injection | critical |
| 7746 | Avoid LDAP injection | critical |
| 7748 | Avoid OS command injection | critical |
| 7750 | Avoid XPath injection | critical |
| 7752 | Avoid file path manipulation | high |
| 7766 | Avoid Artifacts with High Cyclomatic Complexity | medium |
| 7768 | Avoid Artifacts with High Depth of Code | medium |
| 7770 | Avoid Artifacts with too many parameters | medium |
| 7772 | Avoid Artifacts with High Essential Complexity | medium |
| 7774 | Avoid Artifacts with High Integration Complexity | medium |
| 7776 | Avoid Artifacts with High Fan-In | medium |
| 7778 | Avoid Artifacts with High Fan-Out | medium |
| 7780 | Avoid Classes with a very low comment/code ratio | medium |
| 7782 | Avoid empty finally blocks | medium |
| 7784 | Avoid Artifacts with lines longer than X characters | medium |
| 7788 | Avoid empty catch blocks | high |
| 7792 | Avoid Classes with a High Number Of Children | medium |
| 7794 | Avoid Classes with a High Public Data Ratio | medium |
| 7796 | Avoid Classes with a High Lack of Cohesion - variant | medium |
| 7798 | Avoid Classes with a High Lack of Cohesion | medium |
| 7800 | Avoid Classes with High Coupling Between Objects | medium |
| 7802 | Avoid Classes with a High Depth of Inheritance Tree | medium |
| 7804 | Avoid Classes with High Weighted Methods per Class | medium |
| 7806 | Avoid Artifacts with Group By | medium |
| 7812 | Class naming convention - case and character set control | medium |
| 7816 | Avoid using GOTO statement | medium |
| 7824 | Avoid directly throwing instance of Exception class | high |
| 7830 | Avoid unreferenced Interfaces | medium |
| 7834 | Avoid undocumented Interfaces | medium |
| 7838 | Avoid undocumented Methods | medium |
| 7842 | Avoid large Artifacts - too many Lines of Code | medium |
| 7844 | Avoid undocumented Classes | medium |
| 7846 | Avoid Methods with a very low comment/code ratio | medium |
| 7848 | Interface naming convention - prefix | medium |
| 7862 | Avoid catching an exception of type Exception, RuntimeException, or Throwable | medium |
| 7914 | Avoid direct access to Database Tables | medium |
| 7918 | Exceptions naming convention - suffix control | medium |
| 7920 | Exceptions naming convention - case and character set control | medium |
| 7934 | Avoid Superclass (or Interface) knowing Subclass (or Interface) | medium |
| 7944 | Avoid High Response for Classes | medium |
| 8028 | Avoid missing default in switch statements | medium |
| 8032 | Avoid using break statement in FOR loops | medium |
| 8044 | Avoid log forging | high |
| 8086 | Avoid types that own disposable fields and are not disposable | medium |
| 8088 | Avoid override artifacts not having link demands identical to base | medium |
| 8090 | Avoid using NaN to test the result of an expression | high |
| 8092 | Avoid Objects having exposed pointers allowed to access unmanaged memory | medium |
| 8094 | Avoid locking of Objects with weak identities | medium |
| 8098 | Avoid uncontrolled format string | critical |
| 8108 | Avoid missing release of stream connection after an effective lifetime | critical |
| 8110 | Avoid not using dedicated stored procedures when processing multiple data accesses | high |
| 8112 | Avoid improper processing of the execution status of data handling operations | high |
| 8148 | Avoid artifacts having Incorrect Type Conversion or Cast | high |
| 8150 | Avoid using Parse for primitive types and used instead TryParse | medium |
| 8152 | Avoid having transaction with the Thread.Sleep method in a loop | medium |
| 8154 | Avoid using GC.Collect() | high |
| 8156 | Persistent classes should implement GetHashCode() and Equals() | high |
| 8158 | Avoid thread creation for application running on application server | critical |
| 8222 | Avoid hard-coded credentials | critical |
| 8238 | Avoid mixing trusted and untrusted data in HTTP requests | high |
| 8240 | Avoid using unsecured cookie | critical |
| 8242 | Avoid using insufficient random values for cookies | high |
| 8400 | Avoid having lock on this object | medium |
| 8402 | All types of a serializable class must be serializable | medium |
| 8408 | Avoid reflected cross-site scripting (non persistent) | critical |
| 8410 | Avoid cross-site scripting (persistent) | critical |
| 8414 | Avoid weak cryptographic algorithm | high |
| 8416 | Avoid use of a reversible one-way hash | high |
| 8418 | Avoid NoSQL injection | critical |
| 8420 | Avoid second order SQL injection | critical |
| 8424 | Avoid hard-coded HMAC and cryptographic key | critical |
| 8434 | Avoid process control | critical |
| 8436 | Avoid thread injection | critical |
| 8438 | Avoid code injection | critical |
| 8440 | Avoid reflection injection | critical |
| 8442 | Avoid resource injection | critical |
| 8444 | Avoid resource URL manipulation | critical |
| 8446 | Avoid URL redirection to untrusted site | critical |
| 8482 | Avoid cross-site scripting through API requests | critical |
| 8484 | Avoid HTTP response splitting through API requests | critical |
| 8486 | Avoid resource injection through API requests | critical |
| 8488 | Avoid resource URL manipulation through API requests | critical |
| 8490 | Avoid SQL injection through API requests | critical |
| 8492 | Avoid LDAP injection through API requests | critical |
| 8494 | Avoid OS command injection through API requests | critical |
| 8496 | Avoid process control through API requests | critical |
| 8498 | Avoid thread injection through API requests | critical |
| 8500 | Avoid code injection through API requests | critical |
| 8502 | Avoid reflection injection through API requests | critical |
| 8504 | Avoid XPath injection through API requests | critical |
| 8506 | Avoid file path manipulation through API requests | critical |
| 8508 | Avoid log forging through API requests | high |
| 8510 | Avoid uncontrolled format string through API requests | critical |
| 8512 | Avoid mixing trusted and untrusted data in HTTP requests through API requests | critical |
| 8514 | Avoid NoSQL injection through API requests | critical |
| 8516 | Avoid URL redirection to untrusted site through API requests | critical |
| 8518 | Avoid regular expression injection | critical |
| 8520 | Avoid second order regular expression injection | critical |
| 8522 | Avoid regular expression injection through API requests | critical |
| 8524 | Avoid deserialization injection | critical |
| 8526 | Avoid second order deserialization injection | critical |
| 8528 | Avoid deserialization injection through API requests | critical |
| 8530 | Avoid XQuery injection | critical |
| 8532 | Avoid second order XQuery injection | critical |
| 8534 | Avoid XQuery injection through API requests | critical |
| 8542 | Avoid debug forging | medium |
| 8544 | Avoid debug forging through API requests | medium |
| 8554 | Avoid using insufficient random generator | critical |
| 8560 | Avoid server-side request forgery | critical |
| 8562 | Avoid server-side request forgery through API requests | critical |
| 8564 | Avoid second order server-side request forgery | critical |
| 1019400 | Avoid calling Entity DbContext SaveChanges() inside loops | high |
| 1019402 | Avoid using Entity DbContext.Update() in loops | high |
| 1019404 | Avoid calling Add() inside a loop when AddRange() is applicable | high |
| 1019406 | Avoid using DbSet queries ToList()/ToArray()/ToDictionary() in foreach clause | high |
| 1019408 | Avoid using ToList() / ToArray() before applying further LINQ operators | high |
| 1019410 | Avoid Unnecessary .Include() Calls | medium |
| 1019412 | Use .AsSplitQuery() When Including Multiple Collections | high |
| 1019414 | Ensure using AsNoTracking for Select operations | medium |
| 1019416 | Avoid using Count() when Any() is sufficient | medium |
| 1019418 | Avoid Full Entity Projection in Entity Framework Queries | medium |
| 1019420 | Avoid doing bulk changes without disabling Entity changes Tracking | medium |
| 1025000 | Avoid second order OS command injection | critical |
| 1025002 | Avoid second order XPath injection | critical |
| 1025004 | Avoid second order URL redirection to untrusted site | critical |
| 1025010 | Avoid second order LDAP injection | critical |
| 1025016 | Avoid using cookie without the HttpOnly flag | critical |
| 1025018 | Avoid cookie injection | critical |
| 1025020 | Avoid data filter injection | critical |
| 1025022 | Avoid data filter injection through API requests | critical |
| 1025024 | Avoid disabling the expiration time validation of a JWT token | critical |
| 1025026 | Avoid disabling the expiration time requirement of a JWT token | critical |
| 1025028 | Avoid disabling the signature requirement of a JWT token | critical |
| 1025030 | Avoid hard-coded JWT secret keys | critical |
| 1025032 | Avoid insecure parameters for PBKDF2 password encoder | critical |
| 1025034 | Avoid insecure parameters for BCrypt password encoder | critical |
| 1025036 | Avoid insecure parameters for Argon2 password encoder | critical |
| 1025038 | Avoid insecure parameters for SCrypt password encoder | critical |
| 1025040 | Avoid external control of system or configuration setting | critical |
| 1025042 | Avoid external control of system or configuration setting through API requests | critical |
| 1025044 | Avoid MVC injection | critical |
| 1025046 | Avoid MVC injection through API requests | critical |
| 1025048 | Avoid hard-coded password in connection string | critical |
| 1025050 | Avoid dangerous file inclusion | critical |
| 1025052 | Avoid using unnormalized input strings | critical |
| 1025054 | Avoid plaintext storage of password | critical |
| 1025056 | Avoid running SQL queries inside a loop | critical |
| 1025058 | Avoid numeric user inputs in SQL queries | critical |
| 1025060 | Avoid second order numeric user inputs in SQL queries | critical |
| 1025062 | Avoid numeric user inputs in SQL queries through API requests | critical |
| 1025064 | Avoid weak encoding for password | high |
| 1027000 | Avoid Managed type declaration for Win32 API using Overlapped IO | medium |
| 1027002 | Avoid exposing methods that use Platform Invocation Services to access unmanaged code | medium |
| 1027004 | Avoid using deprecated XmlTextReader .NET API | medium |
| 1027008 | Always Revert After Impersonation | high |
| 1027010 | Avoid weak encryption providing insufficient key size (.NET) | high |
| 1027012 | Avoid storing Non-Serializable Object as HttpSessionState attributes. | high |
| 1027014 | Avoid using Thread API (Suspend\Resume) to manage thread state | medium |
| 1027016 | Avoid throwing exceptions in destructors | high |
| 1027018 | Avoid throwing exceptions from finally block | medium |
| 1027020 | Prefer using Any() over Count() or LongCount() | medium |
| 1027022 | Avoid using "new Guid()" | medium |
| 1027024 | Avoid comparing passwords against hard-coded strings | critical |
| 1027030 | Avoid using "Obsolete" attribute without message | medium |
| 1027032 | Avoid hard-coded network resource names (.NET, VB) | medium |
| 1027034 | Never catch NullReferenceException | medium |
| 1027036 | Avoid rethrowing exception explicitly | medium |
| 1027038 | Avoid if … else if constructs not terminated with an else clause (.NET, VB) | medium |
| 1027040 | Avoid using multiple OrderBy calls | medium |
| 1027042 | Avoid having unmatched contracts for exported interfaces | medium |
| 1027044 | Avoid using SafeHandle.DangerousGetHandle | critical |
| 1027046 | Avoid storing passwords in Comments | medium |
| 1027048 | Avoid returning null from non-async Task/Task<T> method | medium |
| 1027050 | Avoid throwing ArgumentException from yielding method. | medium |
| 1027052 | DEPRECATED: Avoid NULL Pointer Dereference (C#, VB.NET) | medium |
| 1027054 | Always use System.Uri instead of string to build URLs | medium |
| 1027058 | Avoid blocking async methods (.NET, VB) | medium |
| 1027064 | Always override 'Equals' and Comparison operators with IComparable implementation | medium |
| 1027066 | Avoid throwing exception from property getters | medium |
| 1027068 | Avoid returning null from ToString() | medium |
| 1027070 | Avoid if statements and blocks that are always TRUE or FALSE | medium |
| 1027074 | Avoid hard-coded URIs (.NET) | medium |
| 1027076 | Avoid allowing File IO unrestricted access | medium |
| 1027078 | Always mark Windows Forms starting point as STAThread | medium |
| 1027080 | Always use ConfigureAwait(false) in library code awaited tasks | medium |
| 1027082 | Avoid using console logging (.Net) | medium |
| 1027084 | Avoid calling CoSetProxyBlanket and CoInitializeSecurity | high |
| 1027086 | Avoid having the same implementation in a conditional structure | medium |
| 1027088 | Avoid non-public custom exception types | medium |
| 1027090 | Avoid improper instantiation of argument exceptions | medium |
| 1027092 | Always pass optional parameters too, when making 'base' calls | medium |
| 1027094 | Always provide deserialization methods for optional fields | medium |
| 1027096 | Avoid raising exceptions in unexpected location | medium |
| 1027098 | Avoid unused private types or members | medium |
| 1027100 | Avoid dangerous File Upload | high |
| 1027102 | Avoid using Regex constructor or static method without timeout | high |
| 1027104 | Ensure anti-forgery token validation for POST, PUT, PATCH, and DELETE methods | medium |
| 1043006 | Avoid disabling ValidateInput on ASP.NET Http Post/Put Request | high |
| 1043008 | Avoid disabling ValidateInput on controller | high |
| 1043010 | Avoid creating cookie without setting httpOnly option (C#) | high |
| 1043012 | Avoid creating cookie without setting httpOnly option in Config file (ASP.NET) | high |
| 1043014 | Avoid disabling ValidateRequest in Config file (ASP.NET) | high |
| 1043018 | Avoid storing passwords in the config files | high |
| 1043020 | Avoid having applications with the debug mode activated | medium |
| 1043022 | Avoid using unsecured cookie (C#) | medium |
| 1043024 | Always enable RequireSSL attribute for cookies in Config file (ASP.NET) | medium |
| 1043026 | Avoid disabling EnableViewStateMac in Config file (ASP.NET) | medium |
| 1043030 | Ensure the X-Frame-Options header is setup (ASP.NET) | high |
| 1043034 | Avoid having applications with the tracing activated in the web config file | medium |
| 1043036 | Avoid using Impersonate identity (ASP.NET) | medium |
| 1043038 | Avoid having applications with the tracing activated in the source code | medium |
| 1043044 | Avoid disabling the XSRF/CSRF Protection (ASP.NET MVC) | critical |
| 1043046 | Avoid creating cookie with overly broad path (C#) | critical |
| 1043048 | Avoid having cookie with an overly broad domain (C#) | critical |
| 1043050 | Avoid having long timeout for HttpCookie (> 5 mn) | medium |
| 1043052 | Ensure aspnet:UseLegacyFormsAuthenticationTicketCompatibility is set to true | medium |
| 1043054 | Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy | medium |
| 1043058 | Avoid disabling Header Checking flag in config file | medium |
| 1043060 | Avoid disabling HMAC signature verification (C#) | high |
| 1043062 | Avoid having all users accessing resources (.NET) | medium |
| 1043066 | Always use HTTPS Redirection Middleware and HSTS Middleware in your ASP.NET Core application | high |
| 1043068 | Avoid using RequireHttpsAttribute on Web APIs that receive sensitive information | medium |
| 1043070 | Avoid disabling the XSRF/CSRF Protection (ASP.NET Core MVC) | critical |
| 1043072 | Avoid creating unsecured HTTPS GET metadata endpoint in code | high |
| 1043076 | Avoid disabling custom errors mode to prevent exposure of exceptions and error data | medium |
| 1043078 | Avoid debug binaries that include detailed debug information | medium |
| 1043084 | Avoid XML schemas with unbounded occurrences | medium |
| 1043086 | Avoid using Html.Raw() or HtmlHelper.Raw() | high |
| 1060020 | Avoid empty catch blocks for methods with high fan-in | critical |
| 1060022 | Avoid too many SQL calls for methods with high fan-in | critical |
| 1101036 | Use ANSI standard operators in SQL WHERE clauses | medium |
| 1101958 | Avoid artifacts having db.collection.ensureIndex() to create new indexes | medium |
| 1101962 | Avoid using explain() in production code | medium |
| 1101964 | When using compound indexes, avoid having different index ordering in collection access | medium |
| 1101968 | Avoid having multiple Artifacts updating data on the same NoSQL Collection | medium |
| 1101970 | Avoid having multiple Artifacts inserting data on the same NoSQL Collection | medium |
| 1101972 | Avoid having multiple artifacts deleting data on the same NoSQL collection | medium |