Security Rules rule set for managed code
Use the Microsoft Security Rules rule set for legacy code analysis to maximize the number of potential security issues that are reported.
| Rule | Description |
|---|---|
| CA2100 | Review SQL queries for security vulnerabilities |
| CA2102 | Catch non-CLSCompliant exceptions in general handlers |
| CA2103 | Review imperative security |
| CA2104 | Do not declare read only mutable reference types |
| CA2105 | Array fields should not be read only |
| CA2106 | Secure asserts |
| CA2107 | Review deny and permit only usage |
| CA2108 | Review declarative security on value types |
| CA2109 | Review visible event handlers |
| CA2111 | Pointers should not be visible |
| CA2112 | Secured types should not expose fields |
| CA2114 | Method security should be a superset of type |
| CA2115 | Call GC.KeepAlive when using native resources |
| CA2116 | APTCA methods should only call APTCA methods |
| CA2117 | APTCA types should only extend APTCA base types |
| CA2118 | Review SuppressUnmanagedCodeSecurityAttribute usage |
| CA2119 | Seal methods that satisfy private interfaces |
| CA2120 | Secure serialization constructors |
| CA2121 | Static constructors should be private |
| CA2122 | Do not indirectly expose methods with link demands |
| CA2123 | Override link demands should be identical to base |
| CA2124 | Wrap vulnerable finally clauses in outer try |
| CA2126 | Type link demands require inheritance demands |
| CA2130 | Security critical constants should be transparent |
| CA2131 | Security critical types may not participate in type equivalence |
| CA2132 | Default constructors must be at least as critical as base type default constructors |
| CA2133 | Delegates must bind to methods with consistent transparency |
| CA2134 | Methods must keep consistent transparency when overriding base methods |
| CA2135 | Level 2 assemblies should not contain LinkDemands |
| CA2136 | Members should not have conflicting transparency annotations |
| CA2137 | Transparent methods must contain only verifiable IL |
| CA2138 | Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute |
| CA2139 | Transparent methods may not use the HandleProcessCorruptingExceptions attribute |
| CA2140 | Transparent code must not reference security critical items |
| CA2141 | Transparent methods must not satisfy LinkDemands |
| CA2142 | Transparent code should not be protected with LinkDemands |
| CA2143 | Transparent methods should not use security demands |
| CA2144 | Transparent code should not load assemblies from byte arrays |
| CA2145 | Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute |
| CA2146 | Types must be at least as critical as their base types and interfaces |
| CA2147 | Transparent methods may not use security asserts |
| CA2149 | Transparent methods must not call into native code |
| CA2210 | Assemblies should have valid strong names |
| CA2300 | Do not use insecure deserializer BinaryFormatter |
| CA2301 | Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder |
| CA2302 | Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize |
| CA2305 | Do not use insecure deserializer LosFormatter |
| CA2310 | Do not use insecure deserializer NetDataContractSerializer |
| CA2311 | Do not deserialize without first setting NetDataContractSerializer.Binder |
| CA2312 | Ensure NetDataContractSerializer.Binder is set before deserializing |
| CA2315 | Do not use insecure deserializer ObjectStateFormatter |
| CA2321 | Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver |
| CA2322 | Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing |
| CA3001 | Review code for SQL injection vulnerabilities |
| CA3002 | Review code for XSS vulnerabilities |
| CA3003 | Review code for file path injection vulnerabilities |
| CA3004 | Review code for information disclosure vulnerabilities |
| CA3005 | Review code for LDAP injection vulnerabilities |
| CA3006 | Review code for process command injection vulnerabilities |
| CA3007 | Review code for open redirect vulnerabilities |
| CA3008 | Review code for XPath injection vulnerabilities |
| CA3009 | Review code for XML injection vulnerabilities |
| CA3010 | Review code for XAML injection vulnerabilities |
| CA3011 | Review code for DLL injection vulnerabilities |
| CA3012 | Review code for regex injection vulnerabilities |
| CA5358 | Do Not Use Unsafe Cipher Modes |
| CA5403 | Do not hard-code certificate |