This is an archived version of the documentation for SonarQube-7.3.
See the Latest Documentation for current functionality.

Built-in Rule Tags

Tags are a way to categorize rules and issues. Issues inherit the tags on the rules that raised them. Some tags are language-specific, but many more appear across languages. Users can add tags to rules and issues, but most rules have some tags out of the box. Here is a non-comprehensive list of what some of those built-in tags mean:

  • brain-overload - there is too much to keep in your head at one time

  • bad-practice - the code likely works as designed, but the way it was designed is widely recognized as being a bad idea.

  • bug - something is wrong and it will probably affect production

  • cert - relates to a rule in a CERT secure coding standard. There are currently three CERT standards: C, C++, and Java. Many of these rules are not language-specific but are simply good programming practices. That's why you'll see this tag on rules for languages other than C, C++ and Java.

  • clumsy - extra steps are used to accomplish something that could be done more clearly and concisely (e.g. calling .toString() on a String).

  • confusing - will take maintainers longer to understand than is really justified by what the code actually does

  • convention - coding convention - typically formatting, naming, whitespace...

  • cwe - relates to a rule in the Common Weakness Enumeration. For more on CWE in SonarQube language plugins, and on security-related rules in general, see Security-related rules.

  • design - there is something questionable about the design of the code

  • lock-in - environment-specific features are used

  • misra - relates to a rule in one of the MISRA standards. While the MISRA rules are primarily about C and C++, many of them are not language-specific (e.g. don't use a float as a loop counter) but are simply good programming practices. That's why you'll see these tags on non-C/C++ rules.

  • owasp-.* - relates to a rule in the OWASP Top Ten security standard; the suffix identifies the Top Ten category the rule maps to. Note that the OWASP Top Ten is a list of high-level vulnerability categories, each of which translates to many, many potential rules.

  • pitfall - nothing is wrong yet, but something could go wrong in the future; a trap has been set for the next developer, and they'll probably fall into it and break the code.

  • sans-top25-.* - relates to the SANS Top 25 Most Dangerous Software Errors, which are security-related; the suffix identifies the Top 25 category. Note that the SANS Top 25 list is itself drawn directly from the CWE, so these rules normally carry the cwe tag as well.

  • security - relates to the security of an application.

  • suspicious - it's not guaranteed that this is a bug, but it looks suspiciously like one. At the very least, the code should be re-examined and likely refactored for clarity.

  • unpredictable - the code may work fine under current conditions, but may fail erratically if conditions change.

  • unused - unused code, e.g. a private variable that is never used.

  • user-experience - there's nothing technically wrong with your code, but it may make some or all of your users hate you.
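Because issues inherit their rules' tags, the security-related families above (security, cwe, owasp-.*, sans-top25-.*) are the natural filter for pulling security findings out of a scan. The script below is an added example, not SonarQube's own code: it matches tags against those families, handling the wildcard spellings, triages a set of issues by severity, and builds the query string for the api/issues/search Web API endpoint so the same filter can be applied server-side. The sample issues are constructed for illustration, and the rule keys in them are placeholders rather than real SonarQube rules; the assumption is only that each issue object carries a 'key', 'severity' and 'tags' list, as the Web API returns.

```python
"""Triage SonarQube issues by the tags they inherit from their rules.

Added example, not SonarQube's own code. It assumes issue objects in the
shape returned by the Web API endpoint api/issues/search (each issue has
'key', 'rule', 'severity' and a 'tags' list); the sample data is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlencode

# The security-related tag families from the documentation. The two wildcard
# entries follow the documented spellings owasp-.* and sans-top25-.*; the
# hyphen is required, so a bare "owasp" tag does not match.
SECURITY_TAG_PATTERNS = [
    re.compile(r"^security$"),
    re.compile(r"^cwe$"),
    re.compile(r"^owasp-.+$"),
    re.compile(r"^sans-top25-.+$"),
]

# Constructed sample issues (rule keys are placeholders, not real rules).
SAMPLE_ISSUES = [
    {"key": "ISSUE-1", "rule": "example:R1", "severity": "CRITICAL",
     "tags": ["cwe", "owasp-a1", "sans-top25-insecure", "security"]},
    {"key": "ISSUE-2", "rule": "example:R2", "severity": "MINOR",
     "tags": ["clumsy", "convention"]},
    {"key": "ISSUE-3", "rule": "example:R3", "severity": "MAJOR",
     "tags": ["cert", "cwe", "suspicious"]},
    {"key": "ISSUE-4", "rule": "example:R4", "severity": "MAJOR",
     "tags": ["owasp"]},  # no hyphen and no category: not a Top Ten tag
]


def is_security_tag(tag):
    """True if the tag belongs to one of the security-related tag families."""
    return any(pattern.match(tag) for pattern in SECURITY_TAG_PATTERNS)


def security_issues(issues):
    """Issues carrying at least one security-related tag (inherited from the rule)."""
    return [issue for issue in issues
            if any(is_security_tag(tag) for tag in issue.get("tags", []))]


def count_by_tag(issues):
    """Number of issues carrying each tag, across all issues given."""
    return Counter(tag for issue in issues for tag in issue.get("tags", []))


def triage(issues):
    """Group security issues by severity, recording which tags qualified each one."""
    grouped = {}
    for issue in security_issues(issues):
        matched = sorted(tag for tag in issue["tags"] if is_security_tag(tag))
        grouped.setdefault(issue["severity"], []).append((issue["key"], matched))
    return grouped


def issues_search_query(tags, unresolved_only=True):
    """Query string for api/issues/search that filters by tag on the server.

    'tags' takes a comma-separated list and 'resolved' filters out closed
    issues; both are parameters of that endpoint. The server base URL and
    authentication are left to the caller.
    """
    params = {"tags": ",".join(tags)}
    if unresolved_only:
        params["resolved"] = "false"
    return "/api/issues/search?" + urlencode(params, safe=",")


if __name__ == "__main__":
    for severity, entries in sorted(triage(SAMPLE_ISSUES).items()):
        for key, matched in entries:
            print(f"{severity:9} {key}  matched tags: {', '.join(matched)}")
    print(issues_search_query(["security", "cwe", "owasp-a1"]))
```

Tags added by users to rules or issues are matched the same way, so a team can introduce its own tag (say, a component name) and filter on it with the same query; the wildcard families are the only ones that need prefix matching rather than an exact comparison.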