The annual cost of poor software quality in the U.S. has climbed to over $2.41 trillion. It’s a staggering figure that highlights a crucial reality: the health of our code directly impacts business success, customer satisfaction, and competitive standing. But what does "poor software quality" actually look like in the wild? What are the most common issues lurking in the code being written today?
To answer these questions, we went directly to the source.
Today, we’re launching The State of Code, a new multi-part report series that provides a unique window into the real-world state of software development. We analyzed Sonar’s massive dataset from the last six months of 2024, encompassing:
- More than 7.9 billion lines of code
- Code from over 970,000 developers across 40,000+ organizations
- Analysis of Java, JavaScript, TypeScript, Python, C#, C++, and PHP
Unlike survey-based reports, Sonar’s findings are drawn from hard data, highlighting the actual issues developers using SonarQube encounter in their daily work. This series of reports released throughout the summer will explore the three critical issues in your codebase: reliability, security, and maintainability, across the seven most common languages software developers use.
Volume 1: Reliability
The first in the series, our The State of Code: Reliability report dives into the most common and fixable code reliability issues. Our analysis found about 2,100 reliability issues (bugs) for every million lines of code. These are the bugs that can degrade performance, cause unpredictable crashes, and ultimately erode user trust. For developers, they represent frustrating debugging sessions and late-night fixes. For leaders, they mean costly delays, project risks, and a struggle to maintain consistent quality across teams.
The usual suspects: Today’s most common bugs
When we explored the 16 million reliability issues flagged by Sonar, a few clear patterns emerged. The most frequently found issues were dead code and illegal memory access.
1. Dead code: More than just wasted space
The most common reliability issue we found involves statements that have no side effects and don't change the control flow of a program. Often called "dead code," these are lines that accomplish nothing.
While "dead code" bugs are incredibly common, their real-world impact is often more subtle than a single catastrophic outage. A related real-world example is Apple's "goto fail" security bug from 2014, when a single duplicated line of code (goto fail;) infamously made the essential function that verifies a secure connection's authenticity completely unreachable. The result was a critical security flaw that left millions of users vulnerable to man-in-the-middle attacks.
Like the Apple bug, the dead code found in our analysis often represents programming errors or incomplete refactoring.
- Why it's a problem: At best, dead code adds performance overhead and makes maintenance harder. At worst, it can mask serious bugs. These statements often result from incomplete refactoring or logical mistakes, creating the illusion that the code works as intended when critical operations are actually missing or incorrect. For managers, this means teams can waste time investigating code that has no function, and for developers, it’s a source of confusion and technical debt.
- How to fix it: SonarQube's automated code review capabilities detect dead code during development through real-time analysis. The platform provides clear remediation guidance to help understand why there's an issue and how to fix it. Quality gates can prevent code containing dead code issues from reaching production, ensuring teams maintain high standards early in the development process.
2. Null pointer dereferencing: The ghost in the machine
A close second is the infamous null pointer dereference. This occurs when the code tries to access or use a variable that is null, leading to an error or crash that could be catastrophic to critical applications. You don't have to look far for a real-world example. A Google Cloud outage in June 2025 caused widespread 503 errors for users of many Google Cloud services globally. The root cause was a code change that lacked proper error handling when it encountered an unexpected blank value in a new policy. This single oversight caused critical services to enter a crash loop, demonstrating how a mishandled null value can bring down even the most robust systems.
- Why it's a problem: These bugs are notoriously difficult to diagnose. A null value might originate in one part of an application but only cause a crash much later in the execution flow when another component tries to use it. These failures often surface unexpectedly in production environments, causing unpredictable application crashes and potentially exposing sensitive data through stack traces. For developers, this means chasing bugs far from their root cause, while leaders are left dealing with unreliable software and potential security risks.
- How to fix it: Developers can leverage SonarQube's analysis to detect these issues early in the development cycle. The platform provides actionable guidance through detailed issue descriptions and contextual help for fixing null pointer issues. AI CodeFix offers suggested fixes for detected issues directly in the IDE. Quality gates serve as an additional safeguard, preventing code with null pointer vulnerabilities from being merged or deployed to production environments.
Building more reliable code
As AI coding assistants generate more and more code, the quality of our existing applications becomes paramount, as this code is the primary data used to train these tools. Understanding and addressing these common reliability pitfalls is no longer just about fixing bugs—it's about building a stable foundation for the future of software development.
These findings are just the beginning. Download The State of Code: Reliability report to see:
- A closer look at the most commonly found blocker bug
- The top five reliability issues we found in nearly 8 billion lines of code
- Actionable solutions to help you eliminate these issues
Stay tuned for the next reports in our series, where we’ll explore the top security vulnerabilities , maintainability pitfalls, and language-specific challenges impacting codebases globally.