Releases: SonarSource/sonar-dotnet
8.48
8.47
In this release, we further improved S2259 (Null pointers should not be dereferenced) and fixed security-related false positives.
Special thanks to @Corniel for his contribution: #6112.
New Rules
Improvements
- 6213 - Fix S2068 FP: Do not report on empty values in config files
- 6182 - Rule S2068: detect hard-coded passwords in web.config files
- 6199 - S2068: Support colon in uri password
- 3905 - [C#, VB.NET] Rule S2077: support for additional database libraries
- 6204 - Support new C#11 string types in CopyPasteTokenAnalyzer and TokenTypeAnalyzer
- 6181 - [C#] Improve S3963: Highlight only the identifier instead of the full constructor body
- 5824 - [C#] Improve S2259: Support DoesNotReturnIf for custom assertions
- 6175 - Update RSPEC before 8.47 release
False Positive
- 6176 - [C#, VB.NET] Fix S2259 FP: SingleOrDefault() and FirstOrDefault() used within EF LINQ queries
- 6157 - [C#, VB.NET] Fix S2259 FP: Support TypeOf operation
- 6100 - [C#, VB.NET] Fix S2259 FP: Reset constraints on calls in static methods
- 6103 - [C#] Fix S2259 FP: Reset fields on this invocation with flow captures
- 6170 - [C#] Fix S2259 FP: Should not report in switch expression after a null check
- 6141 - [C#] Fix S5332 FP: Ignore for WPF xml definitions
- 6080 - [C#, VB.NET] Fix S1313: Exclude local IPv4-mapped IPv6 address
- 6064 - [C#, VB.NET] Rule S1313: Exclude reserved documentation IP ranges
8.46
Hi everyone,
We've worked on improving the S2259 rule after its migration to our new Symbolic Execution engine. We can now fix issues that were previously too difficult or impossible to fix.
Improvements
- 6128 - [C#, VB.NET] S2259: Support NotNullWhenAttribute
- 6092 - [C#] Improve S2259: Take nullable flow state from Roslyn into account
- 6083 - [C#] Improve S2259: Add support for [NotNull]
- 6081 - [C#] Improve S2259: ThrowHelper and Debug.Fail
- 6152 - Update RSPEC before 8.46 release
False Positive
- 6117 - [C#] Fix S2259 FP: Suppress warnings for lifted operator results in null value in value type comparison
- 4989 - [C#] Fix S2259 FP: Combining a null-coalescing operator with the “continue” keyword
- 4784 - [C#] Fix S2259 FP: Return value of ToList() is not null
- 4537 - [C#] Fix S2259 FP: Null conditional combined with null coalescing
- 3416 - [C#] Fix S2259 FP: object.Equals method recognizes null arguments
- 890 - [C#] Fix S2259 FP: Symbolic execution does not enter the for loop
- 349 - [C#] Fix S2259 FP: "Null pointer dereference" should not raise if the variable was tested with Debug.Assert before
- 6135 - [VB.NET] Fix S2259 FPs: Support Microsoft.VisualBasic.Information.IsNothing
False Negative
8.45
Hi everyone,
With this release, we worked on S2259 to support VB and newer C# language features.
Special thanks to @Corniel for his contribution: #194.
New Rules
Improvements
- 5863 - [C#] S2259: Change default SE engine to Roslyn-based
- 5973 - [C#] Improve S2259: Support C# 9 and C# 10 syntax
- 6082 - [C#] Improve S2259: Respect ! (null-forgiving) operator
- 2949 - [C#] Improve S2259: Fill basic constraints for SE of Switch Expressions
- 5971 - [C#] Improve S3353: Improve message
- 6045 - Update RSPEC before 8.45 release
False Positive
- 6067 - [C#] Fix S2259 FP/FN: in the new engine
- 5285 - [C#] Fix S2259 FP: Unrelated ref parameter call breaks constraints
- 6014 - [C#] Fix S3236 FP: Passthrough parameters should be compliant
- 5995 - [C#] Fix S6421 FP: for Azure Functions with already wrapped body in try/catch block.
- 6048 - [C#, VB.NET] Fix S2222 FP: Consider symbols released only if they were previously held
False Negative
8.44
Hello everyone,
In this release we improve support for constant interpolated strings, file scoped namespace declaration, extended property patterns and attributes on lambda functions. You can find more details below.
Improvements
- 5980 - [C#] Fix CodeFix S3217: Using directives are now moved to the closest namespace when this is file scoped.
False Positives
- 5946 - [C#] Fix FP S1128: Issue raised in global usings although they are used in file projects.
- 5925 - [C#] Fix FP S2360: Extend CallerInfoAttributes with CallerArgumentExpressionAttribute
- 5094 - [C#] Fix FP S3928: When using record parameters
False Negatives
- 6012 - [C#] Fix FN S1128: No issue is raised when the unnecessary using is inside a file scoped namespace
- 5984 - [C#] Fix FN S3927: No issue is raised when an attribute is placed on a lambda
- 5983 - [C#] Fix FN S3981: No issue is raised when property check is done through a pattern.
- 5981 - [C#] Fix FN S2857: No issue is raised when in file scoped namespace
- 5979 - [C#] Fix FN S3261: No issue is raised when in file scoped namespace
- 5947 - [C#] Fix FN S2857: No issue is raised if the SQL string is assembled with constant interpolated strings
- 5945 - [C#] Fix FN S5443: No issue is raised if the publicly writable directory path is assembled with the help of a constant interpolated string
- 5944 - [C#] Fix FN S1313: A hardcoded IP address is not recognized if it is assembled as part of a constant interpolated string
- 5943 - [C#] Fix FN S5332: No issue is raised if an insecure protocol is used as part of a constant interpolated string
- 5942 - [C#] Fix FN S2857: No issue is raised if the malformed SQL query is formatted with the help of constant interpolated strings
- 5998 - [VB.NET] Fix FN S5443: No issue is raised if the publicly writable directory path is assembled with the help of an interpolated string
- 5996 - [VB.NET] Fix FN S1313: No issue is raised if the IP address is assembled as an interpolated string
8.43
Hi everyone,
With this release, we introduced 2 new VB.Net rules and improved the stability and the accuracy of some of our rules. You can find more details below.
Special thanks to @Corniel for his contributions: #5823 and #5930.
New Rules
- 5930 - [VB.NET] Rule S4060: Avoid unsealed attributes
- 5823 - [VB.NET] Rule S4225: Extension method should not extend on object
Improvements
- 5929 - [C#, VB.NET] Add support PCI DSS and ASVS Security Standards
- 5910 - [C#] Fix issue duplication on top-level statements when using Roslyn 4.0.0
- 5896 - [C#, VB.NET] Fix S3776 configuration: Cognitive complexity threshold for property is not registered properly
Bug Fixes
- 5906 - [C#] S3874: Fix AD0001
- 5661 - [C#] [AD0001] S2234 throws ArgumentException when analyzing a constructor call for a type not part of the current compilation
- 5916 - [C#] [AD0001] S2222: IndexOutOfRange for lambda in try/finally
- 5809 - [C#] Fix AD0001 in DatabasePasswordsShouldBeSecure
False Positive
- 5856 - [C#] Fix S1186: FP: Conditional compilation in method should not be considered empty
- 5816 - [C#] Fix S3874 FP: Should not be raised on Deconstruct methods
- 5789 - [C#] S3240 Quick action is incorrect
- 5660 - [C#] Fix S3903: False Positive when using top level statements and partial Program
- 5641 - [C#] Fix S4159: Rule should handle generic interfaces when using System.ComponentModel.Composition
- 5587 - [C#, VB.NET] False-positive for S1871:Two branches in a switch-case when one branches use different overloads of methods
- 5432 - [C#] Fix S3168 FP: Method used as TimerCallback not recognized
- 4962 - [C#] Fix S3240 FP: When using same method on different variables
- 4724 - [C#] #pragma warning disable compiler directives are not working for hotspot rules
8.42
Hello everyone,
In this release, we added support for tuple deconstruction and addressed a couple of FNs/FPs.
Special thanks to @nesc58 for their contribution to #5827.
Improvements
- 5808 - S148: Add support for tuple deconstruction
- 5802 - S2184: Add support for tuple deconstruction
- 5797 - S2123: Add support for tuple deconstruction
- 5793 - S3010, S2696: Add support for tuple deconstruction
- 5785 - S1854: Add support for tuple deconstruction
- 5767 - S1117: Add support for tuple deconstruction
- 5764 - S4057: Add support for tuple deconstruction
- [5841, 5833] - S4433, S2755, S3330, S2092: Add support for tuple deconstruction
- 5794 - S2674: Performance improvements
- 5590 - Remove use of deprecated RulesDefinitionXmlLoader
- 5210 - Remove SQ 7.3 workaround for issue types
- 5852 - Replace 404 doc link to coverage documentation
False Negatives - False Positives
8.41
Hello!
This release brings new rules for Azure Functions code quality and a major milestone in our new Symbolic Execution engine: support for try/catch/finally blocks. We've also fixed a nasty stochastic bug.
Special thanks to @Corniel for his contributions (#5702, #5703 and #5536).
You can find the details below:
New Rules
- 5710 - S2222: Support try/catch/finally in Symbolic Execution
- 5600 - [C#] Rule S6424: Azure Functions - Entity interfaces restrictions
- 5599 - [C#] Rule S6423: Always log failures in Azure Functions
- 5598 - [C#] Rule S6422: Calls to "async" methods should not be blocking in Azure Functions
- 5597 - [C#] Rule S6421: Azure Functions should use Structured Error Handling
- 5596 - [C#] Rule S6420: Azure Functions should use static clients
- 5595 - [C#] Rule S6419: Azure Functions should be stateless
Improvements
- 5786 - S1226: Add support for deconstruction
- 5784 - S1656: Add support for deconstruction
- 5765 - S127: Add support for assignment and declaration in same deconstruction
- 5760 - S1944: Add support for deconstruction
- 5756 - S4055: Add support for deconstruction
- 5752 - S2934: Add support for deconstruction
- 5727 - Update RSPEC before 8.41 release
- 5696 - [C#] S6354: Inconsistent analyzer title
Bug Fixes
- 5692 - Usage of ISymbol.ToDisplayString leads to uncaught exceptions stochastically
False Positive
- 5773 - [C#] Fix S3358 FP: Nested ternary operator is in a lambda
- 5703 - [C#] Fix S4581 FP: Support target-typed new expression
- 5686 - [C#] S1185: Derived records need to override ToString to prevent default code generation by the compiler
- 5657 - [C#] Fix S2221 FP: Do not raise in Azure Functions
- 5625 - [C#] S138, S1541, S3776 - exclude static local functions from computing method complexity
- 5507 - [C#] S2187: Rule should not raise False Positives if MSTEST test method is in a base class higher up in the inheritance hierarchy
False Negative
- 5680 - [C#] S138, S1541, S3776 - compute complexity for static local functions as a separate piece of code.
Performance
8.40
Hi everyone,
In the last sprint, we took the time to reduce the noise by addressing some false positives and improving the handling of static local functions.
Special thanks to @Corniel for his contributions to improving our S4581 rule.
You can find the details below:
New Rules
- 5616 - [C#] Rule S4581: Add C# code fix
- 5615 - [VB.NET] Rule S4581: Guid.Empty is preferred for VB.NET
Improvements
- 5674 - Update rule documentation
- 5669 - S138: Exclude local static functions from the sum of lines when they are placed in other methods.
- 5668 - [C#] S3776: Exclude static local functions from complexity computation
- 5666 - [C#, VB.NET] S4159: Add support for System.Composition.ExportAttribute
False Positive
8.39
Hi everyone,
In the last sprint, we added support for record structs for the remaining rules.
Improvements
- 5609 - S1192: Add support for record structs
- 5592 - S1450: Add support for record struct
- 5606 - S1939: Add support for record struct
- 5632 - S2257: Add support for record structs
- 5580 - S2326, S3925: Add support for record struct
- 5605 - S2333: Add support for record struct
- 5611 - S2436: Add support for record structs
- 5607 - S2743: Add support for record struct
- 5612 - S3059: Add support for record structs
- 5577 - S3218: Add support for record structs
- 5622 - S3241: Add support for record structs
- 5608 - S3263: Add support for record struct
- 5620 - S3898: Add support for record struct
- 5633 - S3996: Add support for record structs
- 5613 - S4041: Add support for record structs
- 5593 - S4049: Add support for record struct
- 5604 - S4059: Add support for record struct
- 5578 - S4136: Add support for record struct
- 5634 - S5766: Add support for record struct
- 5614 - Update RSPEC before 8.39 release