Releases: SonarSource/sonar-dotnet

8.49

22 Nov 13:14
4c649ea

Hi everyone,

This release brings you the first fragment of C# 11 support in our Sonarway rules. It fixes a nice number of false positives and false negatives that were caused by the new C# 11 syntax. Look out for new releases as we will continue working on our C# 11 syntax support.

Special thanks to @Corniel for his contribution: #6279.

New Rules

  • 6279 - [VB.NET] Implement S3871: Exceptions should be public - for VB.NET

Improvements

  • 6338 - Add repository link to NuGet packages
  • 6315 - Update RSPEC before 8.49 release

Bug Fixes

  • 6341 - [C#] AD0001 for S4426: CryptographicKeyShouldNotBeTooShort

False Positive

  • 6313 - Fix S2933 FP: Support unsigned right-shift operator (>>>)
  • 6312 - Fix S3875 FP: Do not raise an issue when implementing IEqualityOperators interface
  • 6311 - Fix S3927 FP: Support static abstract/virtual interface methods
  • 6307 - Fix S2225 FP: Support static virtual/abstract interface methods
  • 6302 - Fix S1854 FP: Support newlines in string interpolation
  • 6301 - Fix S1854 FP: Support interpolated raw string literals

False Negative

  • 6309 - Fix S6419 FN: Support unsigned right-shift operator (>>>)
  • 6308 - Fix S1121 FN: Support unsigned right-shift operator (>>>)
  • 6304 - Fix S2696 FN: Support unsigned right-shift operator (>>>)
  • 6303 - Fix S3010 FN: Support unsigned right-shift operator (>>>)
  • 6299 - Fix S4790 FN: Support multi-line string interpolation
  • 6298 - Fix S4790 FN: Support raw string literals
  • 6297 - Fix S5332 FN: Support utf-8 string literals
  • 6296 - Fix S2934 FN: Support unsigned right shift operator (>>>)
  • 6295 - Fix S3060 FN: Support list patterns
  • 6294 - Fix S2183 FN: Support unsigned right-shift operator (>>>)
  • 6293 - Fix S2115 FN: Support multi-line string interpolation inside a raw string literal
  • 6292 - Fix S2479 FP: Ignore raw string literals
  • 6291 - Fix S2479 FN: Support utf-8 strings
  • 6290 - Fix S2479 FN: Support raw string literals with interpolation
  • 6289 - S2688 FN: Do not raise for IsExpression since it works as expected
  • 6288 - Fix S1118 FN: Support static abstract/virtual interface implementation classes
  • 6287 - Fix S3247 FN: Support list patterns
  • 5744 - Fix S4456/S4457 FN: Recognize ArgumentNullException.ThrowIfNull()

8.48

08 Nov 16:22
98c1b41

Hi everyone,

This release fixes a false positive on the null pointers should not be dereferenced rule for VB.NET.

False Positives

Improvements

  • 6269 - Mention altcover in public link
  • 6225 - Update RSPEC before 8.48 release

8.47

18 Oct 11:51
e71cf2f

In this release, we further improved S2259 (Null pointers should not be dereferenced) and fixed security-related false positives.

Special thanks to @Corniel for his contribution: #6112.

New Rules

  • 6112 - [VB.NET] Implement S2225 - ToString should not return null - for VB.NET

Improvements

  • 6213 - Fix S2068 FP: Do not report on empty values in config files
  • 6182 - Rule S2068: detect hard-coded passwords in web.config files
  • 6199 - S2068: Support colon in uri password
  • 3905 - [C#, VB.NET] Rule S2077: support for additional database libraries
  • 6204 - Support new C#11 string types in CopyPasteTokenAnalyzer and TokenTypeAnalyzer
  • 6181 - [C#] Improve S3963: Highlight only the identifier instead of the full constructor body
  • 5824 - [C#] Improve S2259: Support DoesNotReturnIf for custom assertions
  • 6175 - Update RSPEC before 8.47 release

False Positive

  • 6176 - [C#, VB.NET] Fix S2259 FP: SingleOrDefault() and FirstOrDefault() used within EF LINQ queries
  • 6157 - [C#, VB.NET] Fix S2259 FP: Support TypeOf operation
  • 6100 - [C#, VB.NET] Fix S2259 FP: Reset constraints on calls in static methods
  • 6103 - [C#] Fix S2259 FP: Reset fields on this invocation with flow captures
  • 6170 - [C#] Fix S2259 FP: Should not report in switch expression after a null check
  • 6141 - [C#] Fix S5332 FP: Ignore for WPF xml definitions
  • 6080 - [C#, VB.NET] Fix S1313: Exclude local IPv4-mapped IPv6 address
  • 6064 - [C#, VB.NET] Rule S1313: Exclude reserved documentation IP ranges

8.46

03 Oct 11:56
a9f10bf

Hi everyone,

We've worked on improving the S2259 rule after its migration to our new Symbolic Execution engine. We can now fix issues that were previously too difficult or impossible to fix.

Improvements

  • 6128 - [C#, VB.NET] S2259: Support NotNullWhenAttribute
  • 6092 - [C#] Improve S2259: Take nullable flow state from Roslyn into account
  • 6083 - [C#] Improve S2259: Add support for [NotNull]
  • 6081 - [C#] Improve S2259: ThrowHelper and Debug.Fail
  • 6152 - Update RSPEC before 8.46 release

False Positive

  • 6117 - [C#] Fix S2259 FP: Suppress warnings for lifted operator results in null value in value type comparison
  • 4989 - [C#] Fix S2259 FP: Combining a null-coalescing operator with the “continue” keyword
  • 4784 - [C#] Fix S2259 FP: Return value of ToList() is not null
  • 4537 - [C#] Fix S2259 FP: Null conditional combined with null coalescing
  • 3416 - [C#] Fix S2259 FP: object.Equals method recognizes null arguments
  • 890 - [C#] Fix S2259 FP: Symbolic execution does not enter the for loop
  • 349 - [C#] Fix S2259 FP: "Null pointer dereference" should not raise if the variable was tested with Debug.Assert before
  • 6135 - [VB.NET] Fix S2259 FPs: Support Microsoft.VisualBasic.Information.IsNothing

False Negative

  • 3290 - [C#] Fix S2259 FN: Linq 'XxxOrDefault' extensions should create null and not-null constraints

8.45

16 Sep 08:48
c834145

Hi everyone,

With this release, we worked on S2259 to support VB and newer C# language features.

Special thanks to @Corniel for his contribution: #194.

New Rules

  • 5861 - [VB.NET] Implement S2259: Null pointers should not be dereferenced - for VB.NET

Improvements

  • 5863 - [C#] S2259: Change default SE engine to Roslyn-based
  • 5973 - [C#] Improve S2259: Support C# 9 and C# 10 syntax
  • 6082 - [C#] Improve S2259: Respect ! (null-forgiving) operator
  • 2949 - [C#] Improve S2259: Fill basic constraints for SE of Switch Expressions
  • 5971 - [C#] Improve S3353: Improve message
  • 6045 - Update RSPEC before 8.45 release

False Positive

  • 6067 - [C#] Fix S2259 FP/FN: in the new engine
  • 5285 - [C#] Fix S2259 FP: Unrelated ref parameter call breaks constraints
  • 6014 - [C#] Fix S3236 FP: Passthrough parameters should be compliant
  • 5995 - [C#] Fix S6421 FP: for Azure Functions with already wrapped body in try/catch block.
  • 6048 - [C#, VB.NET] Fix S2222 FP: Consider symbols released only if they were previously held

False Negative

  • 194 - [C#] Rule S2681: Expand implementation for additional patterns
  • 6089 - [C#, VB.NET] Fix S2222 FN: Support methods with throw

8.44

19 Aug 07:19
4a39d38

Hello everyone,

In this release we improve support for constant interpolated strings, file scoped namespace declaration, extended property patterns and attributes on lambda functions. You can find more details below.

Improvements

  • 5980 - [C#] Fix CodeFix S3217: Using directives are now moved to the closest namespace when this is file scoped.

False Positives

  • 5946 - [C#] Fix FP S1128: Issue raised in global usings although they are used in file projects.
  • 5925 - [C#] Fix FP S2360: Extend CallerInfoAttributes with CallerArgumentExpressionAttribute
  • 5094 - [C#] Fix FP S3928: When using record parameters

False Negatives

  • 6012 - [C#] Fix FN S1128: No issue is raised when the unnecessary using is inside a file scoped namespace
  • 5984 - [C#] Fix FN S3927: No issue is raised when an attribute is placed on a lambda
  • 5983 - [C#] Fix FN S3981: No issue is raised when property check is done through a pattern.
  • 5981 - [C#] Fix FN S2857: No issue is raised when in file scoped namespace
  • 5979 - [C#] Fix FN S3261: No issue is raised when in file scoped namespace
  • 5947 - [C#] Fix FN S2857: No issue is raised if the SQL string is assembled with constant interpolated strings
  • 5945 - [C#] Fix FN S5443: No issue is raised if the publicly writable directory path is assembled with the help of a constant interpolated string
  • 5944 - [C#] Fix FN S1313: A hardcoded IP address is not recognized if it is assembled as part of a constant interpolated string
  • 5943 - [C#] Fix FN S5332: No issue is raised if an insecure protocol is used as part of a constant interpolated string
  • 5942 - [C#] Fix FN S2857: No issue is raised if the malformed SQL query is formatted with the help of constant interpolated strings
  • 5998 - [VB.NET] Fix FN S5443: No issue is raised if the publicly writable directory path is assembled with the help of an interpolated string
  • 5996 - [VB.NET] Fix FN S1313: No issue is raised if the IP address is assembled as an interpolated string

8.43

03 Aug 09:03
ea4ebe6

Hi everyone,

With this release, we introduced 2 new VB.NET rules and improved the stability and the accuracy of some of our rules. You can find more details below.

Special thanks to @Corniel for his contributions: #5823 and #5930.

New Rules

  • 5930 - [VB.NET] Rule S4060: Avoid unsealed attributes
  • 5823 - [VB.NET] Rule S4225: Extension method should not extend on object

Improvements

  • 5929 - [C#, VB.NET] Add support PCI DSS and ASVS Security Standards
  • 5910 - [C#] Fix issue duplication on top-level statements when using Roslyn 4.0.0
  • 5896 - [C#, VB.NET] Fix S3776 configuration: Cognitive complexity threshold for property is not registered properly

Bug Fixes

  • 5906 - [C#] S3874: Fix AD0001
  • 5661 - [C#] [AD0001] S2234 throws ArgumentException when analyzing a constructor call for a type not part of the current compilation
  • 5916 - [C#] [AD0001] S2222: IndexOutOfRange for lambda in try/finally
  • 5809 - [C#] Fix AD0001 in DatabasePasswordsShouldBeSecure

False Positive

  • 5856 - [C#] Fix S1186: FP: Conditional compilation in method should not be considered empty
  • 5816 - [C#] Fix S3874 FP: Should not be raised on Deconstruct methods
  • 5789 - [C#] S3240 Quick action is incorrect
  • 5660 - [C#] Fix S3903: False Positive when using top level statements and partial Program
  • 5641 - [C#] Fix S4159: Rule should handle generic interfaces when using System.ComponentModel.Composition
  • 5587 - [C#, VB.NET] False-positive for S1871:Two branches in a switch-case when one branches use different overloads of methods
  • 5432 - [C#] Fix S3168 FP: Method used as TimerCallback not recognized
  • 4962 - [C#] Fix S3240 FP: When using same method on different variables
  • 4724 - [C#] #pragma warning disable compiler directives are not working for hotspot rules

8.42

18 Jul 12:17
18eb2f6

Hello everyone,

In this release, we added support for tuple deconstruction and addressed a couple of FNs/FPs.

Special thanks to @nesc58 for their contribution to #5827.

Improvements

  • 5808 - S148: Add support for tuple deconstruction
  • 5802 - S2184: Add support for tuple deconstruction
  • 5797 - S2123: Add support for tuple deconstruction
  • 5793 - S3010, S2696: Add support for tuple deconstruction
  • 5785 - S1854: Add support for tuple deconstruction
  • 5767 - S1117: Add support for tuple deconstruction
  • 5764 - S4057: Add support for tuple deconstruction
  • 5841, 5833 - S4433, S2755, S3330, S2092: Add support for tuple deconstruction
  • 5794 - S2674: Performance improvements
  • 5590 - Remove use of deprecated RulesDefinitionXmlLoader
  • 5210 - Remove SQ 7.3 workaround for issue types
  • 5852 - Replace 404 doc link to coverage documentation

False Negatives - False Positives

  • 5826 - [C#] Fix S2699 FP: When using NSubstitute Received with quantity
  • 5835 - [C#] Fix S127 FN: Fix FNs for tuple deconstruction in for loop initializer
  • 5846 - [C#] Fix S4057 FN: Fix declarator handling

8.41

04 Jul 15:52
81dea09

Hello!

This release brings new rules for Azure Functions code quality and a major milestone in our new Symbolic Execution engine: support for try/catch/finally blocks. We've also fixed a nasty stochastic bug.

Special thanks to @Corniel for his contributions (#5702, #5703 and #5536).

You can find the details below:

New Rules

  • 5710 - S2222: Support try/catch/finally in Symbolic Execution
  • 5600 - [C#] Rule S6424: Azure Functions - Entity interfaces restrictions
  • 5599 - [C#] Rule S6423: Always log failures in Azure Functions
  • 5598 - [C#] Rule S6422: Calls to "async" methods should not be blocking in Azure Functions
  • 5597 - [C#] Rule S6421: Azure Functions should use Structured Error Handling
  • 5596 - [C#] Rule S6420: Azure Functions should use static clients
  • 5595 - [C#] Rule S6419: Azure Functions should be stateless

Improvements

  • 5786 - S1226: Add support for deconstruction
  • 5784 - S1656: Add support for deconstruction
  • 5765 - S127: Add support for assignment and declaration in same deconstruction
  • 5760 - S1944: Add support for deconstruction
  • 5756 - S4055: Add support for deconstruction
  • 5752 - S2934: Add support for deconstruction
  • 5727 - Update RSPEC before 8.41 release
  • 5696 - [C#] S6354: Inconsistent analyzer title

Bug Fixes

  • 5692 - Usage of ISymbol.ToDisplayString leads to uncaught exceptions stochastically

False Positive

  • 5773 - [C#] Fix S3358 FP: Nested ternary operator is in a lambda
  • 5703 - [C#] Fix S4581 FP: Support target-typed new expression
  • 5686 - [C#] S1185: Derived records need to override ToString to prevent default code generation by the compiler
  • 5657 - [C#] Fix S2221 FP: Do not raise in Azure Functions
  • 5625 - [C#] S138, S1541, S3776 - exclude static local functions from computing method complexity
  • 5507 - [C#] S2187: Rule should not raise False Positives if MSTEST test method is in a base class higher up in the inheritance hierarchy

False Negative

  • 5680 - [C#] S138, S1541, S3776 - compute complexity for static local functions as a separate piece of code.

Performance

8.40

31 May 08:51
1032f59

Hi everyone,

In the last sprint, we took the time to reduce the noise by addressing some false positives and improving the handling of static local functions.

Special thanks to @Corniel for his contributions to improving our S4581 rule.

You can find the details below:

New Rules

  • 5616 - [C#] Rule S4581: Add C# code fix
  • 5615 - [VB.NET] Rule S4581: Guid.Empty is preferred for VB.NET

Improvements

  • 5674 - Update rule documentation
  • 5669 - S138: Exclude local static functions from the sum of lines when they are placed in other methods.
  • 5668 - [C#] S3776: Exclude static local functions from complexity computation
  • 5666 - [C#, VB.NET] S4159: Add support for System.Composition.ExportAttribute

False Positive

  • 5264 - [C#] Fix S3242 FP: Don't raise on public methods in controllers
  • 5245 - [C#] Fix S4581 FP: Cannot give method parameter a default value of an empty Guid.