Suppress errors in generated code #57
Comments
Thanks for the report. This is something we didn't investigate. However, I was able to suppress the warning from the context menu "Suppress SCS0007->In Suppression File". Since the file is auto-generated, it is preferable to suppress in a separate file rather than in the same source file.

```csharp
[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE", Justification = "<Pending>", Scope = "member", Target = "~M:Build.MainConsole.Dispose(System.Boolean)")]
```

This is fine if you go and click on every occurrence, but I guess if you play with the scope it is possible to suppress for the whole generated file with just a single attribute. You can read about scopes here - https://msdn.microsoft.com/en-us/library/ms244717.aspx

Another workaround for this particular warning would be to target at least .NET 4.5.2.

P.S.

```csharp
// Security analyzer - analyze and report diagnostics on generated code.
analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
```

SCS is a security analyzer :) but I think it should be configurable and suppressible even in generated code.
For me this issue remains unresolved. Yes, it is possible to put in an individual exception for each warning in generated files, but this is a major nuisance. Targeting a newer framework brings with it a whole other set of considerations and is not a solution to the general problem. Finally, I have not found a way to suppress an entire code member in the suppression file. Yes, as you point out there are scoping options but none seem to do what is needed. And the ability for SCS to respect the "no scan for generated code" setting, which it does not do apparently, seems important.
You are welcome to submit a pull request.
I have some ADO dataset generated code, where I see many instances of the following:
The default setting for VS is supposed to suppress code analysis errors on generated code but SCS does not seem to do so. Is there a workaround? For example, is it possible to suppress analysis on the entire class via the global suppression file?