
Suppress errors in generated code #57

Closed
lellis1936 opened this issue Jun 13, 2018 · 3 comments

@lellis1936

I have some ADO dataset generated code, where I see many instances of the following:

SCS0007 XML parsing vulnerable to XXE

The default setting for VS is supposed to suppress code analysis errors on generated code but SCS does not seem to do so. Is there a workaround? For example, is it possible to suppress analysis on the entire class via the global suppression file?

@JarLob (Contributor)

JarLob commented Jun 15, 2018

Thanks for the report. This is something we didn't investigate. However, I was able to suppress the warning from the context menu "Suppress SCS0007->In Suppression File". Since the file is auto-generated it is preferable to suppress in a separate file rather than in the same source file.
It generated for me

[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE", Justification = "<Pending>", Scope = "member", Target = "~M:Build.MainConsole.Dispose(System.Boolean)")]

and this is fine if you go and click on every occurrence, but I guess if you play with the scope it is possible to suppress for whole generated file with just a single attribute. You can read about scopes here - https://msdn.microsoft.com/en-us/library/ms244717.aspx

Another workaround for this particular warning would be to target at least .NET 4.5.2.

P.S.
Overall, Microsoft analyzers call ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None); all over. I need to investigate whether it means "do not analyze" even if "Analyze Generated Code" is enabled...
Another funny fact is here https://github.com/dotnet/roslyn-analyzers/blob/9ed3fc4d2f2d69f511b44948ecc9215b2be12cf7/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureCryptographicAlgorithms.cs

// Security analyzer - analyze and report diagnostics on generated code.
analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);

SCS is a security analyzer :) but I think it should be configurable and suppressible even in generated code.
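An added example (not from the issue or from Security Code Scan itself) of what a GlobalSuppressions.cs can look like: the per-member attribute Visual Studio emitted above, beside a single type-scoped and a single namespace-scoped attribute that cover a whole generated typed dataset. The `Build.OrdersDataSet` type and `Build.OrdersDataSetTableAdapters` namespace are assumed placeholder names.

```csharp
// GlobalSuppressions.cs (added example; OrdersDataSet names are assumed placeholders)
using System.Diagnostics.CodeAnalysis;

// 1. Per-member suppression, the form Visual Studio emits from
//    "Suppress SCS0007 -> In Suppression File". One attribute per flagged method,
//    so a large generated file needs many of them.
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "<Pending>",
    Scope = "member",
    Target = "~M:Build.MainConsole.Dispose(System.Boolean)")]

// 2. Type-scoped suppression: one attribute covers every SCS0007 location inside
//    the named type. The ~T: prefix is the documentation-comment ID for a type;
//    a nested type is written as Outer.Inner. Hand-written code outside the
//    type is still analysed, so XXE findings there keep showing up.
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "Auto-generated ADO.NET typed dataset (Designer.cs), regenerated from the schema",
    Scope = "type",
    Target = "~T:Build.OrdersDataSet")]

// 3. Namespace-scoped suppression for the generated TableAdapters namespace
//    (the ~N: prefix names a namespace; covers the types declared directly in it).
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "Auto-generated ADO.NET table adapters (Designer.cs)",
    Scope = "namespace",
    Target = "~N:Build.OrdersDataSetTableAdapters")]

// Keep the scope as narrow as the generated code: a "module"-scoped attribute, or one
// without a Target, would also hide XXE findings in hand-written XmlDocument/XmlReader
// code, which is exactly what the rule exists to catch.
```

The target strings use the documentation-comment ID format, and a mistyped target is not reported as an error; the warning simply keeps appearing, so check the Error List after adding the attribute.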

@lellis1936 (Author)

lellis1936 commented Jun 15, 2018

For me this issue remains unresolved. Yes it is possible to put in an individual exception for each warning in generated files, but this is a major nuisance.

Targeting a newer framework brings with it a whole other set of considerations and is not a solution to the general problem.

Finally, I have not found a way to suppress an entire code member in the suppression file. Yes, as you point out there are scoping options but none seem to do what is needed. And the ability for SCS to respect the "no scan for generated code" setting, which it does not do apparently, seems important.

@JarLob (Contributor)

JarLob commented Jun 16, 2018

You are welcome to open a pull request.

@JarLob JarLob closed this as completed in 5672b07 Jan 18, 2019