Sonar Dotnet Versions Save

This release focused on improving the precision of existing rules. We fixed a lot of False Positives, False Negatives, and bugs in Code Fixes.

We also reduced our memory footprint by reducing allocations in the hot path. Thank you @sharwell, for reporting this in #7439 and #7440.

Special thanks to our contributor @nalka0 for the correction of our rule documentation in #7587

Improvements

• 7462 - [C#] Fix S1125: Codefix should set correct condition priority by adding parentheses.
• 2618 - [C#] Fix S1125: Faulty code fix on C# pattern matching in conditional operator
• 7213 - [C#] Improve S109 message

False Positive

• 7633 - [C#] Fix S4023 FP: Interfaces that provide type parameters from base interface
• 7629 - [C#] Fix S1186 FP: Empty method comes from interface
• 7508 - [C#, VB.NET] Fix S6605 FP: Should not fire in expressions
• 7324 - [C#] Fix S3063 FP: StringBuilder used in concatenation
• 6912 - [C#] Fix S1144 FP: Unused fields in class with StructLayout
• 5521 - [C#] Fix S1643 FP: should not apply when strings are not aggregated
• 3945 - [C#] Fix S3925 FP: Classes not having extra properties should not have to extend ISerializable interface

False Negative

• 7688 - [C#] Fix S1125 FN: recognize C#9 "is not" constant pattern
• 2619 - [C#] Fix S1125 FN: recognize "is" keyword with constant pattern
• 7713 - [C#] Fix S1643 FN: consider simple assignments with variable not on the innermost add expression

Performance

• 7664 - Allocations: Make IsUnchanged allocation free in the common case
• 7663 - Allocations: Move stringliteral tokens array to static field
• 7656 - Allocations: Remove delegate allocation from IsExcluded
• 7655 - Allocations: Remove delegate allocation from IsGenerated
• 7440 - Allocations: Unroll AdditionalFile extension method
• 7439 - Allocations: Avoid capturing and delegate allocations in SonarAnalysisContextBase

This release introduces 3 new security-related rules for VB.NET and improves the precision of their existing C# versions by migrating them to the new symbolic execution engine. This version also includes a new code fix and fixes for false negative issues. Kudos to @Corniel for his contribution by implementing a codefix for S125 (https://github.com/SonarSource/sonar-dotnet/issues/313)

New Rules

• 7560 - [VB.NET] New rule S2053: Hashes should include an unpredictable salt
• 7562 - [VB.NET] New rule S3329: Cipher Block Chaining IVs should be unpredictable
• 7565 - [VB.NET] New Rule S5773: Types allowed to be deserialized should be restricted

Improvements

• 7424 - [VB.NET] Merge rule S2373 onto S119 (S2373 is now deprecated)
• 313 - [C#] Rule S125: Add a code fix to remove the commented code

False Negative

• 7617 - [C#, VB.NET] Fix S2053 FN: Encoding.GetBytes
• 7547 - [C#, VB.NET] Fix S6588 FN: Rule should cover case with epoch ticks

Release 9.5 introduces 9 new rules for C# and VB.NET developers, providing guidelines and best practices for handling date and time operations within their applications. These rules cover a wide range of topics, including time zone conventions, common pitfalls, date parsing and formatting, time arithmetic, and more.

This release includes also one additional security rule and introduces fixes for false negatives and false positives.

Thanks to @Corniel for his contribution by implementing a new codefix for S6610 (#7517) and fixing a FP in S6354 (#7504).

New Rules

Date & time

• 7080 - [C#, VB.NET] New rule S6588: Use DateTime(Offset).UnixEpoch instead of pointing to that date using the constructor
• 7085 - [C#, VB.NET] New rule S6566: Always use DateTimeOffset instead of DateTime
• 7083 - [C#, VB.NET] New rule S6561: Do not use DateTime.Now for benchmarking or timing operations
• 7081 - [C#, VB.NET] New rule S6562: Always set the DateTimeKind when creating a new DateTime object
• 7079 - [C#, VB.NET] New rule S6585: Don't hardcode the format provider when turning dates and times to string
• 7078 - [C#, VB.NET] New Rule S6580: Always use DateTime.Parse overloads with an IFormatProvider parameter
• 7077 - [C#, VB.NET] New rule S6575: Use TimeZoneInfo.FindSystemTimeZoneById instead of TimezoneConverter
• 7076 - [C#, VB.NET] New Rule S6563: Use UTC when recoding DateTime instants
• 7490|7086 - [C#, VB.NET] New rule S3363: Date and time should not be used as types for primary keys

Others

• 7290 - [C#] New rule S6640: Allowing unsafe code is security-sensitive

Improvements

• 7516 - [C#, VB.NET] Rule S6588: implement CodeFix
• 7517 - [C#] Rule S6610: implement CodeFix
• 7469 - SE: Run for local functions
• 7468 - SE: Run for Top-Level statements

False Positive

• 7504 - [C#, VB.NET] Fix S6354 FP: Do not report on XML crefs and nameof
• 6223 - [C#, VB.NET] Fix S5332 FP: Improve detection of namespace uris

False Negative

• 7261 - [C#] Fix S2077 FN: Add support for Mono.Data.Sqlite
• 7323 - [C#] Fix S2068 FN: add support for SecureString

Release 9.4 brings one new rule for C# and four new rules for VB.NET. It also brings improvements by migrating two more rules to the new symbolic execution engine, fixing false positives, and improving memory allocation.

Thanks to @sharwell for his contribution by reporting 7438. Thanks to @Corniel for his contribution by implementing new rule S2925 in 7342.

New Rules

• 7305 - [VB.NET] New rule S3966: Objects should not be disposed more than once
• 7304 - [VB.NET] New rule S1944: Invalid casts should not be made
• 7303 - [VB.NET] New rule S4158: Empty collections should not be accessed or iterated
• 7342 - [C#, VB.NET] New Rule: S2925 Do not use Thread.Sleep() in a test

Improvements

• 7302 - [C#] Migrate S3966 to the new Symbolic Execution engine
• 7300 - [C#] Migrate S4158 to the new Symbolic Execution engine
• 7301 - [C#] Improve S1944: Rule now detects more issues
• 7322 - [C#] Symbolic Execution: Learn NotNull from ??= for nullable types
• 7267 - [C#, VB.NET] Symbolic Execution: Add BinaryOperation for literals: division, remainder, xor
• 7435 - [C#] Improve S4635: Update issue message
• 7365 - [C#] Improve S2198: Update issue message
• 7337 - Update RSPEC before 9.4 release

False Positives

• 4261 - [C#] Fix S4158 FP: When a collection was filled by using delegates
• 2147 - [C#] Fix S4158 FP: Variable instance mismatch
• 7308 - [C#] Fix S3655 FP: Recognize ??= for nullable types
• 6179 - [C#, VB.NET] Fix S4158 FP: When the collection was filled during for loops, was reported to be empty

Performance

• 7438 - Memory allocation improvement: HasMatchingScope should not allocate a new delegate on every call

Improvements

• 7318 - [C#, VB.NET] Improve S2437: message - replace silly with unnecessary

False Positive

• 7286 - [C#] Fix S6605 and S6617 FP: Should not be applied to expressions used by EntityFramework

This release brings a new implementation of S3949 rule, that is now part of SonarWay again.

New features

• 7147 - [VB.NET] New rule S3949: Integral operations should not overflow - for VB.NET
• 7239 - [C#] Rule S6613: implement CodeFix

False Positive fixes

• 7104 - [C#] Fix S2259 FP: Conditional access checked for bool
• 3491 - [C#] Fix S3949 FP: Do not report inside GetHashCode

Improvements

• 4631 - [C#] Migrate S3949 to the new Symbolic Execution engine
• 7148 - [C#] S3949: Add rule to SonarWay profile
• 7138 - [C#] Remove CBDE dependency
• 7212 - [C#] Modify S3237 message to be more accurate
• 7262 - [C#, VB.NET] Revert "UtilityAnalyzer: Use RegisterCompilationStartAction" - fix performance regression
• 7234 - [C#, VB.NET] SE Fix FPs: Improve fixed-count loops
• 7156 - [C#, VB.NET] SE: Cache NumberConstraint
• 7111 - [C#, VB.NET] SE: Concatenate string expression returns non-null string
• 7260 - Update RSPEC before 9.2 release

Bug Fixes

• 7050 - [C#] Fix AD0001 on S1186: NullReferenceException for top-level methods

Release 9.1 brings a set of rules that help users avoid performance pitfalls.

New Rules

• 7132 - [C#] New rule S6618: "string.Create" should be used instead of "FormattableString"
• 7131 - [C#, VB.NET] New rule S6617: "Contains" should be used instead of "Any" for simple equality checks
• 7129 - [C#, VB.NET] New rule S6613: "First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
• 7128 - [C#, VB.NET] New rule S6612: The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
• 7127 - [C#, VB.NET] New rule S6610: "StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
• 7126 - [C#, VB.NET] New rule S6609: "Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
• 7125 - [C#, VB.NET] New rule S6608: Indexing should be used instead of "Enumerable" methods on types implementing "IList"
• 7124 - [C#, VB.NET] New rule S6607: The collection should be filtered before sorting by using "Where" before "OrderBy"
• 7123 - [C#, VB.NET] New rule S6605: Collection-specific "Exists" method should be used instead of the "Any" extension
• 7122 - [C#, VB.NET] New rule S6603: The collection-specific "TrueForAll" method should be used instead of the "All" extension
• 7121 - [C#, VB.NET] New rule S6602: "Find" method should be used instead of the "FirstOrDefault" extension

Improvements

• 7197 - [VB.NET] Improve S2302 Message: Use NameOf for VB.NET
• 7133 - [C#] Extend S3260 to include file access modifier on types

Bug Fixes

• 7134 - [C#] Fix AD0001 in S138: NullReferenceException

False Negative

• 2528 - [C#] FPs and FNs in the Symbolic Execution rules when null coalescing is combined with arithmetic expressions because we do not support constraints on integers

Release 9.0 changes the target framework from net46 to netstandard2.0. Thus the minimal support version is .NET Framework 4.6.2 now.
Thanks to @Corniel for fixing an FP in S2049.

Improvements

• 7095 - Update RSPEC before 9.0 release
• 6028 - Target netstandard2.0 instead of net46
• 4824 - [C#, VB.NET] SE: Update rule activation to be compatible with .editorconfig

False Positive

• 3400 - [C#] Fix S3900 FP: When parameter reassigned from a method
• 2591 - [C#] Fix S3900 FP: Re-assignment of parameters is ignored
• 6972 - [C#] Fix S3900 FP: Ignore parameters with assigned values
• 5729 - [C#] Fix S3900 FP: Recognize ArgumentNullException.ThrowIfNull()
• 6953 - [C#] Fix S2094 FP: Records which set the base record's properties in their initializer

Release 8.56 is here and it brings a whole lot of improvements. We implemented S3900 and S3655 for VB.NET and at the same time, we also got improvements to the C# versions of S3900, S3655, S2222, and S2259. Special kudos to @Corniel who contributed new rule S5856 and several other enhancements.

New Rules

• 6797 - [VB.NET] New Rule S3900 for VB.NET: Arguments of public methods should be validated against Nothing
• 6795 - [VB.NET] New Rule S3655 for VB.NET: Empty nullable value should not be accessed
• 6691 - [C#, VB.NET] New Rule S5856: Regex literals should be valid by @Corniel

Improvements (S3900, S3655, S2222, and S2259)

• 6794 - [C#] Improve S3655: Support C# 9 and C# 10 syntax
• 6793 - [C#] Improve S3900: Support C# 9 and C# 10 syntax
• 6997 - [C#] Fix S3900: FN and FP
• 7060 - [C#] Fix S3900 FP: Don't raise if parameter is captured
• 2775 - [C#] Fix S3900 FP: is is not considered as null-check
• 2670 - [C#] Fix S3900 FP: with string.IsNullOrEmpty
• 7004 - [C#] Fix S3900: Change parameter dereference check to top-down
• 6682 - [C#] Fix S3655 FP: HasValue checked with Pattern matching
• 4250 - [C#] Fix S2259 FP: Lifted operator results in null value in value type comparison
• 6994 - [C#, VB.NET] Fix S2222: Branch on createdNew parameter on Mutex constructor
• 6840 - [C#, VB.NET] Fix S2259 FP/FN: Do not raise on Nullable members
• 6241 - [C#, VB.NET] Fix S2259 FP: is null check on generic type
• 6930 - [C#, VB.NET] Fix S2259 FN: Auto-Properties don't learn ObjectConstraint
• 6898 - [C#, VB.NET] Fix S2259 FN: Raise on fields and events
• 7048 - [VB.NET] Fix S2259 FP: ValidatedNotNullAttribute in extension method
• 7047 - [VB.NET] Fix S3900 FP: Recognize VB extensions
• 6991 - [VB.NET] Fix S3655 FN: VB implicit conversions

Other improvements

• 6899 - Update RSPEC
• 6910 - Fix S2094 FP: Allow to have empty classes, used as generic parameter
• 6878 - [C#] Fix S1168 FP: Does not respect nullable annotations by @Corniel
• 6890 - [C#, VB.NET] Fix S1123 FN: The explanation should not be null or whitespace by @Corniel

@corniel contributions

• 6691 - [C#, VB.NET] New Rule S5856: Regex literals should be valid
• 6890 - [C#, VB.NET] Fix S1123 FN: The explanation should not be null or whitespace
• 6825 - [C#] Expand the ShimLayer with ITypeSymbol.NullableAnnotation
• 6878 - [C#] Fix S1168 FP: Does not respect nullable annotations

This version contains the prerequisite to support sonar.exclusions, sonar.inclusions, sonar.global.exclusions, sonar.test.exclusions, sonar.test.inclusions and sonar.global.test.exclusions parameters when the analysis is run inside SonarLint for Visual Studio. Stay tuned, the second and final part of the feature will be implemented soon by the SonarLint team.

In the meantime, if you are wondering what these parameters are, you can find more information about them in our documentation.

• 6877 - Support exclusion and inclusion parameters when run by SonarLint

New Rules

• 6885 - [C#, VB.NET] ExcludeFromCodeCoverage attributes should include a justification Special thanks to @Corniel for implementing this new rule!

Improvements

• 6798 - Update RSPEC before 8.55 release

False Positive

• 6630 - [C#] Fix S3415 FP/FN: Support named arguments
• 6525 - [C#] Fix S2699 FP: AssertionMethodAttribute is ignored when assertion method is inherited
• 6438 - [C#] Fix S1905 FP: Nullability context and array of anonymous types