From 6bc8c182af3ab618aabfeabca1595f5082855bc7 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Thu, 16 Feb 2023 15:37:56 +0100
Subject: [PATCH] Update RSPEC for release (#6762)
---
 analyzers/rspec/cs/S2198_c#.html | 16 ++++-----
 analyzers/rspec/cs/S3063_c#.html | 32 ++++++++++--------
 analyzers/rspec/cs/S3878_c#.html | 32 +++++++++---------
 analyzers/rspec/cs/S3937_c#.html | 13 ++++++--
 analyzers/rspec/cs/S4507_c#.html | 13 +++-----
 analyzers/rspec/cs/S4663_c#.html | 10 +++---
 analyzers/rspec/vbnet/S3063_vb.net.html | 24 +++++++++-----
 analyzers/rspec/vbnet/S3878_vb.net.html | 33 +++++++++----------
 analyzers/rspec/vbnet/S4507_vb.net.html | 13 +++-----
 .../src/SonarAnalyzer.CSharp/sonarpedia.json | 2 +-
 .../SonarAnalyzer.VisualBasic/sonarpedia.json | 2 +-
 11 files changed, 96 insertions(+), 94 deletions(-)
diff --git a/analyzers/rspec/cs/S2198_c#.html b/analyzers/rspec/cs/S2198_c#.html
index d0d070dc92b..64344eb0219 100644
--- a/analyzers/rspec/cs/S2198_c#.html
+++ b/analyzers/rspec/cs/S2198_c#.html
@@ -1,18 +1,14 @@

Certain mathematical comparisons will always return the same value, and should simply not be made.

-

This comparison will always return false:

+

These comparisons will return either always true or always false depending on the kind of comparison:

-

These will always return true:

-

Noncompliant Code Example

 float f = 42.0f;
-const double d = float.MaxValue + 1;
-if (f <= d) { } // Noncompliant
+if (f <= double.MaxValue) { } // Noncompliant
 
 
diff --git a/analyzers/rspec/cs/S3063_c#.html b/analyzers/rspec/cs/S3063_c#.html
index e4076481597..22b9210a8a6 100644
--- a/analyzers/rspec/cs/S3063_c#.html
+++ b/analyzers/rspec/cs/S3063_c#.html
@@ -1,11 +1,11 @@
-

StringBuilder instances that are appended but never toStringed needlessly clutter the code, and worse are a -drag on performance. Either they should be removed, or the missing toString call added.

+

StringBuilder instances that never build a string clutter the code and worse are a drag on performance. Either they +should be removed, or the missing ToString() call should be added.

Noncompliant Code Example

-public void doSomething(List<string> strings) {
-  StringBuilder sb = new StringBuilder();  // Noncompliant
+public void DoSomething(List<string> strings) {
+  var sb = new StringBuilder();  // Noncompliant
   sb.Append("Got: ");
-  foreach(string str in strings) {
+  foreach(var str in strings) {
     sb.Append(str).Append(", ");
     // ...
   }
@@ -13,25 +13,31 @@ 

Noncompliant Code Example

Compliant Solution

-public void doSomething(List<string> strings) {
-  foreach(string str in strings) {
+public void DoSomething(List<string> strings) {
+  foreach(var str in strings) {
     // ...
   }
 }
 

or

-public void doSomething(List<string> strings) {
-  StringBuilder sb = new StringBuilder();  // Noncompliant
+public void DoSomething(List<string> strings) {
+  var sb = new StringBuilder();
   sb.Append("Got: ");
-  foreach(string str in strings) {
+  foreach(var str in strings) {
     sb.Append(str).Append(", ");
     // ...
   }
-  _logger.LogInformation(sb.toString, DateTimeOffset.UtcNow);
+  logger.LogInformation(sb.ToString());
 }
 

Exceptions

-

This rule ignores StringBuilders that are passed as method arguments on the grounds that they are likely toStringed -there.

+

No issue is reported when StringBuilder is:

+
diff --git a/analyzers/rspec/cs/S3878_c#.html b/analyzers/rspec/cs/S3878_c#.html
index d9fc819cdc8..ff6791e604f 100644
--- a/analyzers/rspec/cs/S3878_c#.html
+++ b/analyzers/rspec/cs/S3878_c#.html
@@ -1,31 +1,31 @@
-

There’s no point in creating an array solely for the purpose of passing it as a params (...) argument; params keyword allow to pass a -variable number of parameters that will behave exactly like an array variable inside the method implementation. Simply pass the elements directly.

+

There’s no point in creating an array solely for the purpose of passing it to a params parameter. Simply pass the elements directly. +They will be consolidated into an array automatically.

Noncompliant Code Example

-public void CallTheThing() {
-	//...
-	DoTheThing(new string[] { "s1", "s2"});  // Noncompliant: unnecessary
-	DoTheThing(new string[12]);  // Compliant
-	// ...
+public void Base()
+{
+    Method(new string[] { "s1", "s2" }); // Noncompliant: unnecessary
+    Method(new string[] { });            // Noncompliant
+    Method(new string[12]);              // Compliant
 }
 
-public void DoTheThing (params string[] args) {
-	// ...
+public void Method(params string[] args)
+{
+    // ...
 }
 

Compliant Solution

-public void CallTheThing()
+public void Base()
 {
-	//...
-	DoTheThing("s1", "s2");
-	DoTheThing(new string[12]);
-	// ...
+    Method("s1", "s2");
+    Method();
+    Method(new string[12]);
 }
 
-public void DoTheThing(params string[] args)
+public void Method(params string[] args)
 {
-	// ...
+    // ...
 }
 
 
diff --git a/analyzers/rspec/cs/S3937_c#.html b/analyzers/rspec/cs/S3937_c#.html
index 060b4615948..1bed6c7cb34 100644
--- a/analyzers/rspec/cs/S3937_c#.html
+++ b/analyzers/rspec/cs/S3937_c#.html
@@ -3,9 +3,16 @@

This rule raises an issue when underscores (_) are used to break a number into irregular subgroups.

Noncompliant Code Example

-int duos = 1_00_00;
-int million = 1_000_00_000;  // Noncompliant
+int thousand = 100_0;
+int tenThousand = 100_00;
+int million = 1_000_00_000;
+
+

Compliant Solution

+
 int thousand = 1000;
-int tenThousand = 100_00;  // Noncompliant
+int tenThousand = 10_000;
+int tenThousandWithout = 10000;
+int duos = 1_00_00;
+int million = 100_000_000;
 
 
diff --git a/analyzers/rspec/cs/S4507_c#.html b/analyzers/rspec/cs/S4507_c#.html
index 1f990e1c455..e6c71cf0e5b 100644
--- a/analyzers/rspec/cs/S4507_c#.html
+++ b/analyzers/rspec/cs/S4507_c#.html
@@ -1,11 +1,6 @@
-

Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:

-
-

An application’s debug features enable developers to find bugs more easily and thus facilitate also the work of attackers. It often gives access to -detailed information on both the system running the application and users.

+

Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during +development, they should never be enabled for applications deployed in production. Debug instructions or error messages can leak detailed information +about the system, like the application’s path or file names.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

-

Do not enable debug features on production servers.

+

Do not enable debugging features on production servers.

The .Net Core framework offers multiple features which help during debug. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in
diff --git a/analyzers/rspec/cs/S4663_c#.html b/analyzers/rspec/cs/S4663_c#.html
index a250d368623..257f1dc77bc 100644
--- a/analyzers/rspec/cs/S4663_c#.html
+++ b/analyzers/rspec/cs/S4663_c#.html
@@ -3,14 +3,12 @@

Noncompliant Code Example

 //
 
+/*
+*/
+
 ///
 
 /**
-
- */
-
-/*
-
- */
+*/
 
 
diff --git a/analyzers/rspec/vbnet/S3063_vb.net.html b/analyzers/rspec/vbnet/S3063_vb.net.html
index 3d204c44c43..c77335e3fd3 100644
--- a/analyzers/rspec/vbnet/S3063_vb.net.html
+++ b/analyzers/rspec/vbnet/S3063_vb.net.html
@@ -1,9 +1,9 @@
-

StringBuilder instances that are appended but never toStringed needlessly clutter the code, and worse are a -drag on performance. Either they should be removed, or the missing toString call added.

+

StringBuilder instances that never build a string clutter the code and worse are a drag on performance. Either they +should be removed, or the missing ToString() call should be added.

Noncompliant Code Example

-Public Sub doSomething(ByVal strings As List(Of String))
-    Dim sb As StringBuilder = New StringBuilder()
+Public Sub DoSomething(ByVal strings As List(Of String))
+    Dim sb As StringBuilder = New StringBuilder() ' Noncompliant
     sb.Append("Got: ")
 
     For Each str As String In strings
@@ -13,14 +13,14 @@ 

Noncompliant Code Example

Compliant Solution

-Public Sub doSomething(ByVal strings As List(Of String))
+Public Sub DoSomething(ByVal strings As List(Of String))
     For Each str As String In strings
     Next
 End Sub
 

or

-Public Sub doSomething(ByVal strings As List(Of String))
+Public Sub DoSomething(ByVal strings As List(Of String))
     Dim sb As StringBuilder = New StringBuilder()
     sb.Append("Got: ")
 
@@ -28,10 +28,16 @@ 

Compliant Solution

 sb.Append(str).Append(", ")
 Next
- My.Application.Log.WriteEntry(sb.toString)
+ My.Application.Log.WriteEntry(sb.ToString())
 End Sub

Exceptions

-

This rule ignores StringBuilders that are passed as method arguments on the grounds that they are likely toStringed -there.

+

No issue is reported when StringBuilder is:

+
diff --git a/analyzers/rspec/vbnet/S3878_vb.net.html b/analyzers/rspec/vbnet/S3878_vb.net.html
index d64dc4f8527..02d271df633 100644
--- a/analyzers/rspec/vbnet/S3878_vb.net.html
+++ b/analyzers/rspec/vbnet/S3878_vb.net.html
@@ -1,30 +1,29 @@
-

There’s no point in creating an array solely for the purpose of passing it as a ParamArray (...) argument; ParamArray keyword allow to -pass a variable number of parameters that will behave exactly like an array variable inside the method implementation. Simply pass the elements -directly.

+

There’s no point in creating an array solely for the purpose of passing it to a ParamArray parameter. Simply pass the elements +directly. They will be consolidated into an array automatically.

Noncompliant Code Example

 Class SurroundingClass
-	Public Sub CallTheThing()
-		DoTheThing(New String() {"s1", "s2"})
-		DoTheThing(New String(11) {})
-	End Sub
+    Public Sub Base()
+        Method(New String() { "s1", "s2" }) ' Noncompliant: unnecessary
+        Method(New String(12) {}) ' Compliant
+    End Sub
 
-	Public Sub DoTheThing(ParamArray args As String())
-		' Do something
-	End Sub
+    Public Sub Method(ParamArray args As String())
+        ' Do something
+    End Sub
 End Class
 

Compliant Solution

 Class SurroundingClass
-	Public Sub CallTheThing()
-		DoTheThing("s1", "s2")
-		DoTheThing(New String(11) {})
-	End Sub
+    Public Sub Base()
+        Method("s1", "s2")
+        Method(New String(12) {})
+    End Sub
 
-	Public Sub DoTheThing(ParamArray args As String())
-		' Do something
-	End Sub
+    Public Sub Method(ParamArray args As String())
+        ' Do something
+    End Sub
 End Class
 
 
diff --git a/analyzers/rspec/vbnet/S4507_vb.net.html b/analyzers/rspec/vbnet/S4507_vb.net.html
index 11fbb756404..ce1ed49ca34 100644
--- a/analyzers/rspec/vbnet/S4507_vb.net.html
+++ b/analyzers/rspec/vbnet/S4507_vb.net.html
@@ -1,11 +1,6 @@
-

Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:

-
-

An application’s debug features enable developers to find bugs more easily and thus facilitate also the work of attackers. It often gives access to -detailed information on both the system running the application and users.

+

Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during +development, they should never be enabled for applications deployed in production. Debug instructions or error messages can leak detailed information +about the system, like the application’s path or file names.

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

-

Do not enable debug features on production servers.

+

Do not enable debugging features on production servers.

The .Net Core framework offers multiple features which help during debug. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in
diff --git a/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json b/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
index 4aa94652203..4c00453c9e5 100644
--- a/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
+++ b/analyzers/src/SonarAnalyzer.CSharp/sonarpedia.json
@@ -3,5 +3,5 @@
 "languages": [
 "CSH"
 ],
- "latest-update": "2023-01-27T09:06:22.842339300Z"
+ "latest-update": "2023-02-16T13:29:06.541771900Z"
 }
\ No newline at end of file
diff --git a/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json b/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
index 3ab3c9d1c94..b46d8a27db4 100644
--- a/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
+++ b/analyzers/src/SonarAnalyzer.VisualBasic/sonarpedia.json
@@ -3,5 +3,5 @@
 "languages": [
 "VBNET"
 ],
- "latest-update": "2023-01-27T09:06:56.299025700Z"
+ "latest-update": "2023-02-16T13:29:34.979573400Z"
 }
\ No newline at end of file