9.23

Hello everyone!
This release comes with two new rules for ASP.NET, false positive fixes, and other improvements.

A big thank you to @Corniel for their external contribution with #8898!

New Rules

• 8872 - [C#] New rule S6934: You should specify the RouteAttribute when an HttpMethodAttribute is specified at an action level
• 8870 - [C#, VB.NET] New rule S6931: ASP.NET controller actions should not have a route template starting with "/"

False Positives

• 8898 - [C#] Fix S3993 FP: Allow abstract attributes not to decorate Attribute usage
• 8510 - [C#] Fix S3878 FP: When the input array is a collection expression with the spread operator
• 8260 - [C#] Fix S1117 FP: Field/property instances are not accessible from static methods
• 7709 - [C#] Fix S2094 FP: Marker interface not detected when using records
• 6633 - [C#] Fix S2857 FP: Rule is not checking SQL keywords in const interpolated string

Other improvements and fixes

• 8935 - [C#] Rule S6602: Improve the logging message when recommending for Array.Find
• 7999 - [C#] Fix S1125 codefix: Do not add ! when transforming x == false.

9.22

New Rules

• 8869 - [C#, VB.NET] New rule S6930: Backslash should be avoided in route templates
• 8844 - [C#] New rule S3416: Loggers should be named for their enclosing types
• 8840 - [C#] New rule S6675: Trace.WriteLineIf should not be used with TraceSwitch levels
• 8847 - [C#] New rule S2139: Exceptions should be either logged or rethrown but not both
• 8845 - [C#] New rule S6664: Too many logging calls within a code block
• 8843 - [C#] New rule S6672: Generic logger injection should match enclosing type
• 8842 - [C#] New rule S6669: Logger field names should comply with a naming convention
• 8841 - [C#] New rule S6670: Trace.Write and Trace.WriteLine should not be used
• 8769 - [C#] New rule S6673: Log message template placeholders should be in the right order
• 8846 - [C#] New rule S1312: Logger fields should be private static readonly [Non-SonarWay]

False Positive

• 7088 - [C#, VB.NET] Fix S2589 FP: When local is assigned in for loop
• 8264 - [C#, VB.NET] Fix S2583 FP: Code wrongly considered unreachable
• 8891 - [C#] Fix S2629 FP: Allow concatenation of constants

9.21

New Rules

• 8771 - [C#] New rule S6678: Use PascalCase for named placeholders
• 8770 - [C#] New rule S6674: Log message template should be syntactically correct
• 8768 - [C#] New rule S2629: Logging templates should be constant
• 8767 - [C#] New rule S6677: Named placeholders should be unique
• 8766 - [C#] New rule S6667: Exceptions should be passed as an argument when logging in a catch clause
• 8765 - [C#] New rule S6668: Logging arguments should be passed to the correct parameter

Improvements

• The following rules were promoted to the SonarWay profile: S127, S1244, S1696, S1192, S1994, S2701, S2955

Bug Fixes

• 8787 - [C#] Fix AD0001: SonarAnalyzer.Rules.CSharp.SymbolicExecutionRunner throws an exception on unknown Numeric Constraints

False Positive

• 8823 - [C#] Fix S2701 FP: avoid raising for xUnit Assert.True()
• 6772 - [C#] Fix S4507 FP: Error raised on .NET 7 although the debug feature is deactivated

9.20

Hey everyone!

This release brings a vast number of improvements. The main focus lies on improving the capabilities of our Symbolic Execution engine, which results in much more accurate findings. The biggest visible impact is a significant reduction in false positives around loops for the rules S2583 and S2589.

And a big thank you to @rcatley for their external contribution!

Bug Fixes

• 8642 - [C#] Exception in SonarAnalyzer.Rules.CSharp.SymbolicExecutionRunner

False Positive

• 8678 - [C#, VB.NET] Fix S2583 FP: Variable Updated in Catch Block
• 8028 - [C#, VB.NET] Fix S2583 FP: Loop with manually incremented counter
• 8449 - [C#, VB.NET] Fix S2589 FP: Change this condition so that it does not always evaluate to 'True'
• 8495 - [C#, VB.NET] Fix S2583/S2589 FP: Return inside lock and using causes FP after the block
• 8428 - [C#, VB.NET] Fix S2583/S2589 FP: For loop with Array.Length
• 8483 - [C#, VB.NET] Fix S4158 FP: Should not report on HashSet.UnionWith for readonly fields.
• 8739 - [C#] Fix S4049 FP: Do not raise on methods with generic parameters
• 8638 - [C#] Fix S2386 & S3887 FP: should not be raised for FrozenDictionary and FrozenSet
• 8611 - [C#] Fix S2372 FP: Add support for method invocations (@rcatley)
• 8567 - [C#] Fix S2325 FP: Primary Constructor Support

False Negative

• 8486 - [C#] Fix S2589 FN: Tuple binary operations (comparison)

Improvements

• 8010 - [C#, VB.NET] S2589: Improve message in the case of null propagating operator
• 7866 - [C#, VB.NET] SE: Allow collection tracking even when S4158 is not active
• 8499 - [C#] SE: Learn number constraints from relational pattern
• 8651 - Update RSPEC before 9.20 release

9.19

Hello,

small release to enhance the deprecation warning before SonarQube v.10.4, explicitly notifying users analyzing with MSBuild 14 that it's no longer supported while maintaining the deprecation status for MSBuild 15.
Furthermore, we've also introduced three improvements to our rules:

Improvements

• 8609 - AnalysisWarningAnalyzerBase: targeted warnings for MSBuild14/15
• 8559 - [C#, VB.NET] Fix S2178 Rule message: Mention extracting right operand if applicable
• 6139 - [C#, VB.NET] Detect symbol references for @ keyword identifiers
• 3753 - [C#, VB.NET] S1186: also inspect empty set and init and empty local functions

9.18

Hi everyone!

This release focuses on fixing false positives and on general improvements that will be included in the upcoming SonarQube 10.4.

False Positive

• 7792 - [C#, VB.NET] Fix S1125 FP: Type check with System.Object
• 7904 - [C#] Fix S1144 FP: Record method PrintMembers
• 6326 - [C#] Fix S2437 FP: None of the operands is 0
• 7620 - [C#] Fix S6618 FP: Projects targeting runtime lower than .NET 6.0
• 8560 - [C#] Fix S4027 FP: BinaryFormatter. Serialization constructors are obsolete and should not be required

Improvements

• 4993 - [C#] Improve S3925 message to be clear about expected action
• 3604 - [C#] Improve S2971 message to use AsEnumerable in LINQ database query
• 7960 - [C#, VB.NET] Deprecate rule S3884
• 8554 - Update RSPEC before 9.18 release

9.17

Hi everyone!

We are shipping some more improvements to our Symbolic Execution rules reducing the number of false positives.

False Negatives

• 8493 - [C#] Fix S2583/S2589 FN and S2259 FP: Add support for relational pattern

False Positive

• 7665 - [C#, VB.NET] Fix S2259 FP: is not and short-circuit or
• 8382 - [C#, VB.NET] Fix S2589 FP: Custom Equals(null) is wrongly assumed to always return false
• 8504 - [C#, VB.NET] Fix S1104 FP: Should be ignored on classes and structs marked as [Serializable]

9.16

Hello everyone!

For this release, we focused on improving the symbolic execution engine, specifically rules S2589 and S2583, to increase their accuracy.
We also deprecated rule S4792.

False Positive

• 8470 - [C#, VB.NET] Fix S2583 FP: Should not raise on double condition
• 8378 - [C#, VB.NET] Fix S2583 FP: Variable Set in Catch Block
• 8140 - [C#, VB.NET] Fix S2583 FP: nested try catch blocks
• 8094 - [C#, VB.NET] Fix S2583/S2589 FP: Delegate can be null when last invocation is removed but comparing the delegate against null gets reported as always false
• 8326 - [C#] Fix S2589 FP: Var pattern should not raise
• 8324 - [C#] Fix S2259 FP: Raising issue in unreachable code when using declaration pattern on unknown value
• 8149 - [C#] Fix S2589 FP: Switch Expression default case with bool literal
• 8011 - [C#] Fix S2589 FP: Rule is erroneously raised on var-type pattern matches that use when clauses
• 8008 - [C#] Fix S2589 FP: Rule is raised on catch-all tuples in switch expressions
• 7057 - [C#] Fix S2583/S2589 FP: When tuple deconstruction is used
• 8489 - [VB.NET] Fix S1172 FP: VB names should not be case sensitive

Improvements

• 8466 - [C#, VB.NET] Deprecate rule S4792

9.15

Hello everyone,

This release focuses on performance improvement.
We made several changes to how we register our rules for analysis.
Based on our measurement, we improve the build time by 5% to 15%, depending on project size and complexity! 🔥 🚀

Fixes

• 8424 - Razor: SymbolReference locations for @typeparam are misplaced

Improvements

• 8314 - [C#, VB.NET] Add timeouts to all regular expressions
• 8402 - Update RSPEC before 9.15 release

False Positive

• 8371 - [C#, VB.NET] Fix S1172 FP: Unused parameter cannot be removed

Performance

• 8183 - [C#, VB.NET] Improve S5443 performance: Reuse compiled Regex
• 8185 - [C#, VB.NET] Improve S2068 performance: Reuse compiled Regex
• 8399 - [C#, VB.NET] Reduce time spend in HasMatchingScope for SyntaxNode registration
• 8406 - [C#, VB.NET] Cache RegisterNodeAction checks result per SyntaxTree
• 7858 - [C#, VB.NET] FileMetadataAnalyzer and UtilityAnalyzerBase should use IsGenerated from SyntaxTreeExtensions
• 6558 - [C#, VB.NET] Performance: UtilityAnalyzerBase calls GetSemanticModel for each SyntaxTree
• 7368 - [C#, VB.NET] UtilityAnalyzer: Use RegisterCompilationStartAction
• 7411 - [C#, VB.NET] UtilityAnalyzer: Reduce lock contention in ShouldGenerateMetrics

9.14

Hello everyone!

We are happy to announce that we now have 5 dedicated Blazor rules 🚀 🥳

Special thanks to our contributor (and former colleague) @sagi1623 for fixing #8302.

Improvements

• 8274 - [C#] New rule S6797: Query parameter should be of supported type
• 8278 - [C#] New rule S6798: [JSInvokable] attribute should only be used on public methods
• 8275 - [C#] New rule S6800: Component parameter type should match the route parameter type constraint
• 8277 - [C#] New rule S6802: Using lambda expressions in loops should be avoided in Blazor markup section
• 8338 - [C#] New rule S6803: Parameters with SupplyParameterFromQuery attribute should be used only in routable components
• 8228 - [C#] Deprecate S4212
• 8346 - Create CFG from member node
• 8271 - Adding missing operation wrappers and syntax kinds to the shim layer
• 8230 - Update Signing Certificate
• 8290 - Update RSPEC before 9.14 release

Bug Fixes

• 8310 - [C#, VB.NET] Fix S2068 AD0001: Overflow exception when a configuration file value is a number greater than Int32.MaxValue

False Positive

• 8285 - [C#, VB.NET] Fix S2583 FP: Number constraint from remainder calculation is not correct.
• 8358 - [C#] Fix S2743 FP: Arrow properties do not have static fields
• 7624 - [C#] Fix S3604 FP: Primary constructors

False Negative

• 8335 - [C#] Fix S2259 FN: FlowCaptures in Field/PropertyReference.Instance
• 6050 - [C#] Fix S2930 FN: Track System.Threading.CancellationTokenSource

Performance

• 8181 - [C#] Improve S5332 performance: Reuse compiled regex