Scaffolding

analyzers/rspec/cs/S2445_c#.html

@@ -0,0 +1,39 @@
+<p>Synchronizing on a class field synchronizes not on the field itself, but on the object assigned to it. So synchronizing on a non-<code>final</code>
+field makes it possible for the field’s value to change while a thread is in a block synchronized on the old value. That would allow a second thread,
+synchronized on the new value, to enter the block at the same time.</p>
+<p>The story is very similar for synchronizing on parameters; two different threads running the method in parallel could pass two different object
+instances in to the method as parameters, completely undermining the synchronization.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+private String color = "red";
+
+private void doSomething(){
+  synchronized(color) {  // Noncompliant; lock is actually on object instance "red" referred to by the color variable
+    //...
+    color = "green"; // other threads now allowed into this block
+    // ...
+  }
+  synchronized(new Object()) { // Noncompliant this is a no-op.
+     // ...
+  }
+}
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+private String color = "red";
+private final Object lockObj = new Object();
+
+private void doSomething(){
+  synchronized(lockObj) {
+    //...
+    color = "green";
+    // ...
+  }
+}
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://cwe.mitre.org/data/definitions/412">MITRE, CWE-412</a> - Unrestricted Externally Accessible Lock </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/413">MITRE, CWE-413</a> - Improper Resource Locking </li>
+</ul>
+

analyzers/rspec/cs/S2445_c#.json

@@ -0,0 +1,24 @@
+{
+  "title": "Blocks should be synchronized on \"private final\" fields",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
+  "tags": [
+    "cwe",
+    "multi-threading"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-2445",
+  "sqKey": "S2445",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      412,
+      413
+    ]
+  },
+  "quickfix": "unknown"
+}

analyzers/rspec/cs/Sonar_way_profile.json

@@ -96,6 +96,7 @@
     "S2386",
     "S2436",
     "S2437",
+    "S2445",
     "S2479",
     "S2486",
     "S2551",

analyzers/src/SonarAnalyzer.CSharp/Rules/SynchronizedFieldAssignment.cs

@@ -0,0 +1,43 @@
+/*
+ * SonarAnalyzer for .NET
+ * Copyright (C) 2015-2023 SonarSource SA
+ * mailto: contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+namespace SonarAnalyzer.Rules.CSharp;
+
+[DiagnosticAnalyzer(LanguageNames.CSharp)]
+public sealed class SynchronizedFieldAssignment : SonarDiagnosticAnalyzer
+{
+    private const string DiagnosticId = "S2445";
+    private const string MessageFormat = "FIXME";
+
+    private static readonly DiagnosticDescriptor Rule = DescriptorFactory.Create(DiagnosticId, MessageFormat);
+
+    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);
+
+    protected override void Initialize(SonarAnalysisContext context) =>
+        context.RegisterNodeAction(c =>
+            {
+                var node = c.Node;
+                if (true)
+                {
+                    c.ReportIssue(Diagnostic.Create(Rule, node.GetLocation()));
+                }
+            },
+            SyntaxKind.InvocationExpression);
+}

analyzers/tests/SonarAnalyzer.UnitTest/PackagingTests/RuleTypeMappingCS.cs

@@ -2369,7 +2369,7 @@ internal static class RuleTypeMappingCS
         // ["S2442"],
         // ["S2443"],
         // ["S2444"],
-        // ["S2445"],
+        ["S2445"] = "BUG",
         // ["S2446"],
         // ["S2447"],
         // ["S2448"],

analyzers/tests/SonarAnalyzer.UnitTest/Rules/SynchronizedFieldAssignmentTest.cs

@@ -0,0 +1,33 @@
+/*
+ * SonarAnalyzer for .NET
+ * Copyright (C) 2015-2023 SonarSource SA
+ * mailto: contact AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+using SonarAnalyzer.Rules.CSharp;
+
+namespace SonarAnalyzer.UnitTest.Rules;
+
+[TestClass]
+public class SynchronizedFieldAssignmentTest
+{
+    private readonly VerifierBuilder builder = new VerifierBuilder<SynchronizedFieldAssignment>();
+
+    [TestMethod]
+    public void SynchronizedFieldAssignment_CS() =>
+        builder.AddPaths("SynchronizedFieldAssignment.cs").Verify();
+}

analyzers/tests/SonarAnalyzer.UnitTest/TestCases/SynchronizedFieldAssignment.cs

@@ -0,0 +1,5 @@
+using System;
+
+public class Program
+{
+}