Merge branch 'master' into feature/SL-exclusions-inclusions

analyzers/its/expected/Automapper/AutoMapper--net461-S2445.json → analyzers/its/expected/Automapper/AutoMapper--net461-S6507.json

@@ -1,7 +1,7 @@
 {
 "issues":  [
 {
-"id":  "S2445",
+"id":  "S6507",
 "message":  "Do not lock on local variable 'typeMap', use a readonly field instead.",
 "location":  {
 "uri":  "sources\Automapper\src\AutoMapper\Configuration\MapperConfiguration.cs",

analyzers/its/expected/Automapper/AutoMapper--netstandard2.0-S2445.json → analyzers/its/expected/Automapper/AutoMapper--netstandard2.0-S6507.json

@@ -1,7 +1,7 @@
 {
 "issues":  [
 {
-"id":  "S2445",
+"id":  "S6507",
 "message":  "Do not lock on local variable 'typeMap', use a readonly field instead.",
 "location":  {
 "uri":  "sources\Automapper\src\AutoMapper\Configuration\MapperConfiguration.cs",

analyzers/packaging/SonarAnalyzer.CSharp.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>SonarAnalyzer.CSharp</id>
-    <version>8.54.0.0</version>
+    <version>8.55.0.0</version>
     <title>SonarAnalyzer for C#</title>
     <authors>SonarSource</authors>
     <owners>SonarSource</owners>
@@ -13,7 +13,7 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <summary>Roslyn analyzers that spot Bugs, Vulnerabilities and Code Smells in your code. For an even better overall experience, you can use SonarLint for Visual Studio, which is a free extension that can be used standalone or with SonarQube and/or SonarCloud.</summary>
     <description>Roslyn analyzers that spot Bugs, Vulnerabilities and Code Smells in your code. For an even better overall experience, you can use SonarLint for Visual Studio, which is a free extension (https://www.sonarlint.org/visualstudio/) that can be used standalone or with SonarQube (https://www.sonarqube.org/) and/or SonarCloud (https://sonarcloud.io/).</description>
-    <releaseNotes>https://github.com/SonarSource/sonar-dotnet/releases/tag/8.54.0.0</releaseNotes>
+    <releaseNotes>https://github.com/SonarSource/sonar-dotnet/releases/tag/8.55.0.0</releaseNotes>
     <language>en-US</language>
     <copyright>Copyright © 2015-2023 SonarSource SA</copyright>
     <tags>Roslyn Analyzers Refactoring CodeAnalysis CleanCode Clean Code</tags>

analyzers/packaging/SonarAnalyzer.VisualBasic.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>SonarAnalyzer.VisualBasic</id>
-    <version>8.54.0.0</version>
+    <version>8.55.0.0</version>
     <title>SonarAnalyzer for Visual Basic</title>
     <authors>SonarSource</authors>
     <owners>SonarSource</owners>
@@ -13,7 +13,7 @@
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <summary>Roslyn analyzers that spot Bugs, Vulnerabilities and Code Smells in your code. For an even better overall experience, you can use SonarLint for Visual Studio, which is a free extension that can be used standalone or with SonarQube and/or SonarCloud.</summary>
     <description>Roslyn analyzers that spot Bugs, Vulnerabilities and Code Smells in your code. For an even better overall experience, you can use SonarLint for Visual Studio, which is a free extension (https://www.sonarlint.org/visualstudio/) that can be used standalone or with SonarQube (https://www.sonarqube.org/) and/or SonarCloud (https://sonarcloud.io/).</description>
-    <releaseNotes>https://github.com/SonarSource/sonar-dotnet/releases/tag/8.54.0.0</releaseNotes>
+    <releaseNotes>https://github.com/SonarSource/sonar-dotnet/releases/tag/8.55.0.0</releaseNotes>
     <language>en-US</language>
     <copyright>Copyright © 2015-2023 SonarSource SA</copyright>
     <tags>Roslyn Analyzers Refactoring CodeAnalysis CleanCode Clean Code</tags>

analyzers/rspec/cs/S2445_c#.html

@@ -3,8 +3,8 @@
 <ol>
   <li> Locking on a non-<code>readonly</code> field makes it possible for the field’s value to change while a thread is in the code block locked on
   the old value. This allows another thread to lock on the new value and access the same block concurrently. </li>
-  <li> Locking on a local variable or a new instance of an object can undermine synchronization because two different threads running the same method
-  in parallel will potentially lock on different instances of the same object, allowing them to access the synchronized block at the same time. </li>
+  <li> Locking on a new instance of an object undermines synchronization because two different threads running the same method in parallel will lock
+  on different instances of the same object, allowing them to access the synchronized block at the same time. </li>
   <li> Locking on a string literal is also dangerous since, depending on whether the string is interned or not, different threads may or may not
   synchronize on the same object instance. </li>
 </ol>

analyzers/rspec/cs/S4433_c#.html

@@ -1,5 +1,5 @@
 <p>An LDAP client authenticates to an LDAP server with a "bind request" which provides, among other, a <a
-href="https://ldapwiki.com/wiki/Simple%20Authentication">simple authentication method</a>.</p>
+href="https://web.archive.org/web/20220922153922/https://ldapwiki.com/wiki/Simple%20Authentication">simple authentication method</a>.</p>
 <p>Simple authentication in LDAP can be used with three different mechanisms:</p>
 <ul>
   <li> <em>Anonymous Authentication Mechanism</em> by performing a bind request with a username and password value of zero length. </li>
@@ -30,6 +30,7 @@ <h2>See</h2>
   <li> <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication
   </li>
   <li> <a href="https://cwe.mitre.org/data/definitions/521">MITRE, CWE-521</a> - Weak Password Requirements </li>
-  <li> <a href="https://ldapwiki.com/wiki/Simple%20Authentication">ldapwiki.com</a>- Simple Authentication </li>
+  <li> <a href="https://web.archive.org/web/20220922153922/https://ldapwiki.com/wiki/Simple%20Authentication">ldapwiki.com</a>- Simple Authentication
+  </li>
 </ul>
 

analyzers/rspec/cs/S4545_c#.html

@@ -1,8 +1,9 @@
 <p>The <code>DebuggerDisplayAttribute</code> is used to determine how an object is displayed in the debugger window.</p>
-<p>The <code>DebuggerDisplayAttribute</code> constructor takes a single argument: the string to be displayed in the value column for instances of the
-type. Any text within curly braces is evaluated as the name of a field, property, or method.</p>
-<p>Naming a non-existent field, property or method between curly braces will result in a CS0103 error in the debug window when debugging objects.
-Although there is no impact on the production code, providing a wrong value can lead to difficulties when debugging the application.</p>
+<p>The <code>DebuggerDisplayAttribute</code> constructor takes a single mandatory argument: the string to be displayed in the value column for
+instances of the type. Any text within curly braces is evaluated as the name of a field or property, or any complex expression containing method calls
+and operators.</p>
+<p>Naming a non-existent member between curly braces will result in a CS0103 error in the debug window when debugging objects. Although there is no
+impact on the production code, providing a wrong value can lead to difficulties when debugging the application.</p>
 <p>This rule raises an issue when text specified between curly braces refers to members that don’t exist in the current context.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>

analyzers/rspec/cs/S6507_c#.html

@@ -0,0 +1,35 @@
+<p>Locking on a local variable can undermine synchronization because two different threads running the same method in parallel will potentially lock
+on different instances of the same object, allowing them to access the synchronized block at the same time.</p>
+<h2>Noncompliant Code Example</h2>
+<pre>
+private void DoSomething()
+{
+  object local = new object();
+  // Code potentially modifying the local variable ...
+
+  lock (local) // Noncompliant
+  {
+    // ...
+  }
+}
+</pre>
+<h2>Compliant Solution</h2>
+<pre>
+private readonly object lockObj = new object();
+
+private void DoSomething()
+{
+  lock (lockObj)
+  {
+    //...
+  }
+}
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/statements/lock">Lock Statement</a> - lock statement - ensure
+  exclusive access to a shared resource </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/412">MITRE, CWE-412</a> - Unrestricted Externally Accessible Lock </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/413">MITRE, CWE-413</a> - Improper Resource Locking </li>
+</ul>
+

analyzers/rspec/cs/S6507_c#.json

@@ -0,0 +1,24 @@
+{
+  "title": "Blocks should not be synchronized on local variables",
+  "type": "BUG",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
+  "tags": [
+    "cwe",
+    "multi-threading"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6507",
+  "sqKey": "S6507",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      412,
+      413
+    ]
+  },
+  "quickfix": "unknown"
+}

analyzers/rspec/vbnet/S4545_vb.net.html

@@ -1,8 +1,9 @@
 <p>The <code>DebuggerDisplayAttribute</code> is used to determine how an object is displayed in the debugger window.</p>
-<p>The <code>DebuggerDisplayAttribute</code> constructor takes a single argument: the string to be displayed in the value column for instances of the
-type. Any text within curly braces is evaluated as the name of a field, property, or method.</p>
-<p>Naming a non-existent field, property or method between curly braces will result in a BC30451 error in the debug window when debugging objects.
-Although there is no impact on the production code, providing a wrong value can lead to difficulties when debugging the application.</p>
+<p>The <code>DebuggerDisplayAttribute</code> constructor takes a single mandatory argument: the string to be displayed in the value column for
+instances of the type. Any text within curly braces is evaluated as the name of a field or property, or any complex expression containing method calls
+and operators.</p>
+<p>Naming a non-existent member between curly braces will result in a BC30451 error in the debug window when debugging objects. Although there is no
+impact on the production code, providing a wrong value can lead to difficulties when debugging the application.</p>
 <p>This rule raises an issue when text specified between curly braces refers to members that don’t exist in the current context.</p>
 <h2>Noncompliant Code Example</h2>
 <pre>

analyzers/src/AssemblyInfo.Shared.cs

@@ -23,10 +23,10 @@
 using System.Resources;
 using System.Runtime.InteropServices;
 
-[assembly: AssemblyVersion("8.54.0")]
-[assembly: AssemblyFileVersion("8.54.0.0")]
+[assembly: AssemblyVersion("8.55.0")]
+[assembly: AssemblyFileVersion("8.55.0.0")]
 // The value should look like "Version:X.X.X.X Branch:not-set Sha1:not-set"
-[assembly: AssemblyInformationalVersion("Version:8.54.0.0 Branch: Sha1:")]
+[assembly: AssemblyInformationalVersion("Version:8.55.0.0 Branch: Sha1:")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("SonarSource")]
 [assembly: AssemblyCopyright("Copyright © 2015-2023 SonarSource SA")]

analyzers/src/SonarAnalyzer.CFG/SonarAnalyzer.CFG.cs.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>SonarAnalyzer.CFG.CSharp</id>
-    <version>8.54.0.0</version>
+    <version>8.55.0.0</version>
     <title>C# CFG library for SonarAnalyzer</title>
     <authors>SonarSource</authors>
     <owners>SonarSource</owners>

analyzers/src/SonarAnalyzer.CSharp/Facade/CSharpFacade.cs

@@ -18,6 +18,7 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 
+using Microsoft.CodeAnalysis;
 using SonarAnalyzer.Helpers.Facade;
 
 namespace SonarAnalyzer.Helpers;
@@ -51,13 +52,19 @@ internal sealed class CSharpFacade : ILanguageFacade<SyntaxKind>
         node.FindConstantValue(model);
 
     public IMethodParameterLookup MethodParameterLookup(SyntaxNode invocation, IMethodSymbol methodSymbol) =>
+        invocation != null ? new CSharpMethodParameterLookup(GetArgumentList(invocation), methodSymbol) : null;
+
+    public IMethodParameterLookup MethodParameterLookup(SyntaxNode invocation, SemanticModel semanticModel) =>
+        invocation != null ? new CSharpMethodParameterLookup(GetArgumentList(invocation), semanticModel) : null;
+
+    private static ArgumentListSyntax GetArgumentList(SyntaxNode invocation) =>
         invocation switch
         {
-            null => null,
-            ObjectCreationExpressionSyntax x => new CSharpMethodParameterLookup(x.ArgumentList, methodSymbol),
-            InvocationExpressionSyntax x => new CSharpMethodParameterLookup(x, methodSymbol),
+            ArgumentListSyntax x => x,
+            ObjectCreationExpressionSyntax x => x.ArgumentList,
+            InvocationExpressionSyntax x => x.ArgumentList,
             _ when ImplicitObjectCreationExpressionSyntaxWrapper.IsInstance(invocation) =>
-                new CSharpMethodParameterLookup(((ImplicitObjectCreationExpressionSyntaxWrapper)invocation).ArgumentList, methodSymbol),
+                ((ImplicitObjectCreationExpressionSyntaxWrapper)invocation).ArgumentList,
             _ => throw new ArgumentException($"{invocation.GetType()} does not contain an ArgumentList.", nameof(invocation)),
         };
 

analyzers/src/SonarAnalyzer.CSharp/Facade/CSharpSyntaxFacade.cs

@@ -50,7 +50,7 @@ internal sealed class CSharpSyntaxFacade : SyntaxFacade<SyntaxKind>
 
     public override bool IsNullLiteral(SyntaxNode node) => node.IsNullLiteral();
 
-    public override bool IsKnownAttributeType(SyntaxNode attribute, KnownType knownType, SemanticModel model) =>
+    public override bool IsKnownAttributeType(SemanticModel model, SyntaxNode attribute, KnownType knownType) =>
         AttributeSyntaxExtensions.IsKnownType(Cast<AttributeSyntax>(attribute), knownType, model);
 
     public override IEnumerable<SyntaxNode> ArgumentExpressions(SyntaxNode node) =>

analyzers/src/SonarAnalyzer.CSharp/Helpers/CSharpMethodParameterLookup.cs

@@ -18,26 +18,25 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 
-namespace SonarAnalyzer.Helpers
+namespace SonarAnalyzer.Helpers;
+
+internal class CSharpMethodParameterLookup : MethodParameterLookupBase<ArgumentSyntax>
 {
-    internal class CSharpMethodParameterLookup : MethodParameterLookupBase<ArgumentSyntax>
-    {
-        public CSharpMethodParameterLookup(InvocationExpressionSyntax invocation, SemanticModel semanticModel)
-            : this(invocation.ArgumentList, semanticModel) { }
+    public CSharpMethodParameterLookup(InvocationExpressionSyntax invocation, SemanticModel semanticModel)
+        : this(invocation.ArgumentList, semanticModel) { }
 
-        public CSharpMethodParameterLookup(InvocationExpressionSyntax invocation, IMethodSymbol methodSymbol)
-            : this(invocation.ArgumentList, methodSymbol) { }
+    public CSharpMethodParameterLookup(InvocationExpressionSyntax invocation, IMethodSymbol methodSymbol)
+        : this(invocation.ArgumentList, methodSymbol) { }
 
-        public CSharpMethodParameterLookup(ArgumentListSyntax argumentList, SemanticModel semanticModel)
-            : base(argumentList?.Arguments, argumentList == null ? null : semanticModel.GetSymbolInfo(argumentList.Parent).Symbol as IMethodSymbol) { }
+    public CSharpMethodParameterLookup(ArgumentListSyntax argumentList, SemanticModel semanticModel)
+        : base(argumentList.Arguments, semanticModel.GetSymbolInfo(argumentList.Parent)) { }
 
-        public CSharpMethodParameterLookup(ArgumentListSyntax argumentList, IMethodSymbol methodSymbol)
-            : base(argumentList?.Arguments, methodSymbol) { }
+    public CSharpMethodParameterLookup(ArgumentListSyntax argumentList, IMethodSymbol methodSymbol)
+        : base(argumentList.Arguments, methodSymbol) { }
 
-        protected override SyntaxNode Expression(ArgumentSyntax argument) =>
-            argument.Expression;
+    protected override SyntaxNode Expression(ArgumentSyntax argument) =>
+        argument.Expression;
 
-        protected override SyntaxToken? GetNameColonArgumentIdentifier(ArgumentSyntax argument) =>
-            argument.NameColon?.Name.Identifier;
-    }
+    protected override SyntaxToken? GetNameColonArgumentIdentifier(ArgumentSyntax argument) =>
+        argument.NameColon?.Name.Identifier;
 }

analyzers/src/SonarAnalyzer.CSharp/Helpers/CSharpSyntaxHelper.cs

@@ -338,12 +338,10 @@ public static bool IsComment(this SyntaxTrivia trivia)
         ///
         /// There can be zero, one or more results based on parameter type (Optional or ParamArray/params).
         /// </summary>
-        public static ImmutableArray<SyntaxNode> ArgumentValuesForParameter(SemanticModel semanticModel, ArgumentListSyntax argumentList, string parameterName)
-        {
-            var methodParameterLookup = new CSharpMethodParameterLookup(argumentList, semanticModel);
-            return methodParameterLookup.TryGetSyntax(parameterName, out var expressions)
-                ? expressions
-                : ImmutableArray<SyntaxNode>.Empty;
-        }
+        public static ImmutableArray<SyntaxNode> ArgumentValuesForParameter(SemanticModel semanticModel, ArgumentListSyntax argumentList, string parameterName) =>
+            argumentList != null
+                && new CSharpMethodParameterLookup(argumentList, semanticModel).TryGetSyntax(parameterName, out var expressions)
+                    ? expressions
+                    : ImmutableArray<SyntaxNode>.Empty;
     }
 }