Bump SonarAnalyzer.CSharp from 9.16.0.82469 to 10.15.0.120848

[dependabot]

User description

Updated SonarAnalyzer.CSharp from 9.16.0.82469 to 10.15.0.120848.

Release notes

Sourced from SonarAnalyzer.CSharp's releases.

10.15

False Positive

• NET-2198 - Fix S1905 FP: Cast of default! expression is required
• NET-2197 - Fix S1905 FP: stackalloc and Span conversions
• NET-1641 - Fix S1905 FP: casting IEnumerable<string?> to IEnumerable<string>
• NET-2157 - Fix S2589 FP: Don't raise an issue after a delegate is invoked
• NET-2073 - Fix S2699 FP: Add support for FsCheck property tests
• NET-1537 - Fix S6964 FP: Don't raise on properties annotated with the BindRequiredAttribute

Improvement

• NET-2112 - Consider ExplodedNodes relevant if a successor would be relevant
• NET-2183 - SE: Set constraint on operation when learning from IsPattern

False Negative

• NET-429 - Fix S4275 FN: Support partial properties

Task

• NET-2208 - Update RSpec before release

10.14

Hey everyone,

This release mostly focuses on mitigating (NET-2196) a performance regression that was introduced in 10.13.

Improvement

• NET-2196 - Fix path algorithm for execution flows to mitigate performance regression
• NET-2177 - Improve how the Symbolic Execution engine handles exception paths
• NET-2135 - Support xUnit V3
• NET-2163 - Provide Interface for other plugins to add rules to VB.NET SonarWay profile

False Negative

• NET-235 - Fix S2053: Adjust required salt length to be 32 bytes

Task

• NET-2170 - Update RSPEC before 10.14 release

10.13

Hello everyone,

In this release, we've focused on:

• False positive fixes
• Enhancing S2259's secondary locations to provide clearer, step-by-step explanations of null pointer dereferences issues.

False Positives

• NET-2099 - Fix S3885 FP: Do not raise in ResolutionEventHandler
• NET-2023 - Fix S3257 FP: Array with target-typed new
• NET-1646 - Fix S3267 FP: Loops should be simplified with LINQ expressions
• NET-1588 - Fix S1066 FP: Combination of dynamic and out should not raise
• NET-882 - Fix S3257 FP: Don't raise for C# 10 and later when there's explicit delegate creation

Improvements

• NET-2095 - Improve incremental PR analysis path detection
• SE: S2259 - Improve secondary locations

10.12

This release brings the VB version of S6418 and a few FP and FN fixes.

New Rule

• NET-1379 - New Rule: Implement S6418 Hard-coded secrets are security-sensitive for VB.NET

False Positive

• NET-1526 - Fix S3267 FP: Only raise on IEnumerable

False Negative

• NET-1260 - Fix S1215 FN: GC.GetTotalMemory(forceFullCollection: true) should not be called
• NET-1258 - Fix S6678 FN: Lowercase placeholders in interpolated string
• NET-1255 - Fix S3267 FN: Logical operators are not supported

Task

• NET-2060 - Update RSPEC before 11.12 release

10.11

Hello everyone!
In this release we fixed a bunch of false positives and false negatives.
Additionally this version adds support for telemetry in order to gather information on feature usage. Telemetry, requires scanner 10.2.0 or greater.

False Positive

• NET-1522 - Fix S2068 FP: Do not raise on password:secret
• NET-1149 - Fix S3626 FP: Add exception when return statement is preceding local functions

False Negative

• NET-1263 - Fix S1871 FN: Nested if .. else if chain
• NET-1256 - S2068: Remove word boundary(\b) from regex
• NET-1254 - Fix S3878 FN: When params are passed as array through an attribute
• NET-1252 - FN S1168: Support IndexerDeclaration and ConversionOperatorDeclaration
• NET-459 - Fix S1168 FN: Add support for partial indexers

10.10.1

Bugfix release to fix combability with SonarQube Cloud + a simplification to the ProfileRegistrar

Task

• NET-1463 - Update RSPEC before 10.10.1 release
• NET-1461 - Make CSharpSonarWayProfile be compatible and simplify ProfileRegistrar

10.10

Hey everyone, this release mostly focuses on internal and technical things.

General

• NET-1444 - Move ProfileRegistrar to org.sonar.plugins.csharpenterprise.api
• NET-1326 - Update RSPEC before 10.10 release

Internal Styling Rules

• NET-1378 - New Rule T0045: Use var
• NET-1359 - New Rule T0043: Avoid primary constructors on normal classes and structs
• NET-1358 - New Rule T0042: Indent raw string literal +4
• NET-1357 - New Rule T0041: Use raw string literals for multiline strings
• NET-1356 - New Rule T0040: Use minimum necessary interpolation characters
• NET-1355 - New Rule T0039: Protected field should start with lower case letter
• NET-1354 - New Rule T0038: Use fields instead of auto-implemented private or protected properties
• NET-1347 - New Rule T0000: Don't use Get prefixes
• NET-1346 - New Rule T0037: Use .Test suffix namespace
• NET-1345 - New rule T0046: Move extension method to dedicated class
• NET-1344 - New Rule T0035: Do not use var for this deconstruction
• NET-1343 - New Rule T0034: Do not embed var into this condition
• NET-1342 - New Rule T0033: Swap the logic to use positive conditions instead
• NET-1341 - New Rule T0032: Move the method body to the next line
• NET-1339 - New Rule T0030: Move the field initializer on the same line
• NET-1338 - New Rule T0029: Indent all arguments +4 further than the invocation line
• NET-1337 - New Rule T0028: Move all arguments on the same line, or wrap all of them
• NET-1336 - New Rule T0027: Move subsequent expressions on separate lines
• NET-1335 - New Rule T0026: Indent member access +4 further than the initial line
• NET-1334 - New Rule T0025: Indent ‘?’ and ‘:’ +4 further than the condition line
• NET-1333 - New Rule T0024: Place multiline ‘?’ and ‘:’ on separate lines
• NET-1332 - New Rule T0022: Indent all parameters with the first one
• NET-1331 - New Rule T0021: Use extension methods for Linq
• NET-1329 - New Rule T0019: Indent operator correctly
• NET-1328 - New Rule T0018: Move the operator to the beginning of the next line
• NET-1327 - New Rule T0015: Move local function at the end of the method
• NET-1237 - New Rule T0044: Don't add Arrange, Act, and Assert(s) comments
• NET-1325 - Improve T0007: Raise on nondeclaring is { } check

10.9

Hello everyone!

This is a mega-hardening release! Enjoy 😄

False Positive

• NET-1309 - Fix S2583 FP: Support overrides in IsImplementingInterfaceMember
• NET-1308 - Fix S2583 FP: Add support for AdressOf operator
• NET-1302 - Fix S4158 FP: Don't raise on GetEnumerator() calls
• NET-1295 - Fix S3236 FP: Exclude Debug.Assert
• NET-1290 - Fix S4158 FP: Support RouteValueDictionary in AspNetCore
• NET-1289 - Fix S4158 FP: Adding methods with well defined sematics
• NET-1288 - Fix S4158 FP: Recognize Add methods with bool return type
• NET-1287 - Fix S4158 FP: Don't raise on SetValue
• NET-1280 - Fix S2342 FP: Flaky reports
• NET-1278 - Fix S3440 FP: Variable assignment and switch expression
• NET-1246 - Fix S1481 FP: Don't report on discard like looking variables
• NET-1242 - Fix S2583/S4158 FP: Support for collections that are initialized with object
• NET-1241 - Fix S2589 FP: Don't track concurrent collections
• NET-1230 - Fix S4158 FP: Immutable collections
• NET-1223 - Fix S3267 FP: ref struct types cannot leave the stack
• NET-1214 - Fix S2259 FP: Foreach loop over empty collection
• NET-1212 - Fix S2259 FP: Learn bool from NotNull constraint and Null value
• NET-1208 - Fix S2589 FP: Rule ignores case guards
• NET-1207 - Fix S3966 FP: disposing element of indexable after declaration pattern
• NET-1203 - Fix S3966 FP: Enumerating a collection of tuples
• NET-1202 - Fix S2259 FP: Foreach nested in try, nested in loop
• NET-1188 - Improve S4158 - Empty Collections should not be Enumerated
• NET-1088 - Fix S3240 FP: Ignore when a conditional block contains a ternary
• NET-800 - Fix S2259 FP: FlowCaptures in loops and try-regions

False Negative

• NET-1299 - Fix S2053 FN: Support Copy methods
• NET-1257 - Fix S4790 FN: New HashData overloads not recognized
• NET-1194 - Fix S4158 FN: Collection Expressions (C# 12)
• NET-357 - Fix S2068 FN: does not consider launchSettings.json files
• NET-210 - Fix S4158 FN: AddRange with empty collection

Bug

• NET-1267 - Fix S2068 bug: Issue location is out of range in web.config for elements or attributes with an xml namespace
• NET-1184 - Roslyn rule import should map the issue severity to the Software Quality impact in SonarQube Server

Improvement

• NET-1217 - Improve S3996: Set location to the property instead of record

10.8

A small release with a few improvements for S1172, S2222 and S4158:

False Positive

• NET-1210 - Fix S4158 FP: collection filled by another function
• NET-1168 - Fix S1172 FP: When parameter is used in local function in a null-conditional or null-coalescing statement

False Negative

• NET-427 - Fix S2222 FN: Support locking via Lock object primitives
• NET-1228 - Fix S4158 FN: Support LinkedList

10.7



Improvement

• NET-1116 - Deprecate S1227: break statements should not be used except for switch cases
• NET-1045 - Remove unused AnalyzerId and RuleNamespace server properties

Bug

• NET-1047 - Fix install scripts for NuGet packages

10.6

Improvement

• NET-735 - Remove RoslynProfileExporter
• NET-1031 - Remove deprecated SonarLintProfileExporter
• NET-1038 - Add symbolic-execution tag to our rules
• NET-988 - Remove S1197 from SonarWay for VB.NET
• NET-989 - S3444: Add secondary location message
• NET-982 - S4144: Add secondary location message
• NET-979 - S4663: Add secondary location message
• NET-978 - S1168: Add secondary location message
• NET-977 - S4047: Add secondary location message
• NET-976 - S4457: Add secondary location message
• NET-975 - S1066: Add secondary location message
• NET-974 - S4070: Add secondary location message
• NET-973 - S1110: Add secondary location message
• NET-971 - S2612: Add secondary location message
• NET-970 - S6667: Add secondary location message
• NET-969 - S6931: Add secondary location message
• NET-968 - S6934: Add secondary location message
• NET-967 - S5034: Add secondary location message
• NET-966 - S6607: Add secondary location message
• NET-965 - S4143: Add secondary location message
• NET-961 - S6664: Add secondary location message
• NET-960 - S6677: Add secondary location message
• NET-956 - S6673: Add secondary location message

10.5

### Improvement

• NET-957 - S5693: Add secondary location message

10.4

Improvements

In this release, we have added support for test density and metrics at the individual file level. You can now view the number of unit tests, as well as details on skipped tests, failed tests, and test duration, from all supported coverage tools (xUnit, MsTest, and nUnit).

Additionally, we have significantly optimized memory allocation, resulting in memory usage reduction during registration.

False Positive

• NET-868 - Fix S1854 FP: Don't raise when inner finally assignment is used to outer block
• NET-865 - Fix S1172 FP: Parameter used as extension delegate target
• NET-863 - Fix S1172 FP: Don't report on partial method parameters
• NET-862 - Fix S1854 FP: Don't raise in catch when variable is used in following catch
• NET-857 - Fix S3655 FP: Types with implicit conversion operator
• NET-836 - Fix S1854 FP: Value used after catch

False Negative

• NET-798 - Fix S1854 FN: Support &&, ||, ?? and ??=

Task

• NET-763 - Update RSPEC before 10.4 release

10.3



False Positive

• NET-675 - Fix S1144 FP: support struct constructor calls
• NET-499 Telemetry: Report Language version and target framework

Other

• NET-622 - Update license files to SSAL

10.2



New Rules

• NET-635 - [C#] New rule S6418 for C#: Hard-coded secrets are security-sensitive

Improvement

• NET-567 - Remove S6605 from SonarWay profile and update the RSPEC to mention that the rule makes sense only for .NET versions <9
• NET-566 - Remove S6603 from SonarWay profile and update the RSPEC to mention that the rule makes sense only for .NET versions <9
• NET-407 - S2551: Improve RSpec recommendation
• NET-226 - S3878: Improve RSPEC to include collection expressions
• NET-528 - MetricAnalyzer: Line numbers does not respect ExcludeFromCodeCoverage for partial properties
• NET-527 - MetricAnalyzer: Function count should not count partial property declaration parts

False Positive

• NET-553 - Fix S4260 FP: Do not raise twice for partial properties
• NET-543 - Fix S4059 FP: Do not raise twice for partial properties
• NET-534 - Fix S3353 FP: Support ref locals
• NET-456 - Fix S2292 FP: Do not raise on partial properties
• NET-389 - Fix S2386 FP: support 'ReadOnlySet'
• NET-388 - Fix S3887 FP: support 'ReadOnlySet'
• NET-356 - Fix S3878 FP: support 'param' with implicit custom methods
• NET-568 - Remove S6602 from SonarWay profile and update the RSPEC to mention that the rule makes sense only for .NET versions <9
• NET-601 - Fix S4275 FP: Support &= assignment

False Negative

• NET-550 - SymbolReferenceAnalyzer: References to partial declarations are not detected
• NET-416 - Fix S2201 FN: Add support for FrozenSet
• NET-368 - Fix S4015 FN: Does not trigger on indexers
• NET-359 - Fix S4545 FN: Escape chars and new lines breaks DebuggerDisplay

10.1

False Negative

• NET-228 - S5856: Support Regex.EnumerateSplits and Regex.EnumerateMatches
• NET-227 - S6444: Support Regex.EnumerateSplits and Regex.EnumerateMatches

10.0

New rule

• NET-24 - New Rule S7039: Content Security Policies should be restrictive

False negatives

• NET-497 - Fix S3343 FN: Support primary constructors
• NET-486 - Fix S1125 FN: Null-suppression operator suppresses S1125
• NET-278 - Fix FN S1481: Support linq range variables
• NET-305 - Fix S1481 FN: Support for C# 7 variable declarations

False positives

• NET-402 - Fix S2953 FP: Implement IDisposable.Dispose on extension methods static class
• NET-212 - Fix S2589 FP: List count with AddRange()
• NET-165 - Fix S4144 FP: Methods with different return types
• NET-108 - Fix S3963 FP: Tuple assignments
• NET-125 - Fix S2933 FP: Assignment to this
• NET-265 - Fix S1144 FP: Public indexer in nested class used in parent class
• NET-265 - Fix S6967 FP: Methods with string, object and dynamic arguments
• NET-278 - Fix S2629 FP: Do not raise on log4net.Error(Exception)
• NET-405 - Fix S3459 FP: Support @​ref bindings in razor files / partial Blazor components

Bug

• NET-29 - Fix AD0001: NullReferenceException is thrown in S1871

Improvements

• NET-63 - Rule S5693: Extend the rule to support OpenReadStream

9.32

This rule includes the promotion of 4 rules to Sonar-way, the deprecation of 1 rule and 2 FP fixes.

Rule Promotions and Deprecations

• 9644 - Modify S2387: Deprecate rule
• 9643 - Modify S4050: Promote to Sonar-way
• 9642 - Modify S2674: Promote to Sonar-way
• 9641 - Modify S3993: Promote to Sonar-way
• 9640 - Modify S4052: Promote to Sonar-way

False Positive

• 9590 - [C#] Fix S6966 FP: EntityFrameworks IDbContextFactory CreateDbContext method is preferred over its Async counterpart
• 8300 - [C#] Fix S3431 FP: Don't raise if assertions are done in catch or finally

9.31

This release focuses on improving the SonarQube plugin for the .NET analyzers.

Improvements

• 9558 - SQ Plugin: Load STIG standard after ACOMMONS-11 is done
• 8503 - SQ Plugin: Align logging for not indexed files
• 7798 - SQ Plugin: Remove the sonar runtime checks for versions prior 9.9
• 7115 - SQ Plugin: Replace org.sonar.api.utils.log.Logger
• 4687 - SQ Plugin: Add xunit report paths in products UI
• 4685 - SQ Plugin: Remove deprecated import of integration test coverage from plugins
• 3102 - SQ Plugin: Replace usages of deprecated Build.setProfile in the integration tests
• 8032 - SQ Plugin: Update the plugin to store the hash for the .cshtml files to enable incremental PR analysis

9.30

Hello, everyone. In this release, we worked on hardening our live variable analysis, which improved the analyzer's accuracy.

False Positives

• 9473 - Fix S1854 FP: Raises when a variable is reassigned in a using body after it has been already assigned in using statement
• 9472 - Fix S1854 FP: Raises when a variable is assigned in the switch statement and not used in the first case
• 9471 - Fix S1854 FP: Raises when a variable is assigned in expression that is part of the ternary condition
• 9468 - Fix S1854 FP: Throw should connect to outer catch
• 9466 - Fix S1854 FP: Throw should visit finally

9.29

This release includes a lot of false positive and false negative fixes.

Improvements

• 2120 - [C#] Improve S3247: Rule should recommend pattern matching for new C# instead of as
• 9465 - Update RSPEC before 9.29 release

False Positive

• 7522 - [C#] Fix S1104 FP: Do not report in Unity3D serializable classes
• 6990 - [C#] Fix S1144 FP: Event with a concrete sender
• 3842 - [C#] Fix S1144 FP: Ignore unused Deconstruct methods
• 8239 - [C#] Fix S1450 FP: When field is assigned value in event handler
• 9494 - [C#] Fix S1694 FP: Abstract class with field or constructor
• 9421 - [C#] Fix S1694 FP: Protected abstract methods
• 3605 - [C#] Fix S2219 FP: Is operator used for pattern matching
• 8266 - [C#] Fix S2259 FP: SE engine doesn't take into account element existence collection methods
• 9485 - [C#] Fix S3247 FP: Should not report on member access objects
• 6343 - [C#] Fix S3963 FP: Static constructor with conditional and no static field initialization
• 7961 - [C#, VB.NET] Fix S2699 FP: Support Moq

False Negative

• 9491 - [C#] Fix S3247 FN: When cast expression contains parentheses
•   223 - [C#] Fix S3247 FN: Rule should catch more duplicated cast

9.28

False Positive

• 9432 - [C#] Fix S1144 FP: Unused fields in class with StructLayout when struct is in deep hierarchy class
• 9379 - [C#] Fix S1144 FP: Diagnostic doesn't respect reflection with DynamicallyAccessedMembers attribute
• 8342 - [C#] Fix S1144 FP: Private Attributes
• 7068 - [C#] Fix S4144 FP: when type constraints are used
• 3050 - [C#] Fix S1479 FP: Single line case clause should be ignored
• 9447 - [C#] Fix S1854 FP: Value used in catch or when should LiveIn for all try blocks
• 9440 - [C#] Fix S1854 FP: Value used in finally should LiveIn for all try blocks
• 4948 - [C#] Fix S1854 FP: Value used in finally should LiveIn after throw
• 6894 - [C#, VB.NET] Fix S3878 FP: When non-object array is passed to object[] params as first argument
• 6893 - [C#, VB.NET] Fix S3878 FP: when a params argument is named

False Negative

• 8719 - [C#, VB.NET] Fix S2583/S2589 FN: try-catch in loop, LVA purges symbol prematurely
• 4940 - [C#] Fix S1854 FN: Proper support of try/catch statements
• 1255 - [C#] Fix S1871 FN: Support single line conditional block

9.27

This release includes a ton of false positive and false negative fixes. We would also like to thank @​sagi1623 for his contribution in #​8464, which fixed three issues 🚀.

Improvements

• RSPEC change - Rule S1694: Promoted to SonarWay
• 9390 - Rule S6608: Benchmark is benchmarking the wrong things
• 8795 - [C#] Improve S1694: Remove part about protected constructor
• 5417 - Enable multiple project level issues
• 9372 - Update RSPEC before 9.27 release

False Positive

• 9247 - [C#] Fix S2629 FP: Constant fields in interpolated string
• 9241 - [C#, VB.NET] Fix S2094 FP: Allow empty queries
• 9106 - [C#] Fix S3459 FP: Backing field with ref property
• 8522 - [C#, VB.NET] Fix S3220 FP: Rule does not take into account generics
• 8436 - [C#] Fix S3253 FP: Don't raise for primary constructor in type declarations without parameters when they inherit from types with parameters
• 8199 - [C#, VB.NET] Fix S2737 FP: Raised when exception filter is used
• 8025 - [C#] Fix S2325 FP: Partial method implementations
• 7521 - [C#] Fix S2743 FP: Should not raise when base type is generic
• 7137 - [VB.NET] Fix S1654 FP: Do not report on event handlers, interfaces and overrides

False Negative

• 9002 - [C#, VB.NET] Fix S6931 FN: Route templates starting with ~/
• 6644 - [C#] Fix S2190 FN: No issues raised if recursion is inside an EventDeclaration by @​sagi1623
• 6643 - [C#] Fix S2190 FN: No issues raised if recursion is inside a ConversionOperatorDeclaration by @​sagi1623
• 6642 - [C#] Fix S2190 FN: No issues raised if recursion is inside an indexer by @​sagi1623
• 4081 - [C#] Fix S2743 FN: Static fields of nested class inside generic class

9.26

New Rules

• 8871 - [C#] New rule S6932: Use model binding instead of reading raw request data
• 8992 - [C#] New rule S4347: Secure random number generators must not output predictable values
• 8996 - [C#] New rule S6781: JWT secret keys should not be disclosed
• 8982 - [C#] New rule S6377: XML signatures should be verified securely
• 8998 - [C#] New rule S5344: Passwords should not be stored in plain-text or with a fast hashing algorithm

Bug Fixes

• 8577 - Fix S2234 Bug: AD0001 is thrown due to referencing a location outside of the current compilation

Improvements

• 9282 - [C#] S6964: Issue is reported on the attribute instead of the property

False Positive

• 9360 - [C#] Fix S6964 FP: Properties decorated with the [BindNever] attribute
• 9337 - [C#] Fix S6964 FP: Add more attributes to the exclusions
• 9336 - [C#] Fix S6966 FP: Don't raise on XmlReader and XmlWriter methods
• 9331 - [C#] Fix S6964 FP: Property with a default value
• 9285 - [C#] Fix S6964 FP: Do not raise in properties with required modifier
• 9284 - [C#] Fix S6964 FP: Should not raise for reference properties in nullable context
• 9275 - [C#] Fix S6964 FP: Don't raise on properties annotated with the JsonRequiredAttribute
• 9269 - [C#] Fix S6966 FP: EntityFrameworks DbContext/DBSet Add/AddRange methods are preferred over their Async counterpart
• 9265 - [C#] Fix S6966 FP: MongoDB Find can not be replaced by FindAsync
• 9252 - [C#] Fix S6934 FP: Abstract Controller base class
• 8985 - [C#] Fix S6934 FP: Attributes implementing IRouteTemplateProvider or inheriting from RouteAttribute

False Negative

• 9263 - [C#] Fix S6964 FN: Rule should raise in case of value type property annotated with RequiredAttribute

9.25.1

The latest Roslyn compiler version changes the way Razor files are compiled, and this hotfix release takes care of these changes. For more information check this issue.

Bug Fixes

• 9288 - [C#] Metrics analyzer for Razor: Lines of code are outside the range of the file

9.25

Hello everyone,

This release comes with seven new rules for ASP.NET core alongside some improvements.
Enjoy!

New Rules

• 9096 - [C#] New Rule S6966: Awaitable method should be used
• 9095 - [C#] New Rule S6967: ModelState.IsValid should be called in controller actions
• 9094 - [C#] New Rule S6964: The value type properties of a model class should be nullable or marked as "Required" to avoid under-posting.
• 9093 - [C#] New rule S6968: Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type
• 9092 - [C#] New rule S6965: You should use HttpAttribute in API controller actions
• 9091 - [C#] New rule S6962: You should pool HTTP connections with HttpClientFactory
• 9089 - [C#] New rule S6960: Controllers should not have too many responsibilities

Bug Fixes

• 9193 - Fix AD0001: Named Attribute Arguments in S6930

False Positive

• 9219 - [C#] Fix S1144 FP: Getters/Setters of property with attribute are being flagged

Improvements

• 9187 - Update RSPEC before 9.25 release
• 9186 - [C#] Rule S6961: Implement CodeFix

Rule deprecations and deletions

• 9175 - [VB.NET] Delete S2353: Remove deprecated rule
• 9189 - [C#] Deprecate S6803

9.24

Hey everyone,
This release contains one new ASP.NET Rule (S6961) and several general improvements and fixes. Enjoy!

Improvements

• 9090 - [C#] New rule S6961 for C#: API Controllers should derive from ControllerBase instead of Controller
• 8696 - Fix coverage aggregation from multiple reports
• 9048 - Create SonarAnalyzer.CSharp.Styling project
• 7774 - [C#, VB.NET] Fix S1144: Nested type constructor accessibility is wrong in the rule message
• 8980 - Update RSPEC before 9.24 release

Bug Fixes

• 9113 - [C#, VB.NET] AD0001: ArgumentNullException in SymbolicExecutionRunner
• 8977 - [C#] CfgAllPathValidator AreAllSuccessorsValid Stack Overflow on Windows and error MSB6006 in Linux Codespaces

False Positive

• 9063 - [C#, VB.NET] Fix S2094 FP: Should not raise for messages
• 9062 - [C#, VB.NET] Fix S2094 FP: Documentation using the DefaultDocumentation package
• 7591 - [C#, VB.NET] Fix S2094 FP: Implicit parameterless constructor widens the scope of the base class constructor
• 8163 - [C#, VB.NET] Fix S3878 FP: Jagged arrays

False Negative

• 6724 - [C#, VB.NET] Fix S1144 FN: Unused private getters and private setters
• 6699 - [C#] Fix S1144 FN: Unused local functions

9.23.2

Hello, everyone!

Today we are doing a bug fix release that also addresses a couple of false positives. We deprecated VB support for S6931 and removed the rule from the "Sonar Way" quality profile for VB.

Special thanks to @​Corniel for fixing #​9019!

Bug fix

• 9022 - S6931 and S6934 raises AD0001 warnings

Improvements

• 9075 - Update RSPEC before 9.23.2 release

False Positive

• 9011 - [C#] Fix S2094 FP: Primary constructor calling base class constructor
• 8905 - [C#, VB.NET] Fix S2259 FP: PropertyReference does not learn from the underlying symbol

9.23.1

Bug Fixes

• 8984 - Fix StackOverflow in CfgAllPathValidator.AreAllSuccessorsValid
• 8991 - [C#, VB.NET] Fix TypeInitializationException in SymbolStartAnalysisContextWrapper

False Positive

• 8532 - [C#, VB.NET] Fix S1144 FP: Do not raise on serializable members

9.23

Hello everyone!
This release comes with two new rules for ASP.NET, false positive fixes, and other improvements.

A big thank you to @​Corniel for their external contribution with #​8898!

New Rules

• 8872 - [C#] New rule S6934: You should specify the RouteAttribute when an HttpMethodAttribute is specified at an action level
• 8870 - [C#, VB.NET] New rule S6931: ASP.NET controller actions should not have a route template starting with "/"

False Positives

• 8898 - [C#] Fix S3993 FP: Allow abstract attributes not to decorate Attribute usage
• 8510 - [C#] Fix S3878 FP: When the input array is a collection expression with the spread operator
• 8260 - [C#] Fix S1117 FP: Field/property instances are not accessible from static methods
• 7709 - [C#] Fix S2094 FP: Marker interface not detected when using records
• 6633 - [C#] Fix S2857 FP: Rule is not checking SQL keywords in const interpolated string

Other improvements and fixes

• 8935 - [C#] Rule S6602: Improve the logging message when recommending for Array.Find
• 7999 - [C#] Fix S1125 codefix: Do not add ! when transforming x == false.

9.22

New Rules

• 8869 - [C#, VB.NET] New rule S6930: Backslash should be avoided in route templates
• 8844 - [C#] New rule S3416: Loggers should be named for their enclosing types
• 8840 - [C#] New rule S6675: Trace.WriteLineIf should not be used with TraceSwitch levels
• 8847 - [C#] New rule S2139: Exceptions should be either logged or rethrown but not both
• 8845 - [C#] New rule S6664: Too many logging calls within a code block
• 8843 - [C#] New rule S6672: Generic logger injection should match enclosing type
• 8842 - [C#] New rule S6669: Logger field names should comply with a naming convention
• 8841 - [C#] New rule S6670: Trace.Write and Trace.WriteLine should not be used
• 8769 - [C#] New rule S6673: Log message template placeholders should be in the right order
• 8846 - [C#] New rule S1312: Logger fields should be private static readonly [Non-SonarWay]

False Positive

• 7088 - [C#, VB.NET] Fix S2589 FP: When local is assigned in for loop
• 8264 - [C#, VB.NET] Fix S2583 FP: Code wrongly considered unreachable
• 8891 - [C#] Fix S2629 FP: Allow concatenation of constants

9.21

New Rules

• 8771 - [C#] New rule S6678: Use PascalCase for named placeholders
• 8770 - [C#] New rule S6674: Log message template should be syntactically correct
• 8768 - [C#] New rule S2629: Logging templates should be constant
• 8767 - [C#] New rule S6677: Named placeholders should be unique
• 8766 - [C#] New rule S6667: Exceptions should be passed as an argument when logging in a catch clause
• 8765 - [C#] New rule S6668: Logging arguments should be passed to the correct parameter

Improvements

• The following rules were promoted to the SonarWay profile: S127, S1244, S1696, S1192, S1994, S2701, S2955

Bug Fixes

• 8787 - [C#] Fix AD0001: SonarAnalyzer.Rules.CSharp.SymbolicExecutionRunner throws an exception on unknown Numeric Constraints

False Positive

• 8823 - [C#] Fix S2701 FP: avoid raising for xUnit Assert.True()
• 6772 - [C#] Fix S4507 FP: Error raised on .NET 7 although the debug feature is deactivated

9.20

Hey everyone!

This release brings a vast number of improvements. The main focus lies on improving the capabilities of our Symbolic Execution engine, which results in much more accurate findings. The biggest visible impact is a significant reduction in false positives around loops for the rules S2583 and S2589.

And a big thank you to @​rcatley for their external contribution!

Bug Fixes

• 8642 - [C#] Exception in SonarAnalyzer.Rules.CSharp.SymbolicExecutionRunner

False Positive

• 8678 - [C#, VB.NET] Fix S2583 FP: Variable Updated in Catch Block
• 8028 - [C#, VB.NET] Fix S2583 FP: Loop with manually incremented counter
• 8449 - [C#, VB.NET] Fix S2589 FP: Change this condition so that it does not always evaluate to 'True'
• 8495 - [C#, VB.NET] Fix S2583/S2589 FP: Return inside lock and using causes FP after the block
• 8428 - [C#, VB.NET] Fix S2583/S2589 FP: For loop with Array.Length
• 8483 - [C#, VB.NET] Fix S4158 FP: Should not report on HashSet.UnionWith for readonly fields.
• 8739 - [C#] Fix S4049 FP: Do not raise on methods with generic parameters
• 8638 - [C#] Fix S2386 & S3887 FP: should not be raised for FrozenDictionary and FrozenSet
• 8611 - [C#] Fix S2372 FP: Add support for method invocations (@​rcatley)
• 8567 - [C#] Fix S2325 FP: Primary Constructor Support

False Negative

• 8486 - [C#] Fix S2589 FN: Tuple binary operations (comparison)

Improvements

• 8010 - [C#, VB.NET] S2589: Improve message in the case of null propagating operator
• 7866 - [C#, VB.NET] SE: Allow collection tracking even when S4158 is not active
• 8499 - [C#] SE: Learn number constraints from relational pattern
• 8651 - Update RSPEC before 9.20 release

9.19

Hello,

small release to enhance the deprecation warning before SonarQube v.10.4, explicitly notifying users analyzing with MSBuild 14 that it's no longer supported while maintaining the deprecation status for MSBuild 15.
Furthermore, we've also introduced three improvements to our rules:

Improvements

• 8609 - AnalysisWarningAnalyzerBase: targeted warnings for MSBuild14/15
• 8559 - [C#, VB.NET] Fix S2178 Rule message: Mention extracting right operand if applicable
• 6139 - [C#, VB.NET] Detect symbol references for @ keyword identifiers
• 3753 - [C#, VB.NET] S1186: also inspect empty set and init and empty local functions

9.18

Hi everyone!

This release focuses on fixing false positives and on general improvements that will be included in the upcoming SonarQube 10.4.

False Positive

• 7792 - [C#, VB.NET] Fix S1125 FP: Type check with System.Object
• 7904 - [C#] Fix S1144 FP: Record method PrintMembers
• 6326 - [C#] Fix S2437 FP: None of the operands is 0
• 7620 - [C#] Fix S6618 FP: Projects targeting runtime lower than .NET 6.0
• 8560 - [C#] Fix S4027 FP: BinaryFormatter. Serialization constructors are obsolete and should not be required

Improvements

• 4993 - [C#] Improve S3925 message to be clear about expected action
• 3604 - [C#] Improve S2971 message to use AsEnumerable in LINQ database query
• 7960 - [C#, VB.NET] Deprecate rule S3884
• 8554 - Update RSPEC before 9.18 release

9.17

Hi everyone!

We are shipping some more improvements to our Symbolic Execution rules reducing the number of false positives.

False Negatives

• 8493 - [C#] Fix S2583/S2589 FN and S2259 FP: Add support for relational pattern

False Positive

• 7665 - [C#, VB.NET] Fix S2259 FP: is not and short-circuit or
• 8382 - [C#, VB.NET] Fix S2589 FP: Custom Equals(null) is wrongly assumed to always return false
• 8504 - [C#, VB.NET] Fix S1104 FP: Should be ignored on classes and structs marked as [Serializable]

Commits viewable in compare view.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

CodeAnt-AI Description

• Upgraded the SonarAnalyzer.CSharp global package reference from version 9.16.0.82469 to 10.15.0.120848 in Directory.Packages.props.
• No other files or settings were modified; existing PrivateAssets and IncludeAssets metadata remain unchanged.

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codeant-ai]

CodeAnt AI is reviewing your PR.

[codeant-ai]

Pull Request Feedback 🔍

🔒 No security issues identified

⚡ Recommended areas for review Build Impact Updating SonarAnalyzer.CSharp from 9.x to 10.x can surface many new diagnostics. If any project treats warnings as errors, the build may suddenly fail. Make sure CI passes with the stricter analyzer set and consider suppressing or fixing newly-raised issues before merging.

[codeant-ai]

CodeAnt AI finished reviewing your PR.