Sonarlint Visual Studio 2019

Jun 22, 2019
Tags: VisualStudio, StaticCodeAnalysis

Static code analysis inspects your source code (or compiled assemblies) for known patterns without running the program. Several code analyzers are available for C# in Visual Studio and/or Azure DevOps. They improve consistency, keep technical debt from accumulating and catch security issues before the code ships.

The older Code Analysis features in Visual Studio (Analyze > Run Code Analysis option) and Project properties (Code Analysis tab) are marked as deprecated and will not be covered in this post.

Table of contents:

  1. Visual Studio built-in analyzers
  2. SonarLint
  3. SonarQube
  4. Security Code Scan
  5. Audit.NET
  6. WhiteSource Bolt

Visual Studio built-in analyzers

The C# compiler platform in Visual Studio (Roslyn) already ships with some built-in analyzer rules. When you load a project (for example the eShopOnWeb reference implementation) and open a file, the analyzers installed in Visual Studio analyze the file and show any error, warning or information message in the Visual Studio Error List window.

By default, Visual Studio will only contain some analyzers for code styling that output as information messages. You can edit the default code analyzer rules in the Visual Studio options via:

Tools > Options > Text Editor > C# > Code Style

The severity of each rule can be changed in this options window:

By default, it only analyzes the open file but you can enable solution-wide analysis in the Visual Studio options to asynchronously analyze the entire solution. This option is found via:

Tools > Options > Text Editor > C# > Advanced > Enable full solution analysis

If you use Visual Studio 2019 and you have configured rules that produce errors or warnings, you will also see a counter at the bottom of the file alerting you to issues in that file. There are also colored squiggly lines in the text editor below the statement that may have an issue, and colored blocks in the scrollbar of the text editor indicating where in the file the issues are located. If you have the Productivity Power Tools extension installed, its Solution Error Visualization feature shows the same colored squiggly lines in the Solution Explorer window below filenames that have issues.

I have marked all visual indicators for errors and or warnings in the screenshot below:

SonarLint

For extra code analysis, I use the SonarLint extension in Visual Studio. This extension loads extra code analysis rules for several categories (code smells, bugs and security issues). For the full list see the SonarSource rules pages. Rules from SonarLint can be identified by the S prefix in the Error list window.

You can use a .ruleset file in your project to change the default severity of a rule or to disable it entirely, for both the built-in rules and the SonarLint rules. See the Microsoft Docs page on ruleset files for instructions on adding one to a project.
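A minimal .ruleset, added here as an example rather than taken from the original post: it raises SonarLint rule S2068 (hard-coded credentials) to an error so that the build fails, and switches off S1118 (utility classes should not have public constructors). The rule IDs are SonarSource's; the file name, the RuleSet name and the AnalyzerId/RuleNamespace values are assumptions, so compare them against a ruleset exported from your own SonarLint version before relying on them.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example ruleset (not from the original post). Save as team-security.ruleset
     next to the solution and reference it from each project (see the note below). -->
<RuleSet Name="Team security rules"
         Description="Severity overrides for SonarLint rules."
         ToolsVersion="15.0">
  <!-- AnalyzerId/RuleNamespace are assumed to match the SonarAnalyzer.CSharp package. -->
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <!-- S2068: hard-coded credentials. Default is a warning; make it a build error. -->
    <Rule Id="S2068" Action="Error" />
    <!-- S1118: utility classes with public constructors. Style-only here, so silence it. -->
    <Rule Id="S1118" Action="None" />
  </Rules>
</RuleSet>
```

To activate it, set the MSBuild property `<CodeAnalysisRuleSet>..\team-security.ruleset</CodeAnalysisRuleSet>` inside a `<PropertyGroup>` of each project file (or once in a Directory.Build.props at the solution root so every project picks it up). Rules that the file does not mention keep the severity the analyzer ships with.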

When using SonarLint, I usually enable the category column in my error list window to triage the warnings shown. You can right-click the error list window and use the option Show Columns > Category to add it.

SonarQube

The SonarLint extension also integrates with a SonarQube server. SonarQube is an open-source static code analysis platform that integrates with Visual Studio and with Azure DevOps. On the server you define a rule profile that all team members can pull into new or existing projects, so everyone analyzes against the same rules. When integrated with Azure DevOps, SonarQube can also provide code coverage metrics and code duplication analysis, shows how the number of issues evolves over time, and calculates a technical debt score for a solution. You can also fail a build if the solution does not meet a configured quality gate. SonarQube is great at providing code analysis and related dashboards, especially when working on a code project as a team. See the SonarQube website for all features and installation instructions.

Security Code Scan

Security Code Scan is a static analyzer extension that focuses on security issues in your code. It checks for patterns that indicate SQL injection or XSS vulnerabilities and for several other issue classes that OWASP identifies as security risks.

After installing the extension (and enabling full solution-wide analysis) the warnings from Security Code Scan are listed with the prefix SCS.
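What a Security Code Scan SQL-injection finding looks like in code, as an added example that is not from the original post or from the Security Code Scan project. The first method concatenates a caller-supplied value into the command text, which is the pattern the analyzer reports as SQL injection; the second sends the same value as a typed parameter, which it accepts. The table name, column name and connection string are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post): the same query written in the
// form Security Code Scan flags and in the form it accepts.
public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // BEFORE: the public parameter flows straight into CommandText.
    // Security Code Scan tracks 'userName' from the method parameter into the
    // query string and reports it as SQL injection. A value such as
    //   ' OR 1=1 --
    // turns the WHERE clause into a tautology and counts every row.
    public int CountUsersVulnerable(string userName)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText =
                "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // AFTER: the query text is a constant and the value travels as a parameter,
    // so quotes or comment markers in userName are data, never SQL syntax.
    // Giving the parameter an explicit type and length also avoids implicit
    // conversions on the server side.
    public int CountUsersSafe(string userName)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }
}
```

The warning disappears only once no tainted value reaches CommandText; wrapping the concatenated string in a helper method does not help, because the analyzer follows the data through the call.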

Audit.NET

Audit.NET is an extension for Visual Studio that scans your packages.config file and compares the package references against several public databases of known vulnerabilities. Any issue with a package is shown in the Error List window as an error. These errors are not blocking and will not prevent you from building, debugging or running your solution.

At the time of this writing, the extension can analyze .NET Core projects (which use PackageReference instead of packages.config), but it does not seem to show the current issues in the Error List window correctly.

WhiteSource Bolt

WhiteSource Bolt is the free version of WhiteSource and can be integrated with Azure DevOps. The free version can be used in a commercial environment, but check the terms of service and data-usage policies: it sends metadata and file hashes to WhiteSource and stores them on servers hosted in the United States. This may be an issue in certain corporate environments (especially in Europe).

WhiteSource Bolt analyzes your project and will report on NuGet packages or included DLL files with known vulnerabilities. It will also give you an overview of all used 3rd party components and their licenses.

See the last step of the Trigger a build section in the Azure DevOps labs for screenshots of the report produced for a build.