Releases: SonarSource/sonar-dotnet

9.9

04 Sep 14:17
a1541b1

Hello everyone!

This release is focused on improving the symbolic execution engine to increase the issue accuracy.
We also deleted rule S2255 as its deprecation period came to an end.

Deleted Rules:

False Positives

  • 7859 - [C#, VB.NET] Fix S2589/S4158: Do not consider a collection not to be empty if a remove method was called.
  • 6158 - [C#, VB.NET] Fix S2259 FP: Recognize NotNull results of String methods

False Negatives

  • 7910 - [C#] Fix S112 FN: When using null-coalesce operator.
  • 7861 - [C#, VB.NET] Fix S4158 FN: If a collection is cleared, mark the collection as empty.
  • 7780 - [C#, VB.NET] Fix S2589 FN: Track numerical constant patterns.
  • 7704 - [C#, VB.NET] Fix FN S2583/S2589 when Equals is invoked with bool or number parameters.

Other improvements

  • Modify rule S3776 - Change the remediation cost from constant to analogous to the excess over the complexity threshold.
  • 7825 - Update RSPEC before the 9.9 release.

9.8

21 Aug 14:10
c1515ba

This release completes our effort to migrate all our symbolic execution rules from our old to our new engine: S2583 and S2589 are now migrated and see significant improvements. Also, they are now available for VB.NET. This being the last analyzer to migrate means that the engines don't run in parallel anymore, which significantly reduces analysis time.

On top of that, our TokenTypeAnalyzer got a rework, which also improves performance in terms of analysis time and memory usage.

This new release supports a new taxonomy for issues and hotspots that better reflects the characteristics of Clean Code.

New Rules

  • 7648 - [VB.NET] S2589: Boolean expressions should not be gratuitous
  • 7647 - [VB.NET] S2583: Conditionally executed code should be reachable

Improvements

  • 7646 - [C#] Migrate S2583/S2589 to the new Symbolic Execution engine (C#)
  • 7369 - [C#] UtilityAnalyzer: Move to a syntax based classification of identifiers in the token type utility analyzer
  • 7697, 7803 - Update RSPEC before 9.8 release

False Positives

  • 7789 - [C#] Fix S2583/S2589 FP: Do not raise when condition is in the body of a lock statement.
  • 2496 - [C#] Fix S2583,S2589 FP: with nullable struct - update symbolic execution engine
  • 5601 - [C#] Fix S2583 FP: Variable change not detected inside a loop
  • 5002 - [C#] Fix S2583 FP: Property pattern match in else-if condition
  • 4755 - [C#] Fix S2583 FP: When using nullable boolean in if-elseif-else.
  • 4559 - [C#] Fix S2583 FP: User-defined explicit/implicit casts
  • 3288 - [C#] Fix S2583 FP: Invocation argument constraints should be independent
  • 2411 - [C#] Fix S2583 FP: confusing message for Guid comparison - should trigger S2589 instead
  • 739 - [C#] Fix S2583 FP: Condition evaluates to constant - false positive when casting floating point numbers
  • 7489 - [C#] Fix S2589 FP: Deconstructing a tuple in foreach loop
  • 7096 - [C#] Fix S2589 FP: || and property patterns
  • 5221 - [C#] Fix S2589 FP with nullable value types
  • 3910 - [C#] Fix S2589 FP and FN: Conditional access and pattern matching
  • 3565 - [C#] Fix S2589 FP: with StringSegment and literal null
  • 3353 - [C#] Fix S2589 FP: ref parameters in multithreading

False Negative

  • 6745 - [C#, VB.NET] Fix S2589 FN: Detect comparison between constant values
  • 4515 - [C#] Fix S2583 FN: Local functions

9.7

04 Aug 14:46
d9025b5

This release focused on improving the precision of existing rules. We fixed a lot of False Positives, False Negatives, and bugs in Code Fixes.

We also reduced our memory footprint by reducing allocations in the hot path. Thank you @sharwell, for reporting this in #7439 and #7440.

Special thanks to our contributor @nalka0 for correcting our rule documentation in #7587.

Improvements

  • 7462 - [C#] Fix S1125: Codefix should set correct condition priority by adding parentheses.
  • 2618 - [C#] Fix S1125: Faulty code fix on C# pattern matching in conditional operator
  • 7213 - [C#] Improve S109 message

False Positive

  • 7633 - [C#] Fix S4023 FP: Interfaces that provide type parameters from base interface
  • 7629 - [C#] Fix S1186 FP: Empty method comes from interface
  • 7508 - [C#, VB.NET] Fix S6605 FP: Should not fire in expressions
  • 7324 - [C#] Fix S3063 FP: StringBuilder used in concatenation
  • 6912 - [C#] Fix S1144 FP: Unused fields in class with StructLayout
  • 5521 - [C#] Fix S1643 FP: should not apply when strings are not aggregated
  • 3945 - [C#] Fix S3925 FP: Classes not having extra properties should not have to extend ISerializable interface

False Negative

  • 7688 - [C#] Fix S1125 FN: recognize C#9 "is not" constant pattern
  • 2619 - [C#] Fix S1125 FN: recognize "is" keyword with constant pattern
  • 7713 - [C#] Fix S1643 FN: consider simple assignments with variable not on the innermost add expression

Performance

  • 7664 - Allocations: Make IsUnchanged allocation free in the common case
  • 7663 - Allocations: Move stringliteral tokens array to static field
  • 7656 - Allocations: Remove delegate allocation from IsExcluded
  • 7655 - Allocations: Remove delegate allocation from IsGenerated
  • 7440 - Allocations: Unroll AdditionalFile extension method
  • 7439 - Allocations: Avoid capturing and delegate allocations in SonarAnalysisContextBase

9.6

25 Jul 13:54
1366be8

This release introduces 3 new security-related rules for VB.NET and improves the precision of their existing C# versions by migrating them to the new symbolic execution engine.
This version also includes a new code fix and fixes for false negative issues.
Kudos to @Corniel for his contribution of a code fix for S125 (#313).

New Rules

  • 7560 - [VB.NET] New rule S2053: Hashes should include an unpredictable salt
  • 7562 - [VB.NET] New rule S3329: Cipher Block Chaining IVs should be unpredictable
  • 7565 - [VB.NET] New Rule S5773: Types allowed to be deserialized should be restricted

Improvements

  • 7424 - [VB.NET] Merge rule S2373 onto S119 (S2373 is now deprecated)
  • 313 - [C#] Rule S125: Add a code fix to remove the commented code

False Negative

  • 7617 - [C#, VB.NET] Fix S2053 FN: Encoding.GetBytes
  • 7547 - [C#, VB.NET] Fix S6588 FN: Rule should cover case with epoch ticks

9.5

07 Jul 13:04
31e3fbe

Release 9.5 introduces 9 new rules for C# and VB.NET developers, providing guidelines and best practices for handling date and time operations within their applications.
These rules cover a wide range of topics, including time zone conventions, common pitfalls, date parsing and formatting, time arithmetic, and more.

This release also includes one additional security rule and introduces fixes for false negatives and false positives.

Thanks to @Corniel for his contribution by implementing a new codefix for S6610 (#7517) and fixing a FP in S6354 (#7504).

New Rules

Date & time

  • 7080 - [C#, VB.NET] New rule S6588: Use DateTime(Offset).UnixEpoch instead of pointing to that date using the constructor
  • 7085 - [C#, VB.NET] New rule S6566: Always use DateTimeOffset instead of DateTime
  • 7083 - [C#, VB.NET] New rule S6561: Do not use DateTime.Now for benchmarking or timing operations
  • 7081 - [C#, VB.NET] New rule S6562: Always set the DateTimeKind when creating a new DateTime object
  • 7079 - [C#, VB.NET] New rule S6585: Don't hardcode the format provider when turning dates and times to string
  • 7078 - [C#, VB.NET] New Rule S6580: Always use DateTime.Parse overloads with an IFormatProvider parameter
  • 7077 - [C#, VB.NET] New rule S6575: Use TimeZoneInfo.FindSystemTimeZoneById instead of TimezoneConverter
  • 7076 - [C#, VB.NET] New Rule S6563: Use UTC when recording DateTime instants
  • 7490|7086 - [C#, VB.NET] New rule S3363: Date and time should not be used as types for primary keys

Others

  • 7290 - [C#] New rule S6640: Allowing unsafe code is security-sensitive

Improvements

  • 7516 - [C#, VB.NET] Rule S6588: implement CodeFix
  • 7517 - [C#] Rule S6610: implement CodeFix
  • 7469 - SE: Run for local functions
  • 7468 - SE: Run for Top-Level statements

False Positive

  • 7504 - [C#, VB.NET] Fix S6354 FP: Do not report on XML crefs and nameof
  • 6223 - [C#, VB.NET] Fix S5332 FP: Improve detection of namespace uris

False Negative

  • 7261 - [C#] Fix S2077 FN: Add support for Mono.Data.Sqlite
  • 7323 - [C#] Fix S2068 FN: add support for SecureString

9.4

20 Jun 08:30
eefdd88

Release 9.4 brings one new rule for C# and four new rules for VB.NET. It also brings improvements by migrating two more rules to the new symbolic execution engine, fixing false positives, and improving memory allocation.

Thanks to @sharwell for his contribution by reporting 7438.
Thanks to @Corniel for his contribution by implementing new rule S2925 in 7342.

New Rules

  • 7305 - [VB.NET] New rule S3966: Objects should not be disposed more than once
  • 7304 - [VB.NET] New rule S1944: Invalid casts should not be made
  • 7303 - [VB.NET] New rule S4158: Empty collections should not be accessed or iterated
  • 7342 - [C#, VB.NET] New Rule: S2925 Do not use Thread.Sleep() in a test

Improvements

  • 7302 - [C#] Migrate S3966 to the new Symbolic Execution engine
  • 7300 - [C#] Migrate S4158 to the new Symbolic Execution engine
  • 7301 - [C#] Improve S1944: Rule now detects more issues
  • 7322 - [C#] Symbolic Execution: Learn NotNull from ??= for nullable types
  • 7267 - [C#, VB.NET] Symbolic Execution: Add BinaryOperation for literals: division, remainder, xor
  • 7435 - [C#] Improve S4635: Update issue message
  • 7365 - [C#] Improve S2198: Update issue message
  • 7337 - Update RSPEC before 9.4 release

False Positives

  • 4261 - [C#] Fix S4158 FP: When a collection was filled by using delegates
  • 2147 - [C#] Fix S4158 FP: Variable instance mismatch
  • 7308 - [C#] Fix S3655 FP: Recognize ??= for nullable types
  • 6179 - [C#, VB.NET] Fix S4158 FP: When the collection was filled during for loops, was reported to be empty

Performance

  • 7438 - Memory allocation improvement: HasMatchingScope should not allocate a new delegate on every call

9.3

06 Jun 12:06
e47cf88

Improvements

  • 7318 - [C#, VB.NET] Improve S2437: message - replace silly with unnecessary

False Positive

  • 7286 - [C#] Fix S6605 and S6617 FP: Should not be applied to expressions used by EntityFramework

9.2

31 May 09:10
9d55571

This release brings a new implementation of rule S3949, which is now part of SonarWay again.

New features

  • 7147 - [VB.NET] New rule S3949: Integral operations should not overflow - for VB.NET
  • 7239 - [C#] Rule S6613: implement CodeFix

False Positive fixes

  • 7104 - [C#] Fix S2259 FP: Conditional access checked for bool
  • 3491 - [C#] Fix S3949 FP: Do not report inside GetHashCode

Improvements

  • 4631 - [C#] Migrate S3949 to the new Symbolic Execution engine
  • 7148 - [C#] S3949: Add rule to SonarWay profile
  • 7138 - [C#] Remove CBDE dependency
  • 7212 - [C#] Modify S3237 message to be more accurate
  • 7262 - [C#, VB.NET] Revert "UtilityAnalyzer: Use RegisterCompilationStartAction" - fix performance regression
  • 7234 - [C#, VB.NET] SE Fix FPs: Improve fixed-count loops
  • 7156 - [C#, VB.NET] SE: Cache NumberConstraint
  • 7111 - [C#, VB.NET] SE: Concatenate string expression returns non-null string
  • 7260 - Update RSPEC before 9.2 release

Bug Fixes

  • 7050 - [C#] Fix AD0001 on S1186: NullReferenceException for top-level methods

9.1

25 May 15:01
48001c5

Release 9.1 brings a set of rules that help users avoid performance pitfalls.

New Rules

  • 7132 - [C#] New rule S6618: "string.Create" should be used instead of "FormattableString"
  • 7131 - [C#, VB.NET] New rule S6617: "Contains" should be used instead of "Any" for simple equality checks
  • 7129 - [C#, VB.NET] New rule S6613: "First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
  • 7128 - [C#, VB.NET] New rule S6612: The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
  • 7127 - [C#, VB.NET] New rule S6610: "StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
  • 7126 - [C#, VB.NET] New rule S6609: "Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
  • 7125 - [C#, VB.NET] New rule S6608: Indexing should be used instead of "Enumerable" methods on types implementing "IList"
  • 7124 - [C#, VB.NET] New rule S6607: The collection should be filtered before sorting by using "Where" before "OrderBy"
  • 7123 - [C#, VB.NET] New rule S6605: Collection-specific "Exists" method should be used instead of the "Any" extension
  • 7122 - [C#, VB.NET] New rule S6603: The collection-specific "TrueForAll" method should be used instead of the "All" extension
  • 7121 - [C#, VB.NET] New rule S6602: "Find" method should be used instead of the "FirstOrDefault" extension

Improvements

  • 7197 - [VB.NET] Improve S2302 Message: Use NameOf for VB.NET
  • 7133 - [C#] Extend S3260 to include file access modifier on types

Bug Fixes

  • 7134 - [C#] Fix AD0001 in S138: NullReferenceException

False Negative

  • 2528 - [C#] FPs and FNs in the Symbolic Execution rules when null coalescing is combined with arithmetic expressions because we do not support constraints on integers

9.0

26 Apr 13:33
6a345b9

Release 9.0 changes the target framework from net46 to netstandard2.0. Thus, the minimum supported version is now .NET Framework 4.6.2.
Thanks to @Corniel for fixing an FP in S2049.

Improvements

  • 7095 - Update RSPEC before 9.0 release
  • 6028 - Target netstandard2.0 instead of net46
  • 4824 - [C#, VB.NET] SE: Update rule activation to be compatible with .editorconfig

False Positive

  • 3400 - [C#] Fix S3900 FP: When parameter reassigned from a method
  • 2591 - [C#] Fix S3900 FP: Re-assignment of parameters is ignored
  • 6972 - [C#] Fix S3900 FP: Ignore parameters with assigned values
  • 5729 - [C#] Fix S3900 FP: Recognize ArgumentNullException.ThrowIfNull()
  • 6953 - [C#] Fix S2094 FP: Records which set the base record's properties in their initializer