What’s new in Code Analysis for Visual Studio 2010
This post summarizes the new functionality you will find when using Code Analysis in Visual Studio 2010. Note that Code Analysis is only available in the Premium and Ultimate editions of Visual Studio 2010.
Rule Sets
In Visual Studio 2010 you can manage the list of rules that are executed against your managed code using rule sets. Rule sets are persisted as XML files that may be included as part of your project or solution and checked into source code control along with your code. Visual Studio ships with several pre-defined rule sets:
- Basic Correctness
- Basic Design Guidelines
- Extended Correctness
- Extended Design Guidelines
- Globalization
- Minimum Recommended
- Security
The new rule set editor allows you to create your own custom rule sets. You access the rule set configuration dialog and rule set editor from the Project Properties \ Code Analysis tab. For more information on using rule sets see the MSDN documentation: https://msdn.microsoft.com/en-us/library/dd264949(VS.100).aspx.
You also have the ability to configure all projects in a solution to use the same rule set from the Solution Properties. See the MSDN documentation: https://msdn.microsoft.com/en-us/library/dd465181(VS.100).aspx.
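Because rule sets are XML files checked in beside the code, a build step can verify that nobody has switched off a rule the team relies on. The following is an added example, not code from the Code Analysis team: it assumes the RuleSet / Include / Rule element layout of a .ruleset file, and the sample file, its include path, the REQUIRED policy and the audit_ruleset name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a custom rule set that includes a shipped rule set
# and then overrides individual rules by ID.
SAMPLE_RULESET = """<RuleSet Name="Team Rules" Description="Constructed sample" ToolsVersion="10.0">
  <Include Path="securityrules.ruleset" Action="Default" />
  <Rules AnalyzerId="Microsoft.Analyzers.ManagedCodeAnalysis" RuleNamespace="Microsoft.Rules.Managed">
    <Rule Id="CA2100" Action="None" />
    <Rule Id="CA2000" Action="Warning" />
    <Rule Id="CA1303" Action="None" />
  </Rules>
</RuleSet>
"""

# Minimum action per rule. The rule IDs appear in this post; the minimums are
# this example's assumption, not a Microsoft recommendation.
REQUIRED = {"CA2100": "Error", "CA2000": "Warning", "CA1062": "Warning"}
RANK = {"None": 0, "Warning": 1, "Error": 2}


def audit_ruleset(xml_text, required=REQUIRED):
    """Return {rule_id: status} for every rule named in `required`."""
    root = ET.fromstring(xml_text)
    # Only entries written in this file are inspected; included files are
    # not resolved here.
    explicit = {r.get("Id"): r.get("Action", "unknown") for r in root.iter("Rule")}
    has_includes = any(True for _ in root.iter("Include"))

    report = {}
    for rule_id, minimum in sorted(required.items()):
        action = explicit.get(rule_id)
        if action is None:
            # Not listed here: its state depends on the included files, if any.
            report[rule_id] = "inherited" if has_includes else "missing"
        elif RANK.get(action, 0) < RANK[minimum]:
            report[rule_id] = "weakened:" + action
        else:
            report[rule_id] = "ok"
    return report


if __name__ == "__main__":
    for rule_id, status in audit_ruleset(SAMPLE_RULESET).items():
        print(rule_id, status)
```

A rule reported as inherited still needs the included rule set checked before it can be counted as enabled.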
New Rules
The following managed code analysis rules are new:
- Validate arguments of public methods
- Do not pass literals as localized parameters
- Dispose objects before losing scope
- Review SQL queries for security vulnerabilities
- Security critical constants should be transparent
- Security critical types may not participate in type equivalence
- Default constructors must be at least as critical as base type default constructors
- Delegates must bind to methods with consistent transparency
- Methods must keep consistent transparency when overriding base methods
- Level 2 assemblies should not contain LinkDemands
- Members should not have conflicting transparency annotations
- Transparent methods must contain only verifiable IL
- Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute
- Transparent methods may not use the HandleProcessCorruptingExceptions attribute
- Transparent code must not reference security critical items
- Transparent code must not reference security critical items
- Transparent methods must not satisfy LinkDemands
- Transparent code should not be protected with LinkDemands
- Transparent methods should not use security demands
- Transparent code should not load assemblies from byte arrays
- Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute
- Types must be at least as critical as their base types and interfaces
- Transparent methods may not use security asserts
- Transparent methods must not call native code
- Do not dispose objects multiple times
- Literals should be spelled correctly
- Dispose methods should call base class dispose
- Provide correct arguments to formatting methods
Rules CA1062, CA1303, CA2000, CA2100, CA2202, CA2204, CA2215 and CA2241 are all implemented using the new Phoenix analysis engine. We’ll discuss the Phoenix engine in a subsequent blog post.
Metrics
We improved the accuracy of calculating several metrics for switch statements and catch blocks.
New errors and warnings that FxCopCmd will generate
The following new error codes may be generated when FxCopCmd is unable to successfully analyze your code for one reason or another.
- The rule 'RuleId' referenced in rule set 'RuleSetName' could not be found.
- The rule 'RuleId' could not be found.
- Failed to load rule set file or one of its dependent rule set files.
- No analysis was performed because the specified rule set did not contain any FxCop rules.
- Unsupported metadata construct: Type 'TypeName' contains both a property and a field with the same name 'PropertyFieldName'
- CA0066: The value '{0}' provided to the /targetframeworkversion is not a recognized version.
- Directory not found.
- Debug information could not be found for target assembly 'AssemblyName'.
- UsingAlternatePlatform. FrameworkVersion1 could not be found. Using FrameworkVersion2 instead. For best analysis results please ensure that the correct .NET Framework is installed.
- Unable to analyze permission attributes
Support for C# 4 language constructs
Support for C++ 0x language constructs
What’s gone
- Policy Migration – TFS Checkin Policy
In Visual Studio 2008 you had the ability to copy your Code Analysis checkin policy settings from a TFS team project into the Solution / Project(s). This feature is not available in Visual Studio 2010. Use the new rule sets feature to configure the rules that will be executed during a build.
- The following rules are no longer available:
  - Do not initialize unnecessarily
  - Security transparent assemblies should not contain security critical code (replaced by CA2136)
  - Security transparent code should not assert (replaced by CA2147)
  - Security transparent code should not reference non-public security critical members (replaced by CA2140)
- Managed C++ in-source suppression. Use the code analysis global suppression file. If you need the suppression attributes to be defined in your source code you will need to copy or move them from the global suppression file into your source code.
Conclusion
Questions and comments are welcome. You may either post a comment for this blog or post a question on the Code Analysis team’s MSDN forum.
The Visual Studio Code Analysis Team.