v2.9.0

@genlu genlu released this 28 Mar 19:24
ea7ff1c

Release build of Roslyn-analyzers based on Microsoft.CodeAnalysis 2.9.0 NuGet packages. Contains additional analyzers/fixers and additional bug fixes on top of v2.6.3 release.

Works with VS 2017.9 or later.

Added

  • Design
    • CA1031: Do not catch general exception types -- Enabled by default
    • CA1062: Validate arguments of public methods
  • Globalization
    • CA1303: Do not pass literals as localized parameters
  • Maintainability
    • CA1508: Avoid dead conditional code
  • Naming
    • CA1712: Do not prefix enum values with type name -- Enabled by default
  • Reliability
    • CA2000: Dispose objects before losing scope
  • Security
    • CA2100: Review SQL queries for security vulnerabilities
    • CA2300: Do not use insecure deserializer BinaryFormatter
    • CA2301: Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder
    • CA2302: Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize
    • CA2305: Do not use insecure deserializer LosFormatter
    • CA2310: Do not use insecure deserializer NetDataContractSerializer
    • CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder
    • CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing
    • CA2315: Do not use insecure deserializer ObjectStateFormatter
    • CA3001: Review code for SQL injection vulnerabilities
    • CA3002: Review code for XSS vulnerabilities
    • CA3003: Review code for file path injection vulnerabilities
    • CA3004: Review code for information disclosure vulnerabilities
    • CA3005: Review code for LDAP injection vulnerabilities
    • CA3006: Review code for process command injection vulnerabilities
    • CA3007: Review code for open redirect vulnerabilities
    • CA3008: Review code for XPath injection vulnerabilities
    • CA3009: Review code for XML injection vulnerabilities
    • CA3010: Review code for XAML injection vulnerabilities
    • CA3011: Review code for DLL injection vulnerabilities
    • CA3012: Review code for regex injection vulnerabilities
    • CA5359: Do Not Disable Certificate Validation -- Enabled by default
    • CA5360: Do Not Call Dangerous Methods In Deserialization -- Enabled by default
    • CA5361: Do Not Disable SChannel Use of Strong Crypto -- Enabled by default
    • CA5362: Do Not Refer Self In Serializable Class
    • CA5363: Do Not Disable Request Validation -- Enabled by default
    • CA5364: Do Not Use Deprecated Security Protocols -- Enabled by default
    • CA5365: Do Not Disable HTTP Header Checking -- Enabled by default
  • Usage
    • CA2213: Disposable fields should be disposed

Removed

  • Naming
    • Async002: Async Method Names Should End in Async
  • Usage
    • Async001: Avoid Async Void
    • Async003: Don't Pass Async Lambdas as Void Returning Delegate Types
    • Async004: Don't Store Async Lambdas as Void Returning Delegate Types
    • Async006: Don't Mix Blocking and Async