Enable roslyn analyzers (#1044)

* Add roslyn analyzers and corresponding rules

* Fix basic errors spotted by first round of analyzers

* Add exception to CA1507

Author: hoyosjs

eng/Analyzers.props

@@ -0,0 +1,9 @@
+<Project>
+  <PropertyGroup>
+    <CodeAnalysisRuleset>$(MSBuildThisFileDirectory)CodeAnalysis.ruleset</CodeAnalysisRuleset>
+    <EnableAnalyzers>true</EnableAnalyzers>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="3.0.0-beta3.final" PrivateAssets="all" />
+  </ItemGroup>
+</Project>

eng/CodeAnalysis.Repository.ruleset

@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<RuleSet Name="Microsoft SDL Roslyn Rules - v9.1"
+         Description="Microsoft SDL Roslyn Rules - v9.1"
+         ToolsVersion="14.0">
+
+  <Rules AnalyzerId="Microsoft.NetCore.Analyzers" RuleNamespace="Microsoft.NetCore.Analyzers">
+    <Rule Id="CA2301" Action="Error" />          <!-- Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder -->
+    <Rule Id="CA2302" Action="Error" />          <!-- Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize -->
+    <Rule Id="CA2305" Action="Error" />          <!-- Do not use insecure deserializer LosFormatter -->
+    <Rule Id="CA2311" Action="Error" />          <!-- Do not deserialize without first setting NetDataContractSerializer.Binder -->
+    <Rule Id="CA2312" Action="Error" />          <!-- Ensure NetDataContractSerializer.Binder is set before deserializing -->
+    <Rule Id="CA2315" Action="Error" />          <!-- Do not use insecure deserializer ObjectStateFormatter -->
+    <Rule Id="CA2321" Action="Error" />          <!-- Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver -->
+    <Rule Id="CA2327" Action="Error" />          <!-- Do not use insecure JsonSerializerSettings -->
+    <Rule Id="CA2328" Action="Error" />          <!-- Ensure that JsonSerializerSettings are secure -->
+    <Rule Id="CA2329" Action="Error" />          <!-- Do not deserialize with JsonSerializer using an insecure configuration -->
+    <Rule Id="CA2330" Action="Error" />          <!-- Ensure that JsonSerializer has a secure configuration when deserializing -->
+    <Rule Id="CA3061" Action="Error" />          <!-- Do Not Add Schema By URL -->
+    <Rule Id="CA5350" Action="Error" />          <!-- Do Not Use Weak Cryptographic Algorithms -->
+    <Rule Id="CA5351" Action="Error" />          <!-- Do Not Use Broken Cryptographic Algorithms -->
+    <Rule Id="CA5358" Action="Error" />          <!-- Review cipher mode usage with cryptography experts -->
+    <Rule Id="CA5361" Action="Error" />          <!-- Do Not Disable SChannel Use of Strong Crypto -->
+    <Rule Id="CA5364" Action="Error" />          <!-- Do Not Use Deprecated Security Protocols -->
+    <Rule Id="CA5378" Action="Error" />          <!-- Do not disable ServicePointManagerSecurityProtocols -->
+    <Rule Id="CA5397" Action="Error" />          <!-- Do not use deprecated SslProtocols values -->
+    <Rule Id="CA2322" Action="Info" />           <!-- Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing -->
+    <Rule Id="CA3001" Action="Info" />           <!-- Review code for SQL injection vulnerabilities -->
+    <Rule Id="CA3002" Action="Info" />           <!-- Review code for XSS vulnerabilities -->
+    <Rule Id="CA3003" Action="Info" />           <!-- Review code for file path injection vulnerabilities -->
+    <Rule Id="CA3004" Action="Info" />           <!-- Review code for information disclosure vulnerabilities -->
+    <Rule Id="CA3005" Action="Info" />           <!-- Review code for LDAP injection vulnerabilities -->
+    <Rule Id="CA3006" Action="Info" />           <!-- Review code for process command injection vulnerabilities -->
+    <Rule Id="CA3007" Action="Info" />           <!-- Review code for open redirect vulnerabilities -->
+    <Rule Id="CA3008" Action="Info" />           <!-- Review code for XPath injection vulnerabilities -->
+    <Rule Id="CA3009" Action="Info" />           <!-- Review code for XML injection vulnerabilities -->
+    <Rule Id="CA3010" Action="Info" />           <!-- Review code for XAML injection vulnerabilities -->
+    <Rule Id="CA3011" Action="Info" />           <!-- Review code for DLL injection vulnerabilities -->
+    <Rule Id="CA3012" Action="Info" />           <!-- Review code for regex injection vulnerabilities -->
+    <Rule Id="CA5359" Action="Info" />           <!-- Do Not Disable Certificate Validation -->
+    <Rule Id="CA5380" Action="Info" />           <!-- Do Not Add Certificates To Root Store -->
+    <Rule Id="CA5381" Action="Info" />           <!-- Ensure Certificates Are Not Added To Root Store -->
+    <Rule Id="CA5386" Action="Info" />           <!-- Avoid hardcoding SecurityProtocolType value -->
+    <Rule Id="CA5391" Action="Info" />           <!-- Use antiforgery tokens in ASP.NET Core MVC controllers -->
+    <Rule Id="CA5395" Action="Info" />           <!-- Miss HttpVerb attribute for action methods -->
+    <Rule Id="CA5396" Action="Info" />           <!-- Set HttpOnly to true for HttpCookie -->
+    <Rule Id="CA5398" Action="Info" />           <!-- Avoid hardcoded SslProtocols values -->
+  </Rules>
+
+  <Rules AnalyzerId="Microsoft.NetFramework.Analyzers" RuleNamespace="Microsoft.NetFramework.Analyzers">
+    <Rule Id="CA2153" Action="Error" />          <!-- Do Not Catch Corrupted State Exceptions -->
+    <Rule Id="CA3075" Action="Error" />          <!-- Insecure DTD processing in XML -->
+    <Rule Id="CA3147" Action="Error" />          <!-- Mark Verb Handlers With Validate Antiforgery Token -->
+  </Rules>
+
+  <Rules AnalyzerId="Microsoft.NetFramework.CSharp.Analyzers" RuleNamespace="Microsoft.NetFramework.CSharp.Analyzers">
+    <Rule Id="CA3076" Action="Error" />          <!-- Insecure XSLT script processing. -->
+    <Rule Id="CA3077" Action="Error" />          <!-- Insecure Processing in API Design, XmlDocument and XmlTextReader -->
+  </Rules>
+
+  <Rules AnalyzerId="Microsoft.NetFramework.VisualBasic.Analyzers" RuleNamespace="Microsoft.NetFramework.VisualBasic.Analyzers">
+    <Rule Id="CA3076" Action="Error" />          <!-- Insecure XSLT script processing. -->
+    <Rule Id="CA3077" Action="Error" />          <!-- Insecure Processing in API Design, XmlDocument and XmlTextReader -->
+  </Rules>
+</RuleSet>

eng/CodeAnalysis.Security.ruleset

@@ -0,0 +1,10 @@
+<RuleSet Name="Diagnostics Ruleset"
+         Description="Diagnostics Ruleset"
+         ToolsVersion="14.0">
+
+    <!-- Define all the analyzer rule actions for this repo. -->
+    <Include Path="CodeAnalysis.Repository.ruleset" Action="Default" />
+
+    <!-- This will override or define all rules needed values to be SDL compliant. -->
+    <Include Path="CodeAnalysis.Security.ruleset" Action="Default" />
+</RuleSet>

eng/CodeAnalysis.ruleset

@@ -26,4 +26,6 @@
   <PropertyGroup Condition="'$(TargetFramework)' != 'net462'">
     <DebugType>portable</DebugType>
   </PropertyGroup>
+
+  <Import Project="$(RepositoryEngineeringDir)Analyzers.props" />
 </Project>

src/Directory.Build.props

@@ -17,7 +17,7 @@ namespace Microsoft.Diagnostics.Monitoring
     public class LogValuesFormatter
     {
         private const string NullValue = "(null)";
-        private static readonly object[] EmptyArray = new object[0];
+        private static readonly object[] EmptyArray = Array.Empty<object>();
         private static readonly char[] FormatDelimiters = { ',', ':' };
         private readonly string _format;
         private readonly List<string> _valueNames = new List<string>();

src/Microsoft.Diagnostics.Monitoring/Logging/LogValuesFormatter.cs

@@ -36,7 +36,9 @@ public override void GetObjectData(SerializationInfo info, StreamingContext cont
             info.AddValue("WatsonBuckets", null, typeof(byte[])); // Do not rename (binary serialization)
         }
 
+#pragma warning disable CA1507
         public override string Message => _exceptionMessage.GetProperty("Message").GetString();
+#pragma warning restore CA1507
 
         public override string StackTrace => _exceptionMessage.GetProperty("VerboseMessage").GetString();
 

src/Microsoft.Diagnostics.Monitoring/Logging/LoggerException.cs

@@ -50,7 +50,7 @@ public byte[] SerializeV2()
                 writer.Write((uint)Format);
                 writer.Write(RequestRundown);
 
-                writer.Write(Providers.Count());
+                writer.Write(Providers.Count);
                 foreach (var provider in Providers)
                 {
                     writer.Write(provider.Keywords);

src/Microsoft.Diagnostics.NETCore.Client/DiagnosticsClient/EventPipeSessionConfiguration.cs

@@ -286,7 +286,7 @@ private void Invoke(MethodInfo methodInfo, InvocationContext context)
                 try
                 {
                     // Assumes zero parameter constructor
-                    object instance = _constructor.Invoke(new object[0]);
+                    object instance = _constructor.Invoke(Array.Empty<object>());
                     SetProperties(context, instance);
 
                     object[] arguments = BuildArguments(methodInfo, context);

src/Microsoft.Diagnostics.Repl/Command/CommandProcessor.cs

@@ -510,7 +510,7 @@ internal int GetNumberModules(
             out uint loaded,
             out uint unloaded)
         {
-            loaded = (uint)DataReader.EnumerateModules().Count();
+            loaded = (uint)DataReader.EnumerateModules().Count;
             unloaded = 0;
             return S_OK;
         }

src/SOS/SOS.Hosting/SOSHost.cs

@@ -93,7 +93,7 @@ private static Option RunCommand() =>
                 aliases: new[] { "-c", "--command" }, 
                 description: "Run the command on start.") 
             {
-                Argument = new Argument<string[]>(name: "command", defaultValue: new string[0]) { Arity = ArgumentArity.ZeroOrMore }
+                Argument = new Argument<string[]>(name: "command", defaultValue: System.Array.Empty<string>()) { Arity = ArgumentArity.ZeroOrMore }
             };
     }
 }

src/Tools/dotnet-dump/Program.cs

@@ -190,7 +190,7 @@ public static bool DumpFromEventPipe(CancellationToken ct, int processID, Memory
                     {
                         if (!(e is TaskCanceledException))
                         {
-                            throw ae;
+                            throw;
                         }
                     }
                 }

src/Tools/dotnet-gcdump/DotNetHeapDump/EventPipeDotNetHeapDumper.cs

@@ -252,12 +252,12 @@ private int Validate()
                     source.Process();
                     _droppedEvents = source.EventsLost;
                 }
-                catch (Exception e)
+                catch (Exception)
                 {
                     Logger.logger.Log($"Exception thrown while reading; dumping culprit stream to disk...");
                     eventPipeStream.DumpStreamToDisk();
                     // rethrow it to fail the test
-                    throw e;
+                    throw;
                 }
                 Logger.logger.Log("Stopping stream processing");
                 Logger.logger.Log($"Dropped {source.EventsLost} events");