What’s new in Code Analysis for Visual Studio 2010

This post summarizes the new functionality you will experience using Code Analysis in Visual Studio 2010. Note that Code Analysis is only available in the Premium and Ultimate editions of Visual Studio 2010.

Rule Sets

In Visual Studio 2010 you can manage the list of rules that are executed against your managed code using rule sets. Rule sets are persisted as XML files that may be included as part of your project or solution and checked into source code control along with your code. Visual Studio ships with several pre-defined rule sets:

  • Basic Correctness
  • Basic Design Guidelines
  • Extended Correctness
  • Extended Design Guidelines
  • Globalization
  • Minimum Recommended
  • Security

The new rule set editor allows you to create your own custom rule sets. You access the rule set configuration dialog and rule set editor from the Project Properties \ Code Analysis tab. For more information on using rule sets see the MSDN documentation: https://msdn.microsoft.com/en-us/library/dd264949(VS.100).aspx.

You also have the ability to configure all projects in a solution to use the same rule set from the Solution Properties. See the MSDN documentation: https://msdn.microsoft.com/en-us/library/dd465181(VS.100).aspx.
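Because rule sets are XML files that live in source control, they can be reviewed automatically like any other checked-in file. The following is an added example, not code from the Code Analysis team: a small Python audit that flags security rules from this post's New Rules list when a rule set switches them off. The element and attribute names (RuleSet, Include, Rules, Rule, Id, Action) and the included file name are assumptions about the .ruleset layout, since the post does not show a file, and the sample content is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a custom rule set checked in next to a project.
# Element/attribute names are an assumption about the .ruleset layout.
SAMPLE_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Team Rules" Description="Constructed sample" ToolsVersion="10.0">
  <Include Path="securityrules.ruleset" Action="Default" />
  <Rules AnalyzerId="Microsoft.Analyzers.ManagedCodeAnalysis"
         RuleNamespace="Microsoft.Rules.Managed">
    <Rule Id="CA2100" Action="None" />
    <Rule Id="CA2000" Action="Warning" />
    <Rule Id="CA2140" Action="Error" />
    <Rule Id="CA2147" Action="None" />
    <Rule Id="CA1303" Action="None" />
  </Rules>
</RuleSet>
"""

# Security-relevant rules from this post's "New Rules" list:
# CA2100, CA2130 through CA2147, and CA2149.
WATCHED = {"CA2100", "CA2149"} | {"CA%d" % n for n in range(2130, 2148)}


def audit_ruleset(xml_text, watched=WATCHED):
    """Return sorted (rule_id, action) pairs for watched rules that are
    explicitly configured to something other than Warning or Error."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("Rule"):
        rule_id = rule.get("Id", "")
        action = rule.get("Action", "")
        if rule_id in watched and action not in ("Warning", "Error"):
            findings.append((rule_id, action))
    return sorted(findings)


def included_rulesets(xml_text):
    """List the rule set files this rule set pulls in, for follow-up review."""
    root = ET.fromstring(xml_text)
    return [inc.get("Path") for inc in root.iter("Include")]


if __name__ == "__main__":
    for rule_id, action in audit_ruleset(SAMPLE_RULESET):
        print("%s is set to %s" % (rule_id, action))
    print("also review:", ", ".join(included_rulesets(SAMPLE_RULESET)))
```

The check only covers rules the file configures explicitly; rules inherited from an included rule set need the same audit run against that file.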

New Rules

The following managed code analysis rules are new:

  • CA1062: Validate arguments of public methods
  • CA1303: Do not pass literals as localized parameters
  • CA2000: Dispose objects before losing scope
  • CA2100: Review SQL queries for security vulnerabilities
  • CA2130: Security critical constants should be transparent
  • CA2131: Security critical types may not participate in type equivalence
  • CA2132: Default constructors must be at least as critical as base type default constructors
  • CA2133: Delegates must bind to methods with consistent transparency
  • CA2134: Methods must keep consistent transparency when overriding base methods
  • CA2135: Level 2 assemblies should not contain LinkDemands
  • CA2136: Members should not have conflicting transparency annotations
  • CA2137: Transparent methods must contain only verifiable IL
  • CA2138: Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute
  • CA2139: Transparent methods may not use the HandleProcessCorruptingExceptions attribute
  • CA2140: Transparent code must not reference security critical items
  • CA2141: Transparent methods must not satisfy LinkDemands
  • CA2142: Transparent code should not be protected with LinkDemands
  • CA2143: Transparent methods should not use security demands
  • CA2144: Transparent code should not load assemblies from byte arrays
  • CA2145: Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute
  • CA2146: Types must be at least as critical as their base types and interfaces
  • CA2147: Transparent methods may not use security asserts
  • CA2149: Transparent methods must not call native code
  • CA2202: Do not dispose objects multiple times
  • CA2204: Literals should be spelled correctly
  • CA2215: Dispose methods should call base class dispose
  • CA2241: Provide correct arguments to formatting methods

Rules CA1062, CA1303, CA2000, CA2100, CA2202, CA2204, CA2215 and CA2241 are all implemented using the new Phoenix analysis engine. We’ll discuss the Phoenix engine in a subsequent blog post.

Metrics

We improved the accuracy of calculating several metrics for switch statements and catch blocks.

New errors and warnings that FxCopCmd will generate

The following new error codes may be generated when FxCopCmd is unable to successfully analyze your code for one reason or another:

  • CA0061: The rule 'RuleId' referenced in rule set 'RuleSetName' could not be found.
  • CA0062: The rule 'RuleId' could not be found.
  • CA0063: Failed to load rule set file or one of its dependent rule set files.
  • CA0064: No analysis was performed because the specified rule set did not contain any FxCop rules.
  • CA0065: Unsupported metadata construct: Type 'TypeName' contains both a property and a field with the same name 'PropertyFieldName'
  • CA0066: The value '{0}' provided to the /targetframeworkversion is not a recognized version.
  • CA0067: Directory not found.
  • CA0068: Debug information could not be found for target assembly 'AssemblyName'.
  • CA0069: UsingAlternatePlatform. FrameworkVersion1 could not be found. Using FrameworkVersion2 instead. For best analysis results please ensure that the correct .NET Framework is installed.
  • CA0070: Unable to analyze permission attributes

Support for C# 4 language constructs

Support for C++ 0x language constructs

What’s gone

  • Policy Migration – TFS Checkin Policy

In Visual Studio 2008 you had the ability to copy your Code Analysis checkin policy settings from a TFS team project into the Solution / Project(s). This feature is not available in Visual Studio 2010. Use the new rule sets feature to configure the rules that will be executed during a build.

  • The following rules are no longer available:

      • CA1805: Do not initialize unnecessarily
      • CA2127: Security transparent assemblies should not contain security critical code (replaced by CA2136)
      • CA2128: Security transparent code should not assert (replaced by CA2147)
      • CA2129: Security transparent code should not reference non-public security critical members (replaced by CA2140)

  • Managed C++ in-source suppression. Use the code analysis global suppression file. If you need the suppression attributes to be defined in your source code you will need to copy or move them from the global suppression file into your source code.

Conclusion

Questions and comments are welcome. You may either post a comment for this blog or post a question on the Code Analysis team’s MSDN forum.

The Visual Studio Code Analysis Team.