Daniel-Svensson / OpenRiaServices

The Open RIA Services project continues what was previously known as WCF RIA Services.
Apache License 2.0

Bump Microsoft.CodeAnalysis.Analyzers from 2.9.3 to 2.9.4 #3

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps Microsoft.CodeAnalysis.Analyzers from 2.9.3 to 2.9.4.

Release notes

*Sourced from [Microsoft.CodeAnalysis.Analyzers's releases](https://github.com/dotnet/roslyn-analyzers/releases).*

> ## v2.9.4
> Release build of Roslyn-analyzers based on Microsoft.CodeAnalysis 2.9.0 NuGet packages. Contains bug fixes on top of v2.9.3 release and additional rules listed below.
>
> Works with VS 2017.9 or later.
>
> ### Added
> - Performance
>   - CA1827: Do not use Count() when Any() can be used -- **Enabled by default**
> - Security
>   - CA2326: Do not use TypeNameHandling values other than None
>   - CA2327: Do not use insecure JsonSerializerSettings
>   - CA2328: Ensure that JsonSerializerSettings are secure
>   - CA5387: Do Not Use Weak Key Derivation Function With Insufficient Iteration Count
>   - CA5388: Ensure Sufficient Iteration Count When Using Weak Key Derivation Function
>   - CA5389: Do Not Add Archive Item's Path To The Target File System Path -- **Enabled by default**
>   - CA5390: Do Not Hard Code Encryption Key -- **Enabled by default**
> - Usage
>   - CA2245: Do not assign a property to itself. -- **Enabled by default**
>
> ### Fixes
> - CA3075: Insecure DTD processing in XML -- Performance improvements.
> - CA5360: Do Not Call Dangerous Methods In Deserialization -- Fixed KeyNotFoundException.
>
> ## v2.9.4-beta1.final
> Pre-Release build of Roslyn-analyzers based on Microsoft.CodeAnalysis 2.9.0 NuGet packages. Contains following additional analyzers and additional bug fixes on top of v2.9.3 release:
>
> 1. Usage rule [CA2245](https://github-redirect.dependabot.com/MicrosoftDocs/visualstudio-docs/issues/3511) (AvoidPropertySelfAssignment) - On by default
> 2. Security rule [CA5387](https://github.com/dotnet/roslyn-analyzers/blob/bd2a0946ddfa1b11314737161a1b88d938302cbd/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseWeakKDFInsufficientIterationCount.cs#L25) (DefinitelyUseWeakKDFInsufficientIterationCount) - Off by default
> 3. Security rule [CA5388](https://github.com/dotnet/roslyn-analyzers/blob/bd2a0946ddfa1b11314737161a1b88d938302cbd/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseWeakKDFInsufficientIterationCount.cs#L34) (MaybeUseWeakKDFInsufficientIterationCount) - Off by default
> 4. Security rule [CA5389](https://github.com/dotnet/roslyn-analyzers/blob/1ee8a5d85ea54cd16a9f67a2ba087282d153d3d7/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs#L14) (DoNotAddArchiveItemPathToTheTargetFileSystemPath) - Off by default
>
> Works with VS 2017.9 or later.
Changelog

*Sourced from [Microsoft.CodeAnalysis.Analyzers's changelog](https://github.com/dotnet/roslyn-analyzers/blob/master/PostReleaseActivities.md).*

> Post-release activities
> =================================================================
>
> Please follow the below steps after publishing analyzer NuGet packages from this repo onto NuGet.org:
>
> 1. Create a new release OR Update an existing draft release:
>    1. Draft: Either click [here](https://github.com/dotnet/roslyn-analyzers/releases/new) to draft a new release OR update an [existing draft release](https://github.com/dotnet/roslyn-analyzers/releases). For reference, you can look at any of the existing releases, say [v2.9.3](https://github.com/dotnet/roslyn-analyzers/releases/edit/v2.9.3).
>    2. Release notes: Follow the steps in the *Steps to generate Release Notes* below to generate Release notes and copy the generated notes to the description section of the new release.
>    3. Publish: Mark the release as a pre-release if appropriate and click "Publish Release".
> 2. Repo changes:
>    1. Checkout a new branch from latest sources of release branch.
>    2. Update `VERSIONING.md`: Add a new row in the released version table.
>    3. Update `.github\ISSUE_TEMPLATE.md`: Update the package version in the example section to the latest released package version.
>    4. Update `eng\Versions.props`:
>       1. Bump up the `VersionPrefix`. If the new version prefix is greater than or equal to the current `FlowAnalysisUtilitiesVersionPrefix`, then update `FlowAnalysisUtilitiesVersionPrefix` to `$(VersionPrefix)`.
>       2. Reset `PreReleaseVersionLabel` to `beta1`.
>       3. Update `MicrosoftCodeAnalysisFXCopAnalyersVersion` to the latest released package version.
>    5. Build the repo by invoking `eng\common\CIBuild.cmd` and fix/suppress any new CA diagnostics, as appropriate. This should also update the analyzer documentation files in the repo to use the new version prefix.
>    6. Create and submit a PR with the above changes.
>
> Steps to generate Release Notes
> =================================================================
>
> 1. Checkout the sources for the release branch locally. This would normally be the master branch.
> 2. Build.
> 3. Ensure that nuget.exe is on path.
> 4. Generate notes: Switch to the output directory, say `artifacts\bin\ReleaseNotesUtil\Debug\netcoreapp2.0` and execute `GenDiffNotes.cmd` to generate release notes. Example command line for v2.9.4 to v2.9.5: `GenDiffNotes.cmd C:\scratch nuget.org 2.9.3 2.9.4`.
Commits

- [`a1a198d`](https://github.com/dotnet/roslyn-analyzers/commit/a1a198d1c5d2359e93dd4ab4b1c4f7421512724e) Merge pull request [#2710](https://github-redirect.dependabot.com/dotnet/roslyn-analyzers/issues/2710) from LLLXXXCCC/DoNotHardCodedEncryptionKey
- [`9d09736`](https://github.com/dotnet/roslyn-analyzers/commit/9d097367fcf6056302a7b8553cf5390e542b0d36) Update.
- [`13bf3cd`](https://github.com/dotnet/roslyn-analyzers/commit/13bf3cdc6fc14d53083230ad5d2047f453a1c1af) Hopefully fixed the bug.
- [`a1c8b3a`](https://github.com/dotnet/roslyn-analyzers/commit/a1c8b3ac4aeb09056f600dcca0c1e63ecdaa206e) Merge pull request [#2705](https://github-redirect.dependabot.com/dotnet/roslyn-analyzers/issues/2705) from mavasani/GenerateRulesetsCustomTags
- [`ecc1fed`](https://github.com/dotnet/roslyn-analyzers/commit/ecc1fedeb82e0b631a1e271879e7967821ab6ff9) Merge pull request [#2704](https://github-redirect.dependabot.com/dotnet/roslyn-analyzers/issues/2704) from mavasani/Issue2703
- [`dbc4f18`](https://github.com/dotnet/roslyn-analyzers/commit/dbc4f182ca747f895fad1addb44369d810e107f0) Merge pull request [#2699](https://github-redirect.dependabot.com/dotnet/roslyn-analyzers/issues/2699) from mavasani/AnalysisExclusion
- [`aa1b293`](https://github.com/dotnet/roslyn-analyzers/commit/aa1b29318968fdb198204aceaf9000c70eb5da83) Merge pull request [#2701](https://github-redirect.dependabot.com/dotnet/roslyn-analyzers/issues/2701) from LLLXXXCCC/RemoveDisallowReturningRSA
- [`fbadcb7`](https://github.com/dotnet/roslyn-analyzers/commit/fbadcb7650dd8b58c90901531171589710dd5220) Test case from issue's repro
- [`5fe406c`](https://github.com/dotnet/roslyn-analyzers/commit/5fe406cd9d5606f3f896e579a0b05ea5e9c5f9e7) Revert "Test case for repro from issue"
- [`9acfd50`](https://github.com/dotnet/roslyn-analyzers/commit/9acfd50a770a976349f17ff87224a082c036cea5) Generate analyzer rulesets based on custom tags
- Additional commits viewable in [compare view](https://github.com/dotnet/roslyn-analyzers/compare/v2.9.3...v2.9.4)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

dependabot-preview[bot] commented 4 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.