Closed Corniel closed 4 years ago
This was introduced in this PR.
Rule S2755 detects XXE vulnerabilities (which got shipped in the latest release 8.4) depending on the target .NET Framework.
.NET Framework 3.5 Service Pack 1 Mainstream Support End Date is 10/10/2023 and Extended Support End Date is in October 2028. That means vulnerable applications are still out there, and we're here to help.
Lifecycle dates are applicable to .NET 3.5 SP1 when running on Windows 10 version 1809, Windows Server 2019 or later. On older versions of Windows, .NET 3.5 SP1 adopts the lifecycle of the underlying Windows OS. Support for the .NET Framework 3.x versions prior to 3.5 SP1 ended on July 12th, 2011. .NET 3.5 SP1 is the only supported service pack level after this date.
And given #3149, we will keep that dependency (we need it for regression tests).
I agree it's a bit annoying 😞
Although we should remove the dependency from the solution csproj (the UTs should not depend on that). To run the ITs, though, it will be necessary.
@andrei-epure-sonarsource : Obviously, it is important to support .NET 3.5 for vulnerabilities. :) But, and that is my point, it is now hard (I didn't succeed yet) to build the solution and make contributions.
When I try to build the SonarAnalyzer.sln locally, that fails (I recently got a new PC; on my previous one it worked). There are a lot of issues, but the big one seems to be that I didn't install the .NET 3.5 SDK (SP1). I tried, and it didn't work (I rebooted because I was asked to, but no result). I successfully installed the 3.5 developer tools.
The more fundamental issue here, however, is obviously that I think that a solution like SonarAnalyzer should not depend on .NET 3.5 anymore (introduced in 2007), as we're in 2020 now.