Open mavasani opened 5 years ago
Would be good to also take care of https://github.com/dotnet/roslyn-analyzers/pull/2687#discussion_r307794032
As far as I can see this is handled. I'll let @mavasani or @dotpaul confirm and close the ticket.
Thanks @Evangelink for the ping. Still need to figure out what the behavior should be and implement that, if needed.
Except if I am missing something here but the ticket and the comment are talking about the `excluded_symbol_names` options which are handled here https://github.com/dotnet/roslyn-analyzers/blob/master/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs#L132-L141
It's currently handled by skipping dataflow analysis when both rules disable a symbol. This issue was opened to figure out what to do if one rule disables the symbol for dataflow analysis, and the other rule leaves the symbol enabled for dataflow analysis.
I suppose I can say no one's complained so far, so the current implementation is good enough. :smile:
Ohhh got it! I saw the TODO in the code but I thought this was one TODO missing an associated work item. My bad!
Would it be possible to say that we store the result of the `IsConfiguredToSkipAnalysis` option in a variable and at the time where we report we do a match?
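```csharp
// skipDefinitelyInsecureSerializer and skipMaybeInsecureSerializer are the stored
// per-rule IsConfiguredToSkipAnalysis results proposed above; they are not declared
// in this fragment.
foreach (KeyValuePair<(Location Location, IMethodSymbol? Method), HazardousUsageEvaluationResult> kvp
    in allResults)
{
    DiagnosticDescriptor descriptor;
    switch (kvp.Value)
    {
        case HazardousUsageEvaluationResult.Flagged:
            // Drop the result if the "definitely insecure" rule excluded this symbol.
            if (skipDefinitelyInsecureSerializer)
            {
                continue;
            }
            else
            {
                descriptor = DefinitelyInsecureSerializer;
            }

            break;

        case HazardousUsageEvaluationResult.MaybeFlagged:
            // Drop the result if the "maybe insecure" rule excluded this symbol.
            if (skipMaybeInsecureSerializer)
            {
                continue;
            }
            else
            {
                descriptor = MaybeInsecureSerializer;
            }

            break;

        default:
            Debug.Fail($"Unhandled result value {kvp.Value}");
            continue;
    }

    // Only results whose rule did not skip the symbol reach this point.
    compilationAnalysisContext.ReportDiagnostic(
        Diagnostic.Create(
            descriptor,
            kvp.Key.Location));
}
```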
WDYT?
See https://github.com/dotnet/roslyn-analyzers/pull/2699#discussion_r307550346.