Remaining work for Security analyzers to respect `excluded_symbol_names` option

[mavasani]

See https://github.com/dotnet/roslyn-analyzers/pull/2699#discussion_r307550346.

[mavasani]

Would be good to also take care of https://github.com/dotnet/roslyn-analyzers/pull/2687#discussion_r307794032

[Evangelink]

As far as I can see this is handled. I'll let @mavasani or @dotpaul confirm and close the ticket.

[dotpaul]

Thanks @Evangelink for the ping. Still need to figure out what the behavior should be and implement that, if needed.

[Evangelink]

Except if I am missing something here but the ticket and the comment are talking about the excluded_symbol_names options which are handled here https://github.com/dotnet/roslyn-analyzers/blob/master/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs#L132-L141

[dotpaul]

It's currently handled by skipping dataflow analysis when both rules disable a symbol. This issue was opened to figure out what to do if one rule disables the symbol for dataflow analysis, and the other rule leaves the symbol enabled for dataflow analysis.

I suppose I can say no one's complained so far, so the current implementation is good enough. :smile:

[Evangelink]

Ohhh got it! I saw the TODO in the code but I thought this was one TODO missing an associated work item. My bad!

[Evangelink]

Would it be possible to say that we store the result of the IsConfiguredToSkipAnalysis option in a variable and at the time where we report we do a match?

foreach (KeyValuePair<(Location Location, IMethodSymbol? Method), HazardousUsageEvaluationResult> kvp
                                    in allResults)
{
    DiagnosticDescriptor descriptor;
    switch (kvp.Value)
    {
        case HazardousUsageEvaluationResult.Flagged:
            if (skipDefinitelyInsecureSerializer)
            {
                continue;
            }
            else
            {
                descriptor = DefinitelyInsecureSerializer;
            }
            break;

        case HazardousUsageEvaluationResult.MaybeFlagged:
            if (skipMaybeInsecureSerializer)
            {
                continue;
            }
            else
            {
                descriptor = MaybeInsecureSerializer;
            }
            break;

        default:
            Debug.Fail($"Unhandled result value {kvp.Value}");
            continue;
    }

    compilationAnalysisContext.ReportDiagnostic(
        Diagnostic.Create(
            descriptor,
            kvp.Key.Location));
}

WDYT?