microsoft / infersharp

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.
MIT License

Hide DOTNET_RESOURCE_LEAK on empty IDisposable implementations #118

Closed Dimension4 closed 2 years ago

Dimension4 commented 2 years ago

I just tried the Visual Studio extension of Infer# on a 500k LOC code base and it works surprisingly well; I've found lots of things to fix.

I noticed quite a few DOTNET_RESOURCE_LEAK reports on classes that implement a no-op IDisposable (empty body in Dispose). These are usually mock classes needed for testing so I can't remove the IDisposable there. Is it possible to hide diagnostics that originate from an empty Dispose body?
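To make the two situations in this question concrete, here is an added C# example (written for this page; it is not code from the issue or from the Infer# project, and the class names are illustrative). It places a test double with an empty `Dispose` body, which holds nothing and therefore leaks nothing, next to a wrapper that owns a `FileStream` and genuinely does leak an OS handle when it is not disposed, together with the `using` form that fixes the real leak. Both types satisfy the same `IDisposable` contract, which is all a type-based resource-leak check has to go on.

```csharp
using System;
using System.IO;
using System.Text;

// Added example (not from the issue or the Infer# project).
// Contrasts a no-op IDisposable test double with a genuine resource leak.

// 1. Test double with an empty Dispose body. There is nothing to release,
//    so failing to dispose an instance leaks no resource, even though the
//    type implements IDisposable.
public sealed class FakeConnection : IDisposable
{
    public string Query(string sql) => "ok";
    public void Dispose() { }
}

// 2. Wrapper that owns a FileStream. Forgetting to dispose it keeps the
//    OS file handle open until the finalizer eventually runs.
public sealed class LogWriter : IDisposable
{
    private readonly FileStream _stream;

    public LogWriter(string path) => _stream = new FileStream(path, FileMode.Append);

    public void Write(string line)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(line + Environment.NewLine);
        _stream.Write(bytes, 0, bytes.Length);
    }

    public void Dispose() => _stream.Dispose();
}

public static class Program
{
    // Not disposed, but harmless: Dispose would do nothing anyway. This is
    // the shape of the reports the question describes.
    static void UseFakeWithoutDispose()
    {
        var fake = new FakeConnection();
        fake.Query("SELECT 1");
    }

    // Genuine leak: the LogWriter, and the FileStream it owns, are never
    // disposed on this path.
    static void LeakingWrite(string path)
    {
        var writer = new LogWriter(path);
        writer.Write("hello");
    }

    // Fixed form: the using declaration disposes the writer on every exit
    // path, including when Write throws.
    static void SafeWrite(string path)
    {
        using var writer = new LogWriter(path);
        writer.Write("hello");
    }

    public static void Main()
    {
        // Constructed sample path in the temp directory.
        string path = Path.Combine(Path.GetTempPath(), "infersharp-example.log");
        UseFakeWithoutDispose();
        LeakingWrite(path);
        SafeWrite(path);
        Console.WriteLine($"wrote to {path}");
    }
}
```

When triaging reports of this kind, the useful distinction is not whether the type implements `IDisposable` but whether its `Dispose` actually releases something: a report on `FakeConnection` can be set aside, while one on `LogWriter` points at a real handle leak that `using` closes.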

matjin commented 2 years ago

Currently, we don't have a way to suppress this specific kind of issue. With that said, one potential mitigation is to remove the mock DLLs from the folder you're analyzing, if they are isolated from the part of the project you do want to analyze.

Also, we have a PR out https://github.com/facebook/infer/pull/1597 which will allow you to incrementally analyze projects; once we release this, you'll be able to see the warnings introduced since a prior commit (which will also cause such warnings to be excluded, unless your changes go over those files).

Dimension4 commented 2 years ago

That's unfortunate. I don't really want to exclude the test assemblies because I also found quite a few legitimate leaks in those so far. I guess for the time being I can just skip these leaks since I only use Infer# locally and not on the CI.

The incremental analysis sounds promising though, I'll keep an eye out for that.

Thank you