Environment:

Version: 3.5.3 / 3.5.4 / 5.1.0
Branch:
- [x] vs2019
- [x] vs2017
- [x] vs2015
Installation/Running method:
- [ ] Visual Studio Extension
- [x] NuGet package
- [ ] Standalone tool
  - [ ] DotNet Core Tool from NuGet
  - [ ] security-scan4x.zip from GitHub Release section
Operating System:
- [x] Windows
- [ ] Linux
- [ ] Mac

Describe the bug Today I'm using SecurityCodeScan v3.5.3 across all my projects, netcore3, maybe some libraries in netcore2 and net framework 3/4/5.

However I'm seeing some issues not being found depending on the project version. My main question is: Should we use v3.5.3 for coreapp/netframework 3.x and version 5.1.0 for framework 5+? I tried running .vs2019 in my netcore 3.1 but none of the previous findings were found, and I was getting a lot of warnings like this: CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.CommandInjectionTaintAnalyzer cannot be created

So, is there any matrix of which version to use in each netframework/netcore version?

Security-code-scan versioning is not related to .NET versioning. vs2019 branch is the newest so it may have latest C# support though. The error you get is unexpected and I would appreciate if you could attach a sample solution. It might though be related to conflicting versions of security-code-scan, so make sure there are no 3.5.3 versions referenced in these projects.

@JarLob this is a code where it's happening: https://github.com/MarlonMrN/chsarp-sqlinjection

to reproduce: dotnet add csharp-sqlinjection.csproj package SecurityCodeScan.vs2017 dotnet build csharp-sqlinjection.csproj it will find the sql injects and no warnings.

now if we remove the 2017 and add the 2019 with dotnet remove csharp-sqlinjection.csproj package SecurityCodeScan.vs2017 dotnet add csharp-sqlinjection.csproj package SecurityCodeScan.vs2019 dotnet build csharp-sqlinjection.csproj

a lot of warnings happens and the project doens't get scanned.

This is a really simple test project, there's no much dependencies (and it may do nothing :b)

Thanks for your help

any ideas on why this is happening and how to fix or any workaround for it? Looks like I'm having this issue with a lot of projects depending on the version of the .net and the scanner...

Attempt at error

1. Build

dotnet add csharp-sqlinjection.csproj package SecurityCodeScan.vs2017
dotnet build csharp-sqlinjection.csproj

2. Output

dotnet build csharp-sqlinjection.csproj                                                                                                                                                              18:42:09
Microsoft (R) Build Engine version 16.9.0+57a23d249 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  Determining projects to restore...
  Restored C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj (in 253 ms).
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(31,20): warning CS0219: The variable 'jobName' is assigned but its value is never used [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning SCS9999: This package is legacy and is no longer maintained. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(34,61): warning SCS0026: MsSQL Data Provider: SQL injection possible in 1st argument passed to 'new SqlCommand' [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(48,32): warning SCS0005: Weak random generator [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(49,37): warning SCS0005: Weak random generator [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
  csharp-sqlinjection -> C:\Users\peder\Documents\Projects\chsarp-sqlinjection\bin\Debug\netcoreapp3.1\csharp-sqlinjection.dll

Build succeeded.

C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(31,20): warning CS0219: The variable 'jobName' is assigned but its value is never used [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning SCS9999: This package is legacy and is no longer maintained. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(34,61): warning SCS0026: MsSQL Data Provider: SQL injection possible in 1st argument passed to 'new SqlCommand' [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(48,32): warning SCS0005: Weak random generator [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(49,37): warning SCS0005: Weak random generator [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
    5 Warning(s)
    0 Error(s)

Time Elapsed 00:00:02.73

3. Swap 2017 for 2019

dotnet remove csharp-sqlinjection.csproj package SecurityCodeScan.vs2017
dotnet add csharp-sqlinjection.csproj package SecurityCodeScan.vs2019
dotnet build csharp-sqlinjection.csproj

4. Output

 dotnet build csharp-sqlinjection.csproj                                                                                                                                                              18:43:34
Microsoft (R) Build Engine version 16.9.0+57a23d249 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  Determining projects to restore...
  Restored C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj (in 239 ms).
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(31,20): warning CS0219: The variable 'jobName' is assigned but its value is never used [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(48,32): warning SCS0005: Weak random number generator. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(49,37): warning SCS0005: Weak random number generator. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(34,61): warning SCS0002: Potential SQL injection vulnerability was found where 'cmdText' in 'SqlCommand.SqlCommand(string cmdText, SqlConnection connection)' may be tainted by user-controlled data from 'string password' in method 'IEnumerable<WeatherForecast> WeatherForecastController.Get(string password)'. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
  csharp-sqlinjection -> C:\Users\peder\Documents\Projects\chsarp-sqlinjection\bin\Debug\netcoreapp3.1\csharp-sqlinjection.dll

Build succeeded.

C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(31,20): warning CS0219: The variable 'jobName' is assigned but its value is never used [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(48,32): warning SCS0005: Weak random number generator. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(49,37): warning SCS0005: Weak random number generator. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
C:\Users\peder\Documents\Projects\chsarp-sqlinjection\Controllers\WeatherForecastController.cs(34,61): warning SCS0002: Potential SQL injection vulnerability was found where 'cmdText' in 'SqlCommand.SqlCommand(string cmdText, SqlConnection connection)' may be tainted by user-controlled data from 'string password' in method 'IEnumerable<WeatherForecast> WeatherForecastController.Get(string password)'. [C:\Users\peder\Documents\Projects\chsarp-sqlinjection\csharp-sqlinjection.csproj]
    4 Warning(s)
    0 Error(s)

Time Elapsed 00:00:02.40

I only have 5.0.202 installed

dotnet --list-sdks                                                                                                                                                                                   18:43:47
5.0.202 [C:\Program Files\dotnet\sdk]

They seem to produce the same warnings, the only difference is the wording.

my dotnet sdks returns

$ dotnet --list-sdks
2.1.602 [C:\Program Files\dotnet\sdk]
3.1.100 [C:\Program Files\dotnet\sdk]

but when running the build with the vs.2019, this is what I got (and a copy of all thos erros again after the build message

$ dotnet build
Microsoft (R) Build Engine version 16.4.0+e901037fe for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.

  Restore completed in 618 ms for {{path}}csharp-sqlinjection\csharp-sqlinjection.csproj.
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.CompilationAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakCipherAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakCertificateValidationAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.XPathTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.HardcodedPasswordAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.LdapPathTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.HtmlValidateRequestAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.LdapFilterTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.UnsafeDeserializationAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.RequestValidationAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.CookieAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.PathTraversalTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.XsltSettingsAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.XssTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakRandomAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.OutputCacheAnnotationAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.CsrfTokenDiagnosticAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakPasswordValidatorPropertyAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.OpenRedirectTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.CommandInjectionTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WebConfigAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.XxeDiagnosticAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.AthorizationAttributeDiagnosticAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.SqlInjectionTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.Taint.DeserializationTaintAnalyzer cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakCipherModeAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
CSC : warning CS8032: An instance of analyzer SecurityCodeScan.Analyzers.WeakHashingAnalyzerCSharp cannot be created from {{path}}\.nuget\packages\securitycodescan.vs2019\5.1.0\analyzers\dotnet\SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified.. [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
Controllers\WeatherForecastController.cs(31,20): warning CS0219: The variable 'jobName' is assigned but its value is never used [{{path}}csharp-sqlinjection\csharp-sqlinjection.csproj]
  csharp-sqlinjection -> {{path}}csharp-sqlinjection\bin\Debug\netcoreapp3.1\csharp-sqlinjection.dll

Build succeeded.

so I i think I will rephrase my question, what versions of the sdk are required to run each version of security code scan?

Okay, installed 3.1 now.

 dotnet --list-sdks                               
3.1.408 [C:\Program Files\dotnet\sdk]
5.0.202 [C:\Program Files\dotnet\sdk]

And built it using 3.1. It fails on the first build it seems but then seems to return 0 warnings and 0 errors on the second run. Weird. Anyway, running dotnet build -v diag gives the following

...SecurityCodeScan.VS2019.dll : Could not load file or assembly 'Microsoft.CodeAnalysis, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. The system cannot find the file specified..

The version of Microsoft.CodeAnalysis with my VS2019 installation, located in C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\IntelliCode\CLI\Extractors\csharp, shows version 3.3.0.0 in dotPeek.

Tried adding the nuget package directly

dotnet add package Microsoft.CodeAnalysis --version 3.8.0

But to no avail.. :/

Edit: Adding the Microsoft.Net.Compilers package seems to do the trick;

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
    <RootNamespace>csharp_sqlinjection</RootNamespace>
  </PropertyGroup>

  <ItemGroup>        
    <PackageReference Include="Microsoft.Identity.Web" Version="1.0.0" />
    <PackageReference Include="SecurityCodeScan.vs2019" Version="5.1.0">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <PackageReference Include="Microsoft.Net.Compilers" Version="3.9.0">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
    </PackageReference>
    <PackageReference Include="System.Data.SqlClient" Version="4.8.0" />
  </ItemGroup>
</Project>

very interesting finding @hayer Shouldn't this be part of the securitycodescan already? Like a dependency or so? I will do more testings here on my end with that and give back what I find

closed by mistake, by bad :b

I think the issue here is that 3.1 references an older version of the package than SCS does? So the fix is to include a reference to the newer version of the package to force the usage of it.

Adding a direct reference to Microsoft.Net.Compilers in the SCS project might be a solution. Don't have time to test that at the moment :/

Thank you @hayer for taking time to dig into it! My investigation also concluded that this is because the analyzer references a newer version of the compiler assemblies than the build is using. However I was more pessimistic in https://github.com/security-code-scan/security-code-scan/issues/198: Since the version has C# 9.0 support it is unlikely I'm going to downgrade the package. Maybe there is a way to include and use the assemblies in the nuge. Although they were not delivered in the nuget since the very first version and I doubt it could work. In that case the only option is to use the older version of SCS. I'll try your workaround.

Yea, sorry I didn't have any time trying it out myself. Hope this fixes @MarlonMrN's issue :)

Adding the lines into the nuspec under the metadata element solved the error:

    <dependencies>
      <dependency id="Microsoft.Net.Compilers.Toolset" version="3.8.0" />
    </dependencies>

However it is written in the description of the package Referencing this package will cause the project to be built using the C# and Visual Basic compilers contained in the package, as opposed to the version installed with MSBuild. This package is primarily intended as a method for rapidly shipping hotfixes to customers. Using it as a long term solution for providing newer compilers on older MSBuild installations is explicitly not supported. That can and will break on a regular basis. The supported mechanism for providing new compilers in a build enviroment is updating to the newer .NET SDK or Visual Studio Build Tools SKU.

Since current SCS uses the 3.8 version of the toolchain adding it into any project that builds with the latest 3.9 could potentially break it.

For now, I have added a section into the documentation regarding the behavior https://github.com/security-code-scan/security-code-scan/commit/be8b416901db6f39a9ee79aad988df938e8ead5d

P.S. I have tried to deliver all analysis dlls with SCS, but it didn't work with a slightly different message Could not find or load a specific file. (0x80131621).

@JarLob Thank you explaining the issue.

Just for curiosity: Why this package suffers from this and other analyzers like SonarAnalyzer.CSharp or Roslynator.Analyzers don't have this issue?

I don't know. To whoever would like to play with it, testing development NuGet package is easy. Make your changes. Increment the version in Directory.Build.props just to be sure and build. Add --source *****\bin\Debug\netstandard2.0 to the dotnet add package command to add the locally built SCS nuget package to a testing project.

All in all SCS does depend on a target .NET framework version and the vs2019 (5.x) branch doesn't support targeting net core 3.x. The workarounds are listed in the previous comments.

Ideally there would be multiple previous releases of SCS you could stick to for analyzing net core 3.x projects. Please note, that SCS 5.x has interprocedural taint analysis and is whole better than 3.5.x branch (stressed by the version gap - there is no 4.x version available).

Support for net core 3.1 is possible, but requires creation and maintenance of a new branch. I was actually relieved dropping vs2015 and vs2017 branches in the past and it was a burden to merge and maintain. Said that I would consider maintaining the new branch if I've got 100$ per month sponsorship flow for this feature.

Start sponsoring the project. Register your name here. Once I reach the target of the additional sponsorship I'll work on the new version to support net core 3.1.

I'm curious if it'd require owning a whole separate branch to support the .NET Core 3.1 scenario or just a multitarget in the project, like

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>netstandard2.0;netcoreapp3.1</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <!-- common references -->
  </ItemGroup>
  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
    <!-- netstandard 2.0 specific references -->
  </ItemGroup>
  <ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp3.1' ">
    <!-- .NET Core 3.1 references -->
  </ItemGroup>
</Project>

I'm on a Mac and not using Visual Studio at all, but it seems like the analyzers should work regardless. Has this been tried? Would a PR for it be reasonable?

SCS includes a modified copy of subdirectory from the Master branch of Roslyn analyzers - https://github.com/security-code-scan/security-code-scan/tree/vs2019/Roslyn. Making it compatible with VS2017 requires forking the directory from Roslyn branch that supports VS2017 and backporting most of the changes one by one. Then the branch needs to be maintained.

Said that you can try your suggestion and see if it works.

Afaik Visual Studio for Mac is a different beast and doesn't support analyzers at all.

I'm building entirely at the command line - dotnet build xxxxx. That totally supports analyzers, and VS Code + OmniSharp also support analyzers and quick fixes. I don't have Visual Studio at all. The StyleCop and Microsoft.CodeAnalysis.NetAnalyzers packages work perfectly in this environment.

While I admit I haven't dived deep into how SecurityCodeScan is built, I can say the SecurityCodeScan.VS2019 v5.0.0 package also works perfectly in this no-Visual-Studio environment building .NET Core projects of all natures, from netstandard2.0 through .NET 6 preview. Whatever happened in 5.1.0 - the standalone runner maybe? - caused the requirement for Microsoft.CodeAnalysis and things at the command line stopped working.

Gotcha, yes, command line should not depend on the installed visual studio. Interesting, this is what was changed between 5.0 and 5.1 https://github.com/security-code-scan/security-code-scan/compare/5.0.0...5.1.0 Roslyn was updated to the latest Master at the moment of time. Actually there were two changes related to Roslyn:

Sync with the master https://github.com/security-code-scan/security-code-scan/commit/bd3ce752e274ede91d9b26690d3b39aa258a7a14
Cleanup, because it was referencing different versions https://github.com/security-code-scan/security-code-scan/commit/9a9aaed73e51c45ebaf113b7f553149280308b71

Quick scan shows the Directory.Build.props got updated to Microsoft.CodeAnalysis 3.8.0, not sure where that's used, but I'm guessing there's something to do with how the Roslyn fork build is working. I do see the .projitems files have certain constants that get defined based on the version but I'm unclear what impact that has on requiring references.

On updating to SCS 5.6.3 and .NET 6.0, it appears the issue has gone away, at least in the projects I've been working with. I'm not sure if it's the difference between .NET 5 and .NET 6 (where the analyzers are "built in") or if it's something that changed since SCS 5.1, but my gut says it's that difference between .NET 5 and 6.