Merge pull request #2827 from mavasani/VB_FalsePositives

Do not flag CA1820 for VB

src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md

@@ -16,7 +16,7 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 13 | [CA1027](https://docs.microsoft.com/visualstudio/code-quality/ca1027-mark-enums-with-flagsattribute) | Mark enums with FlagsAttribute | Design | False | True | An enumeration is a value type that defines a set of related named constants. Apply FlagsAttribute to an enumeration when its named constants can be meaningfully combined. |
 14 | [CA1028](https://docs.microsoft.com/visualstudio/code-quality/ca1028-enum-storage-should-be-int32) | Enum Storage should be Int32 | Design | True | True | An enumeration is a value type that defines a set of related named constants. By default, the System.Int32 data type is used to store the constant value. Although you can change this underlying type, it is not required or recommended for most scenarios. |
 15 | [CA1030](https://docs.microsoft.com/visualstudio/code-quality/ca1030-use-events-where-appropriate) | Use events where appropriate | Design | True | False | This rule detects methods that have names that ordinarily would be used for events. If a method is called in response to a clearly defined state change, the method should be invoked by an event handler. Objects that call the method should raise events instead of calling the method directly. |
-16 | [CA1031](https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types) | Do not catch general exception types | Design | True | False | A general exception such as System.Exception or System.SystemException is caught in a catch statement, or a general catch clause is used. General exceptions should not be caught. |
+16 | [CA1031](https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types) | Do not catch general exception types | Design | True | False | A general exception such as System.Exception or System.SystemException or a disallowed exception type is caught in a catch statement, or a general catch clause is used. General and disallowed exceptions should not be caught. |
 17 | [CA1032](https://docs.microsoft.com/visualstudio/code-quality/ca1032-implement-standard-exception-constructors) | Implement standard exception constructors | Design | True | True | Failure to provide the full set of constructors can make it difficult to correctly handle exceptions. |
 18 | [CA1033](https://docs.microsoft.com/visualstudio/code-quality/ca1033-interface-methods-should-be-callable-by-child-types) | Interface methods should be callable by child types | Design | False | True | An unsealed externally visible type provides an explicit method implementation of a public interface and does not provide an alternative externally visible method that has the same name. |
 19 | [CA1034](https://docs.microsoft.com/visualstudio/code-quality/ca1034-nested-types-should-not-be-visible) | Nested types should not be visible | Design | True | False | A nested type is a type that is declared in the scope of another type. Nested types are useful to encapsulate private implementation details of the containing type. Used for this purpose, nested types should not be externally visible. |
@@ -198,4 +198,6 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 195 | CA5396 | Set HttpOnly to true for HttpCookie | Security | False | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. |
 196 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. |
 197 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. |
-198 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |
+198 | CA5399 | Definitely disable HttpClient certificate revocation list check | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
+199 | CA5400 | Ensure HttpClient certificate revocation list check is not disabled | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
+200 | CA9999 | Analyzer version mismatch | Reliability | True | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. |

src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif

@@ -277,7 +277,7 @@
         "CA1031": {
           "id": "CA1031",
           "shortDescription": "Do not catch general exception types",
-          "fullDescription": "A general exception such as System.Exception or System.SystemException is caught in a catch statement, or a general catch clause is used. General exceptions should not be caught.",
+          "fullDescription": "A general exception such as System.Exception or System.SystemException or a disallowed exception type is caught in a catch statement, or a general catch clause is used. General and disallowed exceptions should not be caught.",
           "defaultLevel": "warning",
           "helpUri": "https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types",
           "properties": {
@@ -2101,8 +2101,7 @@
             "isEnabledByDefault": true,
             "typeName": "TestForEmptyStringsUsingStringLengthAnalyzer",
             "languages": [
-              "C#",
-              "Visual Basic"
+              "C#"
             ],
             "tags": [
               "PortedFromFxCop",
@@ -3743,6 +3742,44 @@
               "Telemetry"
             ]
           }
+        },
+        "CA5399": {
+          "id": "CA5399",
+          "shortDescription": "Definitely disable HttpClient certificate revocation list check",
+          "fullDescription": "Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotDisableHttpClientCRLCheck",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
+        },
+        "CA5400": {
+          "id": "CA5400",
+          "shortDescription": "Ensure HttpClient certificate revocation list check is not disabled",
+          "fullDescription": "Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotDisableHttpClientCRLCheck",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
         }
       }
     },

src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.md

@@ -16,7 +16,7 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 13 | [CA1027](https://docs.microsoft.com/visualstudio/code-quality/ca1027-mark-enums-with-flagsattribute) | Mark enums with FlagsAttribute | Design | False | True | An enumeration is a value type that defines a set of related named constants. Apply FlagsAttribute to an enumeration when its named constants can be meaningfully combined. |
 14 | [CA1028](https://docs.microsoft.com/visualstudio/code-quality/ca1028-enum-storage-should-be-int32) | Enum Storage should be Int32 | Design | True | True | An enumeration is a value type that defines a set of related named constants. By default, the System.Int32 data type is used to store the constant value. Although you can change this underlying type, it is not required or recommended for most scenarios. |
 15 | [CA1030](https://docs.microsoft.com/visualstudio/code-quality/ca1030-use-events-where-appropriate) | Use events where appropriate | Design | True | False | This rule detects methods that have names that ordinarily would be used for events. If a method is called in response to a clearly defined state change, the method should be invoked by an event handler. Objects that call the method should raise events instead of calling the method directly. |
-16 | [CA1031](https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types) | Do not catch general exception types | Design | True | False | A general exception such as System.Exception or System.SystemException is caught in a catch statement, or a general catch clause is used. General exceptions should not be caught. |
+16 | [CA1031](https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types) | Do not catch general exception types | Design | True | False | A general exception such as System.Exception or System.SystemException or a disallowed exception type is caught in a catch statement, or a general catch clause is used. General and disallowed exceptions should not be caught. |
 17 | [CA1032](https://docs.microsoft.com/visualstudio/code-quality/ca1032-implement-standard-exception-constructors) | Implement standard exception constructors | Design | True | True | Failure to provide the full set of constructors can make it difficult to correctly handle exceptions. |
 18 | [CA1033](https://docs.microsoft.com/visualstudio/code-quality/ca1033-interface-methods-should-be-callable-by-child-types) | Interface methods should be callable by child types | Design | False | True | An unsealed externally visible type provides an explicit method implementation of a public interface and does not provide an alternative externally visible method that has the same name. |
 19 | [CA1034](https://docs.microsoft.com/visualstudio/code-quality/ca1034-nested-types-should-not-be-visible) | Nested types should not be visible | Design | True | False | A nested type is a type that is declared in the scope of another type. Nested types are useful to encapsulate private implementation details of the containing type. Used for this purpose, nested types should not be externally visible. |

src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.sarif

@@ -262,7 +262,7 @@
         "CA1031": {
           "id": "CA1031",
           "shortDescription": "Do not catch general exception types",
-          "fullDescription": "A general exception such as System.Exception or System.SystemException is caught in a catch statement, or a general catch clause is used. General exceptions should not be caught.",
+          "fullDescription": "A general exception such as System.Exception or System.SystemException or a disallowed exception type is caught in a catch statement, or a general catch clause is used. General and disallowed exceptions should not be caught.",
           "defaultLevel": "warning",
           "helpUri": "https://docs.microsoft.com/en-us/visualstudio/code-quality/ca1031-do-not-catch-general-exception-types",
           "properties": {

src/Microsoft.NetCore.Analyzers/Core/Runtime/TestForEmptyStringsUsingStringLength.cs

@@ -17,8 +17,9 @@ namespace Microsoft.NetCore.Analyzers.Runtime
     /// Comparing strings using the <see cref="string.Length"/> property or the <see cref="string.IsNullOrEmpty"/> method is significantly faster than using <see cref="string.Equals(string)"/>.
     /// This is because Equals executes significantly more MSIL instructions than either IsNullOrEmpty or the number of instructions executed to retrieve the Length property value and compare it to zero.
     /// </para>
+    /// <remarks>NOTE: This rule is not supported for VisualBasic. See https://github.com/dotnet/roslyn-analyzers/issues/2684 for details.</remarks>
     /// </summary>
-    [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+    [DiagnosticAnalyzer(LanguageNames.CSharp)]
     public sealed class TestForEmptyStringsUsingStringLengthAnalyzer : DiagnosticAnalyzer
     {
         internal const string RuleId = "CA1820";

src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md

@@ -106,3 +106,5 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 103 | CA5396 | Set HttpOnly to true for HttpCookie | Security | False | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. |
 104 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. |
 105 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. |
+106 | CA5399 | Definitely disable HttpClient certificate revocation list check | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |
+107 | CA5400 | Ensure HttpClient certificate revocation list check is not disabled | Security | False | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. |

src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif

@@ -181,8 +181,7 @@
             "isEnabledByDefault": true,
             "typeName": "TestForEmptyStringsUsingStringLengthAnalyzer",
             "languages": [
-              "C#",
-              "Visual Basic"
+              "C#"
             ],
             "tags": [
               "PortedFromFxCop",
@@ -1823,6 +1822,44 @@
               "Telemetry"
             ]
           }
+        },
+        "CA5399": {
+          "id": "CA5399",
+          "shortDescription": "Definitely disable HttpClient certificate revocation list check",
+          "fullDescription": "Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotDisableHttpClientCRLCheck",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
+        },
+        "CA5400": {
+          "id": "CA5400",
+          "shortDescription": "Ensure HttpClient certificate revocation list check is not disabled",
+          "fullDescription": "Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid.",
+          "defaultLevel": "warning",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": false,
+            "typeName": "DoNotDisableHttpClientCRLCheck",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Dataflow",
+              "Telemetry"
+            ]
+          }
         }
       }
     },