Roslyn Analyzers - Added Security Warnings for CA1013, CA3075, CA3076, CA3077 and Addressed Them #13652
Merged
AlesProkop merged 11 commits into dotnet:main on May 4, 2026
Conversation
Pull request overview
This PR aims to eliminate current Roslyn analyzer findings (notably TSA-flagged CA1310/CA307x) across MSBuild code/tests and add configuration so these issues are continuously checked going forward.
Changes:
- Adds analyzer configuration under `src/` to surface CA1310 and CA3075/CA3076/CA3077 findings.
- Updates many string operations to specify an explicit `StringComparison` (and some path comparisons to use repo helpers).
- Updates multiple XML/XSLT call sites (and tests) to use safer parsing patterns (e.g., `XmlResolver = null`, explicit `DtdProcessing`).
Reviewed changes
Copilot reviewed 63 out of 63 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/Xunit.NetCore.Extensions/UseInvariantCultureAttribute.cs | Seals attribute type (analyzer-driven). |
| src/UnitTests.Shared/ObjectModelHelpers.cs | Adds StringComparison usage; changes XML normalization load pattern. |
| src/UnitTests.Shared/DummyMappedDriveUtils.cs | Uses StringComparison.Ordinal for prefix check. |
| src/Tasks/XslTransformation.cs | Adjusts XSLT loading/resolver usage; adds trusted/default branching. |
| src/Tasks/ResourceHandling/MSBuildResXReader.cs | Tightens XML reader settings; adds explicit string comparison. |
| src/Tasks/ResolveManifestFiles.cs | Adjusts TaskEnvironment property placement/usage; adds string comparison. |
| src/Tasks/ManifestUtil/mansign2.cs | Changes XmlDocument load pattern and resolver settings. |
| src/Tasks/ManifestUtil/XmlUtil.cs | Changes XSLT load input reader settings and resolver passed to Load. |
| src/Tasks/ManifestUtil/TrustInfo.cs | Changes trust info XML load pattern/resolver settings. |
| src/Tasks/ManifestUtil/SecurityUtil.cs | Adds helper for safer XML loading and applies it at several call sites. |
| src/Tasks/ManifestUtil/Manifest.cs | Uses ordinal comparison for sorting. |
| src/Tasks/GenerateResource.cs | Uses ordinal comparisons; tightens XML reader settings. |
| src/Tasks/BootstrapperUtil/BootstrapperBuilder.cs | Reworks prefix compare; tightens XSLT reader/resolver usage. |
| src/Tasks.UnitTests/XmlPoke_Tests.cs | Uses XmlReader with safer settings for test XML loads. |
| src/Tasks.UnitTests/WriteCodeFragment_Tests.cs | Adds StringComparison.Ordinal to comparisons in assertions/helpers. |
| src/Tasks.UnitTests/ResourceManagement_Tests.cs | Adds StringComparison.Ordinal to message filtering; adds missing using. |
| src/Tasks.UnitTests/ErrorWarningMessage_Tests.cs | Adds StringComparison.Ordinal to IndexOf assertions. |
| src/Tasks.UnitTests/DependentAssembly_Tests.cs | Replaces XmlTextReader usage with XmlReader.Create. |
| src/Tasks.UnitTests/CommandLine_Support.cs | Adds StringComparison.Ordinal to IndexOf checks. |
| src/Tasks.UnitTests/CodeTaskFactoryTests.cs | Adds StringComparison.Ordinal to EndsWith filter. |
| src/Tasks.UnitTests/AssemblyDependency/WinMDTests.cs | Uses FileUtilities.PathComparison for suffix checks. |
| src/Tasks.UnitTests/AssemblyDependency/ResolveAssemblyReferenceTestFixture.cs | Uses explicit StringComparison across string/path checks. |
| src/Tasks.UnitTests/AssemblyDependency/Miscellaneous.cs | Uses explicit StringComparison in multiple EndsWith checks. |
| src/Tasks.UnitTests/AppConfig_Tests.cs | Replaces XmlTextReader usage with XmlReader.Create. |
| src/Tasks.UnitTests/AddToWin32Manifest_Tests.cs | Uses XmlReader.Create instead of XmlDocument.Load(stream/path) directly. |
| src/Shared/TypeLoader.cs | Adds StringComparison.Ordinal to StartsWith. |
| src/Samples/XmlFileLogger/XmlFileLogger.cs | Adds StringComparison.Ordinal to message prefix checks. |
| src/Samples/XmlFileLogger/LogProcessNode.cs | Replaces ContainsKey + indexer with TryGetValue. |
| src/Samples/XmlFileLogger/ItemGroupParser.cs | Replaces EndsWith("=", …) with last-char check. |
| src/MSBuild/CommandLine/CommandLineParser.cs | Adds StringComparison.Ordinal to env-var detection. |
| src/MSBuild.UnitTests/XMake_Tests.cs | Adds StringComparison.Ordinal to EndsWith assertions. |
| src/MSBuild.UnitTests/ValidateAssemblyLoadContext.cs | Adds StringComparison.Ordinal to EndsWith check. |
| src/MSBuild.UnitTests/CommandLineSwitches_Tests.cs | Uses InvariantCulture resource set + explicit StringComparison. |
| src/Framework/FileUtilities.cs | Uses FileUtilities.PathComparison for path IndexOf. |
| src/Framework.UnitTests/FileMatcher_Tests.cs | Adds StringComparison.Ordinal for UNC-prefix checks. |
| src/Directory.Build.props | Adds AnalysisMode property. |
| src/BuildCheck.UnitTests/EndToEndTests.cs | Uses XmlReader with safer settings for XML load. |
| src/Build/Evaluation/Expander/WellKnownFunctions.cs | Adds explicit StringComparison to string-function implementations. |
| src/Build/ElementLocation/XmlDocumentWithLocation.cs | Sets XmlResolver = null in constructors. |
| src/Build/Construction/Solution/SolutionProjectGenerator.cs | Adds StringComparison.Ordinal to .slnx check. |
| src/Build/BackEnd/Components/Logging/ProjectTelemetry.cs | Adds StringComparison.Ordinal to namespace prefix checks. |
| src/Build/BackEnd/Components/FileAccesses/FileAccessManager.cs | Adds StringComparison.Ordinal to path prefix checks. |
| src/Build.UnitTests/Utilities_Tests.cs | Uses XmlReader with safer settings for XML load. |
| src/Build.UnitTests/Telemetry/Telemetry_Tests.cs | Adds StringComparison.Ordinal; one comment text changed. |
| src/Build.UnitTests/Scanner_Tests.cs | Replaces String.Compare(...) == 0 patterns with direct equality assertions. |
| src/Build.UnitTests/NodeStatus_Transition_Tests.cs | Adds StringComparison.Ordinal to prefix comparisons. |
| src/Build.UnitTests/Instance/HostServices_Tests.cs | Replaces XmlTextReader usage with XmlReader.Create. |
| src/Build.UnitTests/Graph/GraphTestingUtilities.cs | Adds StringComparison.Ordinal to suffix check; adds missing using. |
| src/Build.UnitTests/Evaluation/ProjectSdkImplicitImport_Tests.cs | Adds StringComparison.Ordinal to prefix check. |
| src/Build.UnitTests/Evaluation/Preprocessor_Tests.cs | Adds StringComparison.Ordinal to prefix check. |
| src/Build.UnitTests/Evaluation/Expander_Tests.cs | Adds StringComparison.Ordinal to String.Compare. |
| src/Build.UnitTests/EscapingInProjects_Tests.cs | Replaces XmlTextReader usage with XmlReader.Create. |
| src/Build.UnitTests/Definition/ToolsVersion_Tests.cs | Adds StringComparison.Ordinal and uses safer XML load pattern. |
| src/Build.UnitTests/Definition/ProjectEvaluationContext_Tests.cs | Adds StringComparison.Ordinal to suffix check. |
| src/Build.UnitTests/Construction/SolutionProjectGenerator_Tests.cs | Adds StringComparison.Ordinal to suffix checks. |
| src/Build.UnitTests/Construction/ElementLocation_Tests.cs | Introduces helper to load XML with explicit settings; replaces direct doc.Load. |
| src/Build.UnitTests/Collections/OMcollections_tests.cs | Adds StringComparison.Ordinal to String.Compare. |
| src/Build.UnitTests/BackEnd/TaskBuilder_Tests.cs | Adds StringComparison.Ordinal to IndexOf loop. |
| src/Build.UnitTests/BackEnd/SdkResolverService_Tests.cs | Adds StringComparison.Ordinal to prefix checks. |
| src/Build.UnitTests/BackEnd/OnError_Tests.cs | Replaces IndexOf checks with Contains(..., StringComparison.Ordinal) patterns. |
| src/Build.OM.UnitTests/ObjectModelRemoting/LinkedConstructionModify_Tests.cs | Adds StringComparison.Ordinal to suffix check. |
| src/.editorconfig | New analyzer severity configuration for CA1310/CA3075/CA3076/CA3077. |
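The file table above describes the hardened patterns only by name. The following is an added example, not code from the dotnet/msbuild PR, that puts the flagged form next to the fix for each analyzer the PR enables: a hardened `XmlDocument` subclass (CA3077), `XmlReader.Create` with explicit `DtdProcessing` and a null resolver (CA3075), `XslCompiledTransform.Load` with `XsltSettings.Default` and no resolver (CA3076), and an explicit `StringComparison` (CA1310). The class names, the `HostileXml` sample document and the `.slnx` comparison are constructed for the example.

```csharp
// Added example (not the PR's code). Each member pairs an analyzer-flagged
// pattern with the hardened form the PR's file table describes.
using System;
using System.Globalization;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// CA3077: a type deriving from XmlDocument should clear the resolver in its
// constructor, so no inherited default resolver can fetch external entities
// (the PR does this for XmlDocumentWithLocation). Name is constructed here.
sealed class HardenedXmlDocument : XmlDocument
{
    public HardenedXmlDocument() { XmlResolver = null; }
}

static class AnalyzerFixes
{
    // Constructed sample input: a DOCTYPE declaring an external entity. A reader
    // that parses DTDs and has a resolver would read the named file and splice
    // its contents into <root> (the classic XXE file-read).
    public const string HostileXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>" +
        "<root>&ext;</root>";

    // CA3075: the settings to pass at every XmlReader.Create call site.
    // DTDs are refused outright; the null resolver covers anything else.
    public static XmlReaderSettings SafeSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    // Flagged form: Load/LoadXml straight on the document. Whether &ext; is
    // expanded depends on the runtime's default resolver and DTD handling,
    // which is exactly why the analyzer wants the choice made explicit.
    public static string LoadFlagged(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc.DocumentElement?.InnerText ?? "";
    }

    // Hardened form: build the reader with SafeSettings and load through it.
    // On HostileXml this throws XmlException at the DOCTYPE instead of
    // returning file contents.
    public static string LoadHardened(string xml)
    {
        var doc = new HardenedXmlDocument();
        using var reader = XmlReader.Create(new StringReader(xml), SafeSettings());
        doc.Load(reader);
        return doc.DocumentElement?.InnerText ?? "";
    }

    // CA3076: Load with permissive XsltSettings and a resolver lets a stylesheet
    // call document() and run <msxsl:script> (arbitrary code). XsltSettings.Default
    // disables both, and the null third argument (stylesheetResolver) blocks
    // external lookups; the stylesheet text goes through the same hardened reader.
    public static XslCompiledTransform LoadStylesheetHardened(string xslt)
    {
        var transform = new XslCompiledTransform();
        using var reader = XmlReader.Create(new StringReader(xslt), SafeSettings());
        transform.Load(reader, XsltSettings.Default, null);
        return transform;
    }

    // CA1310: an unspecified comparison is culture-sensitive. Under tr-TR the
    // letters I and i are not a case pair, so a case-insensitive extension or
    // switch-name check can change result with the machine's culture.
    // Ordinal comparison is deterministic everywhere.
    public static (bool culture, bool ordinal) CompareUnderTurkishCulture()
    {
        var saved = CultureInfo.CurrentCulture;
        try
        {
            CultureInfo.CurrentCulture = new CultureInfo("tr-TR");
            bool culture = "FILE.SLNX".EndsWith(".slnx", StringComparison.CurrentCultureIgnoreCase);
            bool ordinal = "FILE.SLNX".EndsWith(".slnx", StringComparison.OrdinalIgnoreCase);
            return (culture, ordinal);
        }
        finally { CultureInfo.CurrentCulture = saved; }
    }

    static void Main()
    {
        try { Console.WriteLine(LoadHardened(HostileXml)); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }

        var (culture, ordinal) = CompareUnderTurkishCulture();
        Console.WriteLine($"culture-sensitive: {culture}, ordinal: {ordinal}");
    }
}
```

`Main` deliberately does not call `LoadFlagged` on `HostileXml`: depending on the runtime it will either expand the entity (reading the file) or throw, and that variability is the point. With ICU globalization data the culture-sensitive check under tr-TR returns false while the ordinal one returns true; in invariant-globalization mode both return true, which is another reason the PR pins every comparison to `StringComparison.Ordinal` rather than relying on the host's culture.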
JanProvaznik approved these changes May 4, 2026
MichalPavlik approved these changes May 4, 2026
OvesN added a commit to OvesN/msbuild that referenced this pull request May 5, 2026:
"…, CA3076, CA3077 and Addressed Them (dotnet#13652)" This reverts commit 0bff674.
Fixes https://devdiv.visualstudio.com/DevDiv/_queries/query/4ea588ce-fba9-420c-a7b4-693bbd9b8552/ - RoslynAnalyzer bugs
Context
There are currently multiple RoslynAnalyzer errors. This PR does two things:
Changes Made
Multiple files - resolved RoslynAnalyzer errors. Mostly one-line changes.
Testing
UnitTests passing