public RuleResult CheckMethod (MethodDefinition method)
{
// rule only applies to indexers
if (method.Name != "get_Item")
return RuleResult.DoesNotApply;
// ok if the method is not visible outside the assembly
if (!method.IsVisible ())
return RuleResult.Success;
foreach (ParameterDefinition parameter in method.Parameters) {
TypeReference ptype = parameter.ParameterType;
bool ok = (ptype.Namespace == "System");
if (ok) {
switch (ptype.Name) {
case "Int32":
case "Int64":
case "String":
case "Object": // tolerable in some circumstances
break;
default:
ok = false;
break;
}
}
if (!ok)
Runner.Report (parameter, Severity.Medium, Confidence.Total);
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// rule only applies to indexers
if (method.Name != "get_Item")
return RuleResult.DoesNotApply;
// if there is a single argument or if the method is not visible outside the assembly
if ((method.HasParameters && (method.Parameters.Count == 1)) || !method.IsVisible ())
return RuleResult.Success;
Runner.Report (method, Severity.Medium, Confidence.Total);
return RuleResult.Failure;
}
public RuleResult CheckMethod(MethodDefinition method)
{
// rule does not apply to non-p/invoke
if (!method.IsPInvokeImpl)
return RuleResult.DoesNotApply;
// rule applies
// code is very unlikely to work (because of the extra this parameter)
// note: existing C# compilers won't compile instance p/invoke, e.g.
// error CS0601: The DllImport attribute must be specified on a method marked `static' and `extern'
if (!method.IsStatic)
Runner.Report (method, Severity.Critical, Confidence.Total);
// code will work (low) but it's bad design (non-fx-like validations) and makes
// it easier to expose security vulnerabilities
if (method.IsVisible ())
Runner.Report (method, Severity.Low, Confidence.Total);
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// note: using anonymous methods creates a lot of defects but they are all non-visible
if (!method.IsVisible ())
return RuleResult.DoesNotApply;
MethodReturnType return_type = method.MethodReturnType;
Severity? severity = Check (return_type.ReturnType);
if (severity.HasValue)
Runner.Report (return_type, severity.Value, Confidence.Total);
if (method.HasParameters) {
foreach (ParameterDefinition parameter in method.Parameters) {
severity = Check (parameter.ParameterType);
if (severity.HasValue)
Runner.Report (parameter, severity.Value, Confidence.Total);
}
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// rule only applies to visible methods with parameters
// we also exclude all p/invokes since we have a rule for them not to be visible
if (method.IsPInvokeImpl || !method.HasParameters || !method.IsVisible ())
return RuleResult.DoesNotApply;
foreach (ParameterDefinition parameter in method.Parameters) {
string how = null;
if (parameter.IsOut) {
// out is permitted for the "bool Try* (...)" pattern
if ((method.ReturnType.FullName == "System.Boolean") &&
method.Name.StartsWith ("Try", StringComparison.Ordinal)) {
continue;
}
how = "out";
} else if (parameter.IsRef ()) {
how = "ref";
}
if (how != null) {
// goal is to keep the API as simple as possible so this is more severe for public than protected methods
Severity severity = method.IsPublic ? Severity.Medium : Severity.Low;
string msg = String.Format ("Parameter '{0}' passed by reference ({1}).", parameter.Name, how);
Runner.Report (parameter, severity, Confidence.Total, msg);
}
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
//does not apply if method has no parameter, is a property, or a p/invoke
if (!method.HasParameters || method.IsProperty () || method.IsPInvokeImpl)
return RuleResult.DoesNotApply;
//if this is a constructor or override, the method name is dependent
if (method.IsConstructor || method.IsOverride ())
return RuleResult.DoesNotApply;
ParameterDefinition p0 = method.Parameters [0];
string name = p0.ParameterType.Name;
//param is out/ref, it is already not obvious (there is a rule for that)
if (p0.IsOut || p0.IsRef ())
return RuleResult.DoesNotApply;
string method_name = method.Name;
if (name.Length == 1 || method_name.Length <= name.Length)
return RuleResult.DoesNotApply;
if ((method_name.Length - name.Length) < 4 && IsVaguePrefix (method_name)) //suggestion would be too vague anyway (Get/Set/Is)
return RuleResult.DoesNotApply;
if (!char.IsUpper (name [0])) //non-compliant naming, cannot go further (PascalWords needed)
return RuleResult.DoesNotApply;
//if the method return the parameter type it is most likely clearer to have it in the name
if (method.ReturnType == p0.ParameterType)
return RuleResult.Success;
//if starting with name it is most likely on purpose
if (method_name.StartsWith (name, StringComparison.Ordinal))
return RuleResult.Success;
int pos = method_name.LastIndexOf (name);
if (-1 == pos)
return RuleResult.Success;
Confidence confidence = Confidence.Normal;
if (pos >= method_name.Length - name.Length) //suffix, most common and most verbose case
confidence = Confidence.High;
else if (!char.IsUpper (method_name [pos + name.Length])) //not the end of a 'PascalWord'
return RuleResult.Success;
//if IgnoreAlienNamespaces is True, then check if parameter type is from one of the analyzed namespaces
if (IgnoreAlienNamespaces && IsTypeFromAlienNamespace (p0.ParameterType))
return RuleResult.Success; //ignored/out-of-reach, so this is a success
//main goal is to keep the API as simple as possible so this is more severe for visible methods
Severity severity = method.IsVisible () ? Severity.Medium : Severity.Low;
string suggestion = GetSuggestionMethodName (method, name, pos);
string msg;
if (method.IsStatic) { //we already have a rule that checks if the method should be static
string memberKind = GetSuggestionMemberKind (method);
msg = String.Format ("Consider renaming method to '{2}', or extracting method to type '{0}' as {1} '{2}', or making an extension method of that type.",
p0.ParameterType, memberKind, suggestion);
} else {
msg = String.Format ("Consider renaming method to '{0}'.", suggestion);
}
Runner.Report (method, severity, confidence, msg);
return RuleResult.Failure;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// p/invoke, abstract methods and method without parameters
if (!method.HasBody || !method.HasParameters || !method.IsVisible ())
return RuleResult.DoesNotApply;
has_null_check.ClearAll ();
int parameters = method.Parameters.Count;
// check
foreach (Instruction ins in method.Body.Instructions) {
if (ins.IsLoadArgument ()) {
CheckArgument (method, ins);
} else if (OpCodeBitmask.Calls.Get (ins.OpCode.Code)) {
CheckCall (method, ins);
} else if (check.Get (ins.OpCode.Code)) {
Instruction owner = ins;
// fields (no need to check static fields), ldind, ldelem, ldlen
while ((owner != null) && check.Get (owner.OpCode.Code)) {
owner = owner.TraceBack (method);
}
CheckParameter (owner.GetParameter (method));
}
// stop processing instructions once all parameters are validated
if (has_null_check.Count () == parameters)
break;
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// methods using vararg are easily identifiable
if ((method.CallingConvention & MethodCallingConvention.VarArg) == 0)
return RuleResult.Success;
// __arglist is accepted for interoperability purpose
if (method.IsPInvokeImpl)
return RuleResult.Success;
// all other case should be changed to use "params"
// this is more severe for visible methods since vararg is not CLS compliant
Severity severity = method.IsVisible () ? Severity.Critical : Severity.High;
Runner.Report (method, severity, Confidence.High);
return RuleResult.Failure;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// check if the the rule applies to this method
if (!Applicable (method))
return RuleResult.DoesNotApply;
// we can't be sure if this code won't be reached indirectly
if (method.IsVirtual && !method.IsFinal)
return RuleResult.Success;
// if the method is visible outside the assembly
if (method.IsVisible ())
return RuleResult.Success;
// check if the method is private
if (method.IsPrivate) {
if (!CheckPrivateMethod (method)) {
Runner.Report (method, Severity.High, Confidence.Normal, "The private method code is not used in its declaring type.");
return RuleResult.Failure;
}
return RuleResult.Success;
}
if (method.IsPublic && CheckPublicMethod (method))
return RuleResult.Success;
if (method.IsAssembly && CheckInternalMethod (method))
return RuleResult.Success;
// internal methods and visible methods (public or protected) inside a non-visible type
// needs to be checked if something in the assembly is using this method
bool need_to_check_assembly = (method.IsAssembly ||
((method.IsPublic || method.IsFamily) && !method.DeclaringType.IsVisible ()));
if (!need_to_check_assembly || CheckAssemblyForMethodUsage (method))
return RuleResult.Success;
// method is unused and unneeded
Runner.Report (method, Severity.High, Confidence.Normal, "The method is not visible outside its declaring assembly, nor used within.");
return RuleResult.Failure;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// #1 - rule apply only if the method has a body (e.g. p/invokes, icalls don't)
// otherwise we don't know what it's calling
if (!method.HasBody)
return RuleResult.DoesNotApply;
// #2 - rule apply to methods are publicly accessible
// note that the type doesn't have to be public (indirect access)
if (!method.IsVisible ())
return RuleResult.DoesNotApply;
// #3 - avoid looping if we're sure there's no call in the method
if (!OpCodeBitmask.Calls.Intersect (OpCodeEngine.GetBitmask (method)))
return RuleResult.DoesNotApply;
// *** ok, the rule applies! ***
// #4 - look for every method we call
foreach (Instruction ins in method.Body.Instructions) {
switch (ins.OpCode.Code) {
case Code.Call:
case Code.Callvirt:
MethodDefinition callee = (ins.Operand as MethodDefinition);
if (callee == null)
continue;
// 4 - and if it has security, ensure we don't reduce it's strength
if (callee.HasSecurityDeclarations && !Check (method, callee)) {
Runner.Report (method, ins, Severity.High, Confidence.High);
}
break;
}
}
return Runner.CurrentRuleResult;
}
private void CheckMethod (MethodDefinition method)
{
// Getters/setters handled by CheckProperty.
if (method.IsGetter || method.IsSetter || !method.IsVisible ())
return;
if (IsList (method.ReturnType))
Runner.Report (method, Severity.Medium, Confidence.Total);
if (!method.HasParameters)
return;
foreach (var param in method.Parameters) {
if (IsList (param.ParameterType))
Runner.Report (param, Severity.Medium, Confidence.Total);
}
}
public RuleResult CheckMethod (MethodDefinition method)
{
if (!method.IsVisible ())
return RuleResult.DoesNotApply;
MethodReturnType mrt = method.MethodReturnType;
if (IsSpecificXmlType (mrt.ReturnType))
Runner.Report (mrt, GetSeverity (method), Confidence.High);
if (method.HasParameters) {
foreach (ParameterDefinition parameter in method.Parameters) {
if (parameter.IsOut)
continue; //out params already have their rule
if (IsSpecificXmlType (parameter.ParameterType))
Runner.Report (parameter, GetSeverity (method), Confidence.High);
}
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
// exclude constrcutors, non-visible methods and generated code
if (method.IsConstructor || !method.IsVisible () || method.IsGeneratedCode ())
return RuleResult.DoesNotApply;
// the rule does not apply if the code is an interface to COM objects
if (UsedForComInterop (method.DeclaringType as TypeDefinition))
return RuleResult.DoesNotApply;
// check the method name
if (!CheckName (method.Name, method.IsSpecialName))
Runner.Report (method, Severity.Medium, Confidence.High);
if (method.HasParameters) {
foreach (ParameterDefinition parameter in method.Parameters) {
if (!CheckName (parameter.Name, false))
Runner.Report (parameter, Severity.Medium, Confidence.High);
}
}
return Runner.CurrentRuleResult;
}
public RuleResult CheckMethod (MethodDefinition method)
{
CheckIdentifier (method, method.Name, method.IsVisible () ? Severity.Medium : Severity.Low);
// we're not checking parameters
return Runner.CurrentRuleResult;
}
protected override void Report (MethodDefinition method, Instruction ins)
{
string msg = string.Format ("Replace null with {0}.", SuggestReturnType ());
Runner.Report (method, ins, method.IsVisible () ? Severity.Medium : Severity.Low, Confidence.Normal, msg);
}
public RuleResult CheckMethod (MethodDefinition method)
{
if (!method.IsSynchronized)
return RuleResult.Success;
// special case since the compiler generate add/remove on events using Synchronized
if (method.IsAddOn || method.IsRemoveOn)
return RuleResult.DoesNotApply;
// base severity on whether the method is visible or not
// if not then the potential problem is limited to the assembly
Severity severity = method.IsVisible () ? Severity.High : Severity.Medium;
Runner.Report (method, severity, Confidence.Total);
return RuleResult.Failure;
}
