Security Code Scan support for .NET 4.x

Problem

C#/.NET is identified as one of our higher-priority languages. We've encountered many customers who continue to use .NET 4 in development, which we don't currently support.

In the past we've interpreted Microsoft's statements about .NET support as a signal that .NET 4 would diminish in use, but certain organizations do still use it widely in their projects and Microsoft supports recent versions of .NET Framework 4.x.

References/interested users

Solution parameters

The most important thing is making it possible to analyze .NET 4 code in a supported configuration. This means:

  • The solution should use an analyzer image we publish.
  • The solution should be documented if it requires anything other than using the CI template off the shelf.

However, if necessary:

  • The solution may require setting a configuration (like an environment variable in the CI config) so that we know to enable .NET 4 support, if we need to separate this behavior from our support for other versions.
    • In this case, it would be ideal to know the precise error message we might expect so that we can produce discoverable troubleshooting content.
  • We can iterate on the cleanliness of this solution over time.

Plan

Implement Security Code Scan support for .NET 4.x via the security-scan4x.zip found in the scanner's GitHub Releases section.

We will likely need to:

  • Update the Dockerfile to download the .NET 4 zip to a separate location from the existing Security Code Scan download.
  • Update analyzersXML based on whether it is a .NET 4 app.
  • Add a mechanism to read .sln/.project metadata to determine whether it is a .NET 4 app, or support a variable that can be set to indicate that.
  • Add a downstream test project to demonstrate this works as expected.
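As an added illustration of the metadata-detection step (this is not the analyzer's own code), the sketch below reads the target-framework properties from project XML and combines them with an explicit override variable; the `SCS_DOTNET4` variable name and the two sample project files are assumptions constructed for the example:

```python
"""Decide whether a .NET project targets .NET Framework 4.x (illustrative, assumed design)."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample project files: one legacy-style and one SDK-style .csproj.
LEGACY_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
  </PropertyGroup>
</Project>
"""
SDK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net6.0;net48</TargetFrameworks>
  </PropertyGroup>
</Project>
"""

# SDK-style monikers for .NET Framework 4.x look like net40 .. net481 (no dot, no netcoreapp/netstandard).
_NET4_TFM = re.compile(r"^net4\d{1,2}$", re.IGNORECASE)


def _local(tag):
    """Strip the MSBuild XML namespace so legacy and SDK-style projects are handled alike."""
    return tag.rsplit("}", 1)[-1]


def project_targets_net4(csproj_xml):
    """Return True if the project XML declares any .NET Framework 4.x target."""
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "TargetFrameworkVersion" and text.lower().startswith("v4."):
            return True  # legacy projects: <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
        if name in ("TargetFramework", "TargetFrameworks"):
            if any(_NET4_TFM.match(t.strip()) for t in text.split(";")):
                return True  # SDK-style projects, possibly multi-targeted with ';'
    return False


def needs_net4_analyzer(project_files, env=None):
    """Explicit CI variable (assumed name SCS_DOTNET4) wins; otherwise inspect project metadata."""
    env = os.environ if env is None else env
    override = env.get("SCS_DOTNET4", "").strip().lower()
    if override in ("true", "1"):
        return True
    if override in ("false", "0"):
        return False
    return any(project_targets_net4(xml) for xml in project_files)
```

A real implementation would walk the checkout for *.csproj / *.vbproj files (and the .sln that references them) and feed their contents to `needs_net4_analyzer`, which then selects which Security Code Scan package to run.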

Related to #338168 (closed).

Edited by Connor Gilbert