This document discusses using the Roslyn compiler API to build .NET static code analyzers. It begins with an overview of existing free and open source .NET static analysis tools. It then covers the basics of the Roslyn API and how to create a code analyzer that checks for weak password lengths in ASP.NET Identity. It also discusses challenges with analyzing non-code files and demonstrates a tool called Puma Scan that contains over 40 security rules for .NET applications. The document encourages contributions to help expand analysis capabilities and rule coverage.
6. Microsoft CAT.NET v1.1
• Microsoft Code Analysis Tool (CAT)
• Promising start but fizzled quickly
• Version 1.1 published
– April 2009
• Version 2.0 beta never published
– November 2009
• https://www.microsoft.com/en-us/download/details.aspx?id=19968
15. Getting Started
• Prerequisites:
– Visual Studio 2015
– Visual Studio 2015 Extensibility Tools
– .NET Compiler Platform ("Roslyn") SDK
• Described in detail in this MSDN Magazine
article by Alex Turner:
– https://msdn.microsoft.com/en-us/magazine/dn879356.aspx
20. Diagnostic Analyzer Class
• Decorate the custom analyzer with the DiagnosticAnalyzer attribute (the language name tells Roslyn which compilations to load it into)
• Inherit from the DiagnosticAnalyzer base class

using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class MyAwesomeAnalyzer : DiagnosticAnalyzer
{
    // DiagnosticAnalyzer is abstract; these two overrides are the minimum the base class requires
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray<DiagnosticDescriptor>.Empty;
    public override void Initialize(AnalysisContext context) { /* Insert awesome analyzer logic here */ }
}
24. Symbol / Syntax Kind Options
• The syntax kinds or symbol kinds registered in Initialize determine which nodes or symbols Roslyn calls the analyzer back to inspect
• Hundreds of options are available; some commonly used items:

Syntax Kinds                 Symbol Kinds
MethodDeclaration            Event
ObjectCreationExpression     Field
InvocationExpression         Method
SimpleAssignmentExpression   Parameter
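As an added example (not code from the slides or from Puma Scan), the following analyzer ties the class skeleton from slide 20 to the registration kinds from slide 24: it registers for SimpleAssignmentExpression and reports any compile-time constant below a threshold assigned to the RequiredLength property of ASP.NET Identity's PasswordValidator (or PasswordOptions in ASP.NET Core Identity). The rule id EX0001, the threshold of 8 and the fully qualified type names are assumptions chosen for illustration; the talk does not state which values Puma Scan uses.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public class WeakPasswordLengthAnalyzer : DiagnosticAnalyzer
{
    // Hypothetical rule id and minimum length; pick values that match your own policy.
    public const string DiagnosticId = "EX0001";
    private const int MinimumLength = 8;

    // Types whose RequiredLength property we care about (assumed names for the two Identity stacks).
    private static readonly string[] IdentityTypes =
    {
        "Microsoft.AspNet.Identity.PasswordValidator",
        "Microsoft.AspNetCore.Identity.PasswordOptions",
    };

    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: DiagnosticId,
        title: "Weak password length",
        messageFormat: "RequiredLength is set to {0}; require at least {1} characters",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        // Callback for every `x = y`, which covers both `validator.RequiredLength = 6`
        // and the `RequiredLength = 6` member inside an object initializer.
        context.RegisterSyntaxNodeAction(AnalyzeAssignment, SyntaxKind.SimpleAssignmentExpression);
    }

    private static void AnalyzeAssignment(SyntaxNodeAnalysisContext context)
    {
        var assignment = (AssignmentExpressionSyntax)context.Node;

        // Resolve the left-hand side with the semantic model instead of matching on text,
        // so a local property that happens to be called RequiredLength is not flagged.
        var property = context.SemanticModel
            .GetSymbolInfo(assignment.Left, context.CancellationToken).Symbol as IPropertySymbol;
        if (property == null || property.Name != "RequiredLength")
            return;

        // Walk the base types so a subclass of PasswordValidator is caught as well.
        if (!IsIdentityType(property.ContainingType))
            return;

        // Only values known at compile time can be judged; a length read from
        // configuration has no constant value and is deliberately not reported.
        var constant = context.SemanticModel.GetConstantValue(assignment.Right, context.CancellationToken);
        if (!constant.HasValue || !(constant.Value is int))
            return;

        var length = (int)constant.Value;
        if (length < MinimumLength)
            context.ReportDiagnostic(Diagnostic.Create(Rule, assignment.GetLocation(), length, MinimumLength));
    }

    private static bool IsIdentityType(INamedTypeSymbol type)
    {
        for (var t = type; t != null; t = t.BaseType)
        {
            var name = t.ToDisplayString();
            foreach (var candidate in IdentityTypes)
                if (name == candidate)
                    return true;
        }
        return false;
    }
}
```

Registering on SimpleAssignmentExpression rather than ObjectCreationExpression is what makes the rule fire both for `new PasswordValidator { RequiredLength = 6 }` and for a later `validator.RequiredLength = 6`; the trade-off is that a value assigned from a variable or a configuration lookup is not a constant and silently passes, so a code review still has to cover that path.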