by Chad Green
22. November 2008 23:26
One of the hardest parts of using the Visual Studio Code Analysis tool (or FXCop) is trying to figure out which rules to worry about. Last year David Kean published the What rules do Microsoft have turned on internally? article. This article provide some really good insight and let us know that Microsoft is realistic when it writes its own code.
According to the article, there are several reasons why rules would be turned off:
- Applicability. Not every rule is applicable to every project, for example, the Design rules might be turned off if you are writing a Windows Application
- Noise rate. Some rules have a low signal-to-noise ratio. While we try remove as much noise as possible from a rule, some rules, due to limitations in our analysis engine, still remain to be too noisy to be run regularly over large code bases. For example, some of the performance rules lack real context to make a good judge to whether a particular issue will really affect the performance of an application.
- Time. We have to ship eventually - attempting to fix every single violation, for every single binary is just not feasible nor advisable. Therefore we make calls to turn off some rules that may lack value and do not impact the security of the product.
|
Since Visual Studio 2005 came out, I have been working on determining which rules to turn off. Initially, I would keep everything on and then turn off a rule when I was getting violations that I simply didn’t want to worry about (for one reason or another).
Because of the way how things went this summer at work, I ended up having time to really go through and evaluate all of the rules. The list below is the list of rules I have determined should be used when performing code analysis. One other thing I did was also determine whether I wanted to consider a rule as an error or a warning. The idea was to ensure that there are some rules that have a higher level or importance and the project shouldn’t even compile until those rules pass.
Design | ID | Rule Name | Violation Treatment |
| CA1001 | Types that own disposable fields should be disposable | Error |
| CA1003 | Use generic event handler instances | Error |
| CA1004 | Generic methods should provide type parameter | Warning |
| CA1006 | Do not nest generic types in member signature | Warning |
| CA1008 | Enums should have zero value | Error |
| CA1009 | Declare event handlers correctly | Error |
| CA1010 | Collections should implement generic interface | Warning |
| CA1011 | Consider passing base types as parameter | Warning |
| CA1012 | Abstract types should not have constructors | Error |
| CA1014 | Mark assemblies with CLSCompliantAttribute attribute | Error |
| CA1017 | Mark assemblies with ComVisibleAttribute | Error |
| CA1018 | Mark attributes with the AttributeUsageAttribute attribute | Warning |
| CA1019 | Define accessors for attribute arguments | Warning |
| CA1023 | Indexers should not be multidimensional | Warning |
| CA1024 | Use properties where appropriate | Warning |
| CA1025 | Replace repetitive arguments with params array | Warning |
| CA1026 | Default parameters should not be used | Error |
| CA1027 | Mark enums with FlagsAttribute | Warning |
| CA1028 | Enum storage should be Int32 | Warning |
| CA1030 | Use events where appropriate | Warning |
| CA1032 | Implement standard exception constructions | Error |
| CA1034 | Nested types should not be visible | Error |
| CA1036 | Override methods on comparable types | Warning |
| CA1038 | Enumerators should be strongly typed | Warning |
| CA1039 | Lists are strongly typed | Warning |
| CA1040 | Avoid empty interfaces | Warning |
| CA1041 | Provide ObsoleteAttribute message | Error |
| CA1043 | Use integral or string argument for indexers | Warning |
| CA1044 | Properties should not be write only | Warning |
| CA1047 | Do not declare protected members in sealed types | Error |
| CA1049 | Types that own native resources should be disposable | Warning |
| CA1050 | Declare types in namespaces | Warning |
| CA1051 | Do not declare visible instance fields | Error |
| CA1052 | Static holder types should be sealed | Error |
| CA1053 | Static holders should not have constructors | Error |
| CA1054 | URI parameters should not be strings | Warning |
| CA1055 | URI return values should not be strings | Warning |
| CA1056 | URI properties should not be strings | Warning |
| CA1057 | String URI overloads call System.Uri overloads | Warning |
| CA1058 | Types should not extend certain base types | Error |
| CA1059 | Members should not expose certain concrete types | Warning |
| CA1062 | Validate arguments of public methods | Warning |
| CA1063 | Implement IDisposable correctly | Error |
| CA1064 | Exceptions should be public | Warning |
| CA1065 | Do not raise exceptions in unexpected locations | Error |
Globalization | ID | Rule Name | Violation Treatment |
| CA1301 | Avoid duplicate accelerators | Error |
| CA1302 | Do not hardcode local specific strings | Warning |
| CA1308 | Normalize strings to uppercase | Warning |
| CA2101 | Specify marshaling for P/Invoke string arguments | Error |
Interoperability | ID | Rule Name | Violation Treatment |
| CA1400 | P/Invoke should not be visible | Error |
| CA1401 | P/Invokes should not be visible | Error |
| CA1402 | Avoid overloads in COM visible interfaces | Error |
| CA1403 | Auto layout types should not be COM visible | Error |
| CA1404 | Call GetLastError immediately after P/Invoke | Warning |
| CA1405 | COM visible type base types should be COM visible | Error |
| CA1406 | Avoid Int64 arguments for Visual Basic 6 clients | Warning |
| CA1408 | Do not use AutoDual ClassInterfaceType | Error |
| CA1413 | Avoid non-public fields in COM visible value types | Warning |
Maintainability | ID | Rule Name | Violation Treatment |
| CA1500 | Variable names should not match field names | Error |
| CA1501 | Avoid excessive inheritance | Warning |
| CA1502 | Avoid excessive complexity | Warning |
| CA1504 | Review misleading field names | Error |
| CA1505 | Avoid unmaintainable code | Warning |
| CA1506 | Avoid excessive class coupling | Warning |
Portability | ID | Rule Name | Violation Treatment |
| CA1900 | Value type fields should be portable | Error |
| CA1901 | P/Invoke declarations should be portable | Error |
Reliability | ID | Rule Name | Violation Treatment |
| CA2001 | Avoid calling problematic methods | Error |
| CA2002 | Do not lock on objects with weak identity | Error |
| CA2003 | Do not treat fibers as threads | Error |
| CA2004 | Remove calls to GC.KeepAlive | Warning |
| CA2006 | Use SafeHandle to encapsulate native resources | Error |
Naming | ID | Rule Name | Violation Treatment |
| CA1700 | Do not name enum values ‘Reserved’ | Error |
| CA1701 | Resource string compound words should be cased correctly | Warning |
| CA1702 | Compound words should be cased correctly | Error |
| CA1703 | Resource strings should be spelled correctly | Warning |
| CA1704 | Identifiers should be spelled correctly | Warning |
| CA1707 | Identifiers should not contain underscores | Error |
| CA1708 | Identifiers should differ by more than case | Error |
| CA1709 | Identifiers should be cased correctly | Warning |
| CA1710 | Identifiers should have correct suffix | Error |
| CA1711 | Identifiers should have incorrect suffix | Error |
| CA1712 | Do not prefix enum values with type name | Error |
| CA1713 | Events should not have before or after prefix | Error |
| CA1714 | Flags enum should have plural names | Warning |
| CA1715 | Identifiers should have correct prefix | Error |
| CA1716 | Identifiers should not match keywords | Error |
| CA1717 | Only FlagsAttribute enums should have plural names | Error |
| CA1719 | Parameter names should not match member names | Error |
| CA1720 | Identifiers should not contain type names | Error |
| CA1721 | Property names should not match get methods | Error |
| CA1722 | Identifiers should not have incorrect prefix | Error |
| CA1723 | Use preferred terms | Error |
| CA1724 | Type names should not match namespaces | Error |
| CA1725 | Parameter names should match base declaration | Warning |
Performance | ID | Rule Name | Violation Treatment |
| CA1800 | Do not cast unnecessarily | Warning |
| CA1801 | Avoid uninstantiated internal classes | Warning |
| CA1802 | Use literals where appropriate | Warning |
| CA1804 | Remove unused locals | Warning |
| CA1805 | Do not initialize unnecessarily | Warning |
| CA1806 | Do not ignore method results | Warning |
| CA1810 | Initialize reference type static fields inline | Warning |
| CA1811 | Avoid uncalled private code | Warning |
| CA1812 | Avoid uninstantiated internal classes | Warning |
| CA1813 | Avoid unsealed attributes | Warning |
| CA1814 | Prefer jagged arrays over multidimensional | Warning |
| CA1815 | Override equals and operator equals on value types | Warning |
| CA1819 | Properties should not return arrays | Error |
| CA1820 | Test for empty strings using string length | Warning |
| CA1821 | Remove empty finalizers | Warning |
| CA1822 | Mark members as static | Warning |
| CA1823 | Avoid unused private fields | Warning |
| CA1824 | Mark assemblies with NeutralResourcesLanguageAttribute | Warning |
Security | ID | Rule Name | Violation Treatment |
| CA2102 | Specify marshaling for P/Invoke string arguments | Error |
| CA2103 | Review imperative security | Warning |
| CA2104 | Do not declare read only mutable reference types | Warning |
| CA2105 | Do not declare read only mutable reference types | Error |
| CA2106 | Secure asserts | Warning |
| CA2107 | Review deny and permit only usage | Warning |
| CA2108 | Review declarative security on value types | Warning |
| CA2109 | Review visible event handlers | Warning |
| CA2111 | Pointers should not be visible | Warning |
| CA2112 | Secured types should not expose fields | Warning |
| CA2114 | Method security should be superset of type | Warning |
| CA2115 | Call GC.KeepAlive when using native resources | Warning |
| CA2116 | APTCA methods should only call APTCA methods | Warning |
| CA2117 | APTCA types should only extend APTCA base types | Warning |
| CA2118 | Review SuppressUnmanagedCodeSecurityAttribute usage | Warning |
| CA2119 | Seal methods that satisfy private interfaces | Warning |
| CA2120 | Secure serialization constructors | Error |
| CA2121 | Static constructors should be private | Error |
| CA2122 | Do not indirectly expose methods with link demands | Warning |
| CA2123 | Override link demands should be identical to base | Error |
| CA2124 | Wrap vulnerable finally clauses in outer try | Error |
| CA2126 | Type link demands require inheritance demands | Error |
| CA2127 | Security transparent assemblies should not contain security critical code | Error |
| CA2128 | Security transparent code should not assert | Error |
| CA2129 | Security transparent code should not reference non-public security critical members | Error |
Usage | ID | Rule Name | Violation Treatment |
| CA1806 | Do not ignore method results | Warning |
| CA2200 | Rethrow to preserve stack details | Error |
| CA2201 | Do not raise reserved exception types | Warning |
| CA2207 | Do not ignore method results | Warning |
| CA2208 | Instantiate argument exceptions correctly | Warning |
| CA2210 | Assemblies should have valid strong names | Error |
| CA2211 | Non-constant fields should not be visible | Warning |
| CA2212 | Do not mark serviced components with WebMethod | Warning |
| CA2213 | Disposable fields should be disposed | Warning |
| CA2214 | Do not call overridable methods in constructors | Error |
| CA2216 | Disosable fields should be disposed | Warning |
| CA2217 | Disposable fields should be disposed | Error |
| CA2218 | Override GetHashCode on override Equals | Error |
| CA2219 | Do not raise exceptions in exception clauses | Error |
| CA2220 | Finanizers should call base class finalizer | Error |
| CA2221 | Finalizers should be protected | Error |
| CA2222 | Do not decrease inherited member visibility | Error |
| CA2224 | Override equals on overloading operator equals | Warning |
| CA2225 | Operator overloads have named alternates | Error |
| CA2226 | Operators should have symmetrical overloads | Error |
| CA2227 | Collection properties should be read only | Error |
| CA2228 | Do not ship unreleased resource formats | Error |
| CA2229 | Implement serialization constructors | Error |
| CA2230 | Use params for variable arguments | Error |
| CA2231 | Operator overloads have named alternates | Warning |
| CA2233 | Operations should not overflow | Warning |
| CA2234 | Pass System.Uri objects instead of strings | Warning |
| CA2235 | Mark all non-serializable fields | Error |
| CA2236 | Call base class methods on ISerializable types | Error |
| CA2237 | Mark ISerializable types with SerializableAttribute | Error |
| CA2238 | Implement serialization methods correctly | Error |
| CA2239 | Provide deserialization methods for optional fields | Warning |
| CA2240 | Implement ISerializable correctly | Error |
| CA2242 | Test for NaN correctly | Warning |
| CA2243 | Attribute string literals should parse correctly | Warning |
8315e147-8f48-4447-9e20-ef594ce0d31e|1|5.0
Tags:
Subscribe