Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Consider releasing Roslyn Analyzers and Fixers

See original GitHub issue

Roslyn analyzers and fixers work as part of the compiler and can be used in any IDE or tooling the supports Roslyn analyzers.

The Roslyn compilers can output diagnostics in SARIF formant (-errorLog) that can be used by other tooling.

Issue Analytics

State:
Created 3 years ago
Comments:7 (7 by maintainers)

Top GitHub Comments

1reaction

scovettacommented, Feb 1, 2021

@paulomorgado Just to add a little to this – static analyzers make tradeoffs in different areas – the advantage of Roslyn analyzers are execution speed, disadvantages (IMHO) are complexity of rule creation and the languages that can be analyzed. CodeQL isn’t usually as performant, but enables for a much deeper analysis, and still a relatively high cost of rule creation.

DevSkim goes at it from the other direction – rules are very easy to write and are language agnostic. This means that yes, it’s easy to “trick” DevSkim into not finding an issue, and there can be more false positives.

There’s no “best” tool for all jobs – we think that DevSkim has a useful spot in the mix, similar to Semgrep, but we don’t want to try to make DevSkim something that it isn’t.

If your original comment was about creating new Roslyn rules to detect more security bugs, that would always be helpful, but it isn’t something that we (the folks managing DevSkim) are actively working on. You might want to consider security-code-scan (NuGet) in case they’ve already implemented what you’re looking for.

0reactions

paulomorgadocommented, Feb 1, 2021

Thanks.