SonarQube Server: Community Build v25.5.0.107428
No information available about configuration, not maintained by us.
I have the problem, that SonarQube reports the S3885 issue, which can’t be solved as we need to load an Assembly when .NET can’t detect it by name or reference.
I came then across this issue :
We also use the AssemblyResolve event to load assemblies from another path. So we want do this by Assembly.LoadFrom, but this you report as issue.
How can it be solved?
Hey @HBoskugelS!
Thanks for bringing up this topic. Can you share some code samples?
It reports the code at return in OnAssemblyResolve
private static Assembly OnAssemblyResolve(Object sender,
ResolveEventArgs args)
{
String[] nameParts = args.Name.Split(',');
String assemblyFilePath = __librariesDirectoryPaths.SelectMany(ldp => new[]
{
Path.Combine(ldp,
$"{nameParts[0]}.dll"),
Path.Combine(ldp,
$"{nameParts[0]}.exe")
})
.FirstOrDefault(afp => File.Exists(afp));
if(assemblyFilePath == null)
{
return null;
}
return Assembly.LoadFrom(assemblyFilePath);
}
static DllExports()
{
AppDomain.CurrentDomain.AssemblyResolve += OnAssemblyResolve;
}
Hi @HBoskugelS,
Thanks for raising this!
I agree this is a False Positive.
The MSDN explicitly calls this out as what not to do!
I have added a repro to our codebase and a ticket to not raise this rule inside event handlers.
Please look right what MSDN tells in the article. The first sample is what you have NOT to do. The second then shows the solution with the LoadFile. But this Method is deprecated, so LoadFrom is the right one.
Hi @HBoskugelS,
Yes, I realise I was unclear.
To be clear:
In the code snippet you provided, we should not suggest using Assembly.Load() as it could lead to a stack overflow. (This is what the MSDN calls out as bad practice and what I have added a reproducer in our codebase for).
In your code the use of Assembly.LoadFrom is correct.
I would recommend marking the code as a False Positive in SonarQube Server.
Thanks