Getting errors of mismatched MVID

Building .NET Framework 4.7.2 projects using msbuild, and getting errors in many projects like the following:

CompilerServer: server failed - server rejected the request due to analyzer / generator issues 'analyzer assembly 'C:
  \Users\builduser\AppData\Local\Temp\.sonarqube\resources\2\System.Buffers.dll' has MVID '36e84b0d-9d74-4086-a062-54e
  1963f24d5' but loaded assembly 'System.Buffers, Version=, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' ha
  s MVID 'f389ca43-32bf-4e24-ad8c-a6ed5efddff3', analyzer assembly 'C:\Users\builduser\AppData\Local\Temp\.sonarqube\r
  esources\2\System.Numerics.Vectors.dll' has MVID '95de52ab-0179-450a-9f6f-08d224d60b15' but loaded assembly 'System.N
  umerics.Vectors, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' has MVID '34905ed1-db9d-4250-b31b
  -b80e1ff70ff5', analyzer assembly 'C:\Users\builduser\AppData\Local\Temp\.sonarqube\resources\2\System.Runtime.Compi
  lerServices.Unsafe.dll' has MVID 'bd600ba8-23b5-4d45-ba63-f24457fa3be3' but loaded assembly 'System.Runtime.CompilerS
  ervices.Unsafe, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' has MVID '9dde2c5e-b52a-4cbd-861e-

This is with the SQ .net scanner sonar-scanner-msbuild-

I can’t find any documentation on this error or what MVID is or why there might be mismatches. We are doing a 2-week trial of developer edition and want to make sure the assemblies are being properly scanned before we acquire a license. Just looking for pointers on where to begin analysis right now.


Hello and welcome to the community.

Sorry for the delay in answering.

This is an issue we’ve seen previously with the dotnet analysis - see #4808. The root cause is a conflict in the dependencies used by our analyzer and the same dependency with a different version used by the analyzed project.

How .NET Core and .NET works is that, when seeing a dependency, it will load the first occurrence and then ignore the rest (which is a different behavior from .NET Framework). In our case, because our analyzers are “plugged in” first in the build system, the dependency of our analyzers are the ones who “win”. Which means that if the customer project uses System.Buffers.dll , the .NET Core runtime will hand it the Sonar analyzer dependency, and because of this behavior they end up with a build break.

This particular clash comes from the Sonar Security C# FrontEnd which generates UCFG files for the Taint Analysis Engine (a.k.a. injection vulnerability detection). Read more here.

Do you use Google.Protobuf, Grpc, Grpc.Tools or Microsoft.Composition in the projects that are failing? Until we fix the root cause, you can mitigate the issue by using the same version of these libraries with the versions that we use.

We opened an internal ticket to fix this issue (SONARSEC-2690 for reference, but you cannot access the JIRA project as the taint analysis detection is a closed-source project).

Is there any update on this issue? SONARSEC-2690 I’m having the same issue with SonarCloud but I am not able to mitigate the issue by using the same version of these libraries with the versions that Sonar uses. This is because I depend on packages which indirectly use System.Buffers, System.Numerics.Vectors and System.Runtime.CompilerServices.Unsafe. These packages are not available with the same versions as Sonar uses. I’ve tried fixing the issue by referencing the packages myself like this:

<PackageReference Include="System.Buffers" Version="4.5.1" PrivateAssets="All" NoWarn="NU1605"/>

But to no avail. I’ve also noticed that no matter which version of the packages I use, the MVID mentioned in the error stays the same. For example, System.Buffers version 4.5.1. is MVID ‘36e84b0d-9d74-4086-a062-54e1963f24d5’ (same as in the error john.ruark described) and System.Buffers version 4.3.0 is also MVID ‘36e84b0d-9d74-4086-a062-54e1963f24d5’.

Any help would be greatly appreciated.


@sbussink-covadis we’ve replied in your other thread, so we’ll close this one.

@john.ruark could you please provide the full log of msbuild step with /v:diag ? Would be great if you could provide one log without scanner and one log after scanner start step.

I can provide you with private thread to share the log.

1 Like