Getting errors of mismatched MVID

Hello and welcome to the community.

Sorry for the delay in answering.

This is an issue we’ve seen previously with the dotnet analysis - see #4808. The root cause is a conflict in the dependencies used by our analyzer and the same dependency with a different version used by the analyzed project.

How .NET Core and .NET work is that, when seeing a dependency, they will load the first occurrence and then ignore the rest (which is a different behavior from .NET Framework). In our case, because our analyzers are “plugged in” first in the build system, the dependencies of our analyzers are the ones that “win”. This means that if the customer project uses System.Buffers.dll, the .NET Core runtime will hand it the Sonar analyzer’s dependency, and because of this behavior they end up with a build break.

This particular clash comes from the Sonar Security C# FrontEnd which generates UCFG files for the Taint Analysis Engine (a.k.a. injection vulnerability detection). Read more here.

Do you use Google.Protobuf, Grpc, Grpc.Tools or Microsoft.Composition in the projects that are failing? Until we fix the root cause, you can mitigate the issue by using the same versions of these libraries as the ones that we use.

We opened an internal ticket to fix this issue (SONARSEC-2690 for reference, but you cannot access the JIRA project as the taint analysis detection is a closed-source project).

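As an added check, not part of the post above or of SonarSource's own tooling, the script below reads a project's `obj/project.assets.json` (the file NuGet writes on restore, with restored packages listed under `libraries` as `Name/Version`), pulls out the resolved versions of the four packages named in the reply, and reports which ones differ from the versions the analyzer bundles. The reply does not state the analyzer's versions, so `ANALYZER_VERSIONS` is a hypothetical placeholder you replace with the dependency versions of the analyzer package you actually have installed; the embedded assets JSON is a constructed sample.

```python
import json
import sys

# Packages the reply names as potentially clashing between the Sonar analyzer
# and the analyzed project.
WATCHED_PACKAGES = {"Google.Protobuf", "Grpc", "Grpc.Tools", "Microsoft.Composition"}


def package_versions(assets_json: str, watched=WATCHED_PACKAGES) -> dict:
    """Map watched package name -> resolved version from project.assets.json text.

    NuGet lists restored packages under "libraries", keyed as "Name/Version";
    project references also appear there with type "project" and are skipped.
    """
    assets = json.loads(assets_json)
    found = {}
    for key, entry in assets.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if entry.get("type") == "package" and name in watched:
            found[name] = version
    return found


def version_mismatches(project: dict, analyzer: dict) -> dict:
    """Packages present on both sides whose versions differ -> (project, analyzer)."""
    return {
        name: (project[name], analyzer[name])
        for name in sorted(project.keys() & analyzer.keys())
        if project[name] != analyzer[name]
    }


# Constructed sample of an obj/project.assets.json, trimmed to the fields used here.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "libraries": {
        "Google.Protobuf/3.11.2": {"type": "package", "path": "google.protobuf/3.11.2"},
        "Grpc/2.27.0": {"type": "package", "path": "grpc/2.27.0"},
        "Newtonsoft.Json/12.0.3": {"type": "package", "path": "newtonsoft.json/12.0.3"},
        "MyLib/1.0.0": {"type": "project", "path": "../MyLib/MyLib.csproj"},
    },
})

# Hypothetical placeholder: the reply does not state which versions the analyzer
# ships. Replace with the dependency versions of your installed analyzer package.
ANALYZER_VERSIONS = {"Google.Protobuf": "3.10.0", "Grpc.Tools": "2.25.0"}


def report(assets_json: str = SAMPLE_ASSETS, analyzer: dict = ANALYZER_VERSIONS) -> list:
    """Return one line per package whose project version should be aligned."""
    project = package_versions(assets_json)
    lines = []
    for name, (proj_v, ana_v) in version_mismatches(project, analyzer).items():
        lines.append(
            f"{name}: project resolves {proj_v}, analyzer ships {ana_v}; pin to {ana_v}"
        )
    return lines


if __name__ == "__main__":
    # Usage: python check_versions.py path/to/obj/project.assets.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSETS
    for line in report(text):
        print(line)
```

Run it against each failing project's `obj/project.assets.json` after a restore; any package it lists is one whose `PackageReference` version you would align with the analyzer's before rebuilding. Packages the project does not reference at all are not reported, since only a second copy of the same assembly can clash.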