S2437 Remove this silly bit operation additional False Positive


  • Visual Studio 2022
  • SonarQube 8.9.1
  • SonarLint 6.9.0
  • SonarScanner for .NET 5.8.0

Similar to this issue (https://community.sonarsource.com/t/s2437-vb-net-remove-this-silly-bit-operation-false-positive/38622) we are seeing a false positive in C# code. I can’t tell if our Sonar versions include the fix that was released in Analyzer 8.24 for that or not.

The code snippet below is flagged in the VS IDE as well as by our SonarQube installation which is hooked into our Azure DevOps pipeline via the SonarScanner.

var length = 0x80;
var bytesRequired = 0;
while (length > 0)
{
    length >>= 8;
    bytesRequired++; // incremented once per byte of length, so it is non-zero after the loop
}
stream.Write((byte)(bytesRequired | 0x80));

The final line is flagged, effectively stating bytesRequired isn’t set to a non-zero value.

Changing bytesRequired++; to bytesRequired += 1; no longer flags the issue. That makes me think we have the fixed Analyzer version but that this is an additional edge case needing to be handled.

Hey there.

SonarQube v8.9 LTS was bundled with v8.22 of the .NET analyzer, and therefore doesn’t contain a fix for that false-positive… and, in the latest versions of SonarLint for Visual Studio we should be using a much later version (even in connected mode), so I’ll flag this for attention.

Thank you for the update. I’ll recommend our QA team upgrade our installation to the latest 9.x version and see if that resolves it.

I re-read the SonarLint portion of your reply. You’re saying that because the latest SonarLint is also flagging this in VS, the previous false positive fix doesn’t cover this scenario? That would make sense.

That’s my understanding of how we package .NET analysis into SonarLint.

Hi Jeff,

Thanks for your feedback. I’ve added "S2437: FP, none of the operands is 0" (Issue #6326, SonarSource/sonar-dotnet on GitHub) on our side to take care of the issue.
