S3353 false positive for Razor inject

  • What language is this for? Razor templates
  • Which rule? S3353
  • Why do you believe it’s a false-positive/false-negative? When using dependency injection in a Razor template, S3353 is raising a violation, although such injections can’t have a const modifier.
  • Are you using…? The SonarAnalyzer.CSharp NuGet package, v10.6.0.109712.
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
@using Microsoft.Extensions.Configuration
@inject IConfiguration Configuration

The violation is raised on the second line.

What makes this more unfortunate than usual is that you can’t suppress violations in Razor templates at all.

Hello @Piedone,

Thank you for reaching out.

Unfortunately, I am not able to reproduce your issue with the given snippet.

Could you provide a bit more?
Ideally a small project, that would be very helpful.

Thank you :pray:

Here it is:

WebApplication1.zip (5.0 KB)

This is a stripped down vanilla ASP.NET Core app, created from the default Visual Studio template.

Hello @Piedone,

Thank you for the reproducer, I am able to reproduce the issue now.

However, I can only reproduce this issue inside Visual Studio.
Is this the case for you as well?
Do you see the issue during the build (e.g.: the issue appears in SonarQube or SonarCloud)?

I also tried to reproduce the issue in Rider and there is no issue there either.
I suspect the issue might come from how Visual Studio generates Razor pages for in-IDE analysis.

This also breaks builds with dotnet build. This is in line with it not just showing in the editor in VS, but also in the build output.

That’s very surprising!

Could you give me the output of dotnet --info inside the project folder?

Sure:

info.txt (8.7 KB)

Hello @Piedone,

Thank you for all your input!
I was able to reproduce it consistently; however, I am not sure why you are seeing the issue when invoking dotnet build.

Anyway, I have opened a ticket in our backlog to tackle it in one of our next hardening sprints!

Have a nice day!

Thank you! Is this an issue on GitHub? Because I don’t see it on GitHub.

No, I have created the ticket in our internal backlog which is private at the moment.