Sonar analysis does not handle correctly multi targeting

SonarQube for IDE Visual Studio
,
1
  • Operating system: Windows
  • Visual Studio version: 2022 (17.9.5)
  • SonarLint plugin version: 7.8.0
  • Programming language you’re coding in: C#
  • Is connected mode used:
    • Connected to SonarQube (and which version):10.4.1

Assuming a project multi targeting to netstandard2.1 and net472:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFrameworks>netstandard2.1;net472</TargetFrameworks>
    <Nullable>disable</Nullable>
  </PropertyGroup>

</Project>

Analyzing the following example I run into S3240:

namespace S3240
{
    public class Class1
    {
        private object a;

        public void Test()
        {
            if (a == null) // S3240
            {
                a = new object();
            }
        }
    }
}

The identification itself is ok, but the quick-fix changes the code to

a ??= new object();

This is correct for netstandard2.1 but not compatible with net472 (which is using C# 7.3).

When multi-targeting is enable the quick-fix should use the most compatible version which is

a = a ?? new object();

BTW: I guess this problem also applies to many more rules.

4

Hello @lg2de,

Thank you for reaching out!

The suggested code fix depends on which target framework your IDE uses.
In Visual Studio, you can choose which target framework to use by selecting it in the left-most dropdown on top of your file:

image

In your case, you are probably using netstandard2.1; thus, the suggested code fix is for netstandard2.1.

This happens because, when doing the analysis, we get the information only about the currently used target framework, we do not know about any other targeted framework.

Similarly, the code fix for IDE0074 will suggest you to use a null-coalescing assignment even though you are also targeting net472.

To prevent the wrong code fix from being suggested, make sure to always set the current target framework to net472.

16

Today I hit another issue quite similar. So, I guess it is correct to update this thread instead of create a new one.

The rule S6513 “Add a justification” raises issues on ExcludeFromCodeCoverageAttribute. But, the Justification property is only available in newer dotnet versions. It is not available in .NET Framework 4.8.

My analysis reports:

Using the .NET Framework version of the Scanner for MSBuild

How can we achieve correct analysis in multi-targeting environment?

17

Hi @lg2de,

To verify,

  • You’re seeing this in-IDE (flavor & version, please?)
  • You’ve set the current target framework appropriately, per

?

 
Thx,
Ann

18

No, I see the result in SonarQube Server (on premises), Developer Edition v2025.2.
The affected project uses the targets net48 and net8.

I’m not sure what means “make sure to set the current target”? The analyzer already prompts in the analysis to use .NET Framework.

20

Hi,

Thanks for the details. I’ve flagged this for the language experts.

 
Ann

22

Hello @lg2de!

thanks for reporting this.

What is happening here is that since you are targeting two frameworks there will be two compilations (one for net48 and one for net8).

Each compilation will raise issues according to the framework and then the issues will be aggregated and that’s why you are actually seeing this issue raised (it comes from the net8 compilation, if your project would target only net48 the issue would not be there at all).

Making a choice when aggregating the issues based on the target frameworks is a pretty complex topic that we decided to not go into.

I have 2 suggestions as a workaround:

  1. Either you could use preprocessor directives to compile that part only for net48.
  2. Either deactivate this rule fully since for this project from my POV it has nothing to offer (every single issue will be an FP for net48).

Thanks!

1 Like