UcfgGenerator Inconsistent syntax tree features

Template for a good bug report, formatted with Markdown:

  • Versions used
    sonar-scanner-msbuild-5.0.4.24009-net46
    Sonarcloud project using the ruleset recommended by Sonarcloud
  • Error observed
    18>CSC : warning AD0001: Analyzer 'SonarAnalyzer.Security.CSharp.UcfgGenerator' threw an exception of type 'System.ArgumentException' with message 'Inconsistent syntax tree features [C:\Users\hellm\source\repos\tc-iot-platform\Messify Management Portal\Messify Management Portal\Messify Management Portal.csproj]
         Parameter name: trees'.
         Exception occurred with following context:
         Compilation: Messify.Presentation.ManagementPortal
         
         System.ArgumentException: Inconsistent syntax tree features
         Parameter name: trees
            at Microsoft.CodeAnalysis.Compilation.SyntaxTreeCommonFeatures(IEnumerable`1 trees)
            at Microsoft.CodeAnalysis.CSharp.CSharpCompilation.Update(ReferenceManager referenceManager, Boolean reuseReferenceManager, SyntaxAndDeclarationManager syntaxAndDeclarations)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.RazorViewMethodsForNetFramework(Compilation compilation, IEnumerable`1 razorDocuments)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.CreateNetFrameworkMvcRazorViewUcfg(CompilationAnalysisContext endContext, IRazorPathProvider pathProvider)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.<Initialize>b__16_10(CompilationAnalysisContext endContext)
            at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationActionsCore>b__48_1(ValueTuple`2 data)
            at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
         -----
         
         Suppress the following diagnostics to disable this analyzer: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5167
  • Steps to reproduce
    Having an MVC and Web API project on .NET Framework 4.6.2 which is quite huge, we are getting the issue mentioned. Analysis still proceeds, but during inspection of the logs this error is present.
  • Potential workaround
    N/A
  • Scanner command used when applicable (private details masked)
    .\SonarScanner.MSBuild.exe begin /o:"xx" /k:"xx" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.login="xx"

Hi @hellmanf,

This is an interesting issue, but unfortunately not easy to reproduce. Can you help us find the source of this?

Step 1

We need to find what .cshtml file is causing this. Can you

  • run scanner begin step to prepare the analyzers
  • delete *.cshtml files from some section of your project
  • rebuild the solution and check for the error
  • repeat deleting and building until the error goes away and narrow it down to a single file

As it's a .NET Framework project, deleting *.cshtml files should not break the build.

Step 2

Can you privately share with us the .cshtml file and all web.config files from its directory towards the root of your solution?

In those web.config files, we’re mainly interested in references, namespaces and compiler configurations. All AppSettings, connection strings, custom settings and private data can be removed.

Can you also share with us any special version or compiler related settings from your *.csproj files?
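
The delete-and-rebuild loop from Step 1 can be scripted as a bisection. This is an added example, not part of the original post or of SonarSource tooling; it assumes a single view triggers the warning, and the function names, the temporary stash directory and the `msbuild /t:Rebuild` command are assumptions.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Analyzer name and warning id are copied from the AD0001 warning in the report above.
CRASH = re.compile(r"warning AD0001: Analyzer 'SonarAnalyzer\.Security\.CSharp\.UcfgGenerator' threw")

def log_has_ucfg_crash(build_log):
    """True if the build output contains the UcfgGenerator AD0001 warning."""
    return bool(CRASH.search(build_log))

def bisect_culprit(views, crashes_with):
    """Return the one view that triggers the crash, or None if no single file does."""
    # crashes_with(subset) rebuilds with only `subset` present and returns a bool.
    candidates = sorted(views)
    if not candidates or not crashes_with(candidates):
        return None
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        candidates = half if crashes_with(half) else candidates[len(half):]
    return candidates[0] if crashes_with(candidates) else None

def make_build_check(project_dir, views, build_cmd):
    """Build predicate: move every view outside `subset` away, rebuild, scan the log."""
    def crashes_with(subset):
        keep, moved = set(subset), []
        stash = Path(tempfile.mkdtemp(prefix="cshtml-stash-"))  # outside the project tree
        try:
            for view in (v for v in views if v not in keep):
                target = stash / view.relative_to(project_dir)
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(view), str(target))
                moved.append((target, view))
            run = subprocess.run(build_cmd, cwd=project_dir, capture_output=True, text=True)
            return log_has_ucfg_crash(run.stdout + run.stderr)
        finally:
            for target, view in moved:  # always restore the views, even if the build fails
                shutil.move(str(target), str(view))
            shutil.rmtree(stash, ignore_errors=True)
    return crashes_with

if __name__ == "__main__":
    # Assumed usage: run in the project directory after the scanner "begin" step.
    root = Path.cwd()
    all_views = sorted(root.rglob("*.cshtml"))
    print(bisect_culprit(all_views, make_build_check(root, all_views, ["msbuild", "/t:Rebuild"])))
```

A result of `None` means either the warning did not appear with all views present or it depends on more than one file, in which case the manual narrowing has to continue by section.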

Hi @Pavel_Mikula

Ah, these rules are related to .cshtml? If so, I think I know the issue, because they are excluded from analysis.
Let me reconfigure this and run it again and I will get back to this topic.

Current configuration is:

# Additional properties that will be passed to the scanner, 
# Put one key=value per line, example:
sonar.exclusions=**/*.bin/*,**/obj/**/*,**/bin/**/*,**/Content/**/*,**/Properties/**/*,**/*.cshtml,**/*.js,**/*.csdef,**/*.cscfg,**/*.map,**/node_modules/**/*,**/Messify Integration/**/*
sonar.inclusions=Messify Management Portal/**/*.cs

sonar.coverage.exclusions=**/*.csdef,**/*.cscfg
sonar.cs.vstest.reportsPaths=**\*.trx
sonar.javascript.lcov.reportPaths=**\clover.xml

Going to drop out and see how it goes

**/.cshtml

Removing sonar.exclusions will not change the behavior. UCFGs are generated before exclusions are considered to report the rule. And the issue occurs during the UCFG generation.

You should keep them included to be able to benefit from the S5131 XSS vulnerability detection rule.

Ah got it.

Let me share all the cshtml files with you in private. Seems like I cannot send you an email, but if you can do that to me I can share them.

Files shared, let me know if there is more that I can do in order to help.