UcfgGenerator Inconsistent syntax tree features

hellmanf · December 29, 2020, 7:25pm

Template for a good bug report, formatted with Markdown:

Versions used
sonar-scanner-msbuild-5.0.4.24009-net46
Sonarcloud project using ruleset from Sonarcloud recomended
Error observed

    18>CSC : warning AD0001: Analyzer 'SonarAnalyzer.Security.CSharp.UcfgGenerator' threw an exception of type 'System.ArgumentException' with message 'Inconsistent syntax tree features [C:\Users\hellm\source\repos\tc-iot-platform\Messify Management Portal\Messify Management Portal\Messify Management Portal.csproj]
         Parameter name: trees'.
         Exception occurred with following context:
         Compilation: Messify.Presentation.ManagementPortal
         
         System.ArgumentException: Inconsistent syntax tree features
         Parameter name: trees
            at Microsoft.CodeAnalysis.Compilation.SyntaxTreeCommonFeatures(IEnumerable`1 trees)
            at Microsoft.CodeAnalysis.CSharp.CSharpCompilation.Update(ReferenceManager referenceManager, Boolean reuseReferenceManager, SyntaxAndDeclarationManager syntaxAndDeclarations)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.RazorViewMethodsForNetFramework(Compilation compilation, IEnumerable`1 razorDocuments)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.CreateNetFrameworkMvcRazorViewUcfg(CompilationAnalysisContext endContext, IRazorPathProvider pathProvider)
            at SonarAnalyzer.Security.CSharp.UcfgGenerator.<Initialize>b__16_10(CompilationAnalysisContext endContext)
            at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationActionsCore>b__48_1(ValueTuple`2 data)
            at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
         -----
         
         Suppress the following diagnostics to disable this analyzer: S2076, S2078, S2083, S2091, S2631, S3649, S5131, S5135, S5144, S5145, S5146, S5167

Steps to reproduce
Having a MVC and Web Api project on .NET Framework 4.6.2 which is quite huge we we getting this issue mentioned. Analyses still proceed but during inspection of logs this error is present
Potential workaround
N/A
Scanner command used when applicable (private details masked)
.\SonarScanner.MSBuild.exe begin /o:“xx” /k:“xx” /d:sonar.host.url=“https://sonarcloud.io” /d:sonar.login=“xx”

Pavel_Mikula · January 6, 2021, 10:51am

Hi @hellmanf,

This is interesting issue, but unfortunately not easy to reproduce. Can you help us find the source of this?

Step 1

We need to find what .cshtml file is causing this. Can you

run scanner begin step to prepare the analyzers
delete *.cshtml files from some section of your project
rebuild the solution and check for the error
repeat deleting and building until the error goes away and narrow it down to a single file

As it’s .NET Framework project, deleting *.cshtml files should not break the build.

Step 2

Can you privately share with us the .cshtml file and all web.config files from it’s directory towards the root of your solution?

In those web.config files, we’re mainly interested in references, namespaces and compiler configurations. All AppSettings, connection strings, custom settings and private data can be removed.

Can you also share with us any special version or compiler related settings from your *.csproj files?

hellmanf · January 11, 2021, 8:55am

Hi @Pavel_Mikula

Ah these rules are related to .cshtml? If so i think i know the issue because they are excluded from analysis.
Let me reconfigure this and run it again and i will get back to this topic.

Current configuration is;

# Additional properties that will be passed to the scanner, 
# Put one key=value per line, example:
sonar.exclusions=**/*.bin/*,**/obj/**/*,**/bin/**/*,**/Content/**/*,**/Properties/**/*,**/*.cshtml,**/*.js,**/*.csdef,**/*.cscfg,**/*.map,**/node_modules/**/*,**/Messify Integration/**/*
sonar.inclusions=Messify Management Portal/**/*.cs

sonar.coverage.exclusions=**/*.csdef,**/*.cscfg
sonar.cs.vstest.reportsPaths=**\*.trx
sonar.javascript.lcov.reportPaths=**\clover.xml

Going to drop out and see how it goes

**/.cshtml

Pavel_Mikula · January 11, 2021, 3:17pm

Removing sonar.exclusions will not change the behavior. UCFGs are generated before exclusions are considered to report the rule. And the issue occurs during the UCFG generation.

You should keep them included to be able to benefit from S5131 XSS vulnerability detection rule.

hellmanf · January 11, 2021, 5:05pm

Ah got it.

Let me share all the cshtml files with you in private. Seems like i cannot send you a email, but if you can do that to me i can share them

hellmanf · January 12, 2021, 4:39pm

files shared, let me know if there is more that i can do in order to help

Pavel_Mikula · February 8, 2021, 4:04pm

Hi,
I’m sorry for late reply.

I tried to put your “Views” folder in empty .NET Framework ASP.NET MVC project with default web.config file in the root and it unfortunately didn’t reproduce the issue.

Isn’t there something specific in your root web.config that can affect the compilation?

hellmanf · February 19, 2021, 10:03am

Hi Pavel,
I will check on my side and get back to you need week (end of feb)

hellmanf · March 18, 2021, 1:32pm

This warning has not yet come up again after swapping over to a new type of pipeline for us. So yeah i would discard this issue unfortunately.

Pavel_Mikula · March 18, 2021, 2:59pm

Hi @hellmanf ,

I’ll close the topic then, as it’s not reproducible on either side. Please let us know if you face any issue in the future!

Cheers
Pavel