diff --git a/.github/workflows/cd-production.yml b/.github/workflows/cd-production.yml
index b8f939c..98f8188 100644
--- a/.github/workflows/cd-production.yml
+++ b/.github/workflows/cd-production.yml
@@ -9,7 +9,7 @@ env:
jobs:
pack-and-publish:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04 # NuGet.exe is a Mono application on Linux and is not installed by default on `ubuntu-latest` runners
steps:
- name: Checkout
uses: actions/checkout@v3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a98d05..aa62b8f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
jobs:
pack:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04 # NuGet.exe is a Mono application on Linux and is not installed by default on `ubuntu-latest` runners
steps:
- name: Checkout
uses: actions/checkout@v3
@@ -21,7 +21,7 @@ jobs:
run: 'sed -i -e "s/{{NuGetVersion}}/$NUGET_VERSION/g" *.nuspec'
- name: Setup NuGet.exe for use with actions
- uses: NuGet/setup-nuget@v1.2.0
+ uses: NuGet/setup-nuget@v2
- name: Create main package
run: nuget pack Neolution.CodeAnalysis.nuspec
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 9c9a7a2..e522871 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -3,22 +3,27 @@ name: Create Release
on:
workflow_dispatch:
inputs:
- versioning_phase:
+ release_type:
type: choice
- description: Versioning Phase
+ description: Release Type
default: stable
options:
+ - stable
- alpha
- beta
- rc
- - stable
- bump_version_number:
+ continue_prerelease:
+ type: boolean
+ description: |
+ Do not bump version number, increase pre-release revision number instead.
+ default: false
+
+ version_bump:
type: choice
- description: Bump Version Number
- default: consecutive
+ description: Bump version number
+ default: patch
options:
- - consecutive
- patch
- minor
- major
@@ -41,7 +46,6 @@ jobs:
uses: actions/checkout@v4
with:
token: ${{ steps.generate-token.outputs.token }}
- # we need everything so release-it can compare the current version with the latest tag
fetch-depth: 0
- name: initialize mandatory git config
@@ -55,19 +59,26 @@ jobs:
- name: run release-it
run: |
params=()
-
- if [[ ${{ github.event.inputs.bump_version_number }} != "consecutive" ]]; then
- params+=(${{ github.event.inputs.bump_version_number }})
- fi
-
- if [[ ${{ github.event.inputs.versioning_phase }} != "stable" ]]; then
- params+=(--preRelease=${{ github.event.inputs.versioning_phase }})
- params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
- params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
+
+ if [[ "${{ github.event.inputs.release_type }}" == "stable" ]]; then
+ params+=(--${{ github.event.inputs.version_bump }})
+ elif [[ "${{ github.event.inputs.continue_prerelease }}" == "true" ]]; then
+ # Tell release-it to use prerelease tags
+ params+=(--preReleaseId=${{ github.event.inputs.release_type }})
+ params+=(--increment=prerelease)
+ params+=(--preRelease=${{ github.event.inputs.release_type }})
+ params+=(--git.tagMatch="v*-${{ github.event.inputs.release_type }}.*")
+ params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
+ params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
+ else
+ params+=(--${{ github.event.inputs.version_bump }})
+ params+=(--preRelease=${{ github.event.inputs.release_type }})
+ params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
+ params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
fi
- if [[ ${{ github.event.inputs.is_dry_run }} == "true" ]]; then
- params+=(--dry-run)
+ if [[ "${{ github.event.inputs.is_dry_run }}" == "true" ]]; then
+ params+=(--dry-run)
fi
params+=(--ci)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a02f0c..7b92301 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,46 @@ and adheres to a project-specific [Versioning](/README.md).
## [Unreleased]
+### Fixed
+
+- Improved README by describing the purpose, usage, and versioning of the package.
+- Added repository and icon information to the test ruleset NuGet package.
+
+### Changed
+
+- Updated SonarAnalyzer.CSharp to version 9.32.0.97167
+
+### Added
+
+- S2629: Logging templates should be constant
+- S3431: "[ExpectedException]" should not be used
+- S4347: Secure random number generators should not output predictable values
+- S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm
+- S6377: XML signatures should be validated securely
+- S6667: Logging in a catch clause should pass the caught exception as a parameter.
+- S6668: Logging arguments should be passed to the correct parameter
+- S6670: "Trace.Write" and "Trace.WriteLine" should not be used
+- S6672: Generic logger injection should match enclosing type
+- S6673: Log message template placeholders should be in the right order
+- S6674: Log message template should be syntactically correct
+- S6675: "Trace.WriteLineIf" should not be used with "TraceSwitch" levels
+- S6677: Message template placeholders should be unique
+- S6781: JWT secret keys should not be disclosed
+- S6930: Backslash should be avoided in route templates
+- S6932: Use model binding instead of reading raw request data
+- S6934: A Route attribute should be added to the controller when a route template is specified at the action level
+- S6960: Controllers should not have mixed responsibilities
+- S6961: API Controllers should derive from ControllerBase instead of Controller
+- S6962: You should pool HTTP connections with HttpClientFactory
+- S6965: REST API actions should be annotated with an HTTP verb attribute
+- S6966: Awaitable method should be used
+- S6967: ModelState.IsValid should be called in controller actions
+- S6968: Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type
+
+### Removed
+
+- S6803: Parameters with SupplyParameterFromQuery attribute should be used only in routable components
+
## [3.2.1] - 2024-11-18
### Fixed
diff --git a/Neolution.CodeAnalysis.TestsRuleset.nuspec b/Neolution.CodeAnalysis.TestsRuleset.nuspec
index e8b664e..3f3ae88 100644
--- a/Neolution.CodeAnalysis.TestsRuleset.nuspec
+++ b/Neolution.CodeAnalysis.TestsRuleset.nuspec
@@ -7,13 +7,16 @@
Neolution AG
Configures Code Analysis for Neolution Test Projects.
https://github.com/neolution-ch/Neolution.CodeAnalysis
+
+ icon.png
+ code analysis;roslyn;stylecop;sonar;ruleset
docs\README.md
MIT
false
true
-
+
@@ -22,5 +25,6 @@
+
diff --git a/Neolution.CodeAnalysis.nuspec b/Neolution.CodeAnalysis.nuspec
index 17f5ff8..5c2371e 100644
--- a/Neolution.CodeAnalysis.nuspec
+++ b/Neolution.CodeAnalysis.nuspec
@@ -7,13 +7,16 @@
Neolution AG
Configures Code Analysis for Neolution Projects
https://github.com/neolution-ch/Neolution.CodeAnalysis
+
+ icon.png
+ code analysis;roslyn;stylecop;sonar;ruleset
docs\README.md
MIT
false
true
-
+
@@ -21,5 +24,6 @@
+
diff --git a/README.md b/README.md
index 99af239..3ddd49b 100644
--- a/README.md
+++ b/README.md
@@ -1,26 +1,74 @@
-# Neolution Code Analysis rulesets
-We maintain two (opinionated) rulesets for all our projects and distribute them, including 3rd-party Roslyn Analyzers (StyleCop and SonarSource) in two respective NuGet packages.
+# Neolution Code Analysis Rulesets
-- For Libraries, Tools, Web, UI and other projects
- - [Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
-- For projects containing automated tests (less strict rules)
- - [Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)
+[](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
+[](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)
-## Decisions and opinions
-The base ruleset consists of the default ruleset of the Roslyn Analyzers we include in the NuGet package and those used in our build tools.
+**Neolution.CodeAnalysis** provides a plug-and-play code analysis standard for .NET projects. By adding this package, you instantly enforce consistent, high-quality code with minimal setup—no need to maintain your own ruleset or configuration. The package includes:
-- We include our own opinionated ruleset with adjusted Analyzer severities as a [Global AnalyzerConfig](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/configuration-files#global-analyzerconfig)
-- In all build configurations other that `Debug`, warnings will be converted to errors.
-- We include our own [stylecop.json](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/Configuration.md) configuration file.
+- Pre-configured Roslyn analyzers (StyleCop, SonarSource)
+- Strict and up-to-date rules for code quality and security
+- Automatic conversion of warnings to errors (except in Debug)
+- A single source of truth for code style and best practices
+- Easy updates: just bump the package version to get the latest rules
+
+**Why use this package?**
+
+- Save time on code reviews by catching issues early
+- Ensure all projects follow the same standards
+- Reduce technical debt and improve maintainability
+- Onboard new developers faster with clear, enforced guidelines
+- **Flexible:** You can override any rules or severities in your own `.editorconfig` files at the project or solution level to fit your team's needs.
+
+## Packages
+
+- **[Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/):** For libraries, tools, web, UI, and other projects.
+- **[Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/):** For test projects (less strict rules).
+
+## Installation
+
+Install via NuGet Package Manager:
+
+```shell
+Install-Package Neolution.CodeAnalysis
+```
+
+or for test projects:
+
+```shell
+Install-Package Neolution.CodeAnalysis.TestsRuleset
+```
+
+Or add the following to your `.csproj`:
+
+```xml
+
+
+ all
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+
+
+```
## Versioning
-Given a version number `MAJOR.MINOR.PATCH`, an incremented number for:
-- `MAJOR` version means there are incompatible changes with the previous version,
-- `MINOR` version means functionality and rules were added, and
-- `PATCH` version means that the changes are all completely backwards compatible. Usually when rules were lowered in severity or disabled/removed.
+- **MAJOR**: Incompatible changes, may require significant refactoring
+- **MINOR**: New rules or rule changes, may break the build
+- **PATCH**: Safe to update, only disables or lowers severity of rules
+
+See [CHANGELOG.md](./CHANGELOG.md) for details.
+
+## License
+
+This project is licensed under the [MIT License](./LICENSE).
+
+## Contributing
+
+Contributions, issues, and feature requests are welcome! Please open an issue or pull request on [GitHub](https://github.com/neolution-ch/Neolution.CodeAnalysis).
+
+> **Note:** The ruleset is intentionally opinionated and curated by Neolution to reflect our collective experience and values. While we welcome feedback and suggestions, changes to the rules themselves are carefully considered to maintain consistency across projects. If your requirements differ significantly, you are welcome to fork the package and adapt it to your needs.
+
+## Links
-### What it means in practice:
-- You can (and should) always update the package to the latest `PATCH` version whenever you have the chance to do it, it should never break the build.
-- Updating to the latest `MINOR` version can break the build and may require minor refactorings. But you can expect to have Roslyn code fixes and/or documentation available for the changes that are needed to fix the build.
-- `MAJOR` updates will break your build and may require major refactorings.
\ No newline at end of file
+- [Source on GitHub](https://github.com/neolution-ch/Neolution.CodeAnalysis)
+- [NuGet: Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
+- [NuGet: Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)
\ No newline at end of file
diff --git a/build/Neolution.CodeAnalysis.globalconfig b/build/Neolution.CodeAnalysis.globalconfig
index 4458e0f..6b120bc 100644
--- a/build/Neolution.CodeAnalysis.globalconfig
+++ b/build/Neolution.CodeAnalysis.globalconfig
@@ -270,6 +270,22 @@ dotnet_diagnostic.S6605.severity = none
; Better readability of `First()` and `Last()` are preferred over performance gains
dotnet_diagnostic.S6608.severity = none
+# S6931: ASP.NET controller actions should not have a route template starting with "/"
+; This rule has no effect for our projects, since we mainly use Endpoints which limits developers to only implement one action per "Controller".
+dotnet_diagnostic.S6931.severity = none
+
+# S6678: Use PascalCase for named placeholders
+; Team decided that enforcing this rule is not worth the effort
+dotnet_diagnostic.S6678.severity = suggestion
+
+# S6964: Value type property used as input in a controller action should be nullable, required or annotated with the JsonRequiredAttribute to avoid under-posting
+; This is handled by a custom model binder in our project templates that produces a bad request response in case of under-posting
+dotnet_diagnostic.S6964.severity = none
+
+# S2139: Exceptions should be either logged or rethrown but not both
+; Although this rule makes sense, we do not want to enforce it
+dotnet_diagnostic.S2139.severity = suggestion
+
# S107: Methods should not have too many parameters
dotnet_diagnostic.S107.severity = warning
diff --git a/icon.png b/icon.png
new file mode 100644
index 0000000..68121cc
Binary files /dev/null and b/icon.png differ
diff --git a/stylecop.json b/stylecop.json
deleted file mode 100644
index 7989950..0000000
--- a/stylecop.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "$schema": "https://raw.githubusercontent.com/DotNetAnalyzers/StyleCopAnalyzers/master/StyleCop.Analyzers/StyleCop.Analyzers/Settings/stylecop.schema.json",
- "settings": {
- "documentationRules": {
- "documentPrivateElements": true,
- "documentPrivateFields": true,
- "documentationCulture": "en-US"
- },
- "namingRules": {
- "allowCommonHungarianPrefixes": true,
- "allowedHungarianPrefixes": [
- "db", "ip"
- ]
- }
- }
-}
\ No newline at end of file