Update SonarAnalyzer.CSharp to latest version

.github/workflows/cd-production.yml

@@ -9,7 +9,7 @@ env:
 
 jobs:
   pack-and-publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # NuGet.exe is a Mono application on Linux and is not installed by default on `ubuntu-latest` runners
     steps:    
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   pack:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # NuGet.exe is a Mono application on Linux and is not installed by default on `ubuntu-latest` runners
     steps:    
       - name: Checkout
         uses: actions/checkout@v3
@@ -21,7 +21,7 @@ jobs:
         run: 'sed -i -e "s/{{NuGetVersion}}/$NUGET_VERSION/g" *.nuspec'
 
       - name: Setup NuGet.exe for use with actions
-        uses: NuGet/setup-nuget@v1.2.0
+        uses: NuGet/setup-nuget@v2
 
       - name: Create main package
         run: nuget pack Neolution.CodeAnalysis.nuspec

.github/workflows/create-release.yml

@@ -3,22 +3,27 @@ name: Create Release
 on:
   workflow_dispatch:
     inputs:
-      versioning_phase:
+      release_type:
         type: choice
-        description: Versioning Phase
+        description: Release Type
         default: stable
         options:
+          - stable
           - alpha
           - beta
           - rc
-          - stable
 
-      bump_version_number:
+      continue_prerelease:
+        type: boolean
+        description: |
+          Do not bump version number, increase pre-release revision number instead.
+        default: false
+
+      version_bump:
         type: choice
-        description: Bump Version Number
-        default: consecutive
+        description: Bump version number
+        default: patch
         options:
-          - consecutive
           - patch
           - minor
           - major
@@ -41,7 +46,6 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          # we need everything so release-it can compare the current version with the latest tag
           fetch-depth: 0
 
       - name: initialize mandatory git config
@@ -55,19 +59,26 @@ jobs:
       - name: run release-it
         run: |
           params=()
-
-          if [[ ${{ github.event.inputs.bump_version_number }} != "consecutive" ]]; then
-              params+=(${{ github.event.inputs.bump_version_number }})
-          fi
-
-          if [[ ${{ github.event.inputs.versioning_phase }} != "stable" ]]; then
-              params+=(--preRelease=${{ github.event.inputs.versioning_phase }})
-              params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
-              params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
+
+          if [[ "${{ github.event.inputs.release_type }}" == "stable" ]]; then
+            params+=(--${{ github.event.inputs.version_bump }})
+          elif [[ "${{ github.event.inputs.continue_prerelease }}" == "true" ]]; then
+            # Tell release-it to use prerelease tags
+            params+=(--preReleaseId=${{ github.event.inputs.release_type }})
+            params+=(--increment=prerelease)
+            params+=(--preRelease=${{ github.event.inputs.release_type }})
+            params+=(--git.tagMatch="v*-${{ github.event.inputs.release_type }}.*")
+            params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
+            params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
+          else
+            params+=(--${{ github.event.inputs.version_bump }})
+            params+=(--preRelease=${{ github.event.inputs.release_type }})
+            params+=(--plugins.@release-it/keep-a-changelog.keepUnreleased)
+            params+=(--no-plugins.@release-it/keep-a-changelog.strictLatest)
           fi
 
-          if [[ ${{ github.event.inputs.is_dry_run }} == "true" ]]; then
-              params+=(--dry-run)
+          if [[ "${{ github.event.inputs.is_dry_run }}" == "true" ]]; then
+            params+=(--dry-run)
           fi
 
           params+=(--ci)

CHANGELOG.md

@@ -7,6 +7,46 @@ and adheres to a project-specific [Versioning](/README.md).
 
 ## [Unreleased]
 
+### Fixed
+
+- Improved README by describing the purpose, usage, and versioning of the package.
+- Added repository and icon information to the test ruleset NuGet package.
+
+### Changed
+
+- Updated SonarAnalyzer.CSharp to version 9.32.0.97167
+
+### Added
+
+- S2629: Logging templates should be constant
+- S3431: "[ExpectedException]" should not be used
+- S4347: Secure random number generators should not output predictable values
+- S5344: Passwords should not be stored in plaintext or with a fast hashing algorithm
+- S6377: XML signatures should be validated securely
+- S6667: Logging in a catch clause should pass the caught exception as a parameter.
+- S6668: Logging arguments should be passed to the correct parameter
+- S6670: "Trace.Write" and "Trace.WriteLine" should not be used
+- S6672: Generic logger injection should match enclosing type
+- S6673: Log message template placeholders should be in the right order
+- S6674: Log message template should be syntactically correct
+- S6675: "Trace.WriteLineIf" should not be used with "TraceSwitch" levels
+- S6677: Message template placeholders should be unique
+- S6781: JWT secret keys should not be disclosed
+- S6930: Backslash should be avoided in route templates
+- S6932: Use model binding instead of reading raw request data
+- S6934: A Route attribute should be added to the controller when a route template is specified at the action level
+- S6960: Controllers should not have mixed responsibilities
+- S6961: API Controllers should derive from ControllerBase instead of Controller
+- S6962: You should pool HTTP connections with HttpClientFactory
+- S6965: REST API actions should be annotated with an HTTP verb attribute
+- S6966: Awaitable method should be used
+- S6967: ModelState.IsValid should be called in controller actions
+- S6968: Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type
+
+### Removed
+
+- S6803: Parameters with SupplyParameterFromQuery attribute should be used only in routable components
+
 ## [3.2.1] - 2024-11-18
 
 ### Fixed

Neolution.CodeAnalysis.TestsRuleset.nuspec

@@ -7,13 +7,16 @@
     <authors>Neolution AG</authors>
     <description>Configures Code Analysis for Neolution Test Projects.</description>
     <projectUrl>https://github.com/neolution-ch/Neolution.CodeAnalysis</projectUrl>
+    <repository type="git" url="https://github.com/neolution-ch/Neolution.CodeAnalysis" />
+    <icon>icon.png</icon>
+    <tags>code analysis;roslyn;stylecop;sonar;ruleset</tags>
     <readme>docs\README.md</readme>
     <license type="expression">MIT</license>
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <developmentDependency>true</developmentDependency>
     <dependencies>
       <dependency id="StyleCop.Analyzers.Unstable" version="1.2.0.556" />
-      <dependency id="SonarAnalyzer.CSharp" version="9.20.0.85982" />
+      <dependency id="SonarAnalyzer.CSharp" version="9.32.0.97167" />
     </dependencies>
   </metadata>
   <files>
@@ -22,5 +25,6 @@
     <file src="build\Neolution.CodeAnalysis.TestsRuleset.globalconfig" target="build\Neolution.CodeAnalysis.TestsRuleset.globalconfig" />
     <file src="build\stylecop.json" target="build\stylecop.json" />
     <file src="README.md" target="docs\" />
+    <file src="icon.png" target="" />
   </files>
 </package>

Neolution.CodeAnalysis.nuspec

@@ -7,19 +7,23 @@
     <authors>Neolution AG</authors>
     <description>Configures Code Analysis for Neolution Projects</description>
     <projectUrl>https://github.com/neolution-ch/Neolution.CodeAnalysis</projectUrl>
+    <repository type="git" url="https://github.com/neolution-ch/Neolution.CodeAnalysis" />
+    <icon>icon.png</icon>
+    <tags>code analysis;roslyn;stylecop;sonar;ruleset</tags>
     <readme>docs\README.md</readme>
     <license type="expression">MIT</license>
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <developmentDependency>true</developmentDependency>
     <dependencies>
       <dependency id="StyleCop.Analyzers.Unstable" version="1.2.0.556" />
-      <dependency id="SonarAnalyzer.CSharp" version="9.20.0.85982" />
+      <dependency id="SonarAnalyzer.CSharp" version="9.32.0.97167" />
     </dependencies>
   </metadata>
   <files>
     <file src="build\Neolution.CodeAnalysis.props" target="build\Neolution.CodeAnalysis.props" />
     <file src="build\Neolution.CodeAnalysis.globalconfig" target="build\Neolution.CodeAnalysis.globalconfig" />
     <file src="build\stylecop.json" target="build\stylecop.json" />
     <file src="README.md" target="docs\" />
+    <file src="icon.png" target="" />
   </files>
 </package>

README.md

@@ -1,26 +1,74 @@
-# Neolution Code Analysis rulesets
-We maintain two (opinionated) rulesets for all our projects and distribute them, including 3rd-party Roslyn Analyzers (StyleCop and SonarSource) in two respective NuGet packages.
+# Neolution Code Analysis Rulesets
 
-- For Libraries, Tools, Web, UI and other projects
-  - [Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
-- For projects containing automated tests (less strict rules)
-  - [Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)
+[![NuGet](https://img.shields.io/nuget/v/Neolution.CodeAnalysis.svg)](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
+[![NuGet](https://img.shields.io/nuget/v/Neolution.CodeAnalysis.TestsRuleset.svg)](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)
 
-## Decisions and opinions
-The base ruleset consists of the default ruleset of the Roslyn Analyzers we include in the NuGet package and those used in our build tools.
+**Neolution.CodeAnalysis** provides a plug-and-play code analysis standard for .NET projects. By adding this package, you instantly enforce consistent, high-quality code with minimal setup—no need to maintain your own ruleset or configuration. The package includes:
 
-- We include our own opinionated ruleset with adjusted Analyzer severities as a [Global AnalyzerConfig](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/configuration-files#global-analyzerconfig)
-- In all build configurations other that `Debug`, warnings will be converted to errors.
-- We include our own [stylecop.json](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/Configuration.md) configuration file.
+- Pre-configured Roslyn analyzers (StyleCop, SonarSource)
+- Strict and up-to-date rules for code quality and security
+- Automatic conversion of warnings to errors (except in Debug)
+- A single source of truth for code style and best practices
+- Easy updates: just bump the package version to get the latest rules
+
+**Why use this package?**
+
+- Save time on code reviews by catching issues early
+- Ensure all projects follow the same standards
+- Reduce technical debt and improve maintainability
+- Onboard new developers faster with clear, enforced guidelines
+- **Flexible:** You can override any rules or severities in your own `.editorconfig` files at the project or solution level to fit your team's needs.
+
+## Packages
+
+- **[Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/):** For libraries, tools, web, UI, and other projects.
+- **[Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/):** For test projects (less strict rules).
+
+## Installation
+
+Install via NuGet Package Manager:
+
+```shell
+Install-Package Neolution.CodeAnalysis
+```
+
+or for test projects:
+
+```shell
+Install-Package Neolution.CodeAnalysis.TestsRuleset
+```
+
+Or add the following to your `.csproj`:
+
+```xml
+<ItemGroup>
+  <PackageReference Include="Neolution.CodeAnalysis" Version="*">
+    <PrivateAssets>all</PrivateAssets>
+    <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+  </PackageReference>
+</ItemGroup>
+```
 
 ## Versioning
-Given a version number `MAJOR.MINOR.PATCH`, an incremented number for:
 
-- `MAJOR` version means there are incompatible changes with the previous version,
-- `MINOR` version means functionality and rules were added, and
-- `PATCH` version means that the changes are all completely backwards compatible. Usually when rules were lowered in severity or disabled/removed.
+- **MAJOR**: Incompatible changes, may require significant refactoring
+- **MINOR**: New rules or rule changes, may break the build
+- **PATCH**: Safe to update, only disables or lowers severity of rules
+
+See [CHANGELOG.md](./CHANGELOG.md) for details.
+
+## License
+
+This project is licensed under the [MIT License](./LICENSE).
+
+## Contributing
+
+Contributions, issues, and feature requests are welcome! Please open an issue or pull request on [GitHub](https://github.com/neolution-ch/Neolution.CodeAnalysis).
+
+> **Note:** The ruleset is intentionally opinionated and curated by Neolution to reflect our collective experience and values. While we welcome feedback and suggestions, changes to the rules themselves are carefully considered to maintain consistency across projects. If your requirements differ significantly, you are welcome to fork the package and adapt it to your needs.
+
+## Links
 
-### What it means in practice:
-- You can (and should) always update the package to the latest `PATCH` version whenever you have the chance to do it, it should never break the build. 
-- Updating to the latest `MINOR` version can break the build and may require minor refactorings. But you can expect to have Roslyn code fixes and/or documentation available for the changes that are needed to fix the build.
--  `MAJOR` updates will break your build and may require major refactorings.
+- [Source on GitHub](https://github.com/neolution-ch/Neolution.CodeAnalysis)
+- [NuGet: Neolution.CodeAnalysis](https://www.nuget.org/packages/Neolution.CodeAnalysis/)
+- [NuGet: Neolution.CodeAnalysis.TestsRuleset](https://www.nuget.org/packages/Neolution.CodeAnalysis.TestsRuleset/)

build/Neolution.CodeAnalysis.globalconfig

@@ -270,6 +270,22 @@ dotnet_diagnostic.S6605.severity = none
 ; Better readability of `First()` and `Last()` are preferred over performance gains
 dotnet_diagnostic.S6608.severity = none
 
+# S6931: ASP.NET controller actions should not have a route template starting with "/"
+; This rule has no effect for our projects, since we mainly use Endpoints which limits developers to only implement one action per "Controller".
+dotnet_diagnostic.S6931.severity = none
+
+# S6678: Use PascalCase for named placeholders
+; Team decided that enforcing this rule is not worth the effort
+dotnet_diagnostic.S6678.severity = suggestion
+
+# S6964: Value type property used as input in a controller action should be nullable, required or annotated with the JsonRequiredAttribute to avoid under-posting
+; This is handled by a custom model binder in our project templates that produces a bad request response in case of under-posting 
+dotnet_diagnostic.S6964.severity = none
+
+# S2139: Exceptions should be either logged or rethrown but not both
+; Although this rule makes sense, we do not want to enforce it
+dotnet_diagnostic.S2139.severity = suggestion
+
 # S107: Methods should not have too many parameters
 dotnet_diagnostic.S107.severity = warning