I would like to change the allowed cognitive complexity of a method in SonarLint from the default of 15 to a lower value such as 10. I am using the SonarLint plugin for Eclipse.
How can this be done?
In connected mode the threshold for cognitive complexity can be defined in SonarLint (csharpsquid:S3776). Please see the reference here.
Due to the recent problems with log4j I was checking all my code etc.
While doing so I discovered two files named
"slf4j-log4j12-1.7.5.jar" and "log4j-1.2.17.jar"
located under
"...\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\SSIS\150\Extensions\Common\Jars"
Since we are also developing SSIS packages, we kind of rely on this extension.
Sadly I was not able to find anything about SSIS in the context of log4j. IMO it is also a bit dubious that the version of log4j seems to be 1.x, support for which ended in 2015.
Are there any known fixes/updates?
This is not a problem.
In what way can those .jar files be exploited to trigger a privilege escalation or software evasion?
The fact that Visual Studio is using old libraries doesn't shock me at all. Large companies are used to relying on third-party libraries, which then usually get forgotten in a corner for years.
EDIT:
Your question was somewhat interesting and I needed to dig further.
Apparently this 0-day has been around since March, so that means 9 months ago. There is no evidence of mass exploitation, but that doesn't mean that it hasn't been used in the past months.
In order to use it:
[...] an attacker only needs to get the system to log a strategically
crafted string of code. From there they can load arbitrary code on the
targeted server and install malware or launch other attacks. Notably,
hackers can introduce the snippet in seemingly benign ways, like by
sending the string in an email or setting it as an account username.
This means that, hypothetically, you can exploit the vulnerability through SSIS in this scenario:
Create an SSIS package that asks the client user for input
The package must use log4j for logging
The user enters the maliciously crafted string
...then yes, in this case an SSIS package could be exploited.
I will try it out in my spare time and let you know.
EDIT 2:
After extensive research I can confirm that this is not a problem, because only Log4j 2.x versions are impacted:
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques
below.
Use log4j-finder, developed by Fox-IT, to enumerate vulnerable log4j files on your machines.
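As an added example (not part of the answer above, and not the log4j-finder tool itself), here is a small Python scanner in the same spirit: it walks a directory tree for .jar files, reads the version from META-INF/MANIFEST.MF (falling back to the filename) and checks for the JndiLookup class that CVE-2021-44228 (Log4Shell) requires. A Log4j 1.x jar like the one in the question is therefore reported but not flagged, while a log4j-core 2.x jar below 2.15.0 is flagged as vulnerable. The version thresholds (2.15.0 as an incomplete fix, 2.17.0 as the floor) come from the public Apache advisories, not from this thread, and the sample jars are constructed in a temporary directory purely for the demonstration.

```python
"""Classify .jar files under a directory with respect to Log4Shell
(CVE-2021-44228): Log4j 1.x is reported but not flagged, Log4j 2.x that ships
JndiLookup.class below 2.15.0 is flagged. Thresholds (2.15.0 incomplete fix,
2.17.0 floor) are from the public advisories; sample jars are constructed."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_PREFIX = "org/apache/log4j/"          # Log4j 1.x package prefix
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # Log4j 2.x package prefix


def parse_version(text: str) -> Optional[Version]:
    """Pull the first dotted version out of a manifest value or a filename."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(zf: zipfile.ZipFile, filename: str) -> Optional[Version]:
    """Prefer the manifest's version headers, fall back to the filename."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            version = parse_version(value)
            if version:
                return version
    return parse_version(Path(filename).name)


def classify_jar(path: Path) -> str:
    """Return VULNERABLE, UPGRADE, OK, LOG4J1, NOT_LOG4J or UNREADABLE."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = jar_version(zf, str(path))
    except zipfile.BadZipFile:
        return "UNREADABLE"
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        # CVE-2021-44228 needs the JNDI lookup class and a version < 2.15.0;
        # an unknown version is treated conservatively as vulnerable.
        if JNDI_LOOKUP_CLASS in names and (version is None or version < (2, 15, 0)):
            return "VULNERABLE"
        if version is None or version < (2, 17, 0):
            return "UPGRADE"  # 2.15.0 / 2.16.0 needed follow-up fixes
        return "OK"
    if any(n.startswith(LOG4J1_PREFIX) for n in names):
        return "LOG4J1"  # not affected by CVE-2021-44228 (but end of life)
    return "NOT_LOG4J"


def scan_tree(root: Path) -> Dict[str, str]:
    """Map every *.jar under root (relative path) to its classification."""
    return {str(p.relative_to(root)): classify_jar(p) for p in sorted(root.rglob("*.jar"))}


def build_sample_jars(directory: Path) -> None:
    """Constructed stand-ins for the jars named in the question plus a patched
    log4j-core and a corrupt file. Class entries are empty placeholders; only
    their names and the manifest version matter to the scanner."""
    samples = {
        "log4j-1.2.17.jar": ("1.2.17", ["org/apache/log4j/Logger.class"]),
        "slf4j-log4j12-1.7.5.jar": ("1.7.5", ["org/slf4j/impl/StaticLoggerBinder.class"]),
        "log4j-core-2.14.1.jar": ("2.14.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS]),
        "log4j-core-2.17.1.jar": ("2.17.1", ["org/apache/logging/log4j/core/Logger.class", JNDI_LOOKUP_CLASS]),
    }
    for name, (version, entries) in samples.items():
        with zipfile.ZipFile(directory / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
            for entry in entries:
                zf.writestr(entry, b"")
    (directory / "broken.jar").write_bytes(b"not a zip")


def demo() -> Dict[str, str]:
    """Build the constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_jars(root)
        return scan_tree(root)


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:<10} {jar}")
```

Point `scan_tree` at the SSIS Jars directory from the question to reproduce the thread's conclusion: log4j-1.2.17.jar comes back as LOG4J1 and the slf4j binding as NOT_LOG4J, with nothing flagged VULNERABLE.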
Microsoft have now removed the dependency
There is a new version (3.16) of the SSIS tools for VS2019 which removes the dependency for log4j.
Here's the download link:
https://marketplace.visualstudio.com/items?itemName=SSIS.SqlServerIntegrationServicesProjects
Version 3.16 Upgrade Notes
I hoped to use sonarlint-cli (2.0) for pre-commit analysis of C++ with a remote SonarQube server (5.6.1), but when updating the binding and downloading analysis plugins, it tells me the cxx plugin (among others) is not compatible:
DEBUG: Plugin cxx is not compatible with SonarLint. Skip it.
This is the community C++ plugin (0.9.6).
I'm wondering about the compatibility rules for plugins with SonarLint, and about alternative pre-commit approaches.
According to SonarLint web site, the connected mode "will make SonarLint use the analyzers, quality profiles and settings defined on your SonarQube server." However, that is not entirely true.
SonarLint does not support the non-SonarQube analyzers. Thus, it does not support PMD, Checkstyle, FindBugs, the C++ community plugin, and others. So, even if these analyzers are defined on your SonarQube server and in your quality profiles, they will not be used.
You may ask why. In a Google Groups discussion, it is said that SonarLint can only work perfectly and superfast if these other analyzers do not run.
I personally think that statement is detrimental to the developers of these other tools. The decision not to support third-party plugins is also problematic to organizations (like mine) that have invested a lot of time in polyglot static code analysis. Remember, for 5+ years many people have created custom checks and custom rules using checkstyle and PMD, for example. Back then, sonar (ergo sonarqube) did not offer an API for Java custom checks.
I'm worried that SonarQube might eventually drop support for all these external plugins altogether.
I am a C# Windows developer. I recently started to work with WinJS. Working with WinJS, I have noticed some challenges and limitations, and we can face new ones, as community support for WinJS is very limited. Below are a few points regarding this concern:
a. WinJS does not support Visual Studio features like finding references of classes and variables, which is very useful for coding productively.
b. WinJS is not strongly typed like C#, so we only get to know about errors at runtime instead of compile time, which makes debugging difficult and time-consuming.
c. WinJS does not support "what you see is what you get": the Visual Studio designer is not available for WinJS. We can see the application design only after we run the application, which is again time-consuming.
There are very few "ready to work on WinJS" resources available, because most developers in the Windows community work with C# and XAML.
d. Direct compatibility of third-party libraries with WinJS might not be available.
Does anybody have experience with WinJS and faced similar issues? Or do any solutions exist for this? What is the scope for improvement of WinJS in the Windows 10 version?
For an HTML/CSS/JS designer, that's what Blend for Visual Studio is for. Load the project into Blend and you'll get a designer that also works when you're running the app. Documentation for this is on https://msdn.microsoft.com/en-us/library/jj129478.aspx, and there's a great video from //build 2013 that shows the flow, http://channel9.msdn.com/Events/Build/2013/2-311. I also cover using Blend to some extent in my free ebook, Programming Windows Store Apps with HTML, CSS, and JavaScript, 2nd Edition.
https://dev.windows.com/en-us/develop/winjs
See this link; it gives the solution to your problem, which is given below:
a. WinJS does not support Visual Studio features like finding references of classes and variables, which is very useful for coding productively.
b. WinJS is not strongly typed like C#, so we only get to know about errors at runtime instead of compile time, which makes debugging difficult and time-consuming.
c. WinJS does not support "what you see is what you get": the Visual Studio designer is not available for WinJS. We can see the application design only after we run the application, which is again time-consuming.
Can PMD, FindBugs, and Checkstyle be used together for a Java development project? Does it lead to wide overlapping of functions? Or else, can the same results be achieved using Sonar instead?
Yes, you can use PMD, FindBugs and Checkstyle together for a Java development project. There will be overlap, so you will have to select the rules that you activate accordingly. You could start with the default rulesets and then see which findings are being reported by more than one tool.
Using SonarQube (formerly Sonar) will also work. SonarQube uses all three tools (and more) under the hood. Using the SonarQube plugin for your IDE, you can also see the SonarQube findings in your code directly. However, you may still run into some overlap depending on your configuration. Chances are smaller though. SonarQube has recently begun providing their own detectors for much of the Checkstyle, PMD, and FindBugs functionality. Those SonarQube provided detectors have little to no overlap among themselves. Also, the "Sonar Way" default ruleset is configured so that there is no overlap.
However, if you want to utilize static code analysis professionally, you must be prepared to spend a significant amount of time configuring and fine-tuning the toolchain. After a while, the question of overlap becomes less present, and you will develop opinions on which detector implementation is best for your situation.
I would like to learn about MS EntLib 5.0. Frankly, I have no idea what it is. Please provide me the links to start exploring. Then I would have to evaluate whether the following requirements can be met using MS EntLib 5.0:
1. Policy-based exception handling & logging into both file and DB
2. Capability to enable detailed logging through trace/debug.
3. Capability to overwrite a business exception raised from a stored proc or BO with a localized exception message for UI display
Please provide your valuable input on the above requirements.
Thanks in Advance,
Manasa
Manasa, EntLib can help with all 3 scenarios you inquired about.
EntLib is a collection of pluggable application blocks that address cross-cutting concerns, such as logging, exception management, data access, data validation etc. EntLib is configuration-driven (supporting both external configuration sources and programmatic config via fluent interface). It's a mature library which is currently in its 5th release and is built by Microsoft patterns & practices group.
I recommend you start with the Enterprise Library Developer's Guide, in particular Chapters 1, 3 and 4. Then proceed with the Hands-On Labs. Based on your requirements, you would want to explore the Logging and Exception Handling set of exercises.
Additional resources can be found at:
MSDN EntLib Dev Center is the home page where all final releases and documentation can be found.
EntLib Community Site - includes preview releases, ongoing work, community forum, issue database and other useful resources.