CA5392/CA5393 on cross-platform code

[Zenexer]

Analyzer package

Microsoft.CodeAnalysis.FxCopAnalyzers

Package Version

v2.9.5-beta1.final (Latest)

Diagnostic ID

• CA5392
• CA5393

Repro steps

CA5392:

[DllImport("System.Security.Cryptography.Native.OpenSsl")]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern unsafe bool CryptoNative_GetRandomBytes(byte* buffer, int length);

CA5393:

[DllImport("System.Security.Cryptography.Native.OpenSsl")]
[DefaultDllImportSearchPaths(DllImportSearchPath.LegacyBehavior)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern unsafe bool CryptoNative_GetRandomBytes(byte* buffer, int length);

Expected behavior

DefaultDllImportSearchPathsAttribute appears to be ignored on platforms other than Windows, and LegacyBehavior is the only available option. Warnings that are unavoidable on platforms other than Windows should be disabled by default.

Actual behavior

CA5392 and CA5393 are enabled by default.

[dotpaul]

Thanks for reporting @Zenexer ! Agree we should disable this by default, since it's Windows-centric.

[Zenexer]

I do think this warning serves as an important security feature; it would make sense to enable it by default if DefaultDllImportSearchPathsAttribute or similar is ever able to function on other platforms, and I do think that should be the ultimate goal if the aim here is security.

[mavasani]

@dotpaul - do we need to keep this issue open to track fixing the AD0001?

[dotpaul]

@dotpaul - do we need to keep this issue open to track fixing the AD0001?

Are you thinking of issue 2844 (intentionally avoiding a link)? Don't remember AD0001s showing up on this analyzer.

[mavasani]

Ah yes, sorry I got confused. Thanks!