C#
This section covers configuration specific to the C# analyzer.
Code Analysis
.deepsource.toml
This section covers .deepsource.toml configuration specific to the csharp analyzer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of the analyzer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this analyzer should be run.
- Example:
meta
- Type: Table
- Presence: optional
- Description: Any supported metadata to pass to the analyzer.
- Example:
cyclomatic_complexity_threshold
- Type: String
- Presence: optional
- Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
- Available Values: low, medium, high, very-high and critical
Risk category | Cyclomatic complexity range | Recommended action |
---|---|---|
low | 1-5 | No action is needed. |
medium | 6-15 | Review and monitor. |
high | 16-25 | Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is. |
very-high | 26-50 | Refactor to reduce the complexity. |
critical | >50 | Must refactor this. This can make the code untestable and very difficult to understand. |
- Default Value: medium
- Example:
Sample config
Code Coverage
Via dotnet test
Here are the steps to generate and report C# coverage data:
Code Formatter (Transformer)
dotnet-format
Transform all incoming C# code with dotnet-format.
This section covers .deepsource.toml configuration specific to the dotnet-format transformer. Please make sure to read the general configuration guide first.
name
- Type: String
- Presence: mandatory
- Description: Shortcode of this transformer.
- Example:
enabled
- Type: Boolean
- Presence: optional
- Description: Toggle whether this transformer should be run.
- Example:
Vulnerability Scanning
Supported target files:
- packages.lock.json
- .csproj files
- packages.config
- .deps.json
When a .csproj file is provided for scanning without a packages.lock.json file, DeepSource attempts to generate a packages.lock.json using dotnet restore.
This requires all dependencies to be publicly accessible.
If you have private dependencies, we recommend providing a packages.lock.json file for scanning.
Common approaches for generating a lockfile:
- For modern PackageReference-styled projects, a lockfile can be generated in either of the following ways:
  - By enabling the RestorePackagesWithLockFile property in your *.csproj file.
  - By using dotnet restore with the RestorePackagesWithLockFile MSBuild property.
  - By using dotnet restore with the --use-lock-file flag.
- For legacy projects, a lockfile can be generated as follows:
  - Using nuget restore and packages.config.
  - Using nuget restore and a *.sln file.
For more information on generating a lockfile for your specific project, you can refer to:
Note: The lockfile must be committed to your repository and tracked in version control. It should not be treated as a temporary file that’s generated and discarded during the build process.
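The lockfile requirement above can be enforced before a scan runs. The following is an added example, not part of DeepSource's documentation or tooling: a shell function that reports every .csproj with no packages.lock.json beside it. It assumes the lockfile sits in the project directory (NuGet's default location); the function name check_lockfiles and the CHECK_TRACKED switch are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: find .csproj projects that lack a packages.lock.json.
# Assumption: the lockfile is written next to the .csproj (NuGet's default).
# CHECK_TRACKED=1 is a hypothetical switch for this sketch; when set, the
# lockfile must also be tracked by git, not just present on disk.

# Prints one "MISSING <csproj>" or "UNTRACKED <lockfile>" line per problem.
# Returns 0 when every project has a usable lockfile, 1 otherwise.
check_lockfiles() {
    root="${1:-.}"
    status=0
    list=$(mktemp)
    # Collect project files first so the loop runs in this shell, not a
    # pipeline subshell, and the final status survives.
    find "$root" -type f -name '*.csproj' > "$list"
    while IFS= read -r proj; do
        dir=$(dirname "$proj")
        lock="$dir/packages.lock.json"
        if [ ! -s "$lock" ]; then
            # Absent or empty: the scanner would have to run dotnet restore,
            # which fails when dependencies are private.
            echo "MISSING $proj"
            status=1
        elif [ "${CHECK_TRACKED:-0}" = 1 ] &&
             ! git -C "$dir" ls-files --error-unmatch packages.lock.json \
                 >/dev/null 2>&1; then
            # Present locally but not committed, so it never reaches the scan.
            echo "UNTRACKED $lock"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

# Usage in a CI step: check_lockfiles . || exit 1
# To fix a MISSING project, run in its directory: dotnet restore --use-lock-file
```
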