Code Analysis

.deepsource.toml

This section covers .deepsource.toml configuration specific to the csharp analyzer. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of the analyzer.
  • Example:
name = "csharp"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this analyzer should be run.
  • Example:
enabled = true

meta

  • Type: Table
  • Presence: optional
  • Description: Any supported metadata to pass to the analyzer.
  • Example:
[analyzers.meta]
  cyclomatic_complexity_threshold = "high"

cyclomatic_complexity_threshold

  • Type: String
  • Presence: optional
  • Description: Specify the acceptable risk category for your project as the threshold. All functions with complexity beyond this threshold will raise an issue. For example, setting the threshold to low will flag all functions that have a cyclomatic complexity of more than 5, while setting the threshold to critical will not flag any function.
  • Available Values: low, medium, high, very-high and critical
Risk categoryCyclomatic complexity rangeRecommended action
low1-5No action is needed.
medium6-15Review and monitor.
high16-25Review and refactor. Recommended to add detailed comments if the function absolutely needs to be kept as it is.
very-high26-50Refactor to reduce the complexity.
critical>50Must refactor this. This can make the code untestable and very difficult to understand.
  • Default Value: medium
  • Example:
cyclomatic_complexity_threshold = "high"

Sample config

version = 1

test_patterns = [
  "tests/**"
]

exclude_patterns = [
  "**/examples/**"
]

[[analyzers]]
name = "csharp"
enabled = true

  [analyzers.meta]
  cyclomatic_complexity_threshold = "high"

Code Coverage

Via dotnet test

Here are the steps to generate and report C# coverage data:

# Run your tests
dotnet test --collect:"XPlat Code Coverage" --logger:"console;verbosity=detailed" --results-directory /tmp/test-results/

# Install 'deepsource CLI'
curl https://deepsource.io/cli | sh

# Set DEEPSOURCE_DSN env variable from repository settings page
export DEEPSOURCE_DSN=https://sampledsn@deepsource.io

# From the root directory, run the report coverage command and provide the absolute file path to the generated report.
# In this case, the filepath looks something like /tmp/test-results/abcf7e0-b7df-4b0c-b919-7cb480d0f123/coverage.cobertura.xml
#
# Make sure to double check the test run ID, i.e. the GUID and the file path.
./bin/deepsource report --analyzer test-coverage --key csharp --value-file /tmp/test-results/<test_guid>/coverage.cobertura.xml

Code Formatter (Transformer)

dotnet-format

Transform all incoming C# code with dotnet-format.

This section covers .deepsource.toml configuration specific to the dotnet-format transformer. Please make sure to read the general configuration guide first.

name

  • Type: String
  • Presence: mandatory
  • Description: Shortcode of this transformer.
  • Example:
name = "dotnet-format"

enabled

  • Type: Boolean
  • Presence: optional
  • Description: Toggle whether this transformer should be run.
  • Example:
enabled = true

Vulnerability Scanning

Supported target files:

  • packages.lock.json
  • .csproj files
  • packages.config
  • .deps.json

When a .csproj file is provided for scanning without a packages.lock.json file, DeepSource attempts to generate a packages.lock.json using dotnet restore.

This requires all dependencies to be publicly accessible.

In case you have private dependencies, we recommend to provide a packages.lock.json file for scanning.

Common approaches for generating a lockfile:

  • For modern PackageReference-styled projects, a lockfile can be generated in either of the following ways:

    • By enabling the RestorePackagesWithLockFile property in your *.csproj file.

      <Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
</Project>

    • By using dotnet restore with the RestorePackagesWithLockFile MSBuild property.

      dotnet restore -p:RestorePackagesWithLockFile=true

    • By using dotnet restore with the --use-lock-file flag.

      dotnet restore --use-lock-file

  • For legacy projects, a lockfile can be generated as follows:

    • Using nuget restore and packages.config.

      nuget restore packages.config -PackagesDirectory ./packages -UseLockFile

    • Using nuget restore and a *.sln file.

      nuget restore YourSolution.sln -UseLockFile

For more information on generating a lockfile for you specific project, you can refer:

  1. dotnet restore
  2. nuget restore

Note: The lockfile must be committed to your repository and tracked in version control. It should not be treated as a temporary file that’s generated and discarded during the build process.