Analyzer package

[justindbaur]

🎟️ Tracking

📔 Objective

This adds an analyzer and code-fixer to the main Bitwarden.Server.Sdk package for ADR26 that adds warnings for using Add(Singleton|Scoped|Transient) instead of TryAdd(Singleton|Scoped|Transient).

It also adds an analyzer and code-fixer that comes with Bitwarden.Server.Sdk.Features that adds a warning when a bad feature flag value is used. It also adds a suggestion onto all feature flag keys that helps to remove the feature flag. It attempts to automatically compact common feature flagging patterns for quick removal from the code base.

[claude]

Claude finished @justindbaur's task in 3m 54s —— View job

---

Code Review Complete

Overall Assessment: ✅ APPROVE

This PR adds two sets of Roslyn analyzers and code fixers: one in Bitwarden.Server.Sdk for enforcing TryAdd* DI registration patterns (BW0003), and one in Bitwarden.Server.Sdk.Features for feature flag lifecycle management (BW0001 info-level suggestion to remove flags, BW0002 warning for invalid flag key values). A source generator produces GetKeys() methods for [FlagKeyCollection]-annotated classes. Build infrastructure correctly excludes analyzer projects from package metadata via a new IsAnalyzerProject property. Test coverage is thorough, validating analyzer diagnostics, code fix transformations across multiple patterns (binary expressions, ternaries, mock cleanup, attribute removal, method chain removal), and source generator output for various type hierarchies.

No new issues found. All 4 previously raised threads are resolved — the outdated findings have been addressed in subsequent commits, and the stale syntax root finding was acknowledged by the author as acceptable.

Severity	File	Issue	Status
⚠️ Important	RemoveFeatureFlagCodeFixer.cs:129-138	Stale syntax root when references are in same document as field declaration	Resolved — author accepted
⚠️ Important	LaunchDarklyFeatureService.cs	Unused context variable	Resolved — code changed
♻️ Debt	RemoveFeatureFlagCodeFixer.cs	Debug message referenced wrong diagnostic ID	Resolved — code changed
♻️ Debt	FeatureFlagAnalyzer.cs	helpLinkUri format placeholder not applied	Resolved — code changed

[github-actions]

Checkmarx One – Scan Summary & Details – 2c798ba5-f5c5-4846-be9d-e0e9b9d29af3

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

❌ Patch coverage is 82.34350% with 110 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.84%. Comparing base (12088ac) to head (ca02599).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
....Features.CodeFixers/RemoveFeatureFlagCodeFixer.cs	85.71%	22 Missing and 21 partials ⚠️
...rver.Sdk.Features.Analyzers/FeatureFlagAnalyzer.cs	73.61%	12 Missing and 7 partials ⚠️
...en.Server.Sdk.Features.Analyzers/EquatableArray.cs	19.04%	17 Missing ⚠️
...ver.Sdk.CodeFixers/DependencyInjectionCodeFixer.cs	75.00%	10 Missing and 5 partials ⚠️
...ver.Sdk.Features.Analyzers/TypeSymbolExtensions.cs	78.57%	5 Missing and 1 partial ⚠️
...erver.Sdk.Analyzers/DependencyInjectionAnalyzer.cs	86.36%	4 Missing and 2 partials ⚠️
...er.Sdk.Features.Analyzers/FlagKeyCollectionSpec.cs	93.84%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #265      +/-   ##
==========================================
+ Coverage   67.65%   72.84%   +5.18%     
==========================================
  Files          46       55       +9     
  Lines        1141     1764     +623     
  Branches      100      199      +99     
==========================================
+ Hits          772     1285     +513     
- Misses        325      398      +73     
- Partials       44       81      +37     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud