Update analyzers and add Meziantou.Analyzer + SBOM generation (#64)

Update analyzers and add Meziantou.Analyzer
https://www.nuget.org/packages/Meziantou.Analyzer/

Author: richardsondev

.editorconfig

@@ -0,0 +1,154 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = crlf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{cs,vb}]
+# Code style rules
+dotnet_diagnostic.IDE1006.severity = error
+
+# Visual Studio Spell Checker settings
+spelling_languages = en-us
+spelling_checkable_types = strings,identifiers,comments
+spelling_error_severity = warning
+spelling_use_default_exclusion_dictionary = true
+spelling_exclusion_path = .\exclusion.dic
+
+[*.cs]
+# CS1591: Missing XML comment for publicly visible type or member
+dotnet_diagnostic.CS1591.severity = warning
+
+# Organize usings
+dotnet_sort_system_directives_first = true
+dotnet_separate_import_directive_groups = true
+
+# Missing usings should be reported as error (IDE0005)
+dotnet_diagnostic.IDE0005.severity = error
+
+# Additional best practice rules as errors
+# IDE0003: Remove qualification
+dotnet_diagnostic.IDE0003.severity = error
+# IDE0009: Member access should be qualified
+dotnet_diagnostic.IDE0009.severity = error
+# IDE0017: Simplify object initialization
+dotnet_diagnostic.IDE0017.severity = error
+# IDE0028: Simplify collection initialization
+dotnet_diagnostic.IDE0028.severity = error
+# IDE0032: Use auto property
+dotnet_diagnostic.IDE0032.severity = error
+# IDE0034: Simplify 'default' expression
+dotnet_diagnostic.IDE0034.severity = error
+# IDE0036: Order modifiers
+dotnet_diagnostic.IDE0036.severity = error
+# IDE0040: Add accessibility modifiers
+dotnet_diagnostic.IDE0040.severity = error
+# IDE0044: Add readonly modifier
+dotnet_diagnostic.IDE0044.severity = error
+# IDE0049: Simplify names
+dotnet_diagnostic.IDE0049.severity = error
+# IDE0051: Remove unused private members
+dotnet_diagnostic.IDE0051.severity = error
+# IDE0052: Remove unread private members
+dotnet_diagnostic.IDE0052.severity = error
+# IDE0055: Fix formatting
+dotnet_diagnostic.IDE0055.severity = error
+# IDE0058: Expression value is never used
+dotnet_diagnostic.IDE0058.severity = suggestion
+# IDE0059: Unnecessary assignment of a value
+dotnet_diagnostic.IDE0059.severity = error
+# IDE0060: Remove unused parameter
+dotnet_diagnostic.IDE0060.severity = error
+# IDE0062: Make local function 'static'
+dotnet_diagnostic.IDE0062.severity = error
+# IDE0063: Use simple 'using' statement
+dotnet_diagnostic.IDE0063.severity = error
+# IDE0065: Misplaced using directive
+dotnet_diagnostic.IDE0065.severity = error
+# IDE0066: Convert switch statement to expression
+dotnet_diagnostic.IDE0066.severity = suggestion
+# IDE0090: Use 'new(...)'
+dotnet_diagnostic.IDE0090.severity = error
+# IDE0100: Remove redundant equality
+dotnet_diagnostic.IDE0100.severity = error
+# IDE0110: Remove unnecessary discard
+dotnet_diagnostic.IDE0110.severity = error
+
+# Security rules as errors
+# CA2100: Review SQL queries for security vulnerabilities
+dotnet_diagnostic.CA2100.severity = error
+# CA2109: Review visible event handlers
+dotnet_diagnostic.CA2109.severity = error
+# CA2119: Seal methods that satisfy private interfaces
+dotnet_diagnostic.CA2119.severity = error
+# CA3001: Review code for SQL injection vulnerabilities
+dotnet_diagnostic.CA3001.severity = error
+# CA3002: Review code for XSS vulnerabilities
+dotnet_diagnostic.CA3002.severity = error
+# CA3003: Review code for file path injection vulnerabilities
+dotnet_diagnostic.CA3003.severity = error
+# CA3004: Review code for information disclosure vulnerabilities
+dotnet_diagnostic.CA3004.severity = error
+# CA3005: Review code for LDAP injection vulnerabilities
+dotnet_diagnostic.CA3005.severity = error
+# CA3006: Review code for process command injection vulnerabilities
+dotnet_diagnostic.CA3006.severity = error
+# CA3007: Review code for open redirect vulnerabilities
+dotnet_diagnostic.CA3007.severity = error
+# CA3008: Review code for XPath injection vulnerabilities
+dotnet_diagnostic.CA3008.severity = error
+# CA3009: Review code for XML injection vulnerabilities
+dotnet_diagnostic.CA3009.severity = error
+# CA3010: Review code for XAML injection vulnerabilities
+dotnet_diagnostic.CA3010.severity = error
+# CA3011: Review code for DLL injection vulnerabilities
+dotnet_diagnostic.CA3011.severity = error
+# CA3012: Review code for regex injection vulnerabilities
+dotnet_diagnostic.CA3012.severity = error
+
+# Performance rules as errors
+# CA1802: Use literals where appropriate
+dotnet_diagnostic.CA1802.severity = error
+# CA1805: Do not initialize unnecessarily
+dotnet_diagnostic.CA1805.severity = error
+# CA1810: Initialize reference type static fields inline
+dotnet_diagnostic.CA1810.severity = error
+# CA1812: Avoid uninstantiated internal classes
+dotnet_diagnostic.CA1812.severity = error
+# CA1813: Avoid unsealed attributes
+dotnet_diagnostic.CA1813.severity = error
+# CA1814: Prefer jagged arrays over multidimensional
+dotnet_diagnostic.CA1814.severity = suggestion
+# CA1815: Override equals and operator equals on value types
+dotnet_diagnostic.CA1815.severity = error
+# CA1819: Properties should not return arrays
+dotnet_diagnostic.CA1819.severity = error
+# CA1820: Test for empty strings using string length
+dotnet_diagnostic.CA1820.severity = error
+# CA1821: Remove empty finalizers
+dotnet_diagnostic.CA1821.severity = error
+# CA1822: Mark members as static
+dotnet_diagnostic.CA1822.severity = suggestion
+# CA1823: Avoid unused private fields
+dotnet_diagnostic.CA1823.severity = error
+# CA1824: Mark assemblies with NeutralResourcesLanguageAttribute
+dotnet_diagnostic.CA1824.severity = suggestion
+# CA1825: Avoid zero-length array allocations
+dotnet_diagnostic.CA1825.severity = error
+
+# AsyncFixer findings as errors
+# AsyncFixer01: Unnecessary async/await usage - Remove async/await when not needed to avoid performance penalty
+dotnet_diagnostic.AsyncFixer01.severity = error
+# AsyncFixer02: Long-running or blocking operations inside an async method - Replace blocking calls with async equivalents
+dotnet_diagnostic.AsyncFixer02.severity = error
+# AsyncFixer03: Fire-and-forget async-void methods and delegates - Convert async void to async Task (except event handlers)
+dotnet_diagnostic.AsyncFixer03.severity = error
+# AsyncFixer04: Fire-and-forget async call inside a using block - Await async operations that use disposable objects
+dotnet_diagnostic.AsyncFixer04.severity = error
+# AsyncFixer05: Downcasting from a nested task to an outer task - Avoid awaiting Task<Task>, use Unwrap() or Task.Run instead
+dotnet_diagnostic.AsyncFixer05.severity = error
+
+# Roslynator findings as errors
+dotnet_analyzer_diagnostic.category-roslynator.severity = error

.github/workflows/build.yml

@@ -55,11 +55,21 @@ jobs:
 
         echo "VERSION=$VERSION" >> $env:GITHUB_OUTPUT
 
+    - name: Generate SBOM for the project
+      uses: advanced-security/generate-sbom-action@v1
+      id: gensbom
+
     - name: Build AggregateConfigBuildTask solution in Release mode
-      run: dotnet build src/AggregateConfigBuildTask.sln --configuration Release -warnaserror -p:Version=${{ steps.get_version.outputs.VERSION }}
+      run: dotnet build src/dirs.proj --configuration Release -warnaserror -p:Version=${{ steps.get_version.outputs.VERSION }}
 
     - name: Run tests for AggregateConfigBuildTask solution
-      run: dotnet test src/AggregateConfigBuildTask.sln --configuration Release -warnaserror -p:Version=${{ steps.get_version.outputs.VERSION }} -p:CollectCoverage=true
+      run: dotnet test src/dirs.proj --configuration Release -warnaserror -p:Version=${{ steps.get_version.outputs.VERSION }} -p:CollectCoverage=true --no-build
+
+    - name: Upload SBOM artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom
+        path: ${{ steps.gensbom.outputs.fileName }}
 
     - name: Upload NuGetPackage artifact
       uses: actions/upload-artifact@v4
@@ -98,10 +108,10 @@ jobs:
       run: dotnet nuget add source ${{ github.workspace }}/nuget/local --name AggregateConfigBuildTask
 
     - name: Build IntegrationTests in Release mode
-      run: dotnet build test/IntegrationTests.sln --configuration Release -warnaserror -p:Version=${{ needs.build.outputs.VERSION }}
+      run: dotnet build test/dirs.proj --configuration Release -warnaserror -p:Version=${{ needs.build.outputs.VERSION }} -p:UseLocalPackageVersion=true
 
     - name: Run IntegrationTests
-      run: dotnet test test/IntegrationTests.sln --configuration Release -warnaserror -p:Version=${{ needs.build.outputs.VERSION }} -p:CollectCoverage=true
+      run: dotnet test test/dirs.proj --configuration Release -warnaserror -p:Version=${{ needs.build.outputs.VERSION }} -p:CollectCoverage=true -p:UseLocalPackageVersion=true
 
     - name: Upload integration results artifact
       uses: actions/upload-artifact@v4

src/Directory.Build.props Directory.Build.propssrc/Directory.Build.props renamed to Directory.Build.props

@@ -1,13 +1,14 @@
-<Project>
-
-  <PropertyGroup>
-    <GenerateDocumentationFile>true</GenerateDocumentationFile>
-    <Deterministic>true</Deterministic>
-    <EnableNETAnalyzers>true</EnableNETAnalyzers>
-    <AnalysisLevel>latest</AnalysisLevel>
-    <TreatWarningsAsErrors>false</TreatWarningsAsErrors>
-    <CodeAnalysisTreatWarningsAsErrors>false</CodeAnalysisTreatWarningsAsErrors>
-    <AnalysisMode>AllEnabledByDefault</AnalysisMode>
-  </PropertyGroup>
-
-</Project>
+<Project>
+
+  <PropertyGroup>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+    <Deterministic>true</Deterministic>
+    <EnableNETAnalyzers>true</EnableNETAnalyzers>
+    <AnalysisLevel>latest</AnalysisLevel>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <CodeAnalysisTreatWarningsAsErrors>true</CodeAnalysisTreatWarningsAsErrors>
+    <AnalysisMode>AllEnabledByDefault</AnalysisMode>
+    <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
+  </PropertyGroup>
+
+</Project>

src/Directory.Packages.props Directory.Packages.propssrc/Directory.Packages.props renamed to Directory.Packages.props

@@ -1,35 +1,39 @@
-<Project>
-  <PropertyGroup>
-    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
-  </PropertyGroup>
-  <!-- Build packages-->
-  <ItemGroup>
-    <PackageVersion Include="Microsoft.Build.Framework" Version="17.14.8" PrivateAssets="all" />
-    <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.14.8" PrivateAssets="all" />
-    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="all" />
-  </ItemGroup>
-  <!-- Runtime packages -->
-  <ItemGroup>
-    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="9.0.6" PrivateAssets="all" />
-    <PackageVersion Include="System.IO.Pipelines" Version="9.0.6" PrivateAssets="all" />
-    <PackageVersion Include="System.Text.Encodings.Web" Version="9.0.6" PrivateAssets="all" />
-    <PackageVersion Include="System.Text.Json" Version="9.0.6" PrivateAssets="all" />
-    <PackageVersion Include="YamlDotNet" Version="16.3.0" PrivateAssets="all" GeneratePathProperty="true" />
-    <PackageVersion Include="YamlDotNet.System.Text.Json" Version="1.6.6" PrivateAssets="all" />
-  </ItemGroup>
-  <!-- Test packages -->
-  <ItemGroup>
-    <PackageVersion Include="coverlet.collector" Version="6.0.4" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
-    <PackageVersion Include="Moq" Version="4.20.72" />
-    <PackageVersion Include="MSTest.TestAdapter" Version="3.9.3" />
-    <PackageVersion Include="MSTest.TestFramework" Version="3.9.3" />
-  </ItemGroup>
-  <!-- Global packages -->
-  <ItemGroup>
-    <GlobalPackageReference Include="AsyncFixer" Version="1.6.0" />
-    <GlobalPackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="9.0.0" />
-    <GlobalPackageReference Include="ReferenceTrimmer" Version="3.3.11" />
-    <GlobalPackageReference Include="Roslynator.Analyzers" Version="4.13.1" />
-  </ItemGroup>
-</Project>
+<Project>
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <!-- Exclude local packages from central management -->
+    <CentralPackageTransitivePinningEnabled>false</CentralPackageTransitivePinningEnabled>
+  </PropertyGroup>
+  <!-- Build packages-->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.Build.Framework" Version="17.14.8" PrivateAssets="all" />
+    <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.14.8" PrivateAssets="all" />
+    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="all" />
+  </ItemGroup>
+  <!-- Runtime packages -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="9.0.6" PrivateAssets="all" />
+    <PackageVersion Include="System.IO.Pipelines" Version="9.0.6" PrivateAssets="all" />
+    <PackageVersion Include="System.Text.Encodings.Web" Version="9.0.6" PrivateAssets="all" />
+    <PackageVersion Include="System.Text.Json" Version="9.0.6" PrivateAssets="all" />
+    <PackageVersion Include="YamlDotNet" Version="16.3.0" PrivateAssets="all" GeneratePathProperty="true" />
+    <PackageVersion Include="YamlDotNet.System.Text.Json" Version="1.6.6" PrivateAssets="all" />
+  </ItemGroup>
+  <!-- Test packages -->
+  <ItemGroup>
+    <PackageVersion Include="AggregateConfigBuildTask" Version="1.0.8" />
+    <PackageVersion Include="coverlet.collector" Version="6.0.4" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
+    <PackageVersion Include="Moq" Version="4.20.72" />
+    <PackageVersion Include="MSTest.TestAdapter" Version="3.9.3" />
+    <PackageVersion Include="MSTest.TestFramework" Version="3.9.3" />
+  </ItemGroup>
+  <!-- Global packages -->
+  <ItemGroup>
+    <GlobalPackageReference Include="AsyncFixer" Version="1.6.0" />
+    <GlobalPackageReference Include="Meziantou.Analyzer" Version="2.0.205" />
+    <GlobalPackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="9.0.0" />
+    <GlobalPackageReference Include="ReferenceTrimmer" Version="3.3.12" />
+    <GlobalPackageReference Include="Roslynator.Analyzers" Version="4.13.1" />
+  </ItemGroup>
+</Project>

README.md

@@ -359,6 +359,28 @@ foreach (var name in resourceNames)
 
 This will list all embedded resources, allowing you to confirm the correct name to use when loading the resource.
 
+## Development
+
+This project uses `dirs.proj` files with the Microsoft.Build.Traversal SDK for project organization instead of traditional solution files. This approach provides better performance and more flexibility for build scenarios.
+
+### Generating Solution Files
+
+If you need Visual Studio solution files for development, you can generate them using the [Microsoft.VisualStudio.SlnGen](https://github.com/microsoft/slngen) global tool:
+
+```bash
+# Install the slngen global tool
+dotnet tool install --global Microsoft.VisualStudio.SlnGen
+
+# Generate solution files from dirs.proj files
+slngen src/dirs.proj --folders true
+slngen test/dirs.proj --folders true
+
+# Or generate a solution for the entire repository
+slngen dirs.proj --folders true
+```
+
+The generated solution files will include all projects referenced by the `dirs.proj` files and maintain the folder structure for easy navigation in Visual Studio.
+
 ## License
 
 This project is licensed under the MIT License. See the [LICENSE](https://github.com/richardsondev/AggregateConfigBuildTask/blob/main/LICENSE) file for details.

dirs.proj

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.Build.Traversal">
+
+  <ItemGroup>
+    <!-- Folder-level project references -->
+    <ProjectReference Include="src\dirs.proj" />
+    <ProjectReference Include="test\dirs.proj" />
+  </ItemGroup>
+
+</Project>

global.json

@@ -0,0 +1,9 @@
+{
+  "sdk": {
+    "version": "9.0.301",
+    "rollForward": "latestFeature"
+  },
+  "msbuild-sdks": {
+    "Microsoft.Build.Traversal": "4.1.82"
+  }
+}