Merge branch 'master' of github.com:MicrosoftDocs/visualstudio-docs-pr into target-platforms

Author: ghogen

.openpublishing.redirection.json

@@ -2745,6 +2745,11 @@
       "redirect_url": "/visualstudio/debugger/graphics/getting-started-with-visual-studio-graphics-diagnostics",
       "redirect_document_id": false
     },
+    {
+      "source_path": "docs/profiling/profiling-overview.md",
+      "redirect_url": "/visualstudio/profiling/profiling-feature-tour",
+      "redirect_document_id": false
+    },
     {
       "source_path": "docs/debugger/gpu-usage.md",
       "redirect_url": "/visualstudio/profiling/gpu-usage",

docs/code-quality/ca1806.md

@@ -33,41 +33,58 @@ There are several possible reasons for this warning:
 
 - A method that creates and returns a new string is called and the new string is never used.
 
-- A COM or P/Invoke method that returns a HRESULT or error code that is never used. Rule Description
+- A COM or P/Invoke method that returns a HRESULT or error code that is never used.
+
+- A LINQ method that returns a result that is never used.
+
+## Rule description
 
 Unnecessary object creation and the associated garbage collection of the unused object degrade performance.
 
 Strings are immutable and methods such as String.ToUpper returns a new instance of a string instead of modifying the instance of the string in the calling method.
 
 Ignoring HRESULT or error code can lead to unexpected behavior in error conditions or to low-resource conditions.
 
+LINQ methods are known to not have side effects, and the result should not be ignored.
+
 ## How to fix violations
-If method A creates a new instance of B object that is never used, pass the instance as an argument to another method or assign the instance to a variable. If the object creation is unnecessary, remove the it.-or-
 
-If method A calls method B, but does not use the new string instance that the method B returns. Pass the instance as an argument to another method, assign the instance to a variable. Or remove the call if it is unnecessary.
+If method A creates a new instance of B object that is never used, pass the instance as an argument to another method or assign the instance to a variable. If the object creation is unnecessary, remove the it.
+
+-or-
+
+If method A calls method B, but does not use the new string instance that the method B returns, pass the instance as an argument to another method, assign the instance to a variable. Or remove the call if it is unnecessary.
+
+-or-
 
- -or-
+If method A calls method B, but does not use the HRESULT or error code that the method returns, use the result in a conditional statement, assign the result to a variable, or pass it as an argument to another method.
 
-If method A calls method B, but does not use the HRESULT or error code that the method returns. Use the result in a conditional statement, assign the result to a variable, or pass it as an argument to another method.
+-or-
+
+If a LINQ method A calls method B, but does not use the result, use the result in a conditional statement, assign the result to a variable, or pass it as an argument to another method.
 
 ## When to suppress warnings
+
 Do not suppress a warning from this rule unless the act of creating the object serves some purpose.
 
 ## Example
+
 The following example shows a class that ignores the result of calling String.Trim.
 
 [!code-csharp[FxCop.Usage.DoNotIgnoreMethodResults3#1](../code-quality/codesnippet/CSharp/ca1806-do-not-ignore-method-results_1.cs)]
 [!code-vb[FxCop.Usage.DoNotIgnoreMethodResults3#1](../code-quality/codesnippet/VisualBasic/ca1806-do-not-ignore-method-results_1.vb)]
 [!code-cpp[FxCop.Usage.DoNotIgnoreMethodResults3#1](../code-quality/codesnippet/CPP/ca1806-do-not-ignore-method-results_1.cpp)]
 
 ## Example
+
 The following example fixes the previous violation by assigning the result of String.Trim back to the variable it was called on.
 
 [!code-csharp[FxCop.Usage.DoNotIgnoreMethodResults4#1](../code-quality/codesnippet/CSharp/ca1806-do-not-ignore-method-results_2.cs)]
 [!code-vb[FxCop.Usage.DoNotIgnoreMethodResults4#1](../code-quality/codesnippet/VisualBasic/ca1806-do-not-ignore-method-results_2.vb)]
 [!code-cpp[FxCop.Usage.DoNotIgnoreMethodResults4#1](../code-quality/codesnippet/CPP/ca1806-do-not-ignore-method-results_2.cpp)]
 
 ## Example
+
 The following example shows a method that does not use an object that it creates.
 
 > [!NOTE]
@@ -77,6 +94,7 @@ The following example shows a method that does not use an object that it creates
 [!code-csharp[FxCop.Usage.DoNotIgnoreMethodResults5#1](../code-quality/codesnippet/CSharp/ca1806-do-not-ignore-method-results_3.cs)]
 
 ## Example
+
 The following example fixes the previous violation by removing the unnecessary creation of an object.
 
 [!code-csharp[FxCop.Usage.DoNotIgnoreMethodResults6#1](../code-quality/codesnippet/CSharp/ca1806-do-not-ignore-method-results_4.cs)]

docs/code-quality/ca2002.md

@@ -61,7 +61,9 @@ To fix a violation of this rule, use an object from a type that is not in the li
 
 ## When to suppress warnings
 
-Do not suppress a warning from this rule.
+It is safe to suppress the warning if the locked object is `this` or `Me` and the visibility of the self object type is private or internal, and the instance is not accessible using any public reference.
+
+Otherwise, do not suppress a warning from this rule.
 
 ## Related rules
 

docs/code-quality/ca2013.md

@@ -0,0 +1,61 @@
+---
+title: "ca2013: Do not use ReferenceEquals with value types"
+ms.date: 05/27/2020
+ms.topic: reference
+f1_keywords:
+  - "DoNotUseReferenceEqualsWithValueTypes"
+  - "CA2013"
+helpviewer_keywords:
+  - "DoNotUseReferenceEqualsWithValueTypes"
+  - "CA2013"
+author: buyaa-n
+ms.author: bunamnan
+manager: jeffhand
+ms.workload:
+  - "multiple"
+---
+# CA2013: Do not use ReferenceEquals with value types
+
+|||
+|-|-|
+|CheckId|CA2013|
+|Category|Microsoft.Reliability|
+|Breaking change|Non-breaking|
+
+## Cause
+
+Using <xref:System.Object.ReferenceEquals%2A?displayProperty=fullName> method to test one or more value types for equality.
+
+## Rule description
+
+When comparing values using <xref:System.Object.ReferenceEquals%2A>, if objA and objB are value types, they are boxed before they are passed to the <xref:System.Object.ReferenceEquals%2A> method. This means that even if both objA and objB represent the same instance of a value type, the <xref:System.Object.ReferenceEquals%2A> method nevertheless returns false, as the following example shows.
+
+## How to fix violations
+
+To fix the violation, replace it with a more appropriate equality check such as `==`.
+
+```csharp
+
+    int int1 = 1, int2 = 1;
+	
+    // Violation occurs, returns false.
+    Console.WriteLine(Object.ReferenceEquals(int1, int2));  // false
+	
+    // Use appropriate equality operator or method instead
+    Console.WriteLine(int1 == int2);                        // true
+    Console.WriteLine(Object.Equals(int1, int2));           // true
+```
+
+## When to suppress warnings
+
+It is NOT safe to suppress a warning from this rule, we recommend using the more appropriate equality operator such as `==`.
+
+## Related rules
+
+- [CA2231: Overload operator equals on overriding ValueType.Equals](CA2231.md)
+- [CA2224: Override equals on overloading operator equals](../code-quality/ca2224.md)
+- [CA2218: Override GetHashCode on overriding Equals](../code-quality/ca2218.md)
+
+## See also
+
+- [Reliability warnings](../code-quality/reliability-warnings.md)

docs/code-quality/ca5360.md

@@ -0,0 +1,113 @@
+---
+title: "CA5360: Do not call dangerous methods in deserialization"
+description: Provides information about code analysis rule CA5360, including causes, how to fix violations, and when to suppress it.
+ms.date: 05/27/2020
+ms.topic: reference
+author: LLLXXXCCC
+ms.author: linche
+manager: jillfra
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5360"
+  - "DoNotCallDangerousMethodsInDeserialization"
+---
+# CA5360: Do not call dangerous methods in deserialization
+
+|||
+|-|-|
+|CheckId|CA5360|
+|Category|Microsoft.Security|
+|Breaking change|Non-breaking|
+
+## Cause
+
+Calling one of the following dangerous methods in deserialization:
+- <xref:System.IO.Directory.Delete%2A?displayProperty=fullName>
+- <xref:System.IO.DirectoryInfo.Delete%2A?displayProperty=fullName>
+- <xref:System.IO.File.AppendAllLines%2A?displayProperty=fullName>
+- <xref:System.IO.File.AppendAllText%2A?displayProperty=fullName>
+- <xref:System.IO.File.AppendText%2A?displayProperty=fullName>
+- <xref:System.IO.File.Copy%2A?displayProperty=fullName>
+- <xref:System.IO.File.Delete%2A?displayProperty=fullName>
+- <xref:System.IO.File.WriteAllBytes%2A?displayProperty=fullName>
+- <xref:System.IO.File.WriteAllLines%2A?displayProperty=fullName>
+- <xref:System.IO.File.WriteAllText%2A?displayProperty=fullName>
+- <xref:System.IO.FileInfo.Delete%2A?displayProperty=fullName>
+- <xref:System.IO.Log.LogStore.Delete%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.GetLoadedModules%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.Load%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.LoadFrom%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.LoadFile%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.LoadModule%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.LoadWithPartialName%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.ReflectionOnlyLoad%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.ReflectionOnlyLoadFrom%2A?displayProperty=fullName>
+- <xref:System.Reflection.Assembly.UnsafeLoadFrom%2A?displayProperty=fullName>
+
+All methods meets one of the following requirements could be the callback of deserialization:
+- Marked with <xref:System.Runtime.Serialization.OnDeserializingAttribute?displayProperty=fullName>.
+- Marked with <xref:System.Runtime.Serialization.OnDeserializedAttribute?displayProperty=fullName>.
+- Implementing <xref:System.Runtime.Serialization.IDeserializationCallback.OnDeserialization%2A?displayProperty=fullName>.
+- Implementing <xref:System.IDisposable.Dispose%2A?displayProperty=fullName>.
+- Is a destructor.
+
+## Rule description
+
+Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It's frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution.
+
+## How to fix violations
+
+Remove these dangerous methods from automatically run deserialization callbacks. Call dangerous methods only after validating the input.
+
+## When to suppress warnings
+
+It's safe to suppress this rule if:
+- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
+- The serialized data is tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
+- The data is validated as safe to the application.
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System;
+using System.IO;
+using System.Runtime.Serialization;
+
+[Serializable()]
+public class ExampleClass : IDeserializationCallback
+{
+    private string member;
+
+    void IDeserializationCallback.OnDeserialization(Object sender)
+    {
+        var sourceFileName = "malicious file";
+        var destFileName = "sensitive file";
+        File.Copy(sourceFileName, destFileName);
+    }
+}
+```
+
+### Solution
+
+```csharp
+using System;
+using System.IO;
+using System.Runtime.Serialization;
+
+[Serializable()]
+public class ExampleClass : IDeserializationCallback
+{
+    private string member;
+
+    void IDeserializationCallback.OnDeserialization(Object sender)
+    {
+        var sourceFileName = "malicious file";
+        var destFileName = "sensitive file";
+        // Remove the potential dangerous operation.
+        // File.Copy(sourceFileName, destFileName);
+    }
+}
+```

docs/code-quality/code-analysis-warnings-for-managed-code-by-checkid.md

@@ -177,6 +177,7 @@ f1_keywords:
 - CA2007
 - CA2009
 - CA2011
+- CA2013
 - CA2015
 - CA2100
 - CA2101
@@ -449,6 +450,7 @@ The following table lists Code Analysis warnings for managed code by the CheckId
 | CA2007 | [CA2007: Do not directly await a Task](ca2007.md) | An asynchronous method [awaits](/dotnet/csharp/language-reference/keywords/await) a <xref:System.Threading.Tasks.Task> directly. When an asynchronous method awaits a <xref:System.Threading.Tasks.Task> directly, continuation occurs in the same thread that created the task. This behavior can be costly in terms of performance and can result in a deadlock on the UI thread. Consider calling <xref:System.Threading.Tasks.Task.ConfigureAwait(System.Boolean)?displayProperty=nameWithType> to signal your intention for continuation. |
 | CA2009 | [CA2009: Do not call ToImmutableCollection on an ImmutableCollection value](ca2009.md) | `ToImmutable` method was unnecessarily called on an immutable collection from <xref:System.Collections.Immutable> namespace. |
 | CA2011 | [CA2011: Do not assign property within its setter](ca2011.md) | A property was accidentally assigned a value within its own [set accessor](/dotnet/csharp/programming-guide/classes-and-structs/using-properties#the-set-accessor). |
+| CA2013 | [CA2013: Do not use ReferenceEquals with value types](ca2013.md) | When comparing values using <xref:System.Object.ReferenceEquals%2A?displayProperty=fullName>, if objA and objB are value types, they are boxed before they are passed to the <xref:System.Object.ReferenceEquals%2A> method. This means that even if both objA and objB represent the same instance of a value type, the <xref:System.Object.ReferenceEquals%2A> method nevertheless returns false. |
 | CA2015 | [CA2015: Do not define finalizers for types derived from MemoryManager&lt;T&gt;](ca2015.md) | Adding a finalizer to a type derived from <xref:System.Buffers.MemoryManager%601> may permit memory to be freed while it is still in use by a <xref:System.Span%601>. |
 | CA2100 | [CA2100: Review SQL queries for security vulnerabilities](../code-quality/ca2100.md) | A method sets the System.Data.IDbCommand.CommandText property by using a string that is built from a string argument to the method. This rule assumes that the string argument contains user input. A SQL command string that is built from user input is vulnerable to SQL injection attacks. |
 | CA2101 |[CA2101: Specify marshaling for P/Invoke string arguments](../code-quality/ca2101.md) | A platform invoke member allows partially trusted callers, has a string parameter, and does not explicitly marshal the string. This can cause a potential security vulnerability. |
@@ -543,6 +545,7 @@ The following table lists Code Analysis warnings for managed code by the CheckId
 | CA2246 | [CA2246: Do not assign a symbol and its member in the same statement](../code-quality/ca2246.md) | Assigning a symbol and its member, that is, a field or a property, in the same statement is not recommended. It is not clear if the member access was intended to use the symbol's old value prior to the assignment or the new value from the assignment in this statement. |
 | CA5122 | [CA5122 P/Invoke declarations should not be safe critical](../code-quality/ca5122.md) | Methods are marked as SecuritySafeCritical when they perform a security sensitive operation, but are also safe to be used by transparent code. Transparent code may never directly call native code through a P/Invoke. Therefore, marking a P/Invoke as security safe critical will not enable transparent code to call it, and is misleading for security analysis. |
 | CA5359 | [CA5359 Do not disable certificate validation](../code-quality/ca5359.md) | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns `true`, any certificate will pass validation. |
+| CA5360 | [CA5360 Do not call dangerous methods in deserialization](../code-quality/ca5360.md) | Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It's frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. |
 | CA5362 | [CA5362 Potential reference cycle in deserialized object graph](../code-quality/ca5362.md) | If deserializing untrusted data, then any code processing the deserialized object graph needs to handle reference cycles without going into infinite loops. This includes both code that's part of a deserialization callback and code that processes the object graph after deserialization completed. Otherwise, an attacker could perform a Denial-of-Service attack with malicious data containing a reference cycle. |
 | CA5365 | [CA5365 Do Not Disable HTTP Header Checking](../code-quality/ca5365.md) | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. |
 | CA5366 | [CA5366 Use XmlReader For DataSet Read XML](../code-quality/ca5366.md) | Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled. |

docs/code-quality/reliability-warnings.md

@@ -30,4 +30,5 @@ Reliability warnings support library and application reliability, such as correc
 |[CA2007: Do not directly await a Task](../code-quality/ca2007.md)|An asynchronous method [awaits](/dotnet/csharp/language-reference/keywords/await) a <xref:System.Threading.Tasks.Task> directly.|
 |[CA2009: Do not call ToImmutableCollection on an ImmutableCollection value](../code-quality/ca2009.md)|`ToImmutable` method was unnecessarily called on an immutable collection from <xref:System.Collections.Immutable> namespace.|
 |[CA2011: Do not assign property within its setter](../code-quality/ca2011.md) | A property was accidentally assigned a value within its own [set accessor](/dotnet/csharp/programming-guide/classes-and-structs/using-properties#the-set-accessor). |
+|[CA2013: Do not use ReferenceEquals with value types](../code-quality/ca2013.md) | When comparing values using <xref:System.Object.ReferenceEquals%2A?displayProperty=fullName>, if objA and objB are value types, they are boxed before they are passed to the <xref:System.Object.ReferenceEquals%2A> method. This means that even if both objA and objB represent the same instance of a value type, the <xref:System.Object.ReferenceEquals%2A> method nevertheless returns false. |
 |[CA2015: Do not define finalizers for types derived from MemoryManager&lt;T&gt;](../code-quality/ca2015.md) | Adding a finalizer to a type derived from <xref:System.Buffers.MemoryManager%601> may permit memory to be freed while it is still in use by a <xref:System.Span%601>. |