Allow banning Newtonsoft.Json references (#110)

Author: meziantou

.github/workflows/semgrep.yml

@@ -10,6 +10,7 @@ on:
 jobs:
   call-workflow-semgrep:
     permissions:
+      actions: read
       contents: read
       security-events: write
     uses: workleap/wl-reusable-workflows/.github/workflows/reusable-semgrep-workflow.yml@main

README.md

@@ -29,6 +29,13 @@ If you also have a `Directory.Build.props` file in your solution, you can remove
 - Project properties, including deterministic build, strict mode, continuous integration build detection, [faster package restoration](https://learn.microsoft.com/en-us/nuget/reference/msbuild-targets#restoring-with-msbuild-static-graph-evaluation), and [faster builds on Visual Studio](https://devblogs.microsoft.com/visualstudio/vs-toolbox-accelerate-your-builds-of-sdk-style-net-projects/), and more.
 - .NET analysis rules configuration, including style rules (`IDExxxx`) and code analysis rules (`CAxxxx`). These rules have been manually configured to provide a good balance between quality, performance, security, and build time.
 - Banned APIs, such as `DateTime.Now` and `DateTimeOffset.Now` (use their UTC counterparts instead).
+- Opt-in banning `Newtonsoft.Json`:
+
+    ```xml
+    <PropertyGroup>
+        <BanNewtonsoftJsonSymbols>true</BanNewtonsoftJsonSymbols>
+    </PropertyGroup>
+    ```
 
 ## What's NOT included
 

src/build/Workleap.DotNet.CodingStandards.targets

@@ -21,11 +21,15 @@
   <!-- Banned Symbols -->
   <PropertyGroup>
     <IncludeDefaultBannedSymbols Condition="$(IncludeDefaultBannedSymbols) == ''">true</IncludeDefaultBannedSymbols>
+    <BanNewtonsoftJsonSymbols Condition="$(BanNewtonsoftJsonSymbols) == ''">false</BanNewtonsoftJsonSymbols>
   </PropertyGroup>
 
   <ItemGroup>
     <AdditionalFiles Include="$(MSBuildThisFileDirectory)\..\files\BannedSymbols.txt"
       Condition="$(IncludeDefaultBannedSymbols) == 'true'"
       Visible="false" />
+    <AdditionalFiles Include="$(MSBuildThisFileDirectory)\..\files\BannedSymbols.Newtonsoft.Json.txt"
+      Condition="$(BanNewtonsoftJsonSymbols) == 'true'"
+      Visible="false" />
   </ItemGroup>
 </Project>

src/files/BannedSymbols.Newtonsoft.Json.txt

@@ -0,0 +1 @@
+N:Newtonsoft.Json

tests/Workleap.DotNet.CodingStandards.Tests/CodingStandardTests.cs

@@ -17,6 +17,29 @@ public async Task BannedSymbolsAreReported()
         Assert.True(data.HasWarning("RS0030"));
     }
 
+    [Fact]
+    public async Task BannedNewtonsoftJsonSymbolsAreReportedWhenPropertyIsSet()
+    {
+        using var project = new ProjectBuilder(fixture, testOutputHelper);
+        project.AddCsprojFile(
+            properties: new Dictionary<string, string> { { "BanNewtonsoftJsonSymbols", "true" } },
+            packageReferences: new Dictionary<string, string> { { "Newtonsoft.Json", "13.0.1" } });
+        project.AddFile("sample.cs", "_ = Newtonsoft.Json.JsonConvert.SerializeObject(new object());");
+        var data = await project.BuildAndGetOutput();
+        Assert.True(data.HasWarning("RS0030"));
+    }
+
+    [Fact]
+    public async Task BannedNewtonsoftJsonSymbolsAreNotReportedWhenPropertyIsNotSet()
+    {
+        using var project = new ProjectBuilder(fixture, testOutputHelper);
+        project.AddCsprojFile(
+            packageReferences: new Dictionary<string, string> { { "Newtonsoft.Json", "13.0.1" } });
+        project.AddFile("sample.cs", "_ = Newtonsoft.Json.JsonConvert.SerializeObject(new object());");
+        var data = await project.BuildAndGetOutput();
+        Assert.False(data.HasWarning("RS0030"));
+    }
+
     [Fact]
     public async Task WarningsAsErrorOnGitHubActions()
     {

tests/Workleap.DotNet.CodingStandards.Tests/Helpers/ProjectBuilder.cs

@@ -56,7 +56,7 @@ public void AddCsprojFile(Dictionary<string, string>? properties = null, Diction
         {
             foreach (var prop in properties)
             {
-                propertyElement.Add(new XElement(prop.Key), prop.Value);
+                propertyElement.Add(new XElement(prop.Key, prop.Value));
             }
         }