Efcore: Microsoft.EntityFrameworkCore.Analyzers - warning EF1000: Possible SQL injection vulnerability.

Created on 5 Oct 2018 · 23 Comments · Source: dotnet/efcore

Microsoft.EntityFrameworkCore.Analyzers shows this warning:

Title: Possible SQL injection vulnerability.
ID: EF1000
Message: The SQL expression passed to '{0}' embeds data that will not be parameterized. Review for potential SQL injection vulnerability. See https://go.microsoft.com/fwlink/?linkid=871170 for more information.
Help link: https://bingdev.cloudapp.net/BingUrl.svc/Get?selectedText=The SQL expression passed to '{0}' embeds data that will not be parameterized. Review for potential SQL injection vulnerability. See https:%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D871170 for more information.&mainLanguage=C%23&projectType=&requestId=d3919894-237e-4175-9a44-a7b17ceb7df3&clientId=&errorCode=EF1000

The main problem is that I cannot find where this warning is in my code. The message does not say anything about the line number or file where this problem exists.

I searched my whole project for {0} but I do not have it.

Is there some way to get a more detailed message for this warning, or some way to suppress it, not globally but at code level with a comment, in case it is a false warning?

Further technical details

EF Core version: 2.1.3
Database Provider: Microsoft.EntityFrameworkCore.SqlServer
Operating system: Windows 10
IDE: Visual Studio 2017 15.8.6

closed-question customer-reported

Most helpful comment

I just unloaded and reloaded the project, and the warning disappeared.

All 23 comments

@dalibor983 Does it show in the VS warnings window? Can you double click on it to go to the code line involved?

@ajcvickers No, this warning is shown in the Solution Explorer window under Dependencies:

|- Project Name
|--- Dependencies
|----- .NETStandard 2.0
|------- Analyzers
|--------- Microsoft.EntityFrameworkCore.Analyzers
|----------- EF1000: Possible SQL injection vulnerability.

Nothing happens when I double-click on EF1000: Possible SQL injection vulnerability. :disappointed:

@dalibor983 Can you post the full text in the context of all the other text around it?

@ajcvickers There is no text around it. I can only get more information when I go to the properties of EF1000: Possible SQL injection vulnerability., and in the Properties window I get this:

Category: Security
Default severity: Warning
Description: 
Effective severity: Warning
Enabled by default: True
Help link: https://bingdev.cloudapp.net/BingUrl.svc/Get?selectedText=The SQL expression passed to '{0}' embeds data that will not be parameterized. Review for potential SQL injection vulnerability. See https:%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D871170 for more information.&mainLanguage=C%23&projectType=&requestId=30ad45c4-9af9-4c7a-9c3d-ff4856396d6a&clientId=&errorCode=EF1000
ID: EF1000
Message: The SQL expression passed to '{0}' embeds data that will not be parameterized. Review for potential SQL injection vulnerability. See https://go.microsoft.com/fwlink/?linkid=871170 for more information.
Tags: 
Title: Possible SQL injection vulnerability.

It's not an error. It is Visual Studio's way to show all the warnings from a given analyzer so that you can set the severity of each of them using a GUI tool.
FWIW, this is what is being talked about: [screenshot]

@smitpatel In my case there is also a yellow exclamation mark, and in the Properties window the Message property has the value The SQL expression passed to '{0}' embeds data that will not be parameterized. Review for potential SQL injection vulnerability. See https://go.microsoft.com/fwlink/?linkid=871170 for more information.

Something like this: [screenshot: warningvs]

If this is not an error or warning, how do I remove the yellow exclamation mark?

The yellow exclamation mark on dependencies in VS is a sign that dependencies are not available. If you run package restore and use the correct SDK, the yellow mark will go away. It is nothing specific to EFCore.Analyzers. It's more a sign that there is an issue with the dependencies this project is referencing.

@smitpatel The yellow exclamation mark is at EF1000: Possible SQL injection vulnerability. This image is only an illustration of what the yellow exclamation mark looks like.

@dalibor983 - Again, that yellow exclamation mark is about a dependency issue. EFCore neither has a way to generate that yellow mark nor has control over it. If there are any errors generated by the EFCore analyzer, they will be included in the Error List window in VS. If you are not able to get rid of that yellow mark, perhaps file an issue with VS, as it seems like a project system issue.

@smitpatel The yellow exclamation mark is in Solution Explorer; there is nothing in the Error List.

[screenshot: analyzer-error]

@dalibor983 - Can you file an issue with VS using the VS feedback system?
More info: https://docs.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio-2017?view=vs-2017

I have a similar problem: [screenshot]

I've checked the file and it does exist.

I've added the EF Core SQL Server NuGet package to a .NET Standard 2.0 library using the Visual Studio Package Management UI and referenced the lib in a .NET Core web application.

dotnet --list-sdks
2.1.401 [C:\Program Files\dotnet\sdk]
2.1.402 [C:\Program Files\dotnet\sdk]
2.1.403 [C:\Program Files\dotnet\sdk]
2.1.500 [C:\Program Files\dotnet\sdk]

It is quite disturbing.

@ajcvickers: why was it closed? Not resolved, not answered imho...

@Liero We haven't been able to reproduce the yellow warning rectangle; I just used the steps you listed and still don't see it. But even if we could, since we're removing the analyzer in the 3.0 release anyway, it's unlikely that there would be any additional action on our side other than to continue with that plan.

@ajcvickers: Understood. Meanwhile, the warning rectangle disappeared from my solution although I have done nothing with the packages. Maybe a PC restart helped....

@Liero

meanwhile, the warning rectangle disappeared from my solution although

Try running some dotnet ef CLI command in the project; I think the warning rectangle will appear again.

For example, try running this while Visual Studio is open and your project is loaded:

dotnet ef migrations list

I just unloaded and reloaded the project, and the warning disappeared.

I was getting this as well. The solution which worked for me was installing the .NET Core 2.2 SDK and restarting.

I updated one of the NuGet packages (Microsoft.VisualStudio.Web.CodeGeneration.Design 2.2.2 to 2.2.3) and it disappeared as well.

I got this warning too. What I did was remove all files inside the obj folder in my project, then build the project again.

I got this warning too!

I cleaned the affected project, deleted the obj folder and reloaded the project.

[screenshot: Capture2]

This is a detailed issue, so your recommendation is needed?


Solved by removing string format.
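The EF1000 message quoted at the top of the thread, and the last comment's fix of removing the string format, both come down to one distinction: whether the SQL text handed to EF Core is a constant with the data sent as parameters, or a string assembled at runtime with the data already inside it. The following is an added illustration, not code from this issue or from the EF Core project. It uses the EF Core 2.1 API names in effect for the reporter's version (FromSql and ExecuteSqlCommand); the Blog entity, the BloggingContext, its connection string and the query helpers are constructed for this example. The '{0}' in the warning text is the analyzer's placeholder for the method name it is reporting on (hence nothing to search for in your own code); the unrelated '{0}' in FindByNamePlaceholder below is EF Core's own positional parameter placeholder.

```csharp
using System;
using System.Data.SqlClient;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Constructed entity and context for this example (not from the issue).
public class Blog
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class BloggingContext : DbContext
{
    public DbSet<Blog> Blogs { get; set; }

    protected override void OnConfiguring(DbContextOptionsBuilder options)
        => options.UseSqlServer(
            "Server=(localdb)\\mssqllocaldb;Database=Ef1000Demo;Trusted_Connection=True;");
}

public static class BlogQueries
{
    // Flagged by EF1000: the caller-supplied value is formatted into the SQL
    // text before EF Core sees it, so there is nothing left to parameterize.
    // The string reaches FromSql as plain text (via RawSqlString), and a value
    // containing a quote character changes the query instead of being compared
    // as data. Kept here only to show the shape the analyzer warns about.
    public static Blog[] FindByNameUnsafe(BloggingContext db, string name)
    {
        var sql = string.Format("SELECT * FROM dbo.Blogs WHERE Name = '{0}'", name);
        return db.Blogs.FromSql(sql).ToArray();
    }

    // Fix 1: pass the interpolated string directly. FromSql has a
    // FormattableString overload, so {name} becomes a DbParameter and the SQL
    // text itself stays constant. Caveat: assign the $"..." to a `string`
    // variable first and it collapses to plain text, which is the unsafe case
    // above again.
    public static Blog[] FindByNameInterpolated(BloggingContext db, string name)
    {
        return db.Blogs.FromSql($"SELECT * FROM dbo.Blogs WHERE Name = {name}").ToArray();
    }

    // Fix 2: positional placeholder plus a separate argument. The SQL text is a
    // literal, so the analyzer stays quiet, and EF Core binds `name` as a
    // parameter in place of {0}.
    public static Blog[] FindByNamePlaceholder(BloggingContext db, string name)
    {
        return db.Blogs.FromSql("SELECT * FROM dbo.Blogs WHERE Name = {0}", name).ToArray();
    }

    // Fix 3: explicit DbParameters, which also work for non-query commands
    // through ExecuteSqlCommand (returns the number of affected rows).
    public static int RenameBlog(BloggingContext db, int id, string newName)
    {
        return db.Database.ExecuteSqlCommand(
            "UPDATE dbo.Blogs SET Name = @name WHERE Id = @id",
            new SqlParameter("@name", newName),
            new SqlParameter("@id", id));
    }
}
```

The practical check when EF1000 fires is to look at every FromSql and ExecuteSqlCommand call site and ask whether the first argument is a literal or a `$"..."` passed directly; anything built with string.Format, concatenation or a `string` variable holding interpolated text is the case the warning describes, regardless of where Visual Studio happens to display it.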
