Download ScriptAnalyzer from PowerShellGallery

Home Page: https://www.powershellgallery.com/packages/PSScriptAnalyzer/

License: MIT License

PowerShell 34.28% C# 65.70% Dockerfile 0.03%
powershell scriptanalyzer linter formatter analyzer powershell-gallery hacktoberfest

psscriptanalyzer's Introduction

PSScriptAnalyzer

Join the chat at https://gitter.im/PowerShell/PSScriptAnalyzer

Introduction

PSScriptAnalyzer is a static code checker for PowerShell modules and scripts. PSScriptAnalyzer checks the quality of PowerShell code by running a set of rules. The rules are based on PowerShell best practices identified by the PowerShell Team and the community. It generates DiagnosticResults (errors and warnings) to inform users about potential code defects and suggests possible solutions for improvements.

PSScriptAnalyzer ships with a collection of built-in rules that check various aspects of PowerShell code such as:

  • The presence of uninitialized variables
  • Use of PSCredential type
  • Use of Invoke-Expression
  • And many more
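As an added example (not part of the project's README), the following runs only the built-in rules that correspond to the credential and Invoke-Expression checks listed above against a constructed script. It assumes PSScriptAnalyzer is installed; the function name `Test-ScriptSecurityFinding` and the sample script are hypothetical.

```powershell
Import-Module PSScriptAnalyzer

# Constructed sample input: a function that takes a password as a plain
# string and runs a command line assembled from a parameter.
$sample = @'
function Connect-Thing {
    param(
        [string]$ComputerName,
        [string]$UserName,
        [string]$Password
    )
    $cmd = "ping $ComputerName"
    Invoke-Expression $cmd
}
'@

# Built-in rules covering the credential and Invoke-Expression checks.
$securityRules = @(
    'PSAvoidUsingInvokeExpression',
    'PSAvoidUsingPlainTextForPassword',
    'PSAvoidUsingUsernameAndPasswordParams',
    'PSUsePSCredentialType'
)

# Hypothetical helper: returns the findings for the selected rules and
# throws when -FailOnFinding is set, so it can gate a build step.
function Test-ScriptSecurityFinding {
    param(
        [Parameter(Mandatory)][string] $ScriptText,
        [Parameter(Mandatory)][string[]] $Rule,
        [switch] $FailOnFinding
    )
    $findings = @(Invoke-ScriptAnalyzer -ScriptDefinition $ScriptText -IncludeRule $Rule)
    if ($FailOnFinding -and $findings.Count -gt 0) {
        $names = ($findings.RuleName | Sort-Object -Unique) -join ', '
        throw "Security rule findings present: $names"
    }
    $findings
}

Test-ScriptSecurityFinding -ScriptText $sample -Rule $securityRules |
    Sort-Object Line |
    Format-Table RuleName, Severity, Line, Message -Wrap
```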

DOCUMENTATION NOTICE

Conceptual user documentation has been moved out of the source code repository and into the documentation repository so that it can be published on learn.microsoft.com.

The goal of this migration is to have the user documentation on learn.microsoft.com. The source code repository should only contain documentation for the code base, such as how to build the code or how to contribute to the code.

User documentation that has been migrated:

There is one exception: the documentation for the rules and cmdlets will remain in the docs folder to facilitate build testing and to be archived as part of each release. Only the documentation for the latest release is published on learn.microsoft.com.

Installation

To install PSScriptAnalyzer from the PowerShell Gallery, see Installing PSScriptAnalyzer.

To install PSScriptAnalyzer from source code:

Requirements

  • If building for Windows PowerShell versions, then the .NET Framework 4.6.2 targeting pack (also referred to as developer/targeting pack) needs to be installed. This is only possible on Windows.
  • Optionally but recommended for development: Visual Studio 2017/2019

Steps

  • Obtain the source

    • Download the latest source code from the release page OR

    • Clone the repository (needs git)

      git clone https://github.com/PowerShell/PSScriptAnalyzer
  • Navigate to the source directory

    cd path/to/PSScriptAnalyzer
  • Building: you can either build using the Visual Studio solution PSScriptAnalyzer.sln or build using PowerShell specifically for your platform as follows:

    • The default build is for the currently used version of PowerShell

      .\build.ps1
    • Windows PowerShell version 5.0

      .\build.ps1 -PSVersion 5
    • Windows PowerShell version 4.0

      .\build.ps1 -PSVersion 4
    • Windows PowerShell version 3.0

      .\build.ps1 -PSVersion 3
    • PowerShell 7

      .\build.ps1 -PSVersion 7
  • Rebuild documentation since it gets built automatically only the first time

    .\build.ps1 -Documentation
  • Build all versions (PowerShell v3, v4, v5, and v6) and documentation

    .\build.ps1 -All
  • Import the module

    Import-Module .\out\PSScriptAnalyzer\[version]\PSScriptAnalyzer.psd1

To confirm installation: run Get-ScriptAnalyzerRule in the PowerShell console to obtain the built-in rules.

  • Adding/Removing resource strings

    For adding/removing resource strings in the *.resx files, it is recommended to use Visual Studio since it automatically updates the strongly typed *.Designer.cs files. The Visual Studio 2017 Community Edition is free to use but should you not have/want to use Visual Studio then you can either manually adapt the *.Designer.cs files or use the New-StronglyTypedCsFileForResx.ps1 script although the latter is discouraged since it leads to a bad diff of the *.Designer.cs files.

Tests

Pester-based ScriptAnalyzer Tests are located in path/to/PSScriptAnalyzer/Tests folder.

  • Ensure Pester of at least version 5.3 is installed
  • In the root folder of your local repository, run:

    ./build -Test

To retrieve the results of the run, you can use the tools which are part of the build module (build.psm1)

Import-Module ./build.psm1
Get-TestResults

To retrieve only the errors, you can use the following:

Import-Module ./build.psm1
Get-TestFailures

Using PSScriptAnalyzer

The documentation in this section can be found in Using PSScriptAnalyzer.

Contributions are welcome

There are many ways to contribute:

  1. Open a new bug report, feature request or just ask a question by opening a new issue.
  2. Participate in the discussions of issues, pull requests and test fixes or new features.
  3. Submit your own fixes or features as a pull request but please discuss it beforehand in an issue.
  4. Submit test cases.

Creating a Release

  • Update changelog (changelog.md) with the new version number and change set. When updating the changelog please follow the same pattern as that of previous change sets (otherwise this may break the next step).
  • Import the ReleaseMaker module and execute New-Release cmdlet to perform the following actions.
    • Update module manifest (engine/PSScriptAnalyzer.psd1) with the new version number and change set
    • Update the version number in Engine/Engine.csproj and Rules/Rules.csproj
    • Create a release build in out/

    Import-Module .\Utils\ReleaseMaker.psm1
    New-Release
  • Sign the binaries and PowerShell files in the release build and publish the module to PowerShell Gallery.
  • Draft a new release on GitHub and tag master with the new version number.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

psscriptanalyzer's Issues

Add pipeline support for -Include/ExcludeRule

Shall we introduce pipelining functionality in our cmdlet so users can do something like:

Eg. Invoke-ScriptAnalyzer -IncludeRule { Get-ScriptAnalyzerRules -Severity Error }
Invoke-ScriptAnalyzer -IncludeRule { Get-ScriptAnalyzerRules PSAvoid* }

Preference variables are sometimes considered uninitialized.

If I have this function:

    function get-preference
    {
        [CmdletBinding()]
        Param()

        if (-not $PSBoundParameters.ContainsKey('Verbose')) {
            $VerbosePreference = $PSCmdlet.GetVariableValue('VerbosePreference') -as [System.Management.Automation.ActionPreference]
        }

        $VerbosePreference
    }

the "PSAvoidUninitializedVariable" warning is triggered even though $VerbosePreference will always be initialized.

Project Does Not Have .gitignore File

Currently, this project doesn't have a .gitignore. Meaning when you build the project several files are created and reported as "untracked" via the git status command.

C:\PSScriptAnalyzer>git status
On branch master
Your branch is up-to-date with 'origin/master'.

Untracked files:
(use "git add ..." to include in what will be committed)

   Engine/bin/
   Engine/obj/
   PSScriptAnalyzer/
   PSScriptAnalyzer_Build.log
   Rules/bin/
   Rules/obj/

nothing added to commit but untracked files present (use "git add" to track)

GitHub has a recommended .gitignore file for Visual Studio projects located here.

Get-WMIObject should be replaced with Get-CIMInstance

Get-WMIObject is based on DCOM. During Windows 8 timeframe, this is replaced with Get-CIMInstance which is more stable and works in many scenarios that Get-WMIObject does not work. Generate a warning, if a script uses Get-WMIObject and is PowerShell 3.0 and above.

Add ability to determine when script uses language features and/or cmdlets not available in the specified minimum version of PowerShell

This is increasingly becoming an issue as PowerShell gets new language features and cmdlets. And cmdlets get new parameters, etc. I could have a #requires -version 3.0 in my script but I'm developing on PowerShell 5.0. It is real easy to slip up and use a lang feature ("using namespace System.Diagnostics") or a cmdlet (New-TemporaryFile) or a new cmdlet parameter (PassThru added to Enable-JobTrigger in v4). It would be great if ScriptAnalyzer saw a #requires -Version X.0 and warned (or errored) when I used a feature not available on X.0. Likewise, I would like to have a parameter to ScriptAnalyzer where I could tell it the minimum version I want to target (perhaps I have several scripts written at different times that have varying levels of #requires -Version).

For bonus points, if someone specified neither the command line parameter (MinimumPowerShellVersion) nor had any #requires or min version in their PSD1 file, it would be nice if ScriptAnalyzer told me that - "Scripts require at least version 4 due to use of -PassThru parameter on Enable-JobTrigger and use of Get-FileHash cmdlet".

Where things get a bit more tricky is setting a minimum Windows OS version. But the need is there since I have a whole bunch of cmdlets available to me on Windows 8.1 that I know are not available on Windows 7.

ExecutionContext is not recognized as a global variable

Repro

Clone https://github.com/TravisEz13/PSScriptAnalyzerExamples.git
open the repo in powershell
Invoke-ScriptAnalyzer .\executioncontext.ps1

Expected

No issues found by the script Analyzer

Actual

Rule Name                           Severity   File Name  Line  Message
---------                           --------   ---------  ----  -------
PSAvoidUninitializedVariable        Warning    executionc 1     Variable 'ExecutionContext' is not initialized. Non-global
                                               ontext.ps1       variables must be initialized. To fix a violation of this
                                                                rule, please initialize non-global variables.

Add wildcard support for rules

We need to provide wildcard support for inputting rules on the command line. Eg. Invoke-ScriptAnalyzer -IncludeRule PSAvoid*

Incorrect uninitialized variable warning on variable that has been initialized

Here's my script:

$manifest = [xml](Get-Content -Path $ManifestPath)
$product = $manifest.Products.Product | Where-Object {$_.name -eq $ProductName}
if ($null -eq $product)
{
    throw "The value for the ProductName parameter '$ProductName' does not exist in the manifest file $ManifestPath"
}

$productSrcPath = $ExecutionContext.InvokeCommand.ExpandString($product.source)

Results in this warning:

Variable 'product' is not initialized. Non-global
variables must be initialized. To fix a violation of
this rule, please initialize non-global variables.

AnalyzeDSCClass method should be only called for class based DSC Resources

Currently IDSCResourceRule requires two methods to be implemented:

  • AnalyzeDSCResource
  • AnalyzeDSCClass

First of them is called only for non-class based resources, while second of them is called for both class and non-class based resources.

If we have rule which should have different implementations for class and non-classed based resources, we need to perform additional checks inside AnalyzeDSCClass to confirm we are dealing with class based resource. We need to do it for every such rule, e.g. DscExamplesPresent and UseStandardDSCFunctionsInResource. Otherwise, we will have our rule run twice (and possibly displayed twice if conditions are not met).

We should modify the script analyzer engine so that it detects whether we are dealing with class based resource and calls AnalyzeDSCClass method only if that's the case.

foreach(x in z) causes issues with variable rules

Repro

Clone https://github.com/TravisEz13/PSScriptAnalyzerExamples.git
open the repo in powershell
Invoke-ScriptAnalyzer .\doubleforeach.ps1

Expected

No issues found by the script Analyzer

Actual

Rule Name                           Severity   File Name  Line  Message
---------                           --------   ---------  ----  -------
PSAvoidUninitializedVariable        Warning    doublefore 7     Variable 'value' is not initialized. Non-global variables
                                               ach.ps1          must be initialized. To fix a violation of this rule,
                                                                please initialize non-global variables.
PSUseCmdletCorrectly                Warning    doublefore 7     Cmdlet 'Write-Output' may be used incorrectly. Please check
                                               ach.ps1          that all mandatory parameters are supplied.

Fix PSAvoidUninitializedVariable warning on non-mandatory Parameter

I have a non-mandatory parameter that is defined like so:

    [Parameter()]
    [ValidateNotNullOrEmpty()]    
    [string]
    $NuGetVersion,

This is generating a warning:

Variable 'NuGetVersion' is not initialized.
Non-global variables must be initialized. To fix a
violation of this rule, please initialize non-global
variables.

While parameters may not be global variables, their initial value is typically provided outside the scope of the function. I've used parameter checks against $null to test if the parameter was supplied. I guess I could initialize these parameters to some value (say $null). I'm just not convinced that all non-mandatory parameters should be initialized with a default value.

Here's an example where initialization gets tricky due to value types:

function foo {param([Parameter()][DateTime]$d) "d is $($d -eq $null)"}

Parameter $d is not initialized and this would gen a warning. However, if I try to set $d to $null that will error saying that null can't be converted to DateTime. However if no argument is passed for $d, the function above will return True - $d is equal to $null in this scenario. So to eliminate this warning I have to initialize to some valid DateTime value - blech. I guess I could resort to checking $PSBoundParameters but that seems clunky when a simple $null check would suffice.

Have a version for NanoServer

We will create a separate branch targeting for PSScriptAnalyzer on Nano.
It will have a few new rules checking scripts compliance on NanoServer.

Rules around items within the Azure module

Perhaps we can identify and implement rules that would help around proper usage of the Azure Module and various Azure modes

[Fully realizing what these types of rules would be tbd! An example could be ensuring the AzureMode is set before running certain types of Azure commands]

Fix PSAvoidUsingInternalsURLs warning on XPath expressions

I get this warning:

ProductRel 268 '//files' could be an internal URL. Using internal
easeDeploy URL directly in the script may cause potential
ment.psm1 information discloure.

on a XPath expression:

$filesNode = $infoXml.SelectSingleNode("//files")

Investigate Visual Studio Integration

An item to discuss/consider/prototype Visual Studio Integration:

An integration could take one of two paths:

  1. A standalone VSIX that has a dependency on https://github.com/adamdriscoll/poshtools/
  2. A library that the aforementioned poshtools has dependencies upon

A completely standalone VSIX would not work if we intend to handle DSC, due to bitness restrictions.

To maintain agility, and to get to a minimum viable product sooner, we recommend the first option.

A dependency can be checked both at install time [as part of the VSIX Manifest], or at Runtime, by Querying the Visual Studio Service provider for the IPowerShellService. See https://github.com/microsoft/poshtools/blob/dev/PowerShellTools.PublicContract/IPowershellService.cs

The fastest way to a Proof of Concept, is to use the IPowerShell service and craft the powershell command to run upon the selected file. The output would be emitted as text.

The next step could be an output to a separate window, in a more friendly and usable manner

A further step could be real time analysis, but, to be performant, it would work nicer if the service exposed the most recent AST [See https://github.com/microsoft/poshtools/issues/496 ]

General Information about VS Extensibility can be found at https://msdn.microsoft.com/en-us/library/bb165336.aspx but our team is always happy to help with advice :)

PowerShell ISE Integration

This looks amazing, would it be possible to actually integrate this into the ISE ala StyleCop so it's possible to see these errors more or less in "real time?"

The use case here is most people that don't write a ton of scripts are not going to know that this is a problem until they run these scripts, most likely at the end of their development. They'll then have to go back and correct any of these problems. It would be a better flow if this could alert them to the problem as they are working.

Thanks!

PSDSCReturnCorrectTypesForDSCFunctions does not get triggered if Test-TargetResource does not return anything

When removed line returning $bool from Test-TargetResource in MSFT_xAzureSubscription.psm1, https://github.com/PowerShell/xAzure/blob/master/DSCResources/MSFT_xAzureSubscription/MSFT_xAzureSubscription.psm1

PSDSCReturnCorrectTypesForDSCFunctions rule does not complain that Test-TargetResource does not return Boolean. It complains if we explicitly return different type though, e.g.

return @{}

Warning about deprecated module manifest member should be suppressed.

When a module manifest contains 'ModuleToProcess' the warning

WARNING: The module manifest member 'ModuleToProcess' has been deprecated. Use the 'RootModule' member instead.

shows up.

If the module is targeting PowerShell version 2 then changing 'ModuleToProcess' to 'RootModule' will break the module.

This warning should be suppressed when the module is targeting PowerShell version 2.

Add rules to discover the use of WMI Cmdlets

• Invoke-WmiMethod
• Register-WmiEvent
• Set-WmiInstance

New CIM cmdlets, introduced in Windows PowerShell 3.0, perform the same tasks as the WMI cmdlets. The CIM cmdlets comply with WS-Management (WSMan) standards and with the Common Information Model (CIM) standard, which enables the cmdlets to use the same techniques to manage Windows computers and those running other operating systems.

Add baselining capability

One issue I've seen with adopting code analysis / FxCop on an existing, large code base is that the number of warnings and errors can be overwhelming. Additionally, code may be released and management may frown heavily on changing existing, released code to eliminate CA warnings. Sometimes we can make the case for CA errors. However, the project could benefit from turning on CA for new code.

I believe the PowerShell ScriptAnalyzer could benefit from this approach. Folks have an existing large script base that has been working for years. Most likely they won't want to change working script to eliminate warnings. There should probably be an option to point out errors (or not) when creating the baseline. After the baseline is created, the ScriptAnalyzer would then generate warnings and errors for new script as well as modified script.
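One way to get the baselining behaviour requested above with the existing cmdlets, as an added example that is not part of the issue or of the project's code. The function names (`Get-FindingKey`, `New-AnalyzerBaseline`, `Get-NewFinding`), the baseline file format and the paths in the usage comments are hypothetical; `-Path` is assumed to be a directory.

```powershell
Import-Module PSScriptAnalyzer

# Stable identity for a finding: relative file, rule name and the flagged
# source text. Line numbers are left out on purpose so that unrelated edits
# above an old finding do not make it look new.
function Get-FindingKey {
    param([Parameter(Mandatory)] $Finding, [Parameter(Mandatory)][string] $Root)
    $relative = $Finding.ScriptPath.Substring($Root.Length).TrimStart('\', '/')
    $text = ($Finding.Extent.Text -replace '\s+', ' ').Trim()
    '{0}|{1}|{2}' -f $relative, $Finding.RuleName, $text
}

# Record how many times each finding occurs in the existing code base.
function New-AnalyzerBaseline {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $BaselineFile
    )
    $root = (Resolve-Path -LiteralPath $Path).Path
    $entries = Invoke-ScriptAnalyzer -Path $root -Recurse |
        Group-Object { Get-FindingKey -Finding $_ -Root $root } |
        ForEach-Object { [pscustomobject]@{ Key = $_.Name; Count = $_.Count } }
    ConvertTo-Json -InputObject @($entries) |
        Set-Content -LiteralPath $BaselineFile -Encoding UTF8
}

# Re-run the analyzer and return only findings that exceed the baseline:
# new keys, or more occurrences of a known key than were recorded.
function Get-NewFinding {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $BaselineFile
    )
    $root = (Resolve-Path -LiteralPath $Path).Path
    $remaining = @{}
    $loaded = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    foreach ($entry in $loaded) { $remaining[$entry.Key] = [int]$entry.Count }

    foreach ($finding in Invoke-ScriptAnalyzer -Path $root -Recurse) {
        $key = Get-FindingKey -Finding $finding -Root $root
        if ($remaining[$key] -gt 0) {
            $remaining[$key]--      # accounted for by the baseline
            continue
        }
        $finding
    }
}

# Usage (constructed paths):
#   New-AnalyzerBaseline -Path .\src -BaselineFile .\pssa-baseline.json   # once, on released code
#   $new = Get-NewFinding -Path .\src -BaselineFile .\pssa-baseline.json  # on every change
#   if ($new) { $new | Format-Table RuleName, Severity, ScriptName, Line -AutoSize; throw 'New analyzer findings' }
```

Because the key includes the flagged text, editing a baselined statement makes its finding count as new, which matches the issue's request to report on modified script as well as new script.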
