ReflectionTypeLoadException on startup

[kbilsted]

Environment:

• Version: 5.6.3
• Branch:
  • vs2019
  • vs2017
  • vs2015
• Installation/Running method:
  • Visual Studio Extension
  • NuGet package
  • Standalone tool
    • DotNet Core Tool from NuGet
    • security-scan4x.zip from GitHub Release section
• Operating System:
  • Windows
  • Linux
  • Mac

Describe the bug
Downloading and unzipping the scan4x 24.6.2022 from GH. Checking a simple C# application and i get a stack trace.

Repro

• check out the code https://github.com/kbilsted/KeyboordUsage
• run scan4x

PS C:\Users\kbils\Desktop\security-scan4x> .\security-scan.exe C:\src\KeyboordUsage\

╔═╗┌─┐┌─┐┬ ┬┬─┐┬┌┬┐┬ ┬ ╔═╗┌─┐┌┬┐┌─┐ ╔═╗┌─┐┌─┐┌┐┌
╚═╗├┤ │ │ │├┬┘│ │ └┬┘ ║ │ │ ││├┤ ╚═╗│ ├─┤│││
╚═╝└─┘└─┘└─┘┴└─┴ ┴ ┴ ╚═╝└─┘─┴┘└─┘ ╚═╝└─┘┴ ┴┘└┘

.NET tool by Jaroslav Lobačevski v5.6.3

Unhandled Exception: System.Reflection.ReflectionTypeLoadException: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.
at System.Reflection.RuntimeModule.GetTypes(RuntimeModule module)
at System.Reflection.RuntimeAssembly.get_DefinedTypes()
at System.Composition.Hosting.ContainerConfiguration.<>c.b__16_0(Assembly a)
at System.Linq.Enumerable.d__172.MoveNext() at System.Composition.TypedParts.TypedPartExportDescriptorProvider..ctor(IEnumerable1 types, AttributedModelProvider attributeContext)
at System.Composition.Hosting.ContainerConfiguration.CreateContainer()
at Microsoft.CodeAnalysis.Host.Mef.MefHostServices.Create(IEnumerable`1 assemblies)
at Microsoft.CodeAnalysis.Host.Mef.MSBuildMefHostServices.get_DefaultServices()
at SecurityCodeScan.Tool.Program.

d__0.MoveNext() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan.Tool\Program.cs:line 276
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at SecurityCodeScan.Tool.Program.(String[] args)

[JarLob]

Hi, I can reproduce it, but it is not clear to me why exactly it doesn't find the DisposeAsync:

	Name	Value	Type
▶	[0]	{"Method 'DisposeAsync' in type 'StreamingProgressDisposer' from assembly 'Microsoft.CodeAnalysis.Workspaces, Version=3.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' does not have an implementation.":"StreamingProgressDisposer"}	System.Exception {System.TypeLoadException}

However I must say I use the security-scan4x.zip from GitHub Release section only when DotNet Core Tool from NuGet fails as a backup. In this case the .net core tool successfully loads the solution.

As a side note Security Code Scan may not be able to find vulnerabilities in your project because you need to provide custom taint sources (untrusted input) according to your threat model.

[kbilsted]

The only "odd" thing I do is scan a .net framework project. I don't provide any custom stuff only do a .\security-scan.exe C:\src\KeyboordUsage\