Share via


CA2137: Transparent methods must contain only verifiable IL

Applies to: yesVisual Studio noVisual Studio for Mac

Note

This article applies to Visual Studio 2017. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here

Item Value
RuleId CA2137
Category Microsoft.Security
Breaking change Breaking

Cause

A method contains unverifiable code or returns a type by reference.

Note

This rule has been deprecated. For more information, see Deprecated rules.

Rule description

This rule fires on attempts by security transparent code to execute unverifiable MSIL (Microsoft Intermediate Language). However, the rule does not contain a full IL verifier, and instead uses heuristics to catch most violations of MSIL verification.

To be certain that your code contains only verifiable MSIL, run Peverify.exe (PEVerify Tool) on your assembly. Run PEVerify with the /transparent option which limits the output to only unverifiable transparent methods which would cause an error. If the /transparent option is not used, PEVerify also verifies critical methods that are allowed to contain unverifiable code.

How to fix violations

To fix a violation of this rule, mark the method with the SecurityCriticalAttribute or SecuritySafeCriticalAttribute attribute, or remove the unverifiable code.

When to suppress warnings

Do not suppress a warning from this rule.

Example

The method in this example uses unverifiable code and should be marked with the SecurityCriticalAttribute or SecuritySafeCriticalAttribute attribute.

using System;
using System.Security;


namespace TransparencyWarningsDemo
{

    public class UnverifiableMethodClass
    {
        // CA2137 violation - transparent method with unverifiable code.  This method should become critical or
        // safe critical 
    //    public unsafe byte[] UnverifiableMethod(int length)
    //    {
    //        byte[] bytes = new byte[length];
    //        fixed (byte* pb = bytes)
    //        {
    //            *pb = (byte)length;
    //        }

    //        return bytes;
    //    }
    }

}