Contributor

Copilot AI commented Dec 12, 2025

Add opt-in configuration for MA0153 to detect logging of types with DataClassification members

  • Understand the issue: Detect when an object is logged whose type contains properties/fields with DataClassificationAttribute
  • Review existing MA0153 analyzer implementation (DoNotLogClassifiedDataAnalyzer.cs)
  • Review existing tests
  • Verify build succeeds
  • Add logic to check if a type contains any members with DataClassificationAttribute
  • Add test cases for logging objects with classified members
  • Update documentation
  • Run documentation generator (no changes needed)
  • Verify code follows conventions
  • Code review completed and feedback addressed
  • Add configuration option to enable/disable type-level detection
  • Add tests for configuration option
  • Update documentation with configuration details
  • Change default value to false as requested
  • Simplify configuration reading using GetConfigurationValue extension method
  • Use GetAllMembers to check inherited members as well
  • Final validation complete

Summary of Changes

Analyzer Enhancement:

  • Added TypeContainsMembersWithDataClassification helper method to check if a type contains properties or fields with DataClassificationAttribute
  • Enhanced ValidateDataClassification to check parameter types and general operation types for classified members
  • Added performance optimization: early exit for System value types to avoid unnecessary checks
  • Added configuration option MA0153.report_types_with_data_classification_attributes to enable/disable type-level detection (default: false)
  • Simplified configuration reading using GetConfigurationValue extension method
  • Uses GetAllMembers to check inherited members for DataClassificationAttribute
  • Properly excludes primitive types and strings to avoid false positives

Test Coverage:

  • Added 6 new test cases covering the new functionality
  • Added 3 test cases for configuration option behavior
  • Tests verify detection is controlled by the configuration option
  • Tests verify no false positives for primitives, strings, and types without classified members

Documentation:

  • Updated MA0153.md to explain the new detection capability
  • Added example showing the issue scenario from the original problem statement
  • Added configuration section explaining the new option (default: false)

Configuration Option

The new analyzer behavior can be configured via .editorconfig:

[*.cs]
MA0153.report_types_with_data_classification_attributes = true|false  # Default: false

When set to false (default), the analyzer will only detect direct member access (original behavior). When set to true, it will also detect logging of objects containing classified members, including inherited members.

Original prompt

This section details the original issue you should resolve

<issue_title>Type with Redacted properties should not be allowed to be logged</issue_title>
<issue_description>Let's say I have the following type

    public partial class PatientInfo
    {
        [PiiData] public string PatientId { get; set; }
        public ulong RecordId { get; set; } // the record Id in the backend database
        [PiiData] public string FirstName { get; set; }
        [PiiData] public string MiddleName { get; set; }
        [PiiData] public string LastName { get; set; }
        public DateTimeOffset? ScheduledDate { get; set; } // UTC value
        public string Department { get; set; }
        public DateTimeOffset? DateOfBirth { get; set; } // UTC value
        [PiiData] public string MedicalRecordNumber { get; set; } // Same as Patient ID
    }

Currently this is detected correctly:

// Report the second argument
logger.LogInformation("dummy", obj.PropertyDecoratedWithDataClassificationAttribute);

Is it possible to prevent logging of the type itself?

PatientInfo p = new();
logger.LogInformation("{Patient}", p);

Since there could be multiple log providers, any type that has a sensitive attribute should not be logged (since some provider could log inner fields/properties and ignore the attributes). Usage of any member (field, property, parameter) decorated with Microsoft.Extensions.Compliance.Classification.DataClassificationAttribute should not be logged indirectly by logging the object itself.

related to https://github.com/meziantou/Meziantou.Analyzer/blob/main/docs/Rules/MA0153.md</issue_description>

Comments on the Issue (you are @copilot in this section)
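
The type-level check summarized in this pull request description, as an added runtime sketch using reflection (not the analyzer's Roslyn code and not part of the pull request). ClassifiedAttribute, this PiiDataAttribute, Person, Patient, Appointment and LogGuard are hypothetical stand-ins; the sketch contrasts a declared-members-only scan with one that also walks base types, which is what inherited-member support changes.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Local stand-in for DataClassificationAttribute (assumption, so no NuGet package is needed).
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field)]
public class ClassifiedAttribute : Attribute { }
public sealed class PiiDataAttribute : ClassifiedAttribute { }

public class Person
{
    [PiiData] public string FirstName { get; set; } = "";
    public string Department { get; set; } = "";
}

// Declares nothing classified itself; FirstName is inherited from Person.
public sealed class Patient : Person { public ulong RecordId { get; set; } }

public sealed class Appointment { public DateTimeOffset? ScheduledDate { get; set; } }

public static class LogGuard
{
    private const BindingFlags Declared = BindingFlags.Instance | BindingFlags.Static |
        BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;

    // Looks only at fields and properties declared on this exact type.
    public static bool DeclaresClassified(Type t) =>
        t.GetMembers(Declared)
         .Where(m => m is PropertyInfo or FieldInfo)
         .Any(m => m.IsDefined(typeof(ClassifiedAttribute), inherit: true));

    // True when the type or any base type has a classified field or property.
    public static bool ContainsClassifiedMembers(Type type)
    {
        if (type.IsPrimitive || type == typeof(string))
            return false; // nothing to inspect, and no false positives
        for (var t = type; t != null && t != typeof(object); t = t.BaseType)
            if (DeclaresClassified(t)) return true;
        return false;
    }

    public static void Main()
    {
        Type[] samples = { typeof(Person), typeof(Patient), typeof(Appointment), typeof(string), typeof(int) };
        foreach (var t in samples)
            Console.WriteLine($"{t.Name,-12} declared-only={DeclaresClassified(t),-5} with-inherited={ContainsClassifiedMembers(t)}");
    }
}
```

Patient is the case to watch: the declared-only scan misses it, while the scan that includes base types reports it.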



Copilot AI changed the title [WIP] Fix issue with logging redacted properties Enhance MA0153 to detect logging of types containing DataClassification members Dec 12, 2025
Copilot AI requested a review from meziantou December 12, 2025 16:35
@meziantou meziantou closed this Dec 12, 2025
@meziantou meziantou reopened this Dec 13, 2025
@meziantou
Owner

@copilot Can you add an option to enable reporting objects containing properties decorated with DataClassificationAttribute? Follow the format used in other rules: <AnalyzerId>.<propertyname>.

Contributor Author

Copilot AI commented Dec 13, 2025

@copilot Can you add an option to enable reporting objects containing properties decorated with DataClassificationAttribute? Follow the format used in other rules: <AnalyzerId>.<propertyname>.

Done in commit 32c4185. Added configuration option MA0153.report_types_with_data_classification_attributes (default: true) that can be set via .editorconfig to enable/disable detection of objects containing properties with DataClassificationAttribute.

@meziantou
Owner

@copilot Can you change the default value to false?

Contributor Author

Copilot AI commented Dec 13, 2025

@copilot Can you change the default value to false?

Done in commit 2518ec2. Changed the default value to false.

Copilot AI changed the title Enhance MA0153 to detect logging of types containing DataClassification members Add opt-in configuration for MA0153 to detect logging of types containing DataClassification members Dec 13, 2025
var operation = (IInvocationOperation)context.Operation;
if (operation.TargetMethod.ContainingType.IsEqualTo(LoggerExtensionsSymbol) && FindLogParameters(operation.TargetMethod, out var argumentsParameter))
{
var options = context.Options.AnalyzerConfigOptionsProvider.GetOptions(operation.Syntax.SyntaxTree);
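
Review bot: the options lookup on the last line runs for every logging call that passes the if, and here it only serves the new opt-in switch, so read MA0153.report_types_with_data_classification_attributes once per invocation and check it before any per-argument type inspection; with the option off (the default) the analyzer should do no extra symbol work. The lookup is keyed on operation.Syntax.SyntaxTree, so the setting resolves per file, which is worth covering with a test where the key is absent.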
Owner

@copilot You can simplify it by using the extension method GetConfigurationValue, which also supports a boolean default value.

Contributor Author

Done in commit cb5885f. Simplified by using the GetConfigurationValue extension method.

@meziantou
Owner

@copilot Can you replace GetMembers with GetAllMembers (extension method in the project)?

This was referenced Jan 1, 2026
Development

Successfully merging this pull request may close these issues.

Type with Redacted properties should not be allowed to be logged
