This release includes improvements to our security compliance solution and enhancements to existing functionality.
Support for Environments
We've added support for:
- Windows Server 2019
The following operating systems are no longer supported:
- Windows 8
- Windows Server 2008
New and Updated Test Configurations
We've extended support for the CWE SANS Top 25 2011 standard to include On the Cusp guidelines. The following test configuration now ships in the built-in Security Compliance Pack test configurations category:
- CWE SANS Top 25 2011+On the Cusp
We've extended the following test configurations with new or improved rules to enhance support for security standards:
- CWE 3.1 → extended and renamed as CWE 3.2
- OWASP Top 10 2017 → extended and renamed as OWASP Top 10-2017
- PCI Data Security Standard → extended and renamed as PCI DSS 3.2
- CWE SANS Top 25 2011 → extended
- UL 2900 → replaced by a new UL 2900 test configuration that includes the rules from the CWE SANS Top 25 2011+On the Cusp and OWASP Top 10-2017 test configurations
The following test configurations have been updated to improve analysis results:
- Calculate Application Coverage
- Recommended .NET Core Rules
See Built-in Test Configurations for the list of test configurations shipped with dotTEST.
Deprecated Test Configurations
PCI Data Security Standard - deprecated and replaced with the PCI DSS 3.2 test configuration.
- UL 2900 – deprecated and replaced with the new UL 2900 test configuration that includes CWE SANS Top 25 2011 on the Cusp and OWASP Top 10 2017 rules.
The deprecated test configurations are not available by default and can only be applied as user-defined test configuration. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\Deprecated.
Flow Analysis Improvements
- You can now specify the functions you always want to be analyzed when encountered on the execution path; see Configuring Flow Analysis for details.
- CS files generated from website project files, such as .aspx or .cshtml files, are now included in the analysis scope.
- We've added support for XUnit assertions.
- We've added the
-propertyoption that allows you to specify configuration settings directly in the command line; see Command Line Options.
- We've optimized dotTEST to improve performance when running analysis from the IDE or collecting coverage information.
New Static Analysis Rules
The following rules have been added:
Consistently check the returned value of non-void functions
Avoid integer overflows
Avoid use before explicit initialization
Prevent untrusted inputs that may affect authorization
Ensure that a random salt is used
Protect against Reflection injection
Use object with secure XmlResolver property
Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results
Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation
Avoid using improper HTML or URL encoding in HttpResponse methods
Do not execute external code without integrity check
Add authorization services to MVC Core
Do not rely on reverse DNS resolution for security decisions
Ensure sufficient session expiration
Lock out the user after failed login attempts
Ensure that authorization attributes match the controller
Use anti-forgery attributes on POST methods
Updated Static Analysis Rules
The following static analysis rules have been updated to improve analysis results:
The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:
Resolved Bugs and FRs
Option -exclude is not accounted when running "Calculate Application Coverage" configuration
SEC.LGE potential false negative
SymbolsParser fails on complex lambda expressed methods
Avoid unreachable code CS.PB.USC.UC false positive using "when" condition in "catch"
CS.PB.USC.UC false positive on ?? operator
CS.PB.USC.UC false positive
Rule CS.PB.USC.UC showing a false positive
Avoid unreachable code CS.PB.USC.UC false positive
Do not add to scope extra files from unit testing violation stack trace
False Negative TUG.AU.UFABFE under Japanese environment
Coverage MAX_COVERABLE_LINES limit is not sufficient while testing huge projects
Re-implement rule CS.PB.CNFA
False negatives for capitalization rules (NG.CAPSTY.PASCAL.ENUMTYPE, NG.CAPSTY.PASCAL.STRUCT)
BRM.CMT.TSC false positive
|BD.PB.VOVR bogus violation when variable is used in initializer / linq
|BD.RES.LEAKS violations related to TextWriter/TextReader not found on solution using mix of .NET Framework and .NET Core projects
|Problems with determining methods possibly throwing exceptions (Dllimport, extern method in .NET)
|BD.PB.VOVR false positive when variable is used in list initializer in object initializer
|Tech support settings from dottestcli.properties have priority over UI settings.
Can user name set inside the IDE override system user?