Page tree

Skip to end of metadata
Go to start of metadata

This release includes improvements to our security compliance solution and enhancements to existing functionality.

Support for Environments

We've added support for:

  • Windows Server 2019

The following operating systems are no longer supported:

  • Windows 8
  • Windows Server 2008

New and Updated Test Configurations

We've extended support for the CWE SANS Top 25 2011 standard to include On the Cusp guidelines. The following test configuration now ships in the built-in Security Compliance Pack test configurations category:

  • CWE SANS Top 25 2011+On the Cusp

We've extended the following test configurations with new or improved rules to enhance support for security standards:

  • CWE 3.1 → extended and renamed as CWE 3.2
  • OWASP Top 10 2017 → extended and renamed as OWASP Top 10-2017
  • PCI Data Security Standard → extended and renamed as PCI DSS 3.2
  • CWE SANS Top 25 2011 extended
  • UL 2900 → replaced by a new UL 2900 test configuration that includes the rules from the CWE SANS Top 25 2011+On the Cusp and OWASP Top 10-2017 test configurations

The following test configurations have been updated to improve analysis results:

  • Calculate Application Coverage
  • Recommended .NET Core Rules

See Built-in Test Configurations for the list of test configurations shipped with dotTEST.

Deprecated Test Configurations

  • PCI Data Security Standard - deprecated and replaced with the PCI DSS 3.2 test configuration.

  • UL 2900 – deprecated and replaced with the new UL 2900 test configuration that includes CWE SANS Top 25 2011 on the Cusp and OWASP Top 10 2017 rules.

The deprecated test configurations are not available by default and can only be applied as user-defined test configuration. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\Deprecated.

Flow Analysis Improvements

  • You can now specify the functions you always want to be analyzed when encountered on the execution path; see Configuring Flow Analysis for details.
  • CS files generated from website project files, such as .aspx or .cshtml files, are now included in the analysis scope.
  • We've added support for XUnit assertions.

Other Improvements

  • We've added the -property  option that allows you to specify configuration settings directly in the command line; see Command Line Options.
  • We've optimized dotTEST to improve performance when running analysis from the IDE or collecting coverage information.

New Static Analysis Rules

The following rules have been added:

Rule ID

Header

BD.PB.CHECKRET

Consistently check the returned value of non-void functions

BD.PB.INTOVERF

Avoid integer overflows

BD.PB.NOTEXPLINIT

Avoid use before explicit initialization

BD.SECURITY.AUTH

Prevent untrusted inputs that may affect authorization

BD.SECURITY.SALT

Ensure that a random salt is used

BD.SECURITY.TDRFL

Protect against Reflection injection

BD.SECURITY.USXRS

Use object with secure XmlResolver property

CT.ECLTS

Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results

CT.ECLSII

Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation

PB.AIHUE

Avoid using improper HTML or URL encoding in HttpResponse methods

SEC.IREC

Do not execute external code without integrity check

SEC.WEB.AAM

Add authorization services to MVC Core

SEC.WEB.IIPHEU

Do not rely on reverse DNS resolution for security decisions

SEC.WEB.ISE

Ensure sufficient session expiration

SEC.WEB.LUAFLA

Lock out the user after failed login attempts

SEC.WEB.UAAMC

Ensure that authorization attributes match the controller

SEC.WEB.VAFT

Use anti-forgery attributes on POST methods

Updated Static Analysis Rules

The following static analysis rules have been updated to improve analysis results:

  • BD.SECURITY.TDRESP
  • BD.SECURITY.TDSQL
  • BRM.CMT.TSC
  • CS.PB.CNFA
  • CS.PB.USC.UC
  • NG.CAPSTY.PASCAL.ENUMTYPE
  • NG.CAPSTY.PASCAL.STRUCT
  • PB.EMPTYMETHODS
  • SEC.LGE
  • TUG.AU.UFABFE

The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:

  • CS.PB.USC.UC

Resolved Bugs and FRs

Bug/FR ID

Description

DT-9402

Option -exclude is not accounted when running "Calculate Application Coverage" configuration

DT-13026

SEC.LGE potential false negative

DT-13093

SymbolsParser fails on complex lambda expressed methods

DT-13262

Avoid unreachable code CS.PB.USC.UC false positive using "when" condition in "catch"

DT-12353

CS.PB.USC.UC false positive on ?? operator

DT-13043

CS.PB.USC.UC false positive

DT-11051

Rule CS.PB.USC.UC showing a false positive

DT-10958

Avoid unreachable code CS.PB.USC.UC false positive

DT-13217

Do not add to scope extra files from unit testing violation stack trace

DT-13160

False Negative TUG.AU.UFABFE under Japanese environment

DT-13056

Coverage MAX_COVERABLE_LINES limit is not sufficient while testing huge projects

DT-12608

Re-implement rule CS.PB.CNFA

DT-12657

False negatives for capitalization rules (NG.CAPSTY.PASCAL.ENUMTYPE, NG.CAPSTY.PASCAL.STRUCT)

DT-11571

BRM.CMT.TSC false positive

FA-6416BD.PB.VOVR bogus violation when variable is used in initializer / linq
FA-6786BD.RES.LEAKS violations related to TextWriter/TextReader not found on solution using mix of .NET Framework and .NET Core projects
FA-6805Problems with determining methods possibly throwing exceptions (Dllimport, extern method in .NET)
FA-6822BD.PB.VOVR false positive when variable is used in list initializer in object initializer
XT-36443Tech support settings from dottestcli.properties have priority over UI settings.
XT-36549

Can user name set inside the IDE override system user?

  • No labels