This release includes improvements to our security compliance solution and enhancements to existing functionality.
Support for Environments
We've added support for:
- Windows Server 2019
The following operating systems are no longer supported:
- Windows 8
- Windows Server 2008
New and Updated Test Configurations
We've extended support for the CWE SANS Top 25 2011 standard to include On the Cusp guidelines. The following test configuration now ships in the built-in Security Compliance Pack test configurations category:
- CWE SANS Top 25 2011+On the Cusp
We've extended the following test configurations with new or improved rules to enhance support for security standards:
- CWE 3.1 → extended and renamed as CWE 3.2
- OWASP Top 10 2017 → extended and renamed as OWASP Top 10-2017
- PCI Data Security Standard → extended and renamed as PCI DSS 3.2
- CWE SANS Top 25 2011 → extended
- UL 2900 → replaced by a new UL 2900 test configuration that includes the rules from the CWE SANS Top 25 2011+On the Cusp and OWASP Top 10-2017 test configurations
The following test configurations have been updated to improve analysis results:
- Calculate Application Coverage
- Recommended .NET Core Rules
See Built-in Test Configurations for the list of test configurations shipped with dotTEST.
Deprecated Test Configurations
- PCI Data Security Standard - deprecated and replaced with the PCI DSS 3.2 test configuration.
- UL 2900 - deprecated and replaced with the new UL 2900 test configuration that includes the rules from the CWE SANS Top 25 2011+On the Cusp and OWASP Top 10-2017 test configurations.
The deprecated test configurations are not available by default and can only be applied as user-defined test configurations. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\Deprecated.
Flow Analysis Improvements
- You can now specify the functions you always want to be analyzed when encountered on the execution path; see Configuring Flow Analysis for details.
- CS files generated from website project files, such as .aspx or .cshtml files, are now included in the analysis scope.
- We've added support for XUnit assertions.
Other Improvements
- We've added the -property option that allows you to specify configuration settings directly in the command line; see Command Line Options.
- We've optimized dotTEST to improve performance when running analysis from the IDE or collecting coverage information.
New Static Analysis Rules
The following rules have been added:
Rule ID | Header |
---|---|
BD.PB.CHECKRET | Consistently check the returned value of non-void functions |
BD.PB.INTOVERF | Avoid integer overflows |
BD.PB.NOTEXPLINIT | Avoid use before explicit initialization |
BD.SECURITY.AUTH | Prevent untrusted inputs that may affect authorization |
BD.SECURITY.SALT | Ensure that a random salt is used |
BD.SECURITY.TDRFL | Protect against Reflection injection |
BD.SECURITY.USXRS | Use object with secure XmlResolver property |
CT.ECLTS | Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results |
CT.ECLSII | Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation |
PB.AIHUE | Avoid using improper HTML or URL encoding in HttpResponse methods |
SEC.IREC | Do not execute external code without integrity check |
SEC.WEB.AAM | Add authorization services to MVC Core |
SEC.WEB.IIPHEU | Do not rely on reverse DNS resolution for security decisions |
SEC.WEB.ISE | Ensure sufficient session expiration |
SEC.WEB.LUAFLA | Lock out the user after failed login attempts |
SEC.WEB.UAAMC | Ensure that authorization attributes match the controller |
SEC.WEB.VAFT | Use anti-forgery attributes on POST methods |
Updated Static Analysis Rules
The following static analysis rules have been updated to improve analysis results:
- BD.SECURITY.TDRESP
- BD.SECURITY.TDSQL
- BRM.CMT.TSC
- CS.PB.CNFA
- CS.PB.USC.UC
- NG.CAPSTY.PASCAL.ENUMTYPE
- NG.CAPSTY.PASCAL.STRUCT
- PB.EMPTYMETHODS
- SEC.LGE
- TUG.AU.UFABFE
The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:
- CS.PB.USC.UC
Resolved Bugs and FRs
Bug/FR ID | Description |
---|---|
DT-9402 | Option -exclude is not accounted for when running the "Calculate Application Coverage" configuration |
DT-13026 | SEC.LGE potential false negative |
DT-13093 | SymbolsParser fails on complex lambda expressed methods |
DT-13262 | Avoid unreachable code CS.PB.USC.UC false positive using "when" condition in "catch" |
DT-12353 | CS.PB.USC.UC false positive on ?? operator |
DT-13043 | CS.PB.USC.UC false positive |
DT-11051 | Rule CS.PB.USC.UC showing a false positive |
DT-10958 | Avoid unreachable code CS.PB.USC.UC false positive |
DT-13217 | Do not add to scope extra files from unit testing violation stack trace |
DT-13160 | False Negative TUG.AU.UFABFE under Japanese environment |
DT-13056 | Coverage MAX_COVERABLE_LINES limit is not sufficient while testing huge projects |
DT-12608 | Re-implement rule CS.PB.CNFA |
DT-12657 | False negatives for capitalization rules (NG.CAPSTY.PASCAL.ENUMTYPE, NG.CAPSTY.PASCAL.STRUCT) |
DT-11571 | BRM.CMT.TSC false positive |
FA-6416 | BD.PB.VOVR bogus violation when variable is used in initializer / linq |
FA-6786 | BD.RES.LEAKS violations related to TextWriter/TextReader not found on solution using mix of .NET Framework and .NET Core projects |
FA-6805 | Problems with determining methods possibly throwing exceptions (Dllimport, extern method in .NET) |
FA-6822 | BD.PB.VOVR false positive when variable is used in list initializer in object initializer |
XT-36443 | Tech support settings from dottestcli.properties have priority over UI settings. |
XT-36549 | Can user name set inside the IDE override system user? |