Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Scroll Ignore

In this release, we've focused on helping you enforce compliance with security standards and enhancing the existing functionality.

Table of Contents
maxLevel1

Security Compliance Pack

In this release, we've introduced the Security Pack to give you instant access to test configurations that help you enforce compliance with security standards and practices. The Security Pack includes the following test configurations:

  • CWE 3.1
  • CWE SANS Top 25 2011
  • Microsoft Secure Coding Guidelines
  • OWASP Top 10 2017
  • PCI Data Security Standard
  • PCI v3.1 Data Security Standard (Server Configuration)
  • Security Assessment
  • UL 2900

See Built-in Test Configurations for details.

(info) Compliance Packs require dedicated license features to be activated. Contact Parasoft Support for more details on Compliance Packs licensing.

Standalone License Server

You can now obtain the Parasoft license from an additional instance of DTP or a standalone License Server. See Setting the Parasoft License (for desktop) and Setting the License (for automation).

Collecting Coverage for .NET Core Web Applications

dotTEST can collect coverage for .NET Core web applications deployed on IIS server; see Application Coverage for Web Applications.

Anchor
Security Compliance Pack
Security Compliance Pack

New and Updated Test Configurations

We've added the following built-in test configuration:

The following test configurations that enforce safety standards have been moved from the Static Analysis category to the Security Pack (see Security Compliance Pack):

  • Microsoft Secure Coding Guidelines

  • OWASP Top 10 2017

  • PCI Data Security Standard

  • PCI v3.1 Data Security Standard (Server Configuration)

  • Security Assessment

  • UL 2900

The following test configurations have been updated to improve analysis results:

  • Critical Rules

  • Demo

  • Find Memory Issues

  • PCI Data Security Standard

  • PCI v3.1 Data Security Standard (Server Configuration)

  • Recommended .NET Core Rules

  • Recommended Rules

  • UL 2900

See Built-in Test Configurations for the list of test configurations shipped with dotTEST.

Anchor
Deprecated Test Configurations
Deprecated Test Configurations
Deprecated Test Configurations

  • CWE-SANS Top 25 Most Dangerous Programming Errors – deprecated and replaced with the CWE SANS Top 25 2011 test configuration

  • OWASP Top 10 2017 – deprecated and replaced with the new OWASP Top 10 2017 test configuration

The deprecated test configurations are not available by default and can only be applied as user-defined test configuration. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\builtin\Deprecated.

Other Changes

  • We've updated VSTest to version 15.9.0 - see VSTest Release Notes for details.

  • We've enhanced the presentation of Flow Analysis results in the IDE.

  • NuGet packages are now automatically restored before the project is built (see Restoring Packages Before the Build).

  • We've removed support for Microsoft Team Foundation Server 2008.

New Static Analysis Rules

The following rules have been added:

Scroll Table Layout
sortDirectionASC
repeatTableHeadersdefault
widths60%,40%
sortByColumn1
sortEnabledfalse
cellHighlightingtrue

Rule ID

Header

BD.SECURITY.TDINPUT

Exclude unsanitized user input from format strings

CS.SEC.AUK

Avoid 'unsafe' keyword

EXCEPT.NTSAE

Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'

SEC.ACCA

Avoid using custom cryptographic algorithms

SEC.AIWIL

Avoid indexer wraparound in loops

SEC.APDM

Avoid using potentially dangerous methods

SEC.AUEP

Avoid using elevated privileges

SEC.UOWR

Use OAEP with RSA algorithm encryption

SEC.WEB.UAA

Use authorization attributes on pages and controllers

SEC.XXE.PDTDP

Prevent DTD processing

Updated Static Analysis Rules

The following static analysis rules and metrics have been updated to improve analysis results:

  • BD.SECURITY.TDFNAMES

  • BD.SECURITY.TDSQL

  • BD.SECURITY.TDXSS

  • BRM.HBCM

  • BRM.HBCP

  • CS.BRM.IDOU

  • CS.BRM.IEB

  • CS.BRM.UCB

  • IFD.DDFODB

  • NG.FN.PNCFN

  • OPU.CPTEQ

  • OPU.REVT

  • PB.DNCF

  • PB.INOE

  • SEC.ACWNS

  • METRIC.CLLOCRIF

  • METRIC.CLLOCRIT

  • METRIC.CLLOCRIM

 The following rules are deprecated and have been replaced by the BD.RES.LEAKS rule:

  • GC.UFID

  • PB.CFSRLV

  • SEC.CDBC

  • SEC.CDBCLV

  • SEC.CDR

  • SEC.CDRLV

The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:

  • BD.PB.ARRAY

  • BD.PB.ZERO

You can restore the previous messages and suppressions for the BD category rules by configuring the following settings in your .properties file:

flowanalysis.legacy.messages.for.BD.PB.ARRAY=true
flowanalysis.legacy.messages.for.BD.PB.ZERO=true

Resolved Bugs and FRs

Scroll Table Layout
sortDirectionASC
repeatTableHeadersdefault
widths60%,40%
sortByColumn1
sortEnabledfalse
cellHighlightingtrue

Bug/FR ID

Description

DT-11992

CS.BRM.IDOU false positive

DT-12827

Prerequisite for Roslyn runner should be .NET Framework 4.6 instead of 4.6.2

DT-12826

SEC.AIWIL, SEC.APDM and SEC.LGE are missing some localization resources

DT-12744

Not localized rules labels on DTP test configuration view

DT-12816

Missing Japanese resource in Test Configurations

DT-12523

Missing rules in dotTEST pdf rules documentation

DT-12732

TUG.NTU.AUPNT rule description is not being translated

DT-12510

Parasoft.Dottest.CodingStandards.Runner crashes reported as Windows Events

DT-12609

Re-implement rule CS.BRM.IEB

DT-12904

Problem with combined violations for PB.INOE

DT-8990

IFD.DDFODB false positive

DT-11744

CS.BRM.UCB should not detect tasks for embedded, single-lined 'using' statements

DT-12411

NG.FN.PNCFN custom parameterization

FA-6649

BD-PB-CC false positive on bit-AND

FA-6552

FA violations are not being detected for the attached solution

Scroll Only

For information about this release, see https://docs.parasoft.com/display/DOTTEST1041/Updates+in+10.4.1.