In this release, we've focused on helping you enforce compliance with security standards and on enhancing the existing functionality.

Security Compliance Pack

In this release, we've introduced the Security Pack to give you instant access to test configurations that help you enforce compliance with security standards and practices. The Security Pack includes the following test configurations:
- CWE 3.1
- CWE SANS Top 25 2011
- Microsoft Secure Coding Guidelines
- OWASP Top 10 2017
- PCI Data Security Standard
- PCI v3.1 Data Security Standard (Server Configuration)
- Security Assessment
- UL 2900

See Built-in Test Configurations for details. Compliance Packs require dedicated license features to be activated. Contact Parasoft Support for more details on Compliance Pack licensing.

Standalone License Server

You can now obtain the Parasoft license from an additional instance of DTP or from a standalone License Server. See Setting the Parasoft License (for desktop) and Setting the License (for automation).

Collecting Coverage for .NET Core Web Applications

dotTEST can now collect coverage for .NET Core web applications deployed on an IIS server; see Application Coverage for Web Applications.
New and Updated Test Configurations

We've added the following built-in test configuration:

The following test configurations that enforce security standards have been moved from the Static Analysis category to the Security Pack (see Security Compliance Pack):
- Microsoft Secure Coding Guidelines
- OWASP Top 10 2017
- PCI Data Security Standard
- PCI v3.1 Data Security Standard (Server Configuration)
- Security Assessment
- UL 2900

The following test configurations have been updated to improve analysis results:
- Critical Rules
- Demo
- Find Memory Issues
- PCI Data Security Standard
- PCI v3.1 Data Security Standard (Server Configuration)
- Recommended .NET Core Rules
- Recommended Rules
- UL 2900

See Built-in Test Configurations for the list of test configurations shipped with dotTEST.

Deprecated Test Configurations

- CWE-SANS Top 25 Most Dangerous Programming Errors – deprecated and replaced with the CWE SANS Top 25 2011 test configuration
- OWASP Top 10 2017 – deprecated and replaced with the new OWASP Top 10 2017 test configuration

The deprecated test configurations are not available by default and can only be applied as user-defined test configurations. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\builtin\Deprecated.

Other Changes

- We've updated VSTest to version 15.9.0; see VSTest Release Notes for details.
- We've enhanced the presentation of Flow Analysis results in the IDE.
- NuGet packages are now automatically restored before the project is built (see Restoring Packages Before the Build).
- We've removed support for Microsoft Team Foundation Server 2008.
New Static Analysis Rules

The following rules have been added:

Rule ID | Rule header
---|---
BD.SECURITY.TDINPUT | Exclude unsanitized user input from format strings
CS.SEC.AUK | Avoid 'unsafe' keyword
EXCEPT.NTSAE | Avoid throwing 'Exception', 'SystemException' or 'ApplicationException'
SEC.ACCA | Avoid using custom cryptographic algorithms
SEC.AIWIL | Avoid indexer wraparound in loops
SEC.APDM | Avoid using potentially dangerous methods
SEC.AUEP | Avoid using elevated privileges
SEC.UOWR | Use OAEP with RSA algorithm encryption
SEC.WEB.UAA | Use authorization attributes on pages and controllers
SEC.XXE.PDTDP | Prevent DTD processing
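To make three of the new rules concrete, the following C# is an added illustration written for this page; it is not Parasoft's rule documentation or sample code. It places the pattern each rule is named for next to a compliant form: SEC.XXE.PDTDP (DTD processing in XmlReader/XmlDocument), SEC.UOWR (RSA without OAEP) and BD.SECURITY.TDINPUT (user input reaching a format string). The class and method names and the sample XML document are constructed, and whether dotTEST reports exactly these lines under exactly these rule IDs is an assumption about the rules, not something the release note states.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Added illustration, not Parasoft code: the flagged pattern for three of the
// new rules next to a form that should satisfy the rule. All names are constructed.
static class NewRuleExamples
{
    // Constructed sample document carrying an external entity (the classic XXE probe).
    const string SampleXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>" +
        "<d>&x;</d>";

    // --- SEC.XXE.PDTDP: Prevent DTD processing ---

    // Violation: XmlDocument is given a resolver, so the DOCTYPE is honoured and
    // the external entity is fetched from the filesystem when &x; is expanded.
    static string ParseXmlUnsafe(string xml)
    {
        var doc = new XmlDocument { XmlResolver = new XmlUrlResolver() };
        doc.LoadXml(xml);
        return doc.DocumentElement.InnerText;
    }

    // Compliant: prohibit DTDs outright and give the reader no resolver.
    // The DOCTYPE above now raises XmlException instead of reading a file.
    static string ParseXmlSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement.InnerText;
        }
    }

    // --- SEC.UOWR: Use OAEP with RSA algorithm encryption ---

    // Violation: PKCS#1 v1.5 padding is malleable and exposed to
    // Bleichenbacher-style padding-oracle attacks.
    static byte[] EncryptUnsafe(RSA rsa, byte[] plaintext) =>
        rsa.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);

    // Compliant: OAEP with a SHA-2 hash.
    static byte[] EncryptSafe(RSA rsa, byte[] plaintext) =>
        rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);

    // --- BD.SECURITY.TDINPUT: Exclude unsanitized user input from format strings ---

    // Violation: the caller's input becomes the format string. A "{0}" in the
    // input pulls in the extra argument; an unbalanced brace throws FormatException.
    static string GreetUnsafe(string userName, string internalToken) =>
        string.Format(userName + " logged in", internalToken);

    // Compliant: user input is only ever a format argument, never the format itself.
    static string GreetSafe(string userName) =>
        string.Format("{0} logged in", userName);

    static void Main()
    {
        try { Console.WriteLine(ParseXmlUnsafe(SampleXml)); }   // file contents, if readable
        catch (Exception e) { Console.WriteLine("unsafe parse: " + e.GetType().Name); }
        try { ParseXmlSafe(SampleXml); }
        catch (XmlException e) { Console.WriteLine("DTD rejected: " + e.Message); }

        using (var rsa = RSA.Create())
        {
            rsa.KeySize = 2048;
            var msg = Encoding.UTF8.GetBytes("secret");
            Console.WriteLine(EncryptUnsafe(rsa, msg).Length);
            Console.WriteLine(EncryptSafe(rsa, msg).Length);
        }

        Console.WriteLine(GreetUnsafe("{0}", "INTERNAL-TOKEN")); // prints the token
        Console.WriteLine(GreetSafe("{0}"));                      // prints "{0} logged in"
    }
}
```

The XML and format-string halves are the ones worth keeping at hand when triaging these rules: both show data flowing into a position that changes parser behaviour, which is why the rule headers talk about processing and about format strings rather than about any particular API.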
Updated Static Analysis Rules

The following static analysis rules and metrics have been updated to improve analysis results:
- BD.SECURITY.TDFNAMES
- BD.SECURITY.TDSQL
- BD.SECURITY.TDXSS
- BRM.HBCM
- BRM.HBCP
- CS.BRM.IDOU
- CS.BRM.IEB
- CS.BRM.UCB
- IFD.DDFODB
- NG.FN.PNCFN
- OPU.CPTEQ
- OPU.REVT
- PB.DNCF
- PB.INOE
- SEC.ACWNS
- METRIC.CLLOCRIF
- METRIC.CLLOCRIT
- METRIC.CLLOCRIM

The following rules are deprecated and have been replaced by the BD.RES.LEAKS rule:
- GC.UFID
- PB.CFSRLV
- SEC.CDBC
- SEC.CDBCLV
- SEC.CDR
- SEC.CDRLV
The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:

You can restore the previous messages and suppressions for the BD category rules; see Why are suppressions of some rules no longer available on DTP after dotTEST was upgraded to a newer version?

Resolved Bugs and FRs

Bug/FR ID | Description
---|---
DT-11992 | CS.BRM.IDOU false positive
DT-12827 | Prerequisite for Roslyn runner should be .NET Framework 4.6 instead of 4.6.2
DT-12826 | SEC.AIWIL, SEC.APDM and SEC.LGE are missing some localization resources
DT-12744 | Rule labels not localized on the DTP test configuration view
DT-12816 | Missing Japanese resource in Test Configurations
DT-12523 | Missing rules in dotTEST PDF rules documentation
DT-12732 | TUG.NTU.AUPNT rule description is not being translated
DT-12510 | Parasoft.Dottest.CodingStandards.Runner crashes reported as Windows Events
DT-12609 | Re-implement rule CS.BRM.IEB
DT-12904 | Problem with combined violations for PB.INOE
DT-8990 | IFD.DDFODB false positive
DT-11744 | CS.BRM.UCB should not detect tasks for embedded, single-lined 'using' statements
DT-12411 | NG.FN.PNCFN custom parameterization
FA-6649 | BD-PB-CC false positive on bit-AND
FA-6552 | FA violations are not being detected for the attached solution