The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.
Built-in Test Configuration | Description |
---|---|
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Recommended .NET Rules | Includes rules that identify high-severity defects in .NET projects. |
Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
Metrics | Computes values for several code metrics. |
Flow Analysis | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
Flow Analysis Aggressive | Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration. |
Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
Critical Rules | Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration. |
Demo | Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases. |
Find Memory Issues | Includes rules for finding memory management issues in the code. |
Find Unimplemented Scenarios | Includes rules for finding unimplemented scenarios in the code. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Check Code Compatibility against .NET [2.0, 3.0, 3.5, 4.0 Client Profile, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8] | Includes a set of test configurations that validates the code’s compatibility with the specified version of .NET framework. |
IEC 62304 (Template) | A template test configuration for applying the IEC 62304 Medical standard. |
Roslyn .NET Analyzers Default Rules | Applies the .NET compiler platform (Roslyn) analyzer rules from the roslyn-analyzer project that have high severity and are enabled by default. See Overview of source code analysis for more information about Roslyn analyzers. |
Security Compliance Pack
This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to dotTEST's rules.
Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.
Built-in Test Configuration | Description |
---|---|
CWE 4.15 | Includes rules that find issues identified in the CWE standard v4.15. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2023 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 2023 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 2022 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list v.2022. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) v.5 provided by Defense Information Systems Agency. |
HIPAA | Includes rules that find issues identified by the HIPAA (Health Insurance Portability and Accountability Act) regulations. |
OWASP API Security Top 10-2023 | Includes rules that find issues identified in OWASP’s API Security Top 10 - 2023. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP API Security Top 10-2019 | Includes rules that find issues identified in OWASP’s API Security Top 10 - 2019. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP ASVS 4.0.3 | Includes rules that enforce the requirements defined in the ASVS (Application Security Verification Standard). |
OWASP Top 10-2021 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2017 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
PCI DSS 4.0 | Includes rules that find issues identified in PCI Data Security Standard version 4.0. |
PCI DSS 3.2 | Includes rules that find issues identified in PCI Data Security Standard version 3.2. |
Security Assessment | General test configuration that finds security issues. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Microsoft Secure Coding Guidelines | Includes rules that enforce Microsoft Secure Coding Guidelines. |
VVSG 2.0 | Includes rules that enforce the specifications and requirements defined in Voluntary Voting System Guidelines 2.0. |
Unit Testing and Collecting Coverage
This group includes test configurations that allow you to run and collect coverage data for unit tests.
Built-in Test Configuration | Description |
---|---|
Run VSTest Tests | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis. |
Run VSTest Tests with Coverage | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis and monitors coverage. |
Calculate Application Coverage | Processes the application coverage data to generate a coverage.xml file. See Application Coverage for Web Applications. |
Collect Static Coverage | Generates the static coverage data necessary for application coverage. See Application Coverage for Web Applications. |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 2023 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-862 | Missing Authorization |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-287 | Improper Authentication |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-269 | Improper Privilege Management |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-863 | Incorrect Authorization |
|
CWE-276 | Incorrect Default Permissions |
|
CWE Weaknesses On the Cusp 2023 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-617 | Reachable Assertion |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
CWE-295 | Improper Certificate Validation |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-639 | Authorization Bypass Through User-Controlled Key |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE Top 25 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-20 | Improper Input Validation |
|
CWE-125 | Out-of-bounds Read |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-287 | Improper Authentication |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-862 | Missing Authorization |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-276 | Incorrect Default Permissions |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE Weaknesses On the Cusp 2022 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-863 | Incorrect Authorization |
|
CWE-269 | Improper Privilege Management |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
|
CWE-668 | Exposure of Resource to Wrong Sphere |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-401 | Missing Release of Memory after Effective Lifetime |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-312 | Cleartext Storage of Sensitive Information |
|
CWE 4.15 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-20 | Improper Input Validation |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-64 | Windows Shortcut Following (.LNK) |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-197 | Numeric Truncation Error |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-201 | Insertion of Sensitive Information Into Sent Data |
|
CWE-209 | Generation of Error Message Containing Sensitive Information |
|
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-256 | Plaintext Storage of a Password |
|
CWE-259 | Use of Hard-coded Password |
|
CWE-260 | Password in Configuration File |
|
CWE-269 | Improper Privilege Management |
|
CWE-287 | Improper Authentication |
|
CWE-294 | Authentication Bypass by Capture-replay |
|
CWE-295 | Improper Certificate Validation |
|
CWE-299 | Improper Check for Certificate Revocation |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-311 | Missing Encryption of Sensitive Data |
|
CWE-316 | Cleartext Storage of Sensitive Information in Memory |
|
CWE-319 | Cleartext Transmission of Sensitive Information |
|
CWE-321 | Use of Hard-coded Cryptographic Key |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Use of Weak Hash |
|
CWE-329 | Generation of Predictable IV with CBC Mode |
|
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-369 | Divide By Zero |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
CWE-412 | Unrestricted Externally Accessible Lock |
|
CWE-416 | Use After Free |
|
CWE-426 | Untrusted Search Path |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-456 | Missing Initialization of a Variable |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-472 | External Control of Assumed-Immutable Web Parameter |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-521 | Weak Password Requirements |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-546 | Suspicious Comment |
|
CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
CWE-617 | Reachable Assertion |
|
CWE-624 | Executable Regular Expression Error |
|
CWE-638 | Not Using Complete Mediation |
|
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
CWE-662 | Improper Synchronization |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-760 | Use of a One-Way Hash with a Predictable Salt |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-771 | Missing Reference to Active Allocated Resource |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-778 | Insufficient Logging |
|
CWE-779 | Logging of Excessive Data |
|
CWE-780 | Use of RSA Algorithm without OAEP |
|
CWE-787 | Out-of-bounds Write |
|
CWE-789 | Memory Allocation with Excessive Size Value |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-827 | Improper Control of Document Type Definition |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-833 | Deadlock |
|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag |
|
CWE-1386 | Insecure Operation on Windows Junction / Mount Point |
|