This release includes a wide range of new features, as well as enhancements to the existing functionality:
Customizing Rules and Test Configurations on the Desktop
This release features significant improvements for customizing static analysis on your desktop. We've introduced a browser-based interface that allows you to locally modify and save code analysis rules and test configurations to meet your organization’s development policy. See Customizing Static Analysis Rules and Creating Custom Test Configurations.
Additionally, you can now configure dotTEST to apply the rule mapping stored locally or on DTP.
Support for Microsoft Code Analysis
You can now run Microsoft Code Analysis rules using the standard dotTEST static analysis workflow and reporting capabilities. See Analysis Types.
Support for .NET Core
We've added support for performing analysis of .NET Core projects.
Integration with VSTest
dotTEST now ships with support for VSTest to execute NUnit, MS Test, and xUnit tests in a single run and speed the testing process. The built-in test configurations allow you to run your tests with or without collecting coverage information. See Running Unit Tests with VSTest.
New and Updated Test Configurations
We've added the following built-in test configurations:
- UL 2900
- OWASP Top 10 2017
The outdated OWASP Top 10 Security Vulnerabilities and NIST SAMATE test configurations have been removed.
Other Changes
- DTP 5.4.0 is required to leverage DTP capabilities and workflows.
- Findings marked with the Do Not Show priority on your DTP no longer simulate suppressions and should be converted into true suppressions; see DTP 5.4.0 Release Notes.
- The paradigm for merging coverage information has been improved, which may increase your coverage results.
New Code Analysis Rules
The following rules have been added:
| Rule ID | Header |
|---|---|
| BD.PB.POVR | Avoid overwriting method parameters before each use |
| BD.TRS.INSTLOCK | Do not use an instance lock to protect shared static data |
Updated Code Analysis Rules
- BD.EXCEPT.NR
- BD.EXCEPT.AN
- BD.PB.STRNULL
- BD.PB.VOVR
- BD.RES.LEAKS
- BD.TRS.ORDER
- BRM.CMT.MSC
- CS.PB.DEFSWITCH
- EXCEPT.NCSAE
- IFD.DCDSF
- IFD.DDFODB
- PB.STRIDX
- PB.STATICFLD
- SEC.LGE
Resolved Bugs and FRs
| Bug/FR ID | Description |
|---|---|
| FA-5005 | BD.PB.VOVR parameter reportOnPrimitivesDeclarations does not work in dotTest |
| FA-5994 | Cannot define constructor as null not accepting method for BD.EXCEPT.NP |
| FA-6122 | Include information about dangerous methods in documentation of BD.SECURITY.TD* rules in dotTEST |
| FA-6140 | Not all paths are counted when reporting flowanalysis.output.performance.info for some of the rules. |
| FA-6378 | BD.PB.DEREF False Positive |
| DT-9222 | Metrics not scanning on a XAML file with DTP Engine for .NET version 10.3.1 |
| DT-11083 | Line filtering in test scope is not working in Engine VS plugin |
| DT-11122 | PB.STRIDX potential false positive |
| DT-11128 | Request to have "dottest.custom.rule.dir" setting supported |
DT-11246 | IFD.DCDSF potential false positive |
| DT-11247 | CS.PB.DEFSWITCH potential false positive |
DT-11319 | dotTEST analysis results differ between runs |
| DT-11431 | PB.STATICFLD false positive |
| DT-11771 | dotTEST Execution Hanging - "Checking License Features" |
| DT-11787 | Performance drop due to Old Standards Checker communication exceptions |
| XT-35411 | Spaces in CVS reports starting from second row |