In this release, we've focused on helping you enforce compliance with security standards and enhancing the existing functionality.
Security Compliance Pack
In this release, we've introduced the Security Pack to give you instant access to test configurations that help you enforce compliance with security standards and practices. The Security Pack includes the following test configurations:
- CWE 3.1
- CWE SANS Top 25 2011
- Microsoft Secure Coding Guidelines
- OWASP Top 10 2017
- PCI Data Security Standard
- PCI v3.1 Data Security Standard (Server Configuration)
- Security Assessment
- UL 2900
See Built-in Test Configurations for details.
Compliance Packs require dedicated license features to be activated. Contact Parasoft Support for more details on Compliance Packs licensing.
Standalone License Server
You can now obtain the Parasoft license from an additional instance of DTP or a standalone License Server. See Setting the Parasoft License (for desktop) and Setting the License (for automation).
Collecting Coverage for .NET Core Web Applications
dotTEST can collect coverage for .NET Core web applications deployed on IIS server; see Application Coverage for Web Applications.
New and Updated Test Configurations
We've added the following built-in test configuration:
CWE 3.1
CWE SANS Top 25 2011
OWASP Top 10 2017 (see Deprecated Test Configurations)
The following test configurations that enforce safety standards have been moved from the Static Analysis category to the Security Pack (see Security Compliance Pack):
Microsoft Secure Coding Guidelines
OWASP Top 10 2017
PCI Data Security Standard
PCI v3.1 Data Security Standard (Server Configuration)
Security Assessment
UL 2900
The following test configurations have been updated to improve analysis results:
Critical Rules
Demo
Find Memory Issues
PCI Data Security Standard
PCI v3.1 Data Security Standard (Server Configuration)
Recommended .NET Core Rules
Recommended Rules
UL 2900
See Built-in Test Configurations for the list of test configurations shipped with dotTEST.
Deprecated Test Configurations
CWE-SANS Top 25 Most Dangerous Programming Errors – deprecated and replaced with the CWE SANS Top 25 2011 test configuration
OWASP Top 10 2017 – deprecated and replaced with the new OWASP Top 10 2017 test configuration
The deprecated test configurations are not available by default and can only be applied as user-defined test configuration. They are now shipped with dotTEST in the following location: [INSTALL_DIR]\configs\builtin\Deprecated.
Other Changes
We've updated VSTest to version 15.9.0 - see VSTest Release Notes for details.
We've enhanced the presentation of Flow Analysis results in the IDE.
NuGet packages are now automatically restored before the project is built (see Restoring Packages Before the Build).
We've removed support for Microsoft Team Foundation Server 2008.
New Static Analysis Rules
The following rules have been added:
Rule ID | Header |
|---|---|
BD.SECURITY.TDINPUT | Exclude unsanitized user input from format strings |
CS.SEC.AUK | Avoid 'unsafe' keyword |
EXCEPT.NTSAE | Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' |
SEC.ACCA | Avoid using custom cryptographic algorithms |
SEC.AIWIL | Avoid indexer wraparound in loops |
SEC.APDM | Avoid using potentially dangerous methods |
SEC.AUEP | Avoid using elevated privileges |
SEC.UOWR | Use OAEP with RSA algorithm encryption |
SEC.WEB.UAA | Use authorization attributes on pages and controllers |
SEC.XXE.PDTDP | Prevent DTD processing |
Updated Static Analysis Rules
The following static analysis rules and metrics have been updated to improve analysis results:
BD.SECURITY.TDFNAMES
BD.SECURITY.TDSQL
BD.SECURITY.TDXSS
BRM.HBCM
BRM.HBCP
CS.BRM.IDOU
CS.BRM.IEB
CS.BRM.UCB
IFD.DDFODB
NG.FN.PNCFN
OPU.CPTEQ
OPU.REVT
PB.DNCF
PB.INOE
SEC.ACWNS
METRIC.CLLOCRIF
METRIC.CLLOCRIT
METRIC.CLLOCRIM
The following rules are deprecated and have been replaced by the BD.RES.LEAKS rule:
GC.UFID
PB.CFSRLV
SEC.CDBC
SEC.CDBCLV
SEC.CDR
SEC.CDRLV
The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:
BD.PB.ARRAY
BD.PB.ZERO
You can restore the previous messages and suppressions for the BD category rules; see Why are suppressions of some rules no longer available on DTP after dotTEST was upgraded to a newer version?.
Resolved Bugs and FRs
Bug/FR ID | Description |
|---|---|
DT-11992 | CS.BRM.IDOU false positive |
DT-12827 | Prerequisite for Roslyn runner should be .NET Framework 4.6 instead of 4.6.2 |
DT-12826 | SEC.AIWIL, SEC.APDM and SEC.LGE are missing some localization resources |
DT-12744 | Not localized rules labels on DTP test configuration view |
DT-12816 | Missing Japanese resource in Test Configurations |
DT-12523 | Missing rules in dotTEST pdf rules documentation |
DT-12732 | TUG.NTU.AUPNT rule description is not being translated |
DT-12510 | Parasoft.Dottest.CodingStandards.Runner crashes reported as Windows Events |
DT-12609 | Re-implement rule CS.BRM.IEB |
DT-12904 | Problem with combined violations for PB.INOE |
DT-8990 | IFD.DDFODB false positive |
DT-11744 | CS.BRM.UCB should not detect tasks for embedded, single-lined 'using' statements |
DT-12411 | NG.FN.PNCFN custom parameterization |
FA-6649 | BD-PB-CC false positive on bit-AND |
FA-6552 | FA violations are not being detected for the attached solution |