The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.
Built-in Test Configuration | Description |
---|---|
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Recommended .NET Core Rules | Includes rules that identify high-severity defects in .NET Core projects. |
Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
Metrics | Computes values for several code metrics. |
Flow Analysis | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
Flow Analysis Aggressive | Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration. |
Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
Critical Rules | Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration. |
Demo | Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases. |
Find Memory Issues | Includes rules for finding memory management issues in the code. |
Find Unimplemented Scenarios | Includes rules for finding unimplemented scenarios in the code. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Check Code Compatibility against .NET [2.0, 3.0, 3.5, 4.0 Client Profile, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8] | Includes a set of test configurations that validates the code’s compatibility with the specified version of .NET framework. |
IEC 62304 (Template) | A template test configuration for applying the IEC 62304 Medical standard. |
Microsoft Managed Recommended Rules | Applies the Microsoft Managed Recommended Rules that identify the most critical issues in your managed code. |
Roslyn .NET Analyzers Default Rules | Applies the .NET compiler platform (Roslyn) analyzer rules from the roslyn-analyzer project that have high severity and are enabled by default. See Overview of source code analysis for more information about Roslyn analyzers. |
Security Compliance Pack
This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to dotTEST's rules.
Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.
Built-in Test Configuration | Description |
---|---|
CWE 4.6 | Includes rules that find issues identified in the CWE standard v4.6. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 2021 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE Top 25 + On the Cusp 2021 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE standard or included on the CWE Weaknesses On the Cusp list. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
DISA-ASD-STIG | Includes rules that find issues identified in Application Security and Development STIG (Security Technical Implementation Guide) provided by Defense Information Systems Agency. |
OWASP API Security Top 10-2019 | Includes rules that find issues identified in OWASP’s API Security Top 10. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2017 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2017. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2021 | Includes rules that find web application security risks identified in the OWASP Top 10 - 2021. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
PCI DSS 3.2 | Includes rules that find issues identified in PCI Data Security Standard version 3.2. |
Security Assessment | General test configuration that finds security issues. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Microsoft Secure Coding Guidelines | Includes rules that enforce Microsoft Secure Coding Guidelines. |
Unit Testing and Collecting Coverage
This group includes test configurations that allow you to run and collect coverage data for unit tests.
Built-in Test Configuration | Description |
---|---|
Run VSTest Tests | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis. |
Run VSTest Tests with Coverage | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis and monitors coverage. |
Calculate Application Coverage | Processes the application coverage data to generate a coverage.xml file. See Application Coverage for Web Applications. |
Collect Static Coverage | Generates the static coverage data necessary for application coverage. See Application Coverage for Web Applications. |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE Top 25 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-787 | Out-of-bounds Write |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-20 | Improper Input Validation |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-416 | Use After Free |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-287 | Improper Authentication |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-862 | Missing Authorization |
|
CWE-276 | Incorrect Default Permissions | N/A |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE Weaknesses On the Cusp Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-295 | Improper Certificate Validation |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-269 | Improper Privilege Management |
|
CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | N/A |
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-401 | Missing Release of Memory after Effective Lifetime | N/A |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-319 | Cleartext Transmission of Sensitive Information | N/A |
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | N/A |
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-863 | Incorrect Authorization |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE 4.6 Mapping
CWE ID | CWE name/description | Parasoft rule ID(s) |
---|---|---|
CWE-20 | Improper Input Validation |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
|
CWE-64 | Windows Shortcut Following (.LNK) |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-94 | Improper Control of Generation of Code ('Code Injection') |
|
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-125 | Out-of-bounds Read |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-197 | Numeric Truncation Error |
|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
|
CWE-201 | Insertion of Sensitive Information Into Sent Data |
|
CWE-209 | Generation of Error Message Containing Sensitive Information |
|
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-256 | Plaintext Storage of a Password |
|
CWE-259 | Use of Hard-coded Password |
|
CWE-269 | Improper Privilege Management |
|
CWE-284 | Improper Access Control |
|
CWE-285 | Improper Authorization |
|
CWE-287 | Improper Authentication |
|
CWE-294 | Authentication Bypass by Capture-replay |
|
CWE-295 | Improper Certificate Validation |
|
CWE-299 | Improper Check for Certificate Revocation |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-316 | Cleartext Storage of Sensitive Information in Memory |
|
CWE-321 | Use of Hard-coded Cryptographic Key |
|
CWE-326 | Inadequate Encryption Strength |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Reversible One-Way Hash |
|
CWE-329 | Generation of Predictable IV with CBC Mode |
|
CWE-330 | Use of Insufficiently Random Values |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-369 | Divide By Zero |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-400 | Uncontrolled Resource Consumption |
|
CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
CWE-412 | Unrestricted Externally Accessible Lock |
|
CWE-416 | Use After Free |
|
CWE-426 | Untrusted Search Path |
|
CWE-427 | Uncontrolled Search Path Element |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-456 | Missing Initialization of a Variable |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-522 | Insufficiently Protected Credentials |
|
CWE-532 | Insertion of Sensitive Information into Log File |
|
CWE-546 | Suspicious Comment |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-611 | Improper Restriction of XML External Entity Reference |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-617 | Reachable Assertion |
|
CWE-624 | Executable Regular Expression Error |
|
CWE-662 | Improper Synchronization |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-704 | Incorrect Type Conversion or Cast |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-760 | Use of a One-Way Hash with a Predictable Salt |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-771 | Missing Reference to Active Allocated Resource |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-779 | Logging of Excessive Data |
|
CWE-780 | Use of RSA Algorithm without OAEP |
|
CWE-787 | Out-of-bounds Write |
|
CWE-789 | Memory Allocation with Excessive Size Value |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-827 | Improper Control of Document Type Definition |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-833 | Deadlock |
|
CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
CWE-918 | Server-Side Request Forgery (SSRF) |
|
CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag |
|