In this section:
Overview
Test configurations define how your code is analyzed and tested, including which static analysis rules are enabled, which tests to run, and other analysis parameters. dotTEST ships with built-in test configurations, but users can create and store their own test configurations in the DTP server (see the DTP documentation for details).
User-defined test configurations that are stored in DTP can be downloaded from the DTP server and stored in the [INSTALL_DIR]/configs/user directory as *.properties files.
Running a Test Configuration
You can specify which configuration will be run in one of the following ways:
Run
dottestcli
with the-config
switch and specify a built-in, user-defined or DTP-hosted test configuration:-config "builtin://Recommended Rules" -config "user://Foo Configuration" -config "dtp://Foo Team Configuration" -config "dtp://FooTeamConfig.properties"
Alternatively, you can add the prefix of the Parasoft tool you are using to specify a DTP-hosted test configuration:
-config "dottest.dtp://Foo Team Configuration"
You can also provide a path or URL to the test configuration .properties file:
-config "C:\Devel\Configs\FooConfig.properties" -config "http://foo.bar.com/configs/FoodConfig.properties"
For example, your command line may resemble the following:dottestcli.exe -solution "C:\Devel\MyFooSolution\MySolution.sln" -config "builtin://Demo" -report "C:\Report"
In the .properties file, specify the default configuration that will be run when the
-config
option is not used:dottest.configuration=user://Configuration Name
Viewing Available Test Configurations
Use the -listconfigs
switch to print the available test configurations.
Built-in Test Configurations
The following tables include the test configurations shipped in the [INSTALL]/configs/builtin directory.
Static Analysis
This group includes universal static analysis test configurations. See Security Compliance Pack for test configurations that enforce security coding standards.
Built-in Test Configuration | Description |
---|---|
Recommended Rules | The default configuration of recommended rules. Covers most Severity 1 and Severity 2 rules. Includes rules in the Flow Analysis Fast configuration. |
Recommended .NET Core Rules | Includes rules that identify high-severity defects in .NET Core projects. |
Find Duplicated Code | Applies static code analysis rules that report duplicate code. Duplicate code may indicate poor application design and lead to maintainability issues. |
Metrics | Computes values for several code metrics. |
Flow Analysis | Detects complex runtime errors without requiring test cases or application execution. Defects detected include using uninitialized or invalid memory, null pointer dereferencing, array and buffer overflows, division by zero, memory and resource leaks, and dead code. This requires a special Flow Analysis license option. |
Flow Analysis Aggressive | Includes rules for deep flow analysis of code. A significant amount of time may be required to run this configuration. |
Flow Analysis Fast | Includes rules for shallow depth of flow analysis, which limits the number of potentially acceptable defects from being reported. |
Critical Rules | Includes most Severity 1 rules, as well as rules in the Flow Analysis Fast configuration. |
Demo | Includes rules for demonstrating various techniques of code analysis. May not be suitable for large code bases. |
Find Memory Issues | Includes rules for finding memory management issues in the code. |
Find Unimplemented Scenarios | Includes rules for finding unimplemented scenarios in the code. |
Find Unused Code | Includes rules for identifying unused/dead code. |
Check Code Compatibility against .NET [2.0, 3.0, 3.5, 4.0 Client Profile, 4.0 Full, 4.5, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.7] | Includes a set of test configurations that validates the code’s compatibility with the specified version of .NET framework. |
IEC 62304 (Template) | A template test configuration for applying the IEC 62304 Medical standard. |
Microsoft Managed Recommended Rules | Applies the Microsoft Managed Recommended Rules that identify the most critical issues in your managed code |
Security Compliance Pack
This compliance pack includes test configurations that help you enforce security coding standards and practices. See Compliance Packs Rule Mapping for information how the standards are mapped to dotTEST's rules.
Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.
Built-in Test Configuration | Description |
---|---|
CWE 3.2 | Includes rules that find issues identified in the CWE standard v3.2. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE SANS Top 25 2011 | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE-SANS standard. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
CWE SANS Top 25 2011 + On the Cusp | Includes rules that find issues classified as Top 25 Most Dangerous Programming Errors of the CWE-SANS standard or included on the CWE - On the Cusp list. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
OWASP Top 10-2017 | Includes rules that find issues identified in OWASP’s Top 10 standard. This test configuration is part of Parasoft Compliance Pack solution that allows you to monitor compliance with industry standards using the "Compliance" extensions on DTP. |
PCI DSS 3.2 | Includes rules that find issues identified in PCI Data Security Standard version 3.2. |
Security Assessment | General test configuration that finds security issues. |
UL 2900 | Includes rules that find issues identified in the UL-2900 standard. |
Microsoft Secure Coding Guidelines | Includes rules that enforce Microsoft Secure Coding Guidelines. |
Unit Testing and Collecting Coverage
This group includes test configurations that allow you to run and collect coverage data for unit tests.
Built-in Test Configuration | Description |
---|---|
Run VSTest Tests | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis. |
Run VSTest Tests with Coverage | Runs NUnit, MSTest, and xUnit tests that are found in the scope of analysis and monitors coverage. |
Run NUnit Tests | Runs NUnit tests that are found in the scope of analysis. |
Run NUnit Tests with Coverage | Runs NUnit tests that are found in the scope of analysis and monitors coverage. |
Execute MSTests | Executes MSTest tests. See Unit Testing. |
Execute MSTests with Coverage | Executes MSTest tests and collects coverage. See Unit Testing. |
Calculate Application Coverage | Processes the application coverage data to generate a coverage.xml file. See Application Coverage for Web Applications. |
Collect Static Coverage | Generates the static coverage data necessary for application coverage. See Application Coverage for Web Applications. |
Compliance Packs Rule Mapping
This section includes rule mapping for the CWE standard. The mapping information for other standards is available in the PDF rule mapping files shipped with Compliance Packs.
CWE SANS Top 25 2011 Mapping
CWE ID | CWE Name | Parasoft Rule ID(s) |
---|---|---|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-862 | Missing Authorization |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-311 | Missing Encryption of Sensitive Data |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-863 | Incorrect Authorization |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE SANS On the Cusp Mapping
CWE ID | CWE Name | Parasoft Rule ID(s) |
---|---|---|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-754 | Improper Check for Unusual or Exceptional Conditions |
|
CWE-805 | Buffer Access with Incorrect Length Value | N/A |
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-330 | Use of Insufficiently Random Values |
|
CWE-822 | Untrusted Pointer Dereference | N/A |
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-841 | Improper Enforcement of Behavioral Workflow | N/A |
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-209 | Information Exposure Through an Error Message |
|
CWE-825 | Expired Pointer Dereference | N/A |
CWE-456 | Missing Initialization of a Variable | N/A |
CWE 3.2 Mapping
CWE ID | CWE Name | Parasoft Rule ID(s) |
---|---|---|
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
CWE-88 | Argument Injection or Modification |
|
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
|
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
CWE-129 | Improper Validation of Array Index |
|
CWE-131 | Incorrect Calculation of Buffer Size |
|
CWE-134 | Use of Externally-Controlled Format String |
|
CWE-190 | Integer Overflow or Wraparound |
|
CWE-191 | Integer Underflow (Wrap or Wraparound) |
|
CWE-197 | Numeric Truncation Error |
|
CWE-201 | Information Exposure Through Sent Data |
|
CWE-209 | Information Exposure Through an Error Message |
|
CWE-212 | Improper Cross-boundary Removal of Sensitive Data |
|
CWE-250 | Execution with Unnecessary Privileges |
|
CWE-252 | Unchecked Return Value |
|
CWE-259 | Use of Hard-coded Password |
|
CWE-285 | Improper Authorization |
|
CWE-306 | Missing Authentication for Critical Function |
|
CWE-307 | Improper Restriction of Excessive Authentication Attempts |
|
CWE-316 | Cleartext Storage of Sensitive Information in Memory |
|
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
|
CWE-328 | Reversible One-Way Hash |
|
CWE-329 | Not Using a Random IV with CBC Mode |
|
CWE-330 | Use of Insufficiently Random Values |
|
CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
CWE-352 | Cross-Site Request Forgery (CSRF) |
|
CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
CWE-369 | Divide By Zero |
|
CWE-391 | Unchecked Error Condition |
|
CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
CWE-396 | Declaration of Catch for Generic Exception |
|
CWE-397 | Declaration of Throws for Generic Exception |
|
CWE-401 | Improper Release of Memory Before Removing Last Reference |
|
CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
CWE-412 | Unrestricted Externally Accessible Lock |
|
CWE-416 | Use After Free |
|
CWE-434 | Unrestricted Upload of File with Dangerous Type |
|
CWE-457 | Use of Uninitialized Variable |
|
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
CWE-476 | NULL Pointer Dereference |
|
CWE-480 | Use of Incorrect Operator |
|
CWE-481 | Assigning instead of Comparing |
|
CWE-494 | Download of Code Without Integrity Check |
|
CWE-499 | Serializable Class Containing Sensitive Data |
|
CWE-502 | Deserialization of Untrusted Data |
|
CWE-546 | Suspicious Comment |
|
CWE-561 | Dead Code |
|
CWE-563 | Assignment to Variable without Use |
|
CWE-570 | Expression is Always False |
|
CWE-571 | Expression is Always True |
|
CWE-595 | Comparison of Object References Instead of Object Contents |
|
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
|
CWE-611 | Improper Restriction of XML External Entity Reference ('XXE') |
|
CWE-613 | Insufficient Session Expiration |
|
CWE-662 | Improper Synchronization |
|
CWE-676 | Use of Potentially Dangerous Function |
|
CWE-681 | Incorrect Conversion between Numeric Types |
|
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
CWE-759 | Use of a One-Way Hash without a Salt |
|
CWE-760 | Use of a One-Way Hash with a Predictable Salt |
|
CWE-770 | Allocation of Resources Without Limits or Throttling |
|
CWE-772 | Missing Release of Resource after Effective Lifetime |
|
CWE-778 | Insufficient Logging |
|
CWE-780 | Use of RSA Algorithm without OAEP |
|
CWE-798 | Use of Hard-coded Credentials |
|
CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
|
CWE-827 | Improper Control of Document Type Definition |
|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
|
CWE-833 | Deadlock |
|
CWE-838 | Inappropriate Encoding for Output Context |
|
CWE-862 | Missing Authorization |
|
CWE-863 | Incorrect Authorization |
|
Creating Custom Rules
Use RuleWizard to create custom rules. See the RuleWizard User Guide for information about RuleWizard capabilities and usage.
To use the rule, it needs to be enabled in a test configuration and the custom rule file must be located in one of the following directories:
- [INSTALL_DIR]\rules\user\
- [DOCUMENTS DIR]\Parasoft\[tool_name]\rules where [DOCUMENTS DIR] refers to the "My Documents" directory on Windows.