This release includes a wide range of new features, as well as enhancements to the existing functionality:

Customizing Rules and Test Configurations on the Desktop

This release features significant improvements for customizing static analysis on your desktop. We've introduced a browser-based interface that allows you to locally modify and save code analysis rules and test configurations to meet your organization’s development policy. See Customizing Static Analysis Rules and Creating Custom Test Configurations.

Additionally, you can now configure dotTEST to apply the rule mapping stored locally or on DTP.

Support for Microsoft Code Analysis

You can now run Microsoft Code Analysis rules using the standard dotTEST static analysis workflow and reporting capabilities. See Analysis Types.

Support for .NET Core

We've added support for performing analysis of .NET Core projects.

Integration with VSTest

dotTEST now ships with support for VSTest to execute NUnit, MS Test, and xUnit tests in a single run and speed the testing process. The built-in test configurations allow you to run your tests with or without collecting coverage information. See Running Unit Tests with VSTest.

New and Updated Test Configurations

We've added the following built-in test configurations:

  • UL 2900
  • OWASP Top 10 2017

The outdated OWASP Top 10 Security Vulnerabilities and NIST SAMATE test configurations have been removed.

Other Changes

  • DTP 5.4.0 is required to leverage DTP capabilities and workflows.
  • Findings marked with the Do Not Show priority on your DTP no longer simulate suppressions and should be converted into true suppressions; see DTP 5.4.0 Release Notes.
  • The paradigm for merging coverage information has been improved, which may increase your coverage results.

New Code Analysis Rules

The following rules have been added:

Rule ID            Header
BD.PB.POVR         Avoid overwriting method parameters before each use
BD.TRS.INSTLOCK    Do not use an instance lock to protect shared static data

Updated Code Analysis Rules

  • BD.EXCEPT.NR
  • BD.EXCEPT.AN
  • BD.PB.STRNULL
  • BD.PB.VOVR
  • BD.RES.LEAKS
  • BD.TRS.ORDER
  • BRM.CMT.MSC
  • CS.PB.DEFSWITCH
  • EXCEPT.NCSAE
  • IFD.DCDSF
  • IFD.DDFODB
  • PB.STRIDX
  • PB.STATICFLD
  • SEC.LGE

Resolved Bugs and FRs

Bug/FR ID    Description
FA-5005      BD.PB.VOVR parameter reportOnPrimitivesDeclarations does not work in dotTest
FA-5994      Cannot define constructor as null not accepting method for BD.EXCEPT.NP
FA-6122      Include information about dangerous methods in documentation of BD.SECURITY.TD* rules in dotTEST
FA-6140      Not all paths are counted when reporting flowanalysis.output.performance.info for some of the rules.
FA-6378      BD.PB.DEREF False Positive
DT-9222      Metrics not scanning on a XAML file with DTP Engine for .NET version 10.3.1
DT-11083     Line filtering in test scope is not working in Engine VS plugin
DT-11122     PB.STRIDX potential false positive
DT-11128     Request to have "dottest.custom.rule.dir" setting supported
DT-11246     IFD.DCDSF potential false positive
DT-11247     CS.PB.DEFSWITCH potential false positive
DT-11319     dotTEST analysis results differ between runs
DT-11431     PB.STATICFLD false positive
DT-11771     dotTEST Execution Hanging - "Checking License Features"
DT-11787     Performance drop due to Old Standards Checker communication exceptions
XT-35411     Spaces in CVS reports starting from second row