1.2.16
Resolved Issues
Customer Ticket Id | Details |
---|---|
34467 | An unexpected exception occurred while loading project xxxxx Sequence contains more than one matching element. |
31602 | Net warning: DOTNET.0156: An unexpected exception occurred while loading project Net 5. |
31022 | False violation for rule (rule id: 8110): Use dedicated stored procedures when multiple data accesses are needed. |
33194 | Even when version 4.8 is installed, the following message is displayed: "Required framework version is 4.8 but version 4.7.2 will be used instead". |
Other Updates
Details |
---|
Moving CommandData.json files raised an exception when running the analysis a second time. |
Generated .json files are analyzed incorrectly by the HTML5 and JavaScript extension, and this analysis leads to invalid results. After the fix, the generated .json files are stored in the LISA folder instead of the deployment folder, hence they do not get analyzed by the HTML5 and JavaScript extension. |
The exception "PathTooLongException" was not caught, hence the analysis was stopped with the DOTNET.0156 warning. With the fix, the exception is caught, and the analysis continues without any warning message. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8108 | FALSE | The rule "Avoid missing release of stream connection after an effective lifetime" has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable. |
8110 | FALSE | False violation for rule “Avoid not using dedicated stored procedures when processing multiple data accesses” is removed. Now the rule uses dedicated stored procedures when multiple data accesses are needed. |
1.2.15
Resolved Issues
Customer Ticket Id | Details |
---|---|
29725 | Transactions are deleted due to missing dll file reference: compilation conflicts between extractions and references |
33077 | Missing Reference to Datarow even though the dll is present causing GUID changes between versions |
33518 | Missing Reference to Datarow even though the dll is present causing GUID changes between versions |
Other Updates
Details |
---|
General Protection Fault crash on code "QUAL_SACS". |
False positive on rule: "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream. |
Update the analyzer to provide a list of the .NET frameworks managed by default in a .json file. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8108 | FALSE | False positive on rule "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream. |
1.2.14
Resolved Issues
Customer Ticket Id | Details |
---|---|
30747 | Drop in FP, due to changes in .NET TCCSetup file. |
1.2.13
Resolved Issues
Customer Ticket Id | Details |
---|---|
28876 | .NET Analysis crash --- com.castsoftware.dotnet.1.3.1-funcrel\DotNetCmd.exe exited with code -1073741571 |
Other Updates
Details |
---|
TCC config delivered by .NET extension is referring to package="Dotnet_Extension" instead of package="Base_DotNet". |
Rules
Rule Id | New Rule | Details |
---|---|---|
1027008 | FALSE | False violation for "Always Revert After Impersonation" on stored instances of classes implementing IDisposable. |
1.2.12
Resolved Issues
Customer Ticket Id | Details |
---|---|
28888 | Modified Transactions due to links alternating to objects with same fullname in different folders. |
28054 | False violation (rule id: 1027012): "Avoid storing Non-Serializable Object as HttpSessionState attributes". |
29262 | The rule (rule id: 8156): "Persistent classes should implement GetHashCode() and Equals()" should not apply for Entity Framework. |
Other Updates
Details |
---|
"System.Threading.Task" should be an exception to the QR (rule id: 8086): "Avoid types that own disposable fields and are not disposable". |
Rules
Rule Id | New Rule | Details |
---|---|---|
1027012 | FALSE | Fixed false positive due to wrong resolution of symbol (compiler error BC30560) |
8156 | FALSE | Fixed false positive due to rule formerly applied to entities of EF |
8086 | FALSE | Fixed false positive due to rule formerly applied to "System.Threading.Task" |
1.2.11
Resolved Issues
Customer Ticket Id | Details |
---|---|
27654 | DOTNET.0156: An unexpected exception occurred while loading project xxxx. Project excluded from analysis. |
25822 | False Positive in the QR: "Avoid having lock on this object". |
27762 | False positive in the QR: "Avoid missing release of stream connection after an effective lifetime". Close the outermost stream ASAP. |
28018 | Objects not coming as part of module causing transactions to be "Deleted" |
26749 | ASPX Transactions deleted |
24427 | Wrong Violations in the rule: "Avoid missing release of stream connection after an effective lifetime" in .NET |
26766 | False violation in the QR: "Avoid missing release of stream connection after an effective lifetime". |
28276 | False positives produced in the QR: "Avoid missing release of stream connection after an effective lifetime". |
27617 | Objects not coming as part of module is causing transactions to be "Deleted". |
Other Updates
Details |
---|
False positives for the QR: "Avoid missing release of stream connection after an effective lifetime" when the "using declaration" syntax is used |
Correct bookmark for the QR: "Avoid missing release of stream connection after an effective lifetime" |
1.2.10
Resolved Issues
Customer Ticket Id | Details |
---|---|
26236 | Aspx Source File Object has reduced due to object being external |
24396 | No SQL QR are triggered for links that are created between C# objects and SQL Analyzer objects when links are grep |
1.2.9
Note
.NET Analyzer - 1.2.9 is now in LTS (Long Term Support).
1.2.9-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
23232 | Missing link from client objects to SQL Script subpackage object |
Other Updates
Details |
---|
DOTNET.0142: Dependency System.Xml not found |
Resolution impossible with 3rd party NuGet packages versioned with -beta2 |
DOTNET.0150 for symbols already defined in ressources.fwe - case of Microsoft.AspNetCore.Http |
Analysis crashes in connectionless mode and prevents launch of non-regression tests |
Missing warning when recursive dependent packages are missing |
1.2.8-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
21878 | Analysis of .NET application blocked during Run_CSV_generation with .Net Analyzer 1.2.3-funcrel due to Lambda expression |
24329 | Defects are duplicated for .Net violations in dashboard |
24260 | DOTNET.0012: Could not load assembly ACME.Enterprise Library. |
Other Updates
Details |
---|
Getting warning in .net log for "Error BC30002 Type is not defined" |
Adding .NET SOAP operation/service as default entry point for TCC |
All blackbox files are loaded regardless of APPLICATION_NAME with AIP 8.3.17 and .NET Analyzer 1.2.1-funcrel |
Some objects within "external" source code are marked as "internal". |
1.2.7-funcrel
Resolved Issues
Following issues are resolved in this release of the analyzer.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-986 | - | Non Regression Tests setup for .Net | After the fix, Non Regression Tests run fine, irrespective of the number of times they are run. |
DOTNET-997 | - | Random failures of Non Regression Tests for .Net due to random projects execution | Random order of projects during execution is fixed. |
DOTNET-1005 | - | NRT Failures when xaml files are present in Test app | The fix handles the differences between multiple analyses on the same version caused by generated files of .Net. |
DOTNET-1094 | - | NullReferenceException during devirtualization | Exception is fixed. |
1.2.6-funcrel
Resolved Issues
Following issues are resolved in this release of the analyzer.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-913 | 20646 | Massive increase in warnings mainly of the type GUID duplicate found : CAST_DotNet_ClassExternal after upgrading extension. | Regression fixed, but a few GUID duplicate warnings remain. |
DOTNET-965 | - | Uncaught exception while processing target EntryPoint | Exception does not occur anymore. |
DOTNET-969 | - | SSL in .Net extension | A change has been implemented in preparation for the future support of encrypted SSL connections to CAST Storage Service/PostgreSQL. |
DOTNET-971 | 22353 | DOTNET.0156: An unexpected exception occurred while loading project | The exception was occurring when the .NET analyzer was installed in a folder containing space characters. The issue is fixed. |
DOTNET-981 | 22535 | Analysis of XXX.csproj has failed. An unexpected error happened leaving the analysis in an unknown state | Exception does not occur anymore. |
DOTNET-988 | - | CS0433 errors related to extractions | These errors were related to two conflicting extractions; the errors are removed. |
DOTNET-990 | - | On local functions we get the warning: DOTNET.0020: Error while processing visitor: MethodBodyVisitor | This error was occurring on local functions with the arrow syntax. We no longer generate CASTIL code for these local functions until some other fixes on lambdas are made. |
DOTNET-995 | 22791 | DOTNET.0156: An unexpected exception occurred while loading project | Exception does not occur anymore. |
DOTNET-996 | 22793 | .NET analysis is failing with warning: System.ArgumentException: Illegal characters in path | Exception does not occur anymore. |
1.2.5-funcrel
Updates
New technology support
This extension now supports:
- .NET Core 3.1, implicitly also supporting:
- ASP.NET Core 3.1
- WinForms and WPF for .NET Core
- .NET Standard 2.1
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-974 | - | create_link call crashing with entity 1.4.4 extension | The analyzer no longer crashes |
DOTNET-984 | - | get_inherited_types() method is broken | In Python extensions the method get_inherited_types() was not working for some base types, depending on the analysis configuration. This is now fixed. |
1.2.4-funcrel
Updates
Packages.config file support
This extension now supports 'packages.config' files, which gives a more accurate analysis (fewer messages in DOTNET.0150 and DOTNET.0151).
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-899 | - | SQL injection target methods for C/S links is not aligned with User Input Security requirement and needs | Improved accuracy for User Security Input analyses. |
DOTNET-937 | - | Support of conditional member access syntax | The analyzer no longer crashes. |
DOTNET-940 | - | .Net 1.0/1.1 analysis fail with warning DOTNET.0155: Unrecognized format of project file | .NET 1.x projects may be analyzed again. |
DOTNET-947 | 21787 | .NET analysis is failing with several warnings in the analysis log and hence links not created between the artifacts | A NullReferenceException was occurring in an attempt to draw a devirtualization link in a lambda as a field initializer. The link is now created from all constructors of the class. |
DOTNET-948 | - | DOTNET.0020: Error while processing visitor: AvoidStreamResourceLeaks, AlwaysRevertImpersonation | No more crash with message DOTNET.0020. |
1.2.3-funcrel
Updates
.NET Core and ASP.NET Core support
This extension now supports:
- .NET Core 3.0
- ASP.NET Core 3.0
QR name of the rule '8108' is revised
Earlier name of '8108': Close outermost stream ASAP
Current name of '8108': Avoid missing release of stream connection after an effective lifetime
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-865 | 19708 | False positive for .net rule "Close outermost stream ASAP", now "Avoid missing release of stream connection after an effective lifetime" | Before the fix, the 'null conditional operator' was not recognized and false violations were displayed. After the fix, the 'null conditional operator' is handled, hence no false violations are displayed. |
DOTNET-925 | 21127 | .Net analysis is frozen | An infinite loop was occurring during the analysis. After the fix, the analysis completes successfully. |
DOTNET-926 | 21198 | .NET Analyzer 1.2.2 funcrel - Unable to analyze complete code | While loading projects, analysis was crashing. After the fix, analysis does not crash. In the future if any exception is raised during the load of project, only projects failing to load will be excluded from analysis. |
DOTNET-929 | 21245 | AIP_CONSOLE OnBoarding : All C# classes are not analyzed. | A crash was occurring when the target framework of a project was an empty string. The crash is fixed. After the fix, in case of an empty string, we select the default framework version (which is the highest framework version supported). |
1.2.2-funcrel
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-296 | - | Support of C#7 and VB :: tuple syntax | New links are created and the user input security will go through the instructions using tuples. |
DOTNET-902 | - | Fix required for 4 DOTNET.0020 warnings in analysis log file | Under specific conditions, a crash could occur during the analysis of the web services. Due to this some methods were not recognized as web methods. After the fix, the crash does not occur. |
DOTNET-907 | - | Some recursive package dependencies are not found | Some recursive dependencies were not found and interoperability between system frameworks was not taken into account, resulting in missed package dependencies. Missing package dependencies may have the following impact: missing links toward external objects and less accurate user input security. The issue is fixed after the upgrade. |
DOTNET-909 | - | Missing objects expected from Edmx files | Edmx files are now saved as additional documents of a project, allowing extensions to leverage that information. |
DOTNET-917 | - | Crash during computation of diag Avoid weak encryption key size | After the fix, crash does not happen hence no missing violations. |
1.2.1-funcrel
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-611 | - | Invalid CASTIL generation for ASP.NET pages | After upgrading, intermediate CastIL code related to web forms (.aspx) and web controls (.ascx) is now generated correctly for the User Security Input. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more User Input Security related violations may be identified. |
DOTNET-612 | - | Missing devirtualization links when type instantiations are involved | Devirtualization links are now created properly in the context of type instantiations. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more accurate transaction information will be produced. |
DOTNET-869 | - | Missing type conversion calls for the CastIL generation via Roslyn | Implicit calls to ToString() methods were not generated in CASTIL (for dataflow). Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more User Input Security related violations may be identified. |
DOTNET-887 | - | Violations are missing in AED when compared with 1.0.14 extension | Violations were not reported on Page_Load methods in a web application. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: increased number of violations producing greater accuracy. |
DOTNET-896 | - | Missing dependency toward netstandard.dll facade may cause name resolution errors | Name resolution errors are fixed. |
DOTNET-897 | - | Resolution errors because of dependencies added twice | Name resolution errors are fixed. |
1.2.0-funcrel
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-784 | - | "C# Property" objects are "synthetic", but their children (setters and getters) are internal | A change has been made to the status of certain objects resulting from .NET analyses. The following objects are all now considered as "generated code" when required:
Previously, these objects were not considered as "generated code" and therefore violations found in them were included in grade and violation counts. After an upgrade to 1.2.0-funcrel and the generation of a post upgrade consistency snapshot on unchanged source code, results may be impacted due to this change: grades may change due to the non-inclusion of violations caused by these objects. In addition, other metrics may change such as the total number of violations and Line of Code count (generated objects do not contribute to these). Finally, the Engineering Dashboard will now report identical values for the total number of all violations in the Risk Model tile and in the Application Components tile. |
DOTNET-855 | - | Error while processing visitor: MethodBodyVisitor | In 1.2.0-funcrel a change has been made to display a warning message instead of an error message:
The consequence of this change is that previously the generated code for the entire file was lost (skipped due to the error), however, now the generated code is lost only for the specific method mentioned in the warning message. |
DOTNET-856 | - | Error while processing visitor: LinqToSQLVisitor | After upgrading to 1.2.0-funcrel, warning message is not displayed. |
1.2.0-beta5
Updates
Support added for DbDataAdapter in CAST Transaction Configuration Center
The .TCCSetup file provided in the extension has been configured to recognize End points for DbDataAdapter.
Dependencies in nupkg files not taken into account
A NuGet package may have dependencies on other packages (specified in the nuspec file). We should take these dependencies into account to include them as dependent packages.
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-833 | 19400 | Crash in .Net analyzer | After upgrading to 1.2.0-beta5, .Net analyzer does not crash due to duplicate Keys in dictionaries. |
DOTNET-780 | 18569 | Analysis warning: DOTNET.0020:Error while processing visitor: NumberOfBreaksInForLoops | After upgrading to 1.2.0-beta5, you will no longer get the false warning message related to NumberOfBreaksInForLoops. |
DOTNET-825 | 19152 | Receiving false positives reporting dead code for code that is in use | This issue has been fixed by disabling the rules listed below. These rules often produce a significant number of false violations thereby reducing their usefulness. These rules are multi-techno and are embedded in AIP Core, therefore they are only disabled specifically and only for .NET technologies when using CAST AIP ≥ 8.3.16. As a result of this change, results may be impacted - no violations will be triggered for any of these rules, therefore potentially impacting grades and existing results: |
DOTNET-843 | - | Devirtualization should create a link to all overrides at least | After upgrading to 1.2.0-beta5, the .Net analyzer creates a link to all overrides when devirtualization of a call does not find a single link. |
1.2.0-beta4
Updates
Support for Xamarin.Forms in CAST Transaction Configuration Center
The .TCCSetup file provided in the extension has been configured to recognize Entry points for Xamarin.Forms and End points for SQLite. Transactions can therefore now be seen in CAST Transaction Configuration Center.
Single warning for each unresolved type
A single warning is now displayed in the log file for each unresolved type.
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-808 | 19086,19229 | Snapshot error - ‘Error while executing Procedure’ | After upgrading to 1.2.0-beta4, no error is displayed. |
DOTNET-789 | - | There should be a fatal error instead of the warning message "Analysis failure, could not load a type. The following assemblies could not be loaded as well:" | After upgrading to 1.2.0-beta4, a fatal error message is displayed instead of a warning message. |
DOTNET-820 | - | DOTNET.0020:Error while processing visitor: WebServiceVisitor | After upgrading to 1.2.0-beta4, no error while processing "WebServiceVisitor" |
DOTNET-742 | - | FALSE VIOLATION FOR RULE- "Close the outermost stream ASAP" | Methods returning streams will not be considered for violation. After an upgrade to the current version of the extension and the generation of a post-upgrade consistency snapshot, results may change for this rule: fewer false violations, providing more accuracy. |
DOTNET-805 | - | Workaround for "Nupkg files exclusion in Nuget packaging" | Xamarin.Forms libraries were not referenced because, during packaging, files and folders starting with '.' or ending with '.nupkg' are excluded by default. This problem is solved by shipping the '.nupkg' as '.castpkg'. |
DOTNET-819 | 17666 | FALSE VIOLATIONS FOR "Avoid improper processing of the execution status of data handling operations" | The current rule is not violated in the below cases: |
1.2.0-beta3
Updates
The MAV2 metric "Length of the longest line" has been removed for .NET related analyses; as a consequence, it will no longer appear in the object properties list in CAST Enlighten.
Resolved Issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-779 | - | CASTONCAST: snapshot fails with ERROR: duplicate key value violates unique constraint "dss_objects_pk" | The snapshot failed due to a duplicate checksum for certain objects (when shared projects were present in the sources). This has now been fixed and the snapshot will complete correctly. |
DOTNET-708 | - | When both the iOS and android and UWP application are present in the same solution not finding the Xamarin reference | Missing links to framework dependencies for Xamarin projects will now be created |
DOTNET-577 | - | DOTNET.0048:Error while loading XML document | Documentation updated to clarify scenario of an empty configuration file in project |
DOTNET-709 | - | Not finding the Xamarin reference for the WatchOS App, can find the Xamarin WatchOS reference in web config | Missing links to framework dependencies for Xamarin projects will now be created |
DOTNET-783 | - | EOF counted as line of code | The EOF is no longer counted as a line of code, therefore a change in the number of lines of code is to be expected after upgrade to this release. |
1.2.0-beta2
Updates
New feature
- Support for .NET Core 2.2: The .NET Analyzer now analyzes the code that uses .NET Core 2.2
New rule
The following rule has been added in this release - see: https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-beta2
1027012 | Avoid storing Non-Serializable Object as HttpSessionState attributes |
---|
Resolved issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-621 | - | Bug in the quality rule "avoid instantiations inside loops" | No false violation message. The creation of an object to be added to a collection that has a life cycle longer than the loop should not be considered as a violation. |
DOTNET-745 | - | Regression: Snapshot failed with ERROR: duplicate key value violates unique constraint "dss_objects_pk" | There were 2 CRCs saved on some objects, now there is only 1 CRC. |
DOTNET-763 | 18245 | LOC increase post migration | The analyzer was previously including empty lines in the lines of code (LOC) value therefore producing an erroneous value for this metric. This bug has been fixed (blank lines are no longer included in the LOC value) and therefore after an upgrade to the current version of the extension and the generation of a post-upgrade consistency snapshot on unchanged source code, the LOC value will reduce. |
1.2.0-beta1
Resolved issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-718 | 17275 | FALSE VIOLATION FOR RULE- Close the outermost stream ASAP | After upgrading to 1.2.0-beta1: No false violation for the rule - Close the outermost stream ASAP. Upgrading to 1.2.0-beta1 will affect the analysis results. |
1.2.0-alpha2
Updates
New rules
The following rules have been added in this release - see https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-alpha2:
1027004 | Avoid using deprecated XmlTextReader .NET API |
---|---|
1027008 | Always Revert After Impersonation |
1027010 | Avoid weak encryption providing sufficient key size (.NET) |
DOTNET-682 - Adopt Roslyn 3.0
The .NET Analyzer now uses the Roslyn 3.0 compiler/analyzer which brings a first level of support for:
- C# 8.0
- VB.NET 15.8
- Visual Studio 2019
DOTNET-724 - PostgreSQL connectivity
A change has been implemented to introduce a connectivity layer compatible with PostgreSQL 10 and 11.
1.2.0-alpha1
Prerequisites
To use the .NET Analyzer extension for analysis purposes, the .NET Framework ≥ 4.7.2 must be installed. A check will be done when the analysis starts and a message will be produced if the minimum .NET Framework cannot be found. See also Required third-party software in .NET Analyzer - 1.2.
Updates
Xamarin support
First level of support for Xamarin (links to Xamarin API objects will be resolved) for:
- Android
- iOS
- TvOS
- WatchOS
- UWP
New rules
The following rules have been added in this release - see https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-alpha1:
1027000 | Avoid Managed type declaration for Win32 API using Overlapped IO |
---|---|
1027002 | Avoid exposing methods that use Platform Invocation Services to access unmanaged code |
New icons for CAST Enlighten
A new set of icons has been provided for display in CAST Enlighten.
Resolved issues
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-673 | 16172 | False positive for rule 'Avoid using Keywords' for 'C# Property Set' and 'C# Property Get' | After an upgrade to 1.2.0 and then generation of a new snapshot on unchanged source code, results of the rule 'Avoid using Keywords' for 'C# Property Set' and 'C# Property Get' may be impacted: fewer false violations, providing greater accuracy. |