This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.

Summary: This document provides information about changes and new features introduced in this release.

1.4.18

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 43359 | Fixes an issue that was causing a mismatch in the Engineering Dashboard between the total violation count in the main tile and the CSV export report. |

1.4.17

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 41637 | Corrected the violation count displayed in Engineering Dashboard for the rule (1027024): "Avoid comparing passwords against hard-coded strings" |

Other Updates

Details
Corrected the wrong generic type for nested class or enum of a generic class in extraction files.
Corrected the metamodel property of quality rules to correct violation count displayed in Dashboard.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 7198 | FALSE | Fixed false positives for the rule: "Avoid String concatenation in loops (.NET)" when the concatenation was done inside the initialization during variable declaration. |

1.4.16

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 41935 | Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)" when using declaration syntax. |

Other Updates

Details
.NET has a new option to disable linking .NET Client code to SQL Database Tables. Not activated by default.

1.4.15

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 41374 | Fixes a false violation of the rule 7862: "Avoid catching an exception of type Exception, RuntimeException, or Throwable". |
| 41802 | Fixes an issue causing the analysis to fail with the error "System.ArgumentException: An item with the same key has already been added". |

Other Updates

Details
The analysis behaviour has been updated to ensure that the symbols comparison process is completed with the current project's .NET version.
Avoid argument exception with duplicate key entry in dictionary for AvoidRaisingExceptionsInUnexpectedLocation diag

1.4.14

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 40482 | Fixes an issue causing an analysis to fail with the error "DOTNET.0007:Unknown language Unknown. Couldn't load project." |

Other Updates

Details
The analyzer has been updated to prevent the analysis of unused source files (e.g. with the Content or None tag) such as .cs, .vb, etc. in SDK style projects.
The analyzer has been updated to ensure that generated objects (such as classes) are saved with the properties "external" and "generated" (previously these objects were only saved with the property "external").
Fixes a false positive in rule 1027042 "Avoid having unmatched contracts for exported interfaces" that is triggered when a class does not implement directly the interface but inherits a class that implements it.
Fixes an issue where tags disabling implicit file inclusion in SDK style project files are ignored during an analysis causing unwanted files to be analyzed.
Fixes an issue where the analyzer was previously analyzing the same file multiple times (due to the existence of multiple project files specifying the compilation of the file multiple times).
Fixes an issue causing the analyzer to create the wrong type of link (accessReadLink) when the assignment of an object is done by a deconstruct operation. The analyzer now creates an accessWriteLink link instead.
Fixes a false negative in rule 1027100 "Avoid dangerous File Upload" that is triggered when "HttpPostedFile.SaveAs" is used.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027042 | FALSE | "Avoid having unmatched contracts for exported interfaces": removed a false positive that is triggered when a class does not implement directly the interface but inherits a class that implements it. |
| 1027100 | FALSE | "Avoid dangerous File Upload": fixes a false negative that is triggered when "HttpPostedFile.SaveAs" is used. |

1.4.13

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 39034 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference." |
| 38601 | Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference." |
| 38362 | Fixes an issue causing an analysis crash with the error: "Unknown exception System.IO.DirectoryNotFoundException: Could not find a part of the path." |
| 39086 | Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime". |
| 37489 | Fixes an issue where the analysis completed but took a very long time to run. |
| 38509 | Fixes several incorrect terms in warning messages found in the .NET analysis log file. |
| 38529 | Fixes an issue where the warning "DOTNET.0012:Could not load assembly" was encountered many times in one analysis. This warning is now not triggered for DLLs that are not .NET assemblies, and where there is more than one DLL in a directory of a build of a package, all DLLs are added. |

Other Updates

Details
Changes the behaviour to stop an exception being raised when analyzing code with local functions: the analyzer now ignores local function calls in order to avoid exceptions (and so continues the analysis of the current file).
Fixes an exception raised by the Security Analyzer during log forging analysis due to optional arguments encountered in the code.
Fixes an issue where the log contained many instances of the entry "An exception occurred while generating code for...." when tuple expressions were being analyzed.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 8108 | FALSE | Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime". |

1.4.12

Note

No changes or updates have been made in this release. This is simply a move to LTS (Long Term Support).

1.4.11-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 35954 | Fixes missing links from .NET methods to stored procedures when a string variable is declared in an anonymous function. |
| 38220 | Fixes a false violation - "Avoid storing passwords in Comments" - 1027046. |

Other Updates

Details
Improved support for databases: Oracle, DB2, MySQL, Microsoft.Data.SqlClient

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027046 | FALSE | Fixes a false violation for "Avoid storing passwords in Comments". |

New Support

| Summary | Details |
|---|---|
| Support of C# 9 | Introduces support for C# 9: record, init-only accessor, top-level statement, target-typed new, covariant return type, ... |

1.4.10-funcrel

Note

The release 1.4.10-funcrel replaces 1.4.9-funcrel, which was withdrawn due to an error where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 37290 | Fixes an issue where snapshots fail after an upgrade to 1.4.9-funcrel with the error "Error while executing Procedure: ERROR: function mal_as_allocation_eu_main_local.dss_diag_scope_generic_num(integer, integer, integer, integer) does not exist." |
| 36406 | Fixes an issue where .NET analysis failed with error: The process `"D:\CAST\Extensions\com.castsoftware.dotnet.1.4.7-funcrel\DotNetCmd.exe" "R:\Storage\XX\DotNetCmd.xml"' exited with code -1073740940. |
| 36719 | Fixes an issue where .NET analysis is missing links to System namespace that should be resolved from .NET framework. |
| 26750 | Fixes an issue related to All ASMX transactions. A link is missing from "ASMX Source File" to its "C# source file". But the ASMX object is defined in TCC configuration as entry point. Therefore, All ASMX transactions are empty. The link is missing for all ASMX objects that are entry points for transactions. |

Other Updates

Details
Fixes an issue related to missing assemblies with correct project hintpaths. The features using the hintpath of scproj files were found missing. After the fix, there is no Warning for DOTNET.0142 and DOTNET.0150.
Fixes an issue related to third party application. Updating the third party package Microsoft.WindowsDesktop.App.Ref to version 6.0.6
Fixes an issue related to .NET Analysis concurrency. When two applications are launched in parallel with the same Zip file for the source code, the first analysis ends successfully and the second one fails with an error.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027100 | TRUE | Avoid dangerous File Upload. |

New Support

| Summary | Details |
|---|---|
| Support Dapper/Oracle/NpgSQL framework for .Net | Support Dapper/Oracle/NpgSQL framework for .Net with blackboxing. |

1.4.9-funcrel

Note

This release has been withdrawn due to an error, where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.

1.4.8-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 34766 | Fixed false positive violations for the rule (7266): "Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods". |
| 35114 | Fixed false positive violations caused by event handler C# methods for the rule (1027098): "Avoid unused private types or members". |
| 31317 | Fixed incorrect links in the "Reference" section for the rule (1043010) "Avoid creating cookie without setting httpOnly option (C#)". |
| 34864 | Fixed false positive violations for the rule (1027048): "Avoid returning null from non-async Task/Task<T> method". |
| 35078 | Fixed false positive violations for the rule (1027048): "Avoid returning null from non-async Task/Task<T> method". |
| 34960 | Fixed false positive violations for the rule (1027074): "Avoid hard-coded URIs (.NET)". |
| 34773 | Fixed false positives for rule (8402): "All types of a serializable class must be serializable" in C#. |

Other Updates

Details
Added a new tool "WSDLGenerator": externalize generated files based on WSDL file in a separate tool.
Fixed a bad type link between .NET and SQL synonym.
Fixed an unexpected exception, that occurred during step: Dataflow symbol registration.
Default links in 'analysis schema' decreased by 1730, when comparing analyses run between 8.3.42 and 8.3.43.
Added a new tool XSDGenerator: externalize generated files based on XSD file in a separate tool.
Correction of the error: "System.IO.DirectoryNotFoundException", while moving CommandData.json file with folder path containing a space character.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027074 | FALSE | Fixed false positive violations for the rule: "Avoid hard-coded URIs (.NET)". |
| 7212 | FALSE | Fixed missing violations for the rule: "Avoid instantiations inside loops". |
| 7266 | FALSE | Fixed false positive violations for the rule: "Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods". |
| 1027098 | FALSE | Fixed false positive violations caused by event handler C# methods for the rule: "Avoid unused private types or members". |
| 1027048 | FALSE | Fixed false positive violations for the rule: "Avoid returning null from non-async Task/Task<T> method". |
| 8402 | TRUE | Fixed false positives for rule: "All types of a serializable class must be serializable" in C#. |

New Support

| Summary | Details |
|---|---|
| Support ASP.NET Core 5 and 6 | Support for Asp.Net Core 5 and 6, libraries are imported as third parties. |

1.4.7-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 34381 | 41 projects are not analyzed with Unexpected exception occurred during step: ASTs visit |
| 34654 | Missing links from .NET SOAP Resource Service to .NET SOAP Operation due to wrong Soap Operation name |

Other Updates

Details
Moving CommandData.json files raised an exception when running the analysis a second time.

1.4.6-funcrel

Note

Please do not use this version.

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 34467 | An unexpected exception occured while loading project xxxxx Sequence contains more than one matching element |
| 34572 | An unexpected exception occured while loading project xxxxx Sequence contains more than one matching element. |
| 33966 | Rule name: "Avoid using console logging" should be renamed according to technology as: "Avoid using console logging (.NET)". |

Other Updates

Details
CASTIL generation - Review CastIL generation for fields: non-static fields with initializers are now correctly instantiated and have a bookmark; static fields are now initialized in the static constructor.
Generated .json files are analyzed by the HTML5 extension, but they should not be analyzed by the extension; this leads to invalid result variation.
An uncaught PathTooLongException raised the DOTNET.0156 warning.
The rule (8108) "Avoid missing release of stream connection after an effective lifetime" has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 8108 | FALSE | The rule "Avoid missing release of stream connection after an effective lifetime" has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable. |
| 1020060 | FALSE | Rule name: "Avoid using console logging" is renamed according to technology as: "Avoid using console logging (.NET)". |

New Support

| Summary | Details |
|---|---|
| Support of .NET Core 5 and 6 | The .NET Analyzer now supports .NET Core 5 and 6. Syntax support is limited to C# 8.0. |

1.4.5-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 31602 | Net warning: DOTNET.0156: An unexpected exception occured while loading project Net 5 |
| 31022 | False violation for rule (rule id: 8110): Use dedicated stored procedures when multiple data accesses are needed. |
| 33194 | Message "Required framework version is 4.8 but version 4.7.2 will be used instead" still displayed, when version 4.8 is installed. |

Other Updates

Details
Bad inherited link between a class and an instantiated: A bad relyon link has been replaced by an inheritance link.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 8110 | FALSE | Removed false violation for the rule: Avoid not using dedicated stored procedures when processing multiple data accesses. |

1.4.4-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 29725 | Transactions are deleted due to missing dll file reference: compilation conflicts between extractions and references |
| 33077 | Missing Reference to Datarow even though the dll is present causing GUID changes between versions |
| 33272 | DOTNET.0142: No ressource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: support of Portable Class Library (PCL) for nuget package |
| 33379 | DOTNET.0142:No ressource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: Support of Portable Class Library (PCL) for nuget package. |
| 33476 | False violation for QR "Avoid non-public custom exception types" for partial classes |
| 33518 | Missing Reference to Datarow even though the dll is present causing GUID changes between versions |

Other Updates

Details
False positive on rule: "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream.
Get rid of useless flagged warning logs.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027088 | FALSE | False violation for rule: "Avoid non-public custom exception types" for partial classes. |
| 8108 | FALSE | False positive on rule: "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream. |

1.4.3-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 32682 | False violation for rule "Always use System.Uri instead of string to build URLs": authorize secure method System.Net.WebRequest::Create(System.String). |
| 32708 | False positive for the rule: "Avoid storing passwords in Comments". |
| 32823 | Unknown exception System.AggregateException in method AvoidRaisingExceptionsInUnexpectedLocation.Init |
| 32852 | False violation for the rule: "Avoid hard-coded network resource names (.NET, VB)": restrict ipv4 to 4 numbers pattern. |
| 32978 | False violation for the rule: "Avoid comparing passwords against hard-coded strings". |

Other Updates

Details
Update the analyzer, to provide a list of the .NET frameworks managed by default in a .json file.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027054 | FALSE | False violation for rule "Always use System.Uri instead of string to build URLs": authorize secure method System.Net.WebRequest::Create(System.String). |
| 1027046 | FALSE | False positive for the rule: "Avoid storing passwords in Comments". |
| 1027032 | FALSE | False violation for the rule: "Avoid hard-coded network resource names (.NET, VB)": restrict ipv4 to 4 numbers pattern. |
| 1027024 | FALSE | False violation for the rule: "Avoid comparing passwords against hard-coded strings". |

1.4.2-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 32444 | Onboarding: Csproj project excluded due to System.IndexOutOfRangeException: Index was outside the bounds of the array. |
| 32585 | Onboarding: Csproj project excluded due to System.IndexOutOfRangeException: Index was outside the bounds of the array. |

Other Updates

Details
False positives in rule "Avoid hardcoded URIs".
Unknown exception System.ArgumentException raised in rule "Avoid unused private types or members".
General Protection Fault crash on code "QUAL_SACS".
Correction for initialization of plugins inside component.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027074 | FALSE | False positives in rule "Avoid hardcoded URIs". |
| 1027098 | FALSE | Unknown exception System.ArgumentException raised in rule "Avoid unused private types or members". |

1.4.1-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 30747 | Drop in FP, due to changes in .NET TCCSetup file. |
| 30762 | Mismatch in violation count for the rule (7198): "Avoid String concatenation in loops (.NET)". |
| 30482 | False negative for the rule: "Avoid storing Non-Serializable Object as HttpSessionState attributes". Rule does not consider Property objects. |
| 31611 | False negative for the rule: "Avoid storing Non-Serializable Object as HttpSessionState attributes". Rule does not consider Property objects. |

Other Updates

Details
Analysis too long for file initializing, extremely big dictionary.
8108: False positive for method System.IO.File::Exists.
TFP decreased by 4858.0 when migrating 8.3.37 -> 8.3.38 (upgraded dotnet extension).
Generalized the string evaluation.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027012 | FALSE | False negative for the rule: "Avoid storing Non-Serializable Object as HttpSessionState attributes". Rule does not consider Property objects. |
| 8108 | FALSE | False positive for method System.IO.File::Exists |

1.4.0-funcrel

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 28876 | .NET Analysis crash --- com.castsoftware.dotnet.1.3.1-funcrel\DotNetCmd.exe exited with code -1073741571 |

Other Updates

Details
Exception occurred while loading a project: "System.ArgumentException: Version string portion was too short or too long".

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027096 | TRUE | Avoid raising exceptions in unexpected location |
| 1027098 | TRUE | Avoid unused private types or members |

1.4.0-beta1

Other Updates

Details
TCC config delivered by .NET extension is referring to package="Dotnet_Extension" instead of package="Base_DotNet".

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027008 | FALSE | False violation for "Always Revert After Impersonation" on stored instances of classes implementing IDisposable. |
| 1027058 | FALSE | False positive for "Avoid blocking async methods" in "main" method and missing violation on property "Task<TResult>.Result". |
| 1027096 | TRUE | "Avoid raising exceptions in unexpected location": a method that is not expected to throw exceptions throws an exception. Currently limited to C#. |
| 1027098 | TRUE | "Avoid unused private types or members": private or internal types or private members that are never executed or referenced are dead code. Currently limited to C#. |

1.4.0-alpha5

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 28888 | Modified Transactions due to links alternating to objects with same fullname in different folders. |
| 28054 | False violation (rule id:1027012): Avoid storing Non-Serializable Object as HttpSessionState attributes. |
| 29262 | The rule (rule id: 8156): "Persistent classes should implement GetHashCode() and Equals()" should not apply for Entity Framework. |

Other Updates

Details
"System.Threading.Task" should be exception to the QR (rule id: 8086) "Avoid types that own disposable fields and are not disposable".
Fixed System.NullReferenceException raised in RawProjectBuilder.setProjectOutputKind.

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027012 | FALSE | Fixed false positive due to wrong resolution of symbol (compiler error BC30560) |
| 8156 | FALSE | Fixed false positive due to rule formerly applied to entities of EF |
| 8086 | FALSE | Fixed false positive due to rule formerly applied to "System.Threading.Task" |

1.4.0-alpha4

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027050 | TRUE | New rule: Avoid throwing ArgumentException from yielding method. |
| 1027042 | FALSE | Bookmark only the attribute declaration. |
| 1027070 | FALSE | Variable declared and initialized against a LINQ query when compared to 'null' is always false. |
| 1027020 | FALSE | When comparison is done using "==" operator, as in "1 == aThrow.Children.Count()", violation should not be set. |
| 1027088 | FALSE | Declaring a C# class without any access modifier ("public" or others) should raise a violation. |

1.4.0-alpha3

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 27762 | False positive in the rule: "Close the outermost stream ASAP (Avoid missing release of stream connection after an effective lifetime)" |
| 24427 | Wrong Violations for the rule: "Avoid missing release of stream connection after an effective lifetime" in .NET |
| 26766 | False violation for the rule: "Avoid missing release of stream connection after an effective lifetime" |
| 28276 | The Metric Rule: "Avoid missing release of stream connection after an effective lifetime" produces false positives |
| 26749 | ASPX Transactions deleted |
| 27617 | Objects not coming part of module causing transactions to be "Deleted" |

Other Updates

Details
False positives on QR "Avoid missing release of stream connection after an effective lifetime" when "using declaration" syntax is used
Correct bookmark for rule "Avoid missing release of stream connection after an effective lifetime"
False positives on QR "Avoid missing release of stream connection after an effective lifetime" when "using" syntax is used
Improvement of the rule "Avoid weak encryption providing insufficient key size (.NET)"
Improvement of the rule "Avoid returning null from ToString()" to non override method
Increased the patterns supported for the rule "Avoid hardcoded URIs (.NET)"
Increased the scope of the rule "Avoid using Obsolete attributes without message"
Improved support of the nuget extractor

Performance Improvements

Summary
Improve performance to compute Metrics and CRC

1.4.0-alpha2

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 27654 | DOTNET.0156: An unexpected exception occurred while loading project xxxx. Project excluded from analysis. |
| 26398 | DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name |
| 27291 | DOTNET analysis stuck at End Compute Metrics for symbols |
| 26465 | DOTNET analysis stuck at End Compute Metrics for symbols |
| 27061 | DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name |

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027088 | TRUE | Avoid non-public custom exception types |
| 1027090 | TRUE | Avoid improper instantiation of argument exceptions |
| 1027092 | TRUE | Always pass optional parameters too, when making 'base' calls |
| 1027094 | TRUE | Always provide deserialization methods for optional fields |

1.4.0-alpha1

Note

A significant number of new rules have been added in this release of the extension which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.

Resolved Issues

| Customer Ticket Id | Details |
|---|---|
| 25822 | QR: Avoid having lock on this object - False Positive |
| 26801 | Dotnet analysis is failing with error: The solution does not contain the specified project. (The problem occurred when the analyzer searched for dependencies but found no reference or a duplicate reference.) |

Other Updates

Details
Diags may put violations on fields while fields are not part of the rule's scope
Unknown exception System.InvalidOperationException in PathUtils.FindCommonPath method

Rules

| Rule Id | New Rule | Details |
|---|---|---|
| 1027014 | TRUE | Avoid using Thread API to manage activities of threads |
| 1027016 | TRUE | Avoid throwing exceptions in destructors |
| 1027018 | TRUE | Avoid throwing exceptions in finally block |
| 1027030 | TRUE | Avoid using Obsolete attributes without message |
| 1027020 | TRUE | Avoid using Count or LongCount where Any can be used |
| 1027022 | TRUE | Avoid using "new Guid()" |
| 1027024 | TRUE | Avoid comparing passwords against hard-coded strings |
| 1027032 | TRUE | Avoid hardcoded network resource names (.NET, VB) |
| 1027034 | TRUE | Never catch NullReferenceException |
| 1027038 | TRUE | Avoid if … else if constructs not terminated with an else clause (.NET, VB) |
| 1027036 | TRUE | Avoid rethrow exception explicitly |
| 1027042 | TRUE | Avoid having unmatched contracts for exported interfaces |
| 1027040 | TRUE | Avoid using multiple OrderBy calls |
| 1027046 | TRUE | Avoid storing passwords in Comments |
| 1027044 | TRUE | Avoid using SafeHandle.DangerousGetHandle |
| 1027048 | TRUE | Avoid returning null from non-async Task/Task<T> method |
| 1027086 | TRUE | Avoid having the same implementation in a conditional structure |
| 1027054 | TRUE | Always use System.Uri instead of string to build URLs |
| 1027058 | TRUE | Avoid blocking async methods |
| 1027070 | TRUE | Avoid if statements and blocks that are always TRUE or FALSE |
| 1027076 | TRUE | Avoid allowing File IO unrestricted access |
| 1027078 | TRUE | Always mark Windows Forms starting point as STAThread |
| 1027084 | TRUE | Avoid calling CoSetProxyBlanket and CoInitializeSecurity |
| 1027082 | TRUE | Avoid using console logging |
| 1027080 | TRUE | Always use ConfigureAwait(false) in library code awaited tasks |
| 1027074 | TRUE | Avoid hardcoded URIs |
| 1027068 | TRUE | Avoid returning null from ToString() |
| 1027066 | TRUE | Avoid throwing exception from property getters |
| 1027064 | TRUE | Always override 'Equals' and Comparison operators with IComparable implementation |