https://extend.castsoftware.com/api/delta/export/release-notes/format/markdown?id=com.castsoftware.dotnet&major=1&minor=2
The following issues are resolved in this release of the analyzer.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-986 | - | Non Regression Tests setup for .Net | After the fix, Non Regression Tests run fine, irrespective of the number of times they are run. |
DOTNET-997 | - | Random failures of Non Regression Tests for .Net due to random projects execution | Random order of projects during execution is fixed. |
DOTNET-1005 | - | NRT Failures when xaml files are present in Test app | The fix handles the differences between multiple analyses of the same version that are caused by the generated files of .Net. |
DOTNET-1094 | - | NullReferenceException during devirtualization | Exception is fixed. |
The following issues are resolved in this release of the analyzer.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-913 | 20646 | Massive increase in warnings mainly of the type GUID duplicate found : CAST_DotNet_ClassExternal after upgrading extension. | Regression fixed, but a few GUID duplicate warnings remain. |
DOTNET-965 | - | Uncaught exception while processing target EntryPoint | Exception does not occur anymore. |
DOTNET-969 | - | SSL in .Net extension | A change has been implemented in preparation for the future support of encrypted SSL connections to CAST Storage Service/PostgreSQL. |
DOTNET-971 | 22353 | DOTNET.0156: An unexpected exception occurred while loading project | The exception was occurring when the .NET analyzer was installed in a folder whose path contains space characters. The issue is fixed. |
DOTNET-981 | 22535 | Analysis of XXX.csproj has failed. An unexpected error happened leaving the analysis in an unknown state | Exception does not occur anymore. |
DOTNET-988 | - | CS0433 errors related to extractions | These errors were related to two conflicting extractions; the errors have been removed. |
DOTNET-990 | - | On local functions we get the warning: DOTNET.0020: Error while processing visitor: MethodBodyVisitor | This error was occurring on local functions with the arrow syntax. We no longer generate CASTIL code for these local functions until some other fixes on lambdas are made. |
DOTNET-995 | 22791 | DOTNET.0156: An unexpected exception occurred while loading project | Exception does not occur anymore. |
DOTNET-996 | 22793 | .NET analysis is failing with warning: System.ArgumentException: Illegal characters in path | Exception does not occur anymore. |
This extension now supports:
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-974 | - | create_link call crashing with entity 1.4.4 extension | The analyzer no longer crashes |
DOTNET-984 | - | get_inherited_types() method is broken | In Python extensions the method get_inherited_types() was not working for some base types, depending on the analysis configuration. This is now fixed. |
This extension now supports 'packages.config' files, which gives a more accurate analysis (fewer messages in DOTNET.0150 and DOTNET.0151).
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-899 | - | SQL injection target methods for C/S links is not aligned with User Input Security requirement and needs | Improved accuracy for User Security Input analyses. |
DOTNET-937 | - | Support of conditional member access syntax | The analyzer no longer crashes. |
DOTNET-940 | - | .Net 1.0/1.1 analysis fail with warning DOTNET.0155: Unrecognized format of project file | .NET 1.x projects may be analyzed again. |
DOTNET-947 | 21787 | .NET analysis is failing with several warnings in the analysis log and hence links not created between the artifacts | A NullReferenceException was occurring in an attempt to draw a devirtualization link in a lambda as a field initializer. The link is now created from all constructors of the class. |
DOTNET-948 | - | DOTNET.0020: Error while processing visitor: AvoidStreamResourceLeaks, AlwaysRevertImpersonation | No more crash with message DOTNET.0020. |
This extension now supports:
Earlier name of '8108': Close outermost stream ASAP
Current name of '8108': Avoid missing release of stream connection after an effective lifetime
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-865 | 19708 | False positive for .NET rule "Close outermost stream ASAP", now "Avoid missing release of stream connection after an effective lifetime" | Before the fix, the 'null conditional operator' was not recognized and false violations were displayed. After the fix, the 'null conditional operator' is handled, so no false violations are displayed. |
DOTNET-925 | 21127 | .Net analysis is frozen | An infinite loop was occurring during the analysis. After the fix, the analysis completes successfully. |
DOTNET-926 | 21198 | .NET Analyzer 1.2.2 funcrel - Unable to analyze complete code | While loading projects, analysis was crashing. After the fix, analysis does not crash. In the future if any exception is raised during the load of project, only projects failing to load will be excluded from analysis. |
DOTNET-929 | 21245 | AIP_CONSOLE OnBoarding : All C# classes are not analyzed. | A crash was occurring when the target framework of a project was an empty string. The crash is fixed. After the fix, in case of an empty string we select the default framework version (which is the highest framework version supported). |
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-296 | - | Support of C#7 and VB :: tuple syntax | New links are created and the user input security will go through the instructions using tuples. |
DOTNET-902 | - | Fix required for 4 DOTNET.0020 warnings in analysis log file | Under specific conditions, a crash could occur during the analysis of the web services. Because of this, some methods were not recognized as web methods. After the fix, the crash does not occur. |
DOTNET-907 | - | Some recursive package dependencies are not found | Some recursive dependencies were not found and interoperability between system frameworks was not taken into account, resulting in missed package dependencies. Missing package dependencies may have the following impact: missing links toward external objects and less accurate user input security. The issue is fixed after the upgrade. |
DOTNET-909 | - | Missing objects expected from Edmx files | Edmx files are now saved as additional documents of a project, allowing extensions to leverage that information. |
DOTNET-917 | - | Crash during computation of diag Avoid weak encryption key size | After the fix, the crash no longer happens, so no violations are missing. |
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-611 | - | Invalid CASTIL generation for ASP.NET pages | After upgrading, intermediate CastIL code related to web forms (.aspx) and web controls (.ascx) is now generated correctly for the User Security Input. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more User Input Security related violations may be identified. |
DOTNET-612 | - | Missing devirtualization links when type instantiations are involved | Devirtualization links are now created properly in the context of type instantiations. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more accurate transaction information will be produced. |
DOTNET-869 | - | Missing type conversion calls for the CastIL generation via Roslyn | Implicit calls to ToString() methods were not generated in CASTIL (for dataflow). Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: more User Input Security related violations may be identified. |
DOTNET-887 | - | Violations are missing in AED when compared with 1.0.14 extension | Violations were not reported on Page_Load methods in a web application. Therefore after an upgrade to this version of the extension and the generation of a post upgrade consistency snapshot, results may change: increased number of violations producing greater accuracy. |
DOTNET-896 | - | Missing dependency toward netstandard.dll facade may cause name resolution errors | Name resolution errors are fixed. |
DOTNET-897 | - | Resolution errors because of dependencies added twice | Name resolution errors are fixed. |
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-784 | - | "C# Property" objects are "synthetic", but their children (setters and getters) are internal | A change has been made to the status of certain objects resulting from .NET analyses. The following objects are all now considered as "generated code" when required:
Previously, these objects were not considered as "generated code" and therefore violations found in them were included in grade and violation counts. After an upgrade to 1.2.0-funcrel and the generation of a post upgrade consistency snapshot on unchanged source code, results may be impacted due to this change: grades may change due to the non-inclusion of violations caused by these objects. In addition, other metrics may change such as the total number of violations and Line of Code count (generated objects do not contribute to these). Finally, the Engineering Dashboard will now report identical values for the total number of all violations in the Risk Model tile and in the Application Components tile. |
DOTNET-855 | - | Error while processing visitor: MethodBodyVisitor | In 1.2.0-funcrel a change has been made to display a warning message instead of an error message:
The consequence of this change is that previously the generated code for the entire file was lost (skipped due to the error), however, now the generated code is lost only for the specific method mentioned in the warning message. |
DOTNET-856 | - | Error while processing visitor: LinqToSQLVisitor | After upgrading to 1.2.0-funcrel, warning message is not displayed. |
The .TCCSetup file provided in the extension has been configured to recognize End points for DbDataAdapter.
A NuGet package may have dependencies on other packages (specified in the nuspec file). We should take these dependencies into account to include them as dependent packages.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-833 | 19400 | Crash in .Net analyzer | After upgrading to 1.2.0-beta5, .Net analyzer does not crash due to duplicate Keys in dictionaries. |
DOTNET-780 | 18569 | Analysis warning: DOTNET.0020:Error while processing visitor: NumberOfBreaksInForLoops | After upgrading to 1.2.0-beta5, you will no longer get the false warning message related to NumberOfBreaksForLoops. |
DOTNET-825 | 19152 | Receiving false positives reporting dead code for code that is in use | This issue has been fixed by disabling the rules listed below. These rules often produce a significant number of false violations thereby reducing their usefulness. These rules are multi-techno and are embedded in AIP Core, therefore they are only disabled specifically and only for .NET technologies when using CAST AIP ≥ 8.3.16. As a result of this change, results may be impacted - no violations will be triggered for any of these rules, therefore potentially impacting grades and existing results: |
DOTNET-843 | - | Devirtualization should create a link to all overrides at least | After upgrading to 1.2.0-beta5, the .Net analyzer creates a link to all overrides when devirtualization of a call does not find a single link. |
The .TCCSetup file provided in the extension has been configured to recognize Entry points for Xamarin.Forms and End points for SQLite. Transactions can therefore now be seen in CAST Transaction Configuration Center.
A single warning is now displayed in the log file for each unresolved type.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-808 | 19086,19229 | Snapshot error - ‘Error while executing Procedure’ | After upgrading to 1.2.0-beta4, no error is displayed. |
DOTNET-789 | - | There should be fatal error instead Warning message "Analysis failure, could not load a type. The following assemblies could not be loaded as well:" | After upgrading to 1.2.0-beta4, a fatal error message is displayed instead of a warning message. |
DOTNET-820 | - | DOTNET.0020:Error while processing visitor: WebServiceVisitor | After upgrading to 1.2.0-beta4, no error while processing "WebServiceVisitor" |
DOTNET-742 | - | FALSE VIOLATION FOR RULE- "Close the outermost stream ASAP" | Methods returning streams will not be considered for violation. After an upgrade to the current version of the extension and the generation of a post-upgrade consistency snapshot, results may change for this rule: fewer false violations, providing more accuracy. |
DOTNET-805 | - | Workaround for "Nupkg files exclusion in Nuget packaging" | Xamarin.Forms libraries were not being referenced because, during packaging, files and folders starting with '.' or ending with '.nupkg' are excluded by default. This problem is solved by shipping the '.nupkg' as '.castpkg'. |
DOTNET-819 | 17666 | FALSE VIOLATIONS FOR "Avoid improper processing of the execution status of data handling operations" | The current rule is not violated in the below cases: |
The MAV2 metric "Length of the longest line" has been removed for .NET related analyses; as a consequence, it will no longer appear in the object properties list in CAST Enlighten.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-779 | - | CASTONCAST: snapshot fails with ERROR: duplicate key value violates unique constraint "dss_objects_pk" | The snapshot failed due to a duplicate checksum for certain objects (when shared projects were present in the sources). This has now been fixed and the snapshot will complete correctly. |
DOTNET-708 | - | When both the iOS and android and UWP application are present in the same solution not finding the Xamarin reference | Missing links to framework dependencies for Xamarin projects will now be created |
DOTNET-577 | - | DOTNET.0048:Error while loading XML document | Documentation updated to clarify scenario of an empty configuration file in project |
DOTNET-709 | - | Not finding the Xamarin reference for the WatchOS App, can find the Xamarin WatchOS reference in web config | Missing links to framework dependencies for Xamarin projects will now be created |
DOTNET-783 | - | EOF counted as line of code | The EOF is no longer counted as a line of code, therefore a change in the number of lines of code is to be expected after upgrade to this release. |
The following rule has been added in this release - see: https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-beta2
1027012 | Avoid storing Non-Serializable Object as HttpSessionState attributes |
---|---|
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-621 | - | Bug in the quality rule "avoid instantiations inside loops" | No false violation message. The creation of an object to be added to a collection that has a life cycle longer than the loop should not be considered a violation. |
DOTNET-745 | - | Regression: Snapshot failed with ERROR: duplicate key value violates unique constraint "dss_objects_pk" | There were 2 CRCs saved on some objects, now there is only 1 CRC. |
DOTNET-763 | 18245 | LOC increase post migration | The analyzer was previously including empty lines in the lines of code (LOC) value therefore producing an erroneous value for this metric. This bug has been fixed (blank lines are no longer included in the LOC value) and therefore after an upgrade to the current version of the extension and the generation of a post-upgrade consistency snapshot on unchanged source code, the LOC value will reduce. |
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-718 | 17275 | FALSE VIOLATION FOR RULE- Close the outermost stream ASAP | After upgrading to 1.2.0-beta1: No false violation for the rule - Close the outermost stream ASAP. Upgrading to 1.2.0-beta1 will affect the analysis results. |
The following rules have been added in this release - see https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-alpha2:
1027004 | Avoid using deprecated XmlTextReader .NET API |
---|---|
1027008 | Always Revert After Impersonation |
1027010 | Avoid weak encryption providing sufficient key size (.NET) |
The .NET Analyzer now uses the Roslyn 3.0 compiler/analyzer which brings a first level of support for:
A change has been implemented to introduce a connectivity layer compatible with PostgreSQL 10 and 11.
To use the .NET Analyzer extension for analysis purposes, the .NET Framework ≥ 4.7.2 must be installed. A check will be done when the analysis starts and a message will be produced if the minimum .NET Framework cannot be found. See also Required third-party software in .NET Analyzer - 1.2.
First level of support for Xamarin (links to Xamarin API objects will be resolved) for:
The following rules have been added in this release - see https://technologies.castsoftware.com/rules?sec=srs_dotnet&ref=||1.2.0-alpha1:
1027000 | Avoid Managed type declaration for Win32 API using Overlapped IO |
---|---|
1027002 | Avoid exposing methods that use Platform Invocation Services to access unmanaged code |
A new set of icons has been provided for display in CAST Enlighten.
Internal ID | Call ID | Description | Impact? |
---|---|---|---|
DOTNET-673 | 16172 | False positive for rule 'Avoid using Keywords' for 'C# Property Set' and 'C# Property Get' | After an upgrade to 1.2.0 and then generation of a new snapshot on unchanged source code, results of the rule 'Avoid using Keywords' for 'C# Property Set' and 'C# Property Get' may be impacted: fewer false violations, providing greater accuracy. |