Release Notes - 1.4

1.4.19

Resolved Issues

Customer Ticket Id Details
45254 Fixes a false violation of the rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)".
46337 Fixes and removes false links to table objects from ".NET AppSetting found in configuration file".
47133 Fixes a false violation of the rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)".
47384 Fixes incorrect/false (non-dynamic) links from VB.NET methods to tables created by the analyzer inference engine: all links found from the dataflow entry point with the inference engine are now handled as "dynamic".

1.4.18

Resolved Issues

Customer Ticket Id Details
43359 Fixes an issue that was causing a mismatch in the Engineering Dashboard between the total violation count in the main tile and the CSV export report.

1.4.17

Resolved Issues

Customer Ticket Id Details
41637 Corrected the violation count displayed in Engineering Dashboard for the rule (1027024): "Avoid comparing passwords against hard-coded strings"

Other Updates

Details
Corrected the wrong generic type for nested class or enum of a generic class in extraction files.
Corrected the metamodel property of quality rules to correct violation count displayed in Dashboard.

Rules

Rule Id New Rule Details
7198 FALSE Fixed false positives for the rule: "Avoid String concaténation in loops (.NET)" when the concatenation was done inside the initialization during variable declaration.

1.4.16

Resolved Issues

Customer Ticket Id Details
41935 Fixes a false violation of rule 3612: "Avoid missing release of SQL connection after an effective lifetime (C#, VB.NET)" when using declaration syntax.

Other Updates

Details
.NET has a new option to disable linking .NET Client code to SQL Database Tables. Not activated by default.

1.4.15

Resolved Issues

Customer Ticket Id Details
41374 Fixes a false violation of the rule 7862: "Avoid catching an exception of type Exception, RuntimeException, or Throwable".
41802 Fixes an issue causing the analysis to fail with the error "System.ArgumentException: An item with the same key has already been added".

Other Updates

Details
The analysis behaviour has been updated to ensure that the symbols comparison process is completed with the current project's .NET version.
Avoid argument exception with duplicate key entry in dictionary for AvoidRaisingExceptionsInUnexpectedLocation diag

1.4.14

Resolved Issues

Customer Ticket Id Details
40482 Fixes an issue causing an analysis to fail with the error "DOTNET.0007:Unknown language Unknown. Couldn't load project."

Other Updates

Details
The analyzer has been updated to prevent the analysis of unused source files (e.g with the Content or None tag) such as .cs, .vb, etc. in SDK style projects.
The analyzer has been updated to ensure that generated objects (such as classes) are saved with the properties "external" and "generated" (previously these objects were only saved with the property "external).
Fixes a false positive in rule 1027042 "Avoid having unmatched contracts for exported interfaces" that is triggered when a class does not implement directly the interface but inherits a class that implements it.
Fixes an issue where tags disabling implicit file inclusion in SDK style project files are ignored during an analysis causing unwanted files to be analyzed.
Fixes an issue where the analyzer was previously analyzing the same file multiple times (due to the existence of multiple project files specifying the compilation of the file multiple times).
Fixes an issue causing the analyzer to create the wrong type of link (accessReadLink) when the assignment of an object is done by a deconstruct operation. The analyzer now creates an accessWriteLink link instead.
Fixes a false negative in rule 1027100 "Avoid dangerous File Upload" that is triggered when "HttpPostedFile.SaveAs" is used.

Rules

Rule Id New Rule Details
1027042 FALSE "Avoid having unmatched contracts for exported interfaces": removed a false positive that is triggered when a class does not implement directly the interface but inherits a class that implements it.
1027100 FALSE "Avoid dangerous File Upload": fixes a false negative that is triggered when "HttpPostedFile.SaveAs" is used.

1.4.13

Resolved Issues

Customer Ticket Id Details
39034 Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference."
38601 Fixes an issue causing an analysis crash with the error "Unknown exception System.InvalidOperationException: The project already contains the specified reference."
38362 Fixes an issue causing an analysis crash with the error: "Unknown exception System.IO.DirectoryNotFoundException: Could not find a part of the path."
39086 Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime".
37489 Fixes an issues where the analysis completed but took a very long time to run.
38509 Fixes several incorrect terms in warning messages found in the .NET analysis log file.
38529 Fixes an issue where the warning "DOTNET.0012:Could not load assembly" was encountered many times in one analysis. This warning is now not triggered for DLLs that are not .NET assemblies and where there is more than one DLL in a directory of a build of a package, then add all DLLs are added.

Other Updates

Details
Changes the behaviour to stop and exception being raised when analyzing code with local functions: now the analyzer carefully ignores local function calls in order to avoid exceptions (and so, continue the analysis of the current file).
Fixes an exception raised by the Security Analyzer during log forging analysis due to optional arguments encountered in the code.
Fixes an issue where the log contained many instances of the entry "An exception occurred while generating code for…." when tuple expressions were being analyzed.

Rules

Rule Id New Rule Details
8108 FALSE Fixes a false violation of the rule 8108 - "Avoid missing release of stream connection after an effective lifetime".

1.4.12

Note

No changes or updates have been made in this release. This is simply a move to LTS (Long Term Support).

1.4.11-funcrel

Resolved Issues

Customer Ticket Id Details
35954 Fixes missing links from .NET methods to stored procedures when a string variable is declared in an anonymous function.
38220 Fixes a false violation - "Avoid storing passwords in Comments" - 1027046.

Other Updates

Details
Improved support for databases: Oracle, DB2, MySQL, Microsoft.Data.SqlClient

Rules

Rule Id New Rule Details
1027046 FALSE Fixes a false violation for "Avoid storing passwords in Comments".

New Support

Summary Details
Support of C# 9 Introduces support for C# 9: record, init-only accessor, top-level statement, target-typed new, covariant return type, …

1.4.10-funcrel

Note

The release 1.4.10-funcrel replaces 1.4.9-funcrel, which was withdrawn due to an error where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.

Resolved Issues

Customer Ticket Id Details
37290 Fixes an issue where snapshots fail after an upgrade to 1.4.9-funcrel with the error "Error while executing Procedure: ERROR: function mal_as_allocation_eu_main_local.dss_diag_scope_generic_num(integer, integer, integer, integer) does not exist."
36406 Fixes an issue where .NET analysis failed with error: The process `"D:\CAST\Extensions\com.castsoftware.dotnet.1.4.7-funcrel\DotNetCmd.exe" "R:\Storage\XX\DotNetCmd.xml"' exited with code -1073740940.
36719 Fixes an issue where .NET analysis is missing links to System namespace that should be resolved from .NET framework.
26750 Fixes an issue related to All ASMX transactions. A link is missing from "ASMX Source File" to its "C# source file". But the ASMX object is defined in TCC configuration as entry point. Therefore, All ASMX transactions are empty. The link is missing for all ASMX objects that are entry points for transactions.

Other Updates

Details
Fixes an issue related to missing assemblies with correct project hintpaths. The features using the hintpath of scproj files were found missing. After the fix, there is no Warning for DOTNET.0142 and DOTNET.0150.
Fixes an issue related to third party application. Updating the third party package Microsoft.WindowsDesktop.App.Ref to version 6.0.6
Fixes an issue related to .NET Analysis concurrency. When two applications are launched parallelly with the same Zip file for the source code, first analysis ends successfully and the second one fails with an error.

Rules

Rule Id New Rule Details
1027100 TRUE Avoid dangerous File Upload.

New Support

Summary Details
Support Dapper/Oracle/NpgSQL framework for .Net Support Dapper/Oracle/NpgSQL framework for .Net with blackboxing.

1.4.9-funcrel

Note

This release has been withdrawn due to an error, where snapshots failed after an upgrade to 1.4.9-funcrel. 1.4.10-funcrel contains the same fixes and updates as 1.4.9-funcrel, in addition to a fix for the error introduced in 1.4.9-funcrel.

1.4.8-funcrel

Resolved Issues

Customer Ticket Id Details
34766 Fixed false positive violations for the rule (7266): "Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods".
35114 Fixed false positive violations caused by event handler C# methods for the rule (1027098): "Avoid unused private types or members".
31317 Fixed incorrect links in the "Reference" section for the rule (1043010) "Avoid creating cookie without setting httpOnly option (C#)".
34864 Fixed false false positive violations for the rule (1027048): "Avoid returning null from non-async Task/Task<T> method".
35078 Fixed false positive violations for the rule (1027048): "Avoid returning null from non-async Task/Task<T> method".
34960 Fixed false positive violations for the rule (1027074): "Avoid hard-coded URIs (.NET)".
34773 Fixed false positives for rule (8402): "All types of a serializable class must be serializable" in C#.

Other Updates

Details
Added a new tool "WSDLGenerator": externalize generated files based on WSDL file in a separate tool.
Fixed a bad type link between .NET and SQL synonym.
Fixed an unexpected exception, that occurred during step: Dataflow symbol registration.
Default links in 'analysis schema' decreased by 1730, when comparing analyses run between 8.3.42 and 8.3.43.
Added a new tool XSDGenerator: externalize generated files based on XSD file in a separate tool.
Correction of the error: "System.IO.DirectoryNotFoundException", while moving CommandData.json file with folder path containing a space character.

Rules

Rule Id New Rule Details
1027074 FALSE Fixed false positive violations for the rule: "Avoid hard-coded URIs (.NET)".
7212 FALSE Fixed missing violations for the rule: "Avoid instantiations inside loops".
7266 FALSE Fixed false positive violations for the rule: "Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods".
1027098 FALSE Fixed false positive violations caused by event handler C# methods for the rule: "Avoid unused private types or members".
1027048 FALSE Fixed false positive violations for the rule: "Avoid returning null from non-async Task/Task<T> method".
8402 TRUE Fixed false positives for rule: "All types of a serializable class must be serializable" in C#.

New Support

Summary Details
Support ASP.NET Core 5 and 6 Support for Asp.Net Core 5 and 6, libraries are imported as third parties.

1.4.7-funcrel

Resolved Issues

Customer Ticket Id Details
34381 41 projects are not analyzed with Unexpected exception occurred during step: ASTs visit
34654 Missing links from .NET SOAP Resource Service to .NET SOAP Operation due to wrong Soap Operation name

Other Updates

Details
Moving CommandData.json files raised an exception when running the analysis a second time.

1.4.6-funcrel

Note

Please do not use this version.

Resolved Issues

Customer Ticket Id Details
34467 An unexpected exception occured while loading project xxxxx Sequence contains more than one matching element
34572 An unexpected exception occured while loading project xxxxx Sequence contains more than one matching element.
33966 Rule name: "Avoid using console logging" should be renamed according to technology as: "Avoid using console logging (.NET)".

Other Updates

Details
CASTIL generation - Review CastIL generation for fields: Non static fields with initializers are now correctly instantiated and have a bookmark, static field are now initialized in static constructor
Generated .json files are analyzed by HTML5 extension, but they should not be analyzed by the extension- this leads to invalid result variation
PathTooLongException not catched raised DOTNET.0156 warning.
The rule (8108) "Avoid missing release of stream connection after an effective lifetime" has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable.

Rules

Rule Id New Rule Details
8108 FALSE The rule "Avoid missing release of stream connection after an effective lifetime" has been modified to reduce false positive violations by excluding streams in constructor arguments of classes inheriting from IDisposable.
1020060 FALSE Rule name: "Avoid using console logging" is renamed according to technology as: "Avoid using console logging (.NET)".

New Support

Summary Details
Support of .NET Core 5 and 6 The .NET Analyzer now supports .NET Core 5 and 6. Syntax support is limited to C# 8.0.

1.4.5-funcrel

Resolved Issues

Customer Ticket Id Details
31602 Net warning: DOTNET.0156: An unexpected exception occured while loading project Net 5
31022 False violation for rule (rule id: 8110): Use dedicated stored procedures when multiple data accesses are needed.
33194 Message "Required framework version is 4.8 but version 4.7.2 will be used instead" still displayed, when version 4.8 is installed.

Other Updates

Details
Bad inherited link between a class and an instanciated: A bad relyon link has been replaced by an inheritance link.

Rules

Rule Id New Rule Details
8110 FALSE Removed false violation for the rule: Avoid not using dedicated stored procedures when processing multiple data accesses.

1.4.4-funcrel

Resolved Issues

Customer Ticket Id Details
29725 Transaction are deleted due to missing dll file reference: compilation conflicts between extractions and references
33077 Missing Reference to Datarow even though the dll is present causing GUID changes between versions
33272 DOTNET.0142: No ressource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: support of Portable Class Library (PCL) for nuget package
33379 DOTNET.0142:No ressource found for package XLabs.IoC version 2.0.5782. Package reference ignored in project: Support of Portable Class Library (PCL) for nuget package.
33476 False violation for QR "Avoid non-public custom exception types" for partial classes
33518 Missing Reference to Datarow even though the dll is present causing GUID changes between versions

Other Updates

Details
False positive on rule: "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream.
Get rid of useless flagged warning logs.

Rules

Rule Id New Rule Details
1027088 FALSE False violation for rule: "Avoid non-public custom exception types" for partial classes.
8108 FALSE False positive on rule: "Avoid missing release of stream connection after an effective lifetime" with some methods of classes File and Stream.

1.4.3-funcrel

Resolved Issues

Customer Ticket Id Details
32682 False violation for rule “Always use System.Uri instead of string to build URLs”: authorize secure method System.Net.WebRequest::Create(System.String).
32708 False positive for the rule: "Avoid storing passwords in Comments".
32823 Unknown exception System.AggregateException in method AvoidRaisingExceptionsInUnexpectedLocation.Init
32852 False violation for the rule: "Avoid hard-coded network resource names (.NET, VB)": restrict ipv4 to 4 numbers pattern.
32978 False violation for the rule: "Avoid comparing passwords against hard-coded strings".

Other Updates

Details
Update the analyzer, to provide a list of the .NET frameworks managed by default in a .json file.

Rules

Rule Id New Rule Details
1027054 FALSE False violation for rule “ Always use System.Uri instead of string to build URLs”: authorize secure method System.Net.WebRequest::Create(System.String).
1027046 FALSE False positive for the rule: "Avoid storing passwords in Comments".
1027032 FALSE False violation for the rule: "Avoid hard-coded network resource names (.NET, VB)": restrict ipv4 to 4 numbers pattern.
1027024 FALSE False violation for the rule: "Avoid comparing passwords against hard-coded strings".

1.4.2-funcrel

Resolved Issues

Customer Ticket Id Details
32444 Onboarding: Csproj project excluded due to System.IndexOutOfRangeException: Index was outside the bounds of the array.
32585 Onboarding: Csproj project excluded due to System.IndexOutOfRangeException: Index was outside the bounds of the array.

Other Updates

Details
False positives in rule "Avoid hardcoded URIs".
Unknown exception System.ArgumentException raised in rule "Avoid unused private types or members".
General Protection Fault crash on code "QUAL_SACS".
Correction for initialization of plugins inside component.

Rules

Rule Id New Rule Details
1027074 FALSE False positives in rule "Avoid hardcoded URIs".
1027098 FALSE Unknown exception System.ArgumentException raised in rule "Avoid unused private types or members".

1.4.1-funcrel

Resolved Issues

Customer Ticket Id Details
30747 Drop in FP, due to changes in .NET TCCSetup file.
30762 Mismatch in violation count for the rule (7198): "Avoid String concatenation in loops (.NET)".
30482 False negative for the rule: "Avoid storing Non-Serializable Object as HttpSessionState attributes". Rule does not consider Property objects.
31611 False negative for the rule Avoid storing Non-Serializable Object as HttpSessionState attributes.' Rule does not consider Property objects.

Other Updates

Details
Analysis too long for file initializing, extremely big dictionary.
8108: False positive for method System.IO.File::Exists.
TFP decreased by 4858.0 when migrating 8.3.37 -> 8.3.38 (upgraded dotnet extension).
Generalized the string evaluation.

Rules

Rule Id New Rule Details
1027012 FALSE False negative for the rule: "Avoid storing Non-Serializable Object as HttpSessionState attributes". Rule does not consider Property objects.
8108 FALSE False positive for method System.IO.File::Exists

1.4.0-funcrel

Resolved Issues

Customer Ticket Id Details
28876 .NET Analysis crash — com.castsoftware.dotnet.1.3.1-funcrel\DotNetCmd.exe exited with code -1073741571

Other Updates

Details
Exception occurred while loading a project: "System.ArgumentException: Version string portion was too short or too long".

Rules

Rule Id New Rule Details
1027096 TRUE Avoid raising exceptions in unexpected location
1027098 TRUE Avoid unused private types or members

1.4.0-beta1

Other Updates

Details
TCC config delivered by .NET extension is referring to package="Dotnet_Extension" instead of package="Base_DotNet".

Rules

Rule Id New Rule Details
1027008 FALSE False violation for "Always Revert After Impersonation" on stored instances of classes implementing IDisposable.
1027058 FALSE False positive for "Avoid blocking async methods" in "main" method and missing violation on property "Task<TResult>.Result".
1027096 TRUE "Avoid raising exceptions in unexpected location": a method that is not expected to throw exceptions throws an exception. Currently limited to C#.
1027098 TRUE "Avoid unused private types or members": private or internal types or private members that are never executed or referenced are dead code. Currently limited to C#.

1.4.0-alpha5

Resolved Issues

Customer Ticket Id Details
28888 Modified Transactions due to links alternating to objects with same fullname in different folders.
28054 False violation (rule id:1027012): Avoid storing Non-Serializable Object as HttpSessionState attributes.
29262 The rule (rule id: 8156): "Persistent classes should implement GetHashCode() and Equals()” should not apply for Entity Framework.

Other Updates

Details
"System.Threading.Task" should be exception to the QR (rule id: 8086) "Avoid types that own disposable fields and are not disposable".
Fixed System.NullReferenceException raised in RawProjectBuilder.setProjectOutputKind.

Rules

Rule Id New Rule Details
1027012 FALSE Fixed false positive due to wrong resolution of symbol (compiler error BC30560)
8156 FALSE Fixed false positive due to rule formerly applied to entities of EF
8086 FALSE Fixed false positive due to rule formerly applied to "System.Threading.Task"

1.4.0-alpha4

Rules

Rule Id New Rule Details
1027050 TRUE New rule: Avoid throwing ArgumentException from yielding method.
1027042 FALSE Bookmark only the attribute declaration.
1027070 FALSE Variable declared and initialized against a LINQ query when compare to 'null' is always false.
1027020 FALSE When comparison is done using "==" operator, as in "1 == aThrow.Children.Count()", violation should not be set.
1027088 FALSE Declaring a C# class without any access modifier ("public" or others) should raise a violation.

1.4.0-alpha3

Resolved Issues

Customer Ticket Id Details
27762 False positive in the rule: "Close the outermost stream ASAP (Avoid missing release of stream connection after an effective lifetime)"
24427 Wrong Violations for the rule: "Avoid missing release of stream connection after an effective lifetime" in .NET
26766 False violation for the rule: "Avoid missing release of stream connection after an effective lifetime"
28276 The Metric Rule: "Avoid missing release of stream connection after an effective lifetime" produces false positives
26749 ASPX Transactions deleted
27617 Objects not coming part of module causing transactions to be "Deleted"

Other Updates

Details
False positives on QR "Avoid missing release of stream connection after an effective lifetime" when "using declaration" syntax is used
Correct bookmark for rule "Avoid missing release of stream connection after an effective lifetime"
False positives on QR "Avoid missing release of stream connection after an effective lifetime" when "using" syntax is used
False positives on QR "Avoid missing release of stream connection after an effective lifetime" when "using" syntax is used
improvement of the rule Avoid weak encryption providing insufficient key size (.NET)
improvement of the rule "Avoid returning null from ToString()" to non override method
increase pattern supported for rule "Avoid hardcoded URIs (.NET)"
increase of the scope of the rule "Avoid using Obsolete attributes without message"
improve support of nuget extractor

Performance Improvements

Summary
Improve performance to compute Metrics and CRC

1.4.0-alpha2

Resolved Issues

Customer Ticket Id Details
27654 DOTNET.0156: An unexpected exception occurred while loading project xxxx. Project excluded from analysis.
26398 DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name
27291 DOTNET analysis stuck at End Compute Metrics for symbols
26465 DOTNET analysis stuck at End Compute Metrics for symbols
27061 DOTNET warning: DOTNET.0142: No resource found for package and DOTNET.0150: No definition found for the name

Rules

Rule Id New Rule Details
1027088 TRUE Avoid non-public custom exception types
1027090 TRUE Avoid improper instantiation of argument exceptions
1027092 TRUE Always pass optional parameters too, when making 'base' calls
1027094 TRUE Always provide deserialization methods for optional fields

1.4.0-alpha1

Note

A significant number of new rules have been added in this release of the extension which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.

Resolved Issues

Customer Ticket Id Details
25822 QR: Avoid having lock on this object - False Positive
26801 Dotnet analysis is failing with error : The solution does not contain the specified project. (The problem was when analyzer try to search dependencies, but it does not find or dupplicate reference)

Other Updates

Details
Diags may put violations on fields while fields are not part of the rule's scope
Unknown exception System.InvalidOperationException in PathUtils.FindCommonPath method

Rules

Rule Id New Rule Details
1027014 TRUE Avoid using Thread API to manage activities of threads
1027016 TRUE Avoid throwing exceptions in destructors
1027018 TRUE Avoid throwing exceptions in finally block
1027030 TRUE Avoid using Obsolete attributes without message
1027020 TRUE Avoid using Count or LongCount where Any can be used
1027022 TRUE Avoid using "new Guid()"
1027024 TRUE Avoid comparing passwords against hard-coded strings
1027032 TRUE Avoid hardcoded network resource names (.NET, VB)
1027034 TRUE Never catch NullReferenceException
1027038 TRUE Avoid if … else if constructs not terminated with an else clause (.NET, VB)
1027036 TRUE Avoid rethrow exception explicitly
1027042 TRUE Avoid having unmatched contracts for exported interfaces
1027040 TRUE Avoid using multiple OrderBy calls
1027046 TRUE Avoid storing passwords in Comments
1027044 TRUE Avoid using SafeHandle.DangerousGetHandle
1027048 TRUE Avoid returning null from non-async Task/Task<T> method
1027086 TRUE Avoid having the same implementation in a conditional structure
1027054 TRUE Always use System.Uri instead of string to build URLs
1027058 TRUE Avoid blocking async methods
1027070 TRUE Avoid if statements and blocks that are always TRUE or FALSE
1027076 TRUE Avoid allowing File IO unrestricted access
1027078 TRUE Always mark Windows Forms starting point as STAThread
1027084 TRUE Avoid calling CoSetProxyBlanket and CoInitializeSecurity
1027082 TRUE Avoid using console logging
1027080 TRUE Always use ConfigureAwait(false) in library code awaited tasks
1027074 TRUE Avoid hardcoded URIs
1027068 TRUE Avoid returning null from ToString()
1027066 TRUE Avoid throwing exception from property getters
1027064 TRUE Always override 'Equals' and Comparison operators with IComparable implementation